SSL error running workstation/client commands to hosted server


#1

Hi all,

I am having some trouble getting anything on my Ubuntu box to connect to my hosted Chef server. What I am trying to do (I think) is to set up a workstation and/or a chef client on this same machine (which, I guess, is OK?). One example that produces the failure is 'knife client list', which returns:

root@esx-v4-068-234:/opt/chef/chef-repo# knife client list
ERROR: Errno::ECONNRESET: Connection reset by peer - SSL_connect

I have this config:

root@esx-v4-068-234:/opt/chef/chef-repo/.chef# ll
total 20
drwxr-xr-x  2 root root 4096 Aug 8 08:53 ./
drwxr-xr-x 10 root root 4096 Aug 8 08:50 ../
-rw-r--r--  1 root root  817 Aug 9 12:41 knife.rb
-rw-r--r--  1 root root 1675 Aug 9 10:38 philhelm.pem
-rwxr-xr-x  1 root root 1675 Aug 9 09:04 phils_hosted_chef_server-validator.pem*

and my knife.rb looks like this:

# See http://docs.opscode.com/config_rb_knife.html for more information on knife configuration options

current_dir = File.dirname(__FILE__)
log_level :info
log_location STDOUT
node_name "philhelm"
client_key "/opt/chef/chef-repo/.chef/philhelm.pem"
validation_client_name "phils_hosted_chef_server-validator"
validation_key "/opt/chef/chef-repo/.chef/phils_hosted_chef_server-validator.pem"
chef_server_url "https://api.opscode.com/organizations/phils_hosted_chef_server"
cache_type 'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path ["#{current_dir}/../cookbooks"]
ssl_ca_path '/etc/ssl/certs'
ssl_verify_mode 'verify_none'
ssl_version 'SSLv3'

(the last three lines here were added by me after doing some googling - it didn't seem to change anything)...

I tried some manual openssl commands on my Ubuntu box:

openssl s_client -connect api.opscode.com:443 -key /opt/chef/chef-repo/.chef/philhelm.pem
which returns this output:

CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0

Certificate chain
0 s:/C=US/ST=Washington/L=Seattle/O=Opscode, Inc/CN=*.opscode.com
i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

Server certificate
-----BEGIN CERTIFICATE-----
[PEM body elided]
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Opscode, Inc/CN=*.opscode.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA

No client certificate CA names sent

SSL handshake has read 3200 bytes and written 551 bytes

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: B572D6CBE3B0E35D9E071B61F99C69C257A4724E7127E9A727E90695FA0DF61D
Session-ID-ctx:
Master-Key: A35B6F5141086833168B7837829F78A5F502C5B09606BD668ECA069BE8E1F7E01F055EA16766CCBDD1220CDF920D28BF
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - 18 68 75 3a 27 c2 3d ec-97 bf 87 ed 9e eb 0b e9   .hu:'.=.........
0010 - 36 ef 1f 8f 24 71 f8 f7-46 ae 91 aa 33 56 56 5d   6...$q..F...3VV]
0020 - 21 25 b6 2e 8b 69 ec ba-f4 e6 76 12 31 55 79 9a   !%...i....v.1Uy.
0030 - 1e fa 60 43 42 6a 40 42-3f a6 28 9f 16 2d 62 47   ..`CBj@B?.(..-bG
0040 - 88 47 ea 23 c2 fb a9 3a-4d 43 5a 2b be 39 c3 43   .G.#...:MCZ+.9.C
0050 - da c7 ba 10 9d 97 e4 04-8d 2d c5 2a d7 3f d4 9f   .........-.*.?..
0060 - 2b 02 47 eb a0 63 7c 30-f6 e2 1a 0d 54 dd 62 e5   +.G..c|0....T.b.
0070 - 25 db 1b 6c 7c 58 c2 be-23 af f9 c9 9e 44 fd 10   %..l|X..#....D..
0080 - a2 8b 6d 5f d3 08 dd a0-8d 82 b3 60 48 d0 a9 0c   ..m_.......`H...
0090 - 07 53 cf ae a8 3b de 50-09 1b b0 24 3c 26 b6 c0   .S...;.P...$<&..

Start Time: 1376069258
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)

read:errno=0

I don't know if this really tells me anything. I have tried countless google suggestions to no success. Does anyone have any thoughts on this?

Chef version 11.6
Ruby 1.8 and Ruby 1.9.1 installed (not sure why - maybe this is a problem?)
Ubuntu 12.04

Thanks
Phil

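Added example (not from any post in this thread). Two things are worth separating in the s_client output above. The TLS handshake itself completed (Protocol: TLSv1, Cipher: AES256-SHA), so the ECONNRESET that knife reports is a different failure from the one s_client shows. What s_client did flag is verify return code 20, "unable to get local issuer certificate": the server sent the leaf (*.opscode.com) and the intermediate (DigiCert Secure Server CA), but the root (DigiCert Global Root CA) has to come from the client's own trust store, and s_client was run without -CApath, so it had no anchor for the chain. The -key argument has no effect on this: s_client only uses it together with a client certificate, and the output shows the server did not ask for one ("No client certificate CA names sent"). The Ruby script below reproduces that exact error code offline with a constructed root -> intermediate -> leaf chain (names and keys are made up for the example), then shows it clearing once the root is in the store. Note that ssl_verify_mode 'verify_none' makes this check disappear without making the connection trustworthy: it accepts any certificate, including one presented by a man in the middle.

```ruby
# Added example, not code from the thread: reproduce OpenSSL verify error 20
# ("unable to get local issuer certificate") offline with a constructed
# root -> intermediate -> leaf chain, standing in for
# DigiCert Global Root CA -> DigiCert Secure Server CA -> *.opscode.com.
require 'openssl'

# Issue an X.509 certificate. With no issuer given, the cert is self-signed (a root).
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**62)
  cert.subject    = OpenSSL::X509::Name.parse("/C=US/O=Constructed Example/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed keys and certificates (made up for this example).
ROOT_KEY  = OpenSSL::PKey::RSA.new(2048)
INTER_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)

ROOT  = make_cert('Constructed Global Root CA', ROOT_KEY, ca: true)
INTER = make_cert('Constructed Secure Server CA', INTER_KEY,
                  issuer_cert: ROOT, issuer_key: ROOT_KEY, ca: true)
LEAF  = make_cert('*.api.example.invalid', LEAF_KEY,
                  issuer_cert: INTER, issuer_key: INTER_KEY)

# Verify a server certificate the way a TLS client does.
#   sent_chain : what the server includes in the handshake (the leaf's issuers; roots are
#                normally not sent, which is why s_client printed only depth 0 and 1)
#   trusted    : the client's local CA bundle (knife's ssl_ca_path / s_client -CApath)
# Returns [ok, error_code, error_string]; 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
def verify_chain(leaf, sent_chain, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, sent_chain)
  [ok, store.error, store.error_string]
end

# Both trust-store states side by side, as data rather than output, so they can be checked.
def demo
  {
    without_root: verify_chain(LEAF, [INTER], []),      # what the s_client run above did
    with_root:    verify_chain(LEAF, [INTER], [ROOT]),  # what a populated CA path gives
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |label, (ok, code, msg)|
    puts format('%-13s ok=%-5s verify return code: %d (%s)', label, ok, code, msg)
  end
end
```

Run it with plain ruby: the first line reports ok=false with verify return code 20 (unable to get local issuer certificate), the same code s_client printed; the second reports ok=true with code 0 (ok). The only difference between the two runs is whether the root is in the local store, which is the part -CApath (and knife's ssl_ca_path) controls.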

#2

On Friday, August 9, 2013 at 10:33 AM, phil helm wrote:

> Hi all,
>
> I am having some trouble getting anything on my Ubuntu box to connect to my hosted Chef server. What I am trying to do (I think) is to set up a workstation and/or a chef client on this same machine (which, I guess, is OK?). One example that produces the failure is 'knife client list', which returns:
>
> root@esx-v4-068-234:/opt/chef/chef-repo# knife client list
> ERROR: Errno::ECONNRESET: Connection reset by peer - SSL_connect

Does this happen consistently?

Can you re-run this with -VV ?


Daniel DeLeo


#3

Also, are you gem installing chef or using omnibus? If you install 11.6 with omnibus (and validate that ls -la `which knife` is a symlink to omnibus) does it fix it? Are you using rbenv or rvm?

On 8/9/13 11:41 AM, Daniel DeLeo wrote:

> On Friday, August 9, 2013 at 10:33 AM, phil helm wrote:
>
>> Hi all,
>>
>> I am having some trouble getting anything on my Ubuntu box to connect to my hosted Chef server. What I am trying to do (I think) is to set up a workstation and/or a chef client on this same machine (which, I guess, is OK?). One example that produces the failure is 'knife client list', which returns:
>>
>> root@esx-v4-068-234:/opt/chef/chef-repo# knife client list
>> ERROR: Errno::ECONNRESET: Connection reset by peer - SSL_connect
>
> Does this happen consistently?
>
> Can you re-run this with -VV ?
>
>
> Daniel DeLeo


#4

Daniel,

> Does this happen consistently?
Yes. It's a hard failure.

> Can you re-run this with -VV ?
root@esx-v4-068-234:/opt/chef/chef-repo/.chef# knife client list -V -V
DEBUG: Signing the request as philhelm
DEBUG: Sending HTTP Request via GET to api.opscode.com:443/organizations/phils_hosted_chef_server/clients
/opt/chef/embedded/lib/ruby/1.9.1/net/http.rb:800:in `connect': Connection reset by peer - SSL_connect (Errno::ECONNRESET)
    from /opt/chef/embedded/lib/ruby/1.9.1/net/http.rb:800:in `block in connect'
    from /opt/chef/embedded/lib/ruby/1.9.1/timeout.rb:55:in `timeout'
    from /opt/chef/embedded/lib/ruby/1.9.1/timeout.rb:100:in `timeout'
    from /opt/chef/embedded/lib/ruby/1.9.1/net/http.rb:800:in `connect'
    from /opt/chef/embedded/lib/ruby/1.9.1/net/http.rb:756:in `do_start'
    from /opt/chef/embedded/lib/ruby/1.9.1/net/http.rb:745:in `start'
    from /opt/chef/embedded/lib/ruby/1.9.1/net/http.rb:1285:in `request'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/rest-client-1.6.7/lib/restclient/net_http_ext.rb:51:in `request'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/lib/chef/rest/rest_request.rb:99:in `block in call'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/lib/chef/rest/rest_request.rb:114:in `hide_net_http_bug'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/lib/chef/rest/rest_request.rb:98:in `call'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/lib/chef/rest.rb:169:in `block in raw_http_request'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/lib/chef/rest.rb:289:in `retriable_rest_request'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/lib/chef/rest.rb:167:in `raw_http_request'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/lib/chef/rest.rb:161:in `api_request'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/lib/chef/rest.rb:102:in `get'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/lib/chef/api_client.rb:139:in `list'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/lib/chef/knife/client_list.rb:38:in `run'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/lib/chef/knife.rb:466:in `run_with_pretty_exceptions'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/lib/chef/knife.rb:173:in `run'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/lib/chef/application/knife.rb:123:in `run'
    from /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.6.0/bin/knife:25:in `<top (required)>'
    from /usr/bin/knife:23:in `load'
    from /usr/bin/knife:23:in `<main>'

Lamont,

> Also, are you gem installing chef or using omnibus?
omnibus

> If you install 11.6 with omnibus (and validate that ls -la `which knife` is a symlink to omnibus) does it fix it?
root@esx-v4-068-234:/opt/chef/chef-repo/.chef# ls -la `which knife`
lrwxrwxrwx 1 root root 19 Aug 8 08:24 /usr/bin/knife -> /opt/chef/bin/knife

> Are you using rbenv or rvm?
I have no idea. Do you think that's related? How do I switch back and forth to test?


> From: Daniel DeLeo dan@kallistec.com
> To: phil helm dendron8@yahoo.com
> Cc: "chef@lists.opscode.com" chef@lists.opscode.com
> Sent: Friday, August 9, 2013 2:41 PM
> Subject: Re: [chef] SSL error running workstation/client commands to hosted server
>
> On Friday, August 9, 2013 at 10:33 AM, phil helm wrote:
>> Hi all,
>>
>> I am having some trouble getting anything on my Ubuntu box to connect to my hosted Chef server. What I am trying to do (I think) is to set up a workstation and/or a chef client on this same machine (which, I guess, is OK?). One example that produces the failure is 'knife client list', which returns:
>>
>> root@esx-v4-068-234:/opt/chef/chef-repo# knife client list
>> ERROR: Errno::ECONNRESET: Connection reset by peer - SSL_connect
>
> Does this happen consistently?
>
> Can you re-run this with -VV ?
>
>
> Daniel DeLeo