SSL Error connecting to https://supermarket.chef.io/universe: certificate verify failed (unable to get local issuer certificate)


#1

I have installed Chef Workstation on a work Windows PC and was able to complete the Quick Start tutorial (https://docs.chef.io/quick_start.html).

I am now trying the Try Chef tutorial (https://learn.chef.io/modules/try-chef#/) but am getting an error when running the command for the 3rd step.

Command
chef-run web1 file hello.txt

Output
PS C:\workspace\Git\cookbooks\try_chef> chef-run web1 file hello.txt

[:heavy_check_mark:] Packaging cookbook... done!

[:heavy_multiplication_x:] Could not create local Policyfile bundle.

CHEFPOLICY001

Could not create local Policyfile bundle.

The following error was reported:

Failed to generate Policyfile.lock

Looking at the stack-trace file:
2019-01-07 14:49:45 -0800: Error encountered while running the following:
web1 file hello.txt
Backtrace:
ChefApply::Action::PolicyfileInstallError: ChefApply::Action::PolicyfileInstallError
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/action/generate_local_policy.rb:36:in rescue in perform_action' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/action/generate_local_policy.rb:28:inperform_action'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/action/base.rb:116:in block in run' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/telemeter.rb:85:inblock in timed_capture'
C:/opscode/chef-workstation/embedded/lib/ruby/2.5.0/benchmark.rb:293:in measure' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/telemeter.rb:85:intimed_capture'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/telemeter.rb:70:in timed_action_capture' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/action/base.rb:114:inrun'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/cli.rb:231:in generate_local_policy' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/cli.rb:142:inblock in render_cookbook_setup'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/ui/terminal/job.rb:31:in run' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/ui/terminal.rb:76:inrender_job'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/cli.rb:144:in render_cookbook_setup' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/cli.rb:111:inperform_run'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/cli.rb:72:in block in run' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/telemeter.rb:85:inblock in timed_capture'
C:/opscode/chef-workstation/embedded/lib/ruby/2.5.0/benchmark.rb:293:in measure' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/telemeter.rb:85:intimed_capture'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/telemeter.rb:74:in timed_run_capture' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/cli.rb:70:inrun'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/startup.rb:189:in start_chef_apply' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/startup.rb:65:inrun'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/bin/chef-run:23:in <top (required)>' C:/opscode/chef-workstation/bin/chef-run:322:inload'
C:/opscode/chef-workstation/bin/chef-run:322:in <main>' Caused by: ChefDK::PolicyfileInstallError: Failed to generate Policyfile.lock C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile_services/install.rb:114:inrescue in generate_lock_and_install'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile_services/install.rb:93:in generate_lock_and_install' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile_services/install.rb:63:inrun'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-apply-0.2.4/lib/chef_apply/action/generate_local_policy.rb:30:in perform_action' ... 23 more Caused by: OpenSSL::SSL::SSLError: SSL Error connecting to https://supermarket.chef.io/universe - SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-14.8.12-universal-mingw32/lib/chef/http.rb:451:inrescue in retrying_http_errors'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-14.8.12-universal-mingw32/lib/chef/http.rb:408:in retrying_http_errors' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-14.8.12-universal-mingw32/lib/chef/http.rb:365:insend_http_request'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-14.8.12-universal-mingw32/lib/chef/http.rb:149:in request' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-14.8.12-universal-mingw32/lib/chef/http.rb:115:inget'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile/community_cookbook_source.rb:88:in full_community_graph' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile/community_cookbook_source.rb:56:inuniverse_graph'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile_compiler.rb:291:in block in remote_artifacts_graph' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile_compiler.rb:290:ineach'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile_compiler.rb:290:in remote_artifacts_graph' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile_compiler.rb:266:inartifacts_graph'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile_compiler.rb:234:in block in graph' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile_compiler.rb:233:intap'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile_compiler.rb:233:in graph' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile_compiler.rb:229:ingraph_solution'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile_compiler.rb:176:in install' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-dk-3.6.57/lib/chef-dk/policyfile_services/install.rb:101:ingenerate_lock_and_install'
... 25 more
Caused by: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
C:/opscode/chef-workstation/embedded/lib/ruby/2.5.0/net/protocol.rb:44:in connect_nonblock' C:/opscode/chef-workstation/embedded/lib/ruby/2.5.0/net/protocol.rb:44:inssl_socket_connect'
C:/opscode/chef-workstation/embedded/lib/ruby/2.5.0/net/http.rb:981:in connect' C:/opscode/chef-workstation/embedded/lib/ruby/2.5.0/net/http.rb:920:indo_start'
C:/opscode/chef-workstation/embedded/lib/ruby/2.5.0/net/http.rb:909:in start' C:/opscode/chef-workstation/embedded/lib/ruby/2.5.0/net/http.rb:1455:inrequest'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-14.8.12-universal-mingw32/lib/chef/http/basic_client.rb:69:in request' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-14.8.12-universal-mingw32/lib/chef/http.rb:372:inblock in send_http_request'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-14.8.12-universal-mingw32/lib/chef/http.rb:411:in block in retrying_http_errors' C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-14.8.12-universal-mingw32/lib/chef/http.rb:409:inloop'
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.5.0/gems/chef-14.8.12-universal-mingw32/lib/chef/http.rb:409:in `retrying_http_errors'
... 40 more

I've tried to figure this out and solve it, but I'm getting nowhere. There was a similar post on this topic, but I couldn't get that solution to work either. It's probably something simple - I'm just not seeing it.

Thanks


#2

Are you behind a proxy server?


#3

Yes, I am behind a proxy server.


#4

Check out the section SSL_Cert_File
https://docs.chef.io/chef_client_security.html

You can add your owns root and intermediate cert chain to that pem file so that chef can make it through your proxy server. There are similar setups you will need to do for rubygems, vagrant, and docker if you need to them get external sources.


#5

I am having the same exact issue. I've setup the Try Chef Docker environment on a Windows PC, behind a proxy and trying to walk through the tutorial. Based on the last comment in this thread I've checked out the SSL_Cert_File section of https://docs.chef.io/chef_client_security.html but the resolution isn't clear. I'm assuming it is telling me I need to copy my companies proxy cert chain to the cacert.pem file. I'm not sure how I get my certs to the Docker machine running Chef and import them.