Self-signed cert issues when trying to install chef client on VirtualBox image

#1

Looking for some help on this error. I'm guessing it's my company's security policy or something that is blocking my download, but I'm trying to see what I can pass in to get this to work.

I have a simple generated chef cookbook with ubuntu 16.04 and ubuntu 18.04. I'm trying to run a kitchen converge for the first time on some VirtualBox VMs set up with Vagrant. In order to get the Vagrant images to download, I set up my kitchen.yml to have the platforms look like this:

platforms:
  - name: ubuntu-16.04
  - name: ubuntu-18.04
    driver:
      box_download_insecure: true

I did put in the suites section the following:

attributes:
  chef_client:
    config:
      ssl_verify_mode: ":verify_none"

However, when trying to run a converge and the VM tries to reach out to download the install.sh script, it is complaining about a self-signed certificate in the chain. I'd much rather download this securely rather than bashing through everything and telling it not to worry about it, but I'd like to find some sort of workaround at least so that I can actually get to writing cookbooks and not just try to set up my local environment. Any thoughts on how I can pass in either the --no-check-certificate or find a way to do this securely?

  STDERR from wget:

   --2019-03-19 03:24:09--  https://omnitruck.chef.io/install.sh
   Resolving omnitruck.chef.io (omnitruck.chef.io)... 151.101.50.110
   Connecting to omnitruck.chef.io (omnitruck.chef.io)|151.101.50.110|:443... connected.
   ERROR: cannot verify omnitruck.chef.io's certificate, issued by ‘emailAddress=certadmin@netskope.com,CN=ca.deloitte.eu.goskope.com,OU=fa991b84508e74cc07c03e37c6fce511,O=Deloitte Pilot,L=Los Altos,ST=California,C=NL’:
     Self-signed certificate encountered.
   To connect to omnitruck.chef.io insecurely, use `--no-check-certificate'.

0 Likes

#2

This sounds like you are sitting behind a proxy server that is doing traffic inspection. This is a common situation when running stuff like this at work. I got around it by taking a copy of my company's root and intermediate certificates (.cer format) and putting them inside of my .chef/trusted_certs folder.

0 Likes

#3

You nailed it! Thanks for the recommendation.

For future search engine seekers, here are the steps that I took.

I used the doctor.rb file from this github project:

And from the cookbook directory I stored and ran the file by entering:

chef exec ruby doctor.rb

That helped me determine the certificate that was complaining. Since I'm on Windows, I opened up mmc.exe, added the Certificates snap-in, and I found my particular certificate in question in the intermediate certificates area. I then saved the exported .cer certificate in the .chef/trusted_certs folder from the root of the cookbook. I also tried at ~/.chef/trusted_certs, which did not work.

Thanks for your help in getting past this major roadblock!

0 Likes
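As an added example (not from this thread and not Chef's own code) of why placing the inspecting proxy's root in .chef/trusted_certs makes the chain verify, whereas ssl_verify_mode :verify_none only hides the failure: the script mints a throwaway proxy root, an intermediate and a re-signed leaf for omnitruck.chef.io (all constructed; the CA names are assumptions), then verifies the leaf the way chef-client does, before and after writing the root into a temporary trusted_certs directory. It runs under `chef exec ruby` or plain `ruby`.

```ruby
require 'openssl'
require 'tmpdir'
require 'fileutils'

# Mint a certificate; with no issuer it is self-signed (a root). Constructed
# test material only, standing in for the proxy CA and the re-signed leaf.
def make_cert(subject, issuer_cert = nil, issuer_key = nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..(2**40))
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Load every PEM in trusted_dir (as chef-client does with .chef/trusted_certs)
# and verify the leaf against that store plus the chain the server presented.
# Returns [verified?, OpenSSL error string].
def verify_with_trusted_certs(leaf, presented_chain, trusted_dir)
  store = OpenSSL::X509::Store.new
  Dir.glob(File.join(trusted_dir, '*.{pem,crt,cer}')).each do |path|
    store.add_cert(OpenSSL::X509::Certificate.new(File.read(path)))
  end
  [store.verify(leaf, presented_chain), store.error_string]
end

# Before/after: same chain; verification fails until the proxy root is trusted.
def demo
  root, root_key   = make_cert('/CN=ca.proxy.example/O=Constructed Proxy CA', ca: true)
  inter, inter_key = make_cert('/CN=proxy-intermediate.example', root, root_key, ca: true)
  leaf, _leaf_key  = make_cert('/CN=omnitruck.chef.io', inter, inter_key)
  Dir.mktmpdir do |dir|
    trusted = File.join(dir, '.chef', 'trusted_certs')
    FileUtils.mkdir_p(trusted)
    before = verify_with_trusted_certs(leaf, [inter], trusted)
    File.write(File.join(trusted, 'proxy-root.pem'), root.to_pem)
    after = verify_with_trusted_certs(leaf, [inter], trusted)
    { before: before, after: after, issuer: leaf.issuer.to_s }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `issuer` field is the same piece of information doctor.rb reported in post #3: the subject of the unexpected CA that must be exported and dropped into trusted_certs.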