SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown

Chef Infra (archive)
1

After replacing Wildcard SSL cert with CAtrust provider Comodo we are unable to upload cookbooks. Nginx SSL test Verify = OK. Ruby via pry test OK. We have updated all CAtrust (cacert.pem) with new Intermediate certs.

Error from ./chef-logs/erchef/current
2017-12-08_16:47:55.89697 [error] SSL: certify: ssl_handshake.erl:239:Fatal error: certificate unknown
2017-12-08_16:47:55.90299 [error] Checking presence of file (checksum: <<“somenumber here”>>) for org <<“00000000000000000000000000000000”>> from bucket “bookshelf” (key: “organization-00000000000000000000000000000000/checksum-###”) raised exception error:{aws_error,{socket_error,{conn_failed,{error,“certificate unknown”}}}}
2017-12-08_16:47:55.90301
2017-12-08_16:47:55.90897 [error] {<<"method=PUT; path=/sandboxes/####; status=500; ">>,{error,{throw,{checksum_check_error,1},[{chef_wm_named_sandbox,validate_checksums_uploaded,2,…

Error from nginx - ./chef-logs/nginx/access.log:
1.1.1.1- - [08/Dec/2017:16:47:55 +0000] “PUT /sandboxes/### HTTP/1.1” 500 “0.129” 36 “-” “Chef Knife/11.10.4 (ruby-1.9.3-p484; ohai-6.20.0; x86_64-linux; +http://opscode.com)”
“127.0.0.1:8000” “500” “0.088” “11.10.4” “algorithm=sha1;version=1.0;” “userid” “2017-12-08T16:47:55Z” “hashkey=” 1030

2

Just to followup in case others have run into this. We also noticed the same above error when running “chef-server-ctl test”

We even went as far as forcing TLv1.0 in the net_http.rb code which corrected the issue. In all other forums it mentions to upgrade erlan, openssl, ruby, etc - which is completely out of the question.

We performed a successful test using a test SSL specifically for the https://chef.dns.com - using a trial SSL cert from GEO trust: https://www.geotrust.com/ssl/free-ssl-certificate/

“knife cookbook update” & “chef-server-ctl test” were successful!! I believe the issue was with our WildCard from Comodo and how the code is not handling the CN and alias within the wildcard. We then purchased a permanent CA from GEO trust and we are now working again!!