SSL errors on windows

Jeppe_Nejsum_Madsen · March 3, 2014, 4:01pm

Hi

I’ve started to look into using chef-solo to configure our workstations.
I’m running into the SSL problem shown below

I can see this is somewhat related, but should be fixed:
https://tickets.opscode.com/browse/CHEF-4649

Any other suggestions to solve this?

/Jeppe

Starting Chef Client, version 11.10.2

Recipe: git::windows

windows_package[Git version 1.8.1.2-preview20130201] action
installRecipe: <
Dynamically Defined Resource>
remote_file[c:/chef/Git-1.8.1.2-preview20130201.exe] action
create[2014-03-0
3T16:35:24+01:00] ERROR: SSL Validation failure connecting to host:
msysgit.goog
lecode.com - SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read
server h
ello A

Torben_Knerr · March 3, 2014, 8:12pm

Hi Jeppe,

seeing this quite often in recent times. Might all be the same:

github.com/chef-boneyard/vagrant-omnibus

Windows SSL cert verification issue

opened 01:12AM - 25 Feb 14 UTC

closed 12:52PM - 25 Apr 14 UTC

schisamo

This issue was originally reported by @tknerr as [a comment](https://github.com/…schisamo/vagrant-omnibus/issues/6#issuecomment-35963392) on #6: ## FYI: I was also running into the SSL cert verification issue described here: http://railsapps.github.io/openssl-certificate-verify-failed.html As a result, I got: ``` There are errors in the configuration of this machine. Please fix the following errors and try again: vagrant-omnibus: * '11.10.4' is not a valid version of Chef. A list of valid versions can be found at: http://www.opscode.com/chef/install/ ``` Baiscally any Chef version specified via `config.omnibus.chef_version` failed. This was on Windows 7 box, with ruby 1.9.3p125 and rubygems 2.0.3 I could fix it by downloading the `cacert.pem` and setting `SSL_CERT_FILE` as described here: https://gist.github.com/fnichol/867550 After that it worked again...

github.com/hashicorp/vagrant

Vagrant's embedded OpenSSL is missing root certificates

opened 06:14AM - 27 Feb 14 UTC

closed 06:17AM - 27 Feb 14 UTC

docwhat

The embedded OpenSSL in Vagrant is missing the root certificate bundles. Here's… an example of the problem: ``` bash ∵ /usr/bin/ruby -e "require 'open-uri' ; open('https://www.vagrantup.com/') { |f| puts f.read.size }" 4837 ∵ /Applications/Vagrant/embedded/bin/ruby -e "require 'open-uri' ; open('https://www.vagrantup.com/') { |f| puts f.read.size }" /Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError) from /Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:918:in `block in connect' from /Applications/Vagrant/embedded/lib/ruby/2.0.0/timeout.rb:52:in `timeout' from /Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:918:in `connect' from /Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:862:in `do_start' from /Applications/Vagrant/embedded/lib/ruby/2.0.0/net/http.rb:851:in `start' from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:313:in `open_http' from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:708:in `buffer_open' from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:210:in `block in open_loop' from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:208:in `catch' from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:208:in `open_loop' from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:149:in `open_uri' from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:688:in `open' from /Applications/Vagrant/embedded/lib/ruby/2.0.0/open-uri.rb:34:in `open' from -e:1:in `<main>' ``` It looks like `libcrypto.dynlib` is looking for `cert.pem` in `/vagrant-installer/staging/embedded/ssl/cert.pem`: ``` bash ∵ strings -a /Applications/Vagrant/embedded/lib/libcrypto.dylib | grep /cert.pem /vagrant-installer/staging/embedded/ssl/cert.pem ``` As a counter example, the Homebrew version of OpenSSL: ``` bash ∵ strings -a /usr/local/opt/openssl/lib/libcrypto.dylib | grep /cert.pem /usr/local/etc/openssl/cert.pem ``` What Homebrew does to provide some certificates is (get them from the Keychain) [https://github.com/Homebrew/homebrew/blob/master/Library/Formula/openssl.rb#L71]: ``` bash security find-certificate -a -p /Library/Keychains/System.keychain > cert.pem security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> cert.pem ``` However, you'll have to adjust the way you build Vagrant's OpenSSL so that it expects the `cert.pem` someplace within the embedded directory. Of course, you could also use the `export SSL_CERT_FILE=/path/to/cert.pem` method within the `vagrant` command but it won't fix people trying to use the embedded ruby directly. Ciao!

...

This is what worked for me:

gist.github.com

https://gist.github.com/fnichol/867550

README.md

# Why?

There is a long standing issue in Ruby where the *net/http* library by default does **not** check the validity of an SSL certificate during a TLS handshake. Rather than deal with the underlying problem (a missing certificate authority, a self-signed certificate, etc.) one tends to see [bad](http://stackoverflow.com/questions/1555006/how-do-i-tell-rubys-openssl-library-to-ignore-a-self-signed-certificate-error) [hacks](http://www.ruby-forum.com/topic/129530) [everywhere](http://www.peterkrantz.com/2007/open-uri-cert-verification/). This can lead to [problems](http://www.rubyinside.com/how-to-cure-nethttps-risky-default-https-behavior-4010.html) down the road.

From what I can see the OpenSSL library that [Rails Installer](http://railsinstaller.org) delivers has no certificate authorities defined. So, let's go fetch some from the [curl](http://curl.haxx.se/ca/) website. And since this is for ruby, why don't we download and install the file with a ruby script?

# Installation

## The Ruby Way! (Fun)

This file has been truncated. show original

win_fetch_cacerts.rb

require 'net/http'

# create a path to the file "C:\RailsInstaller\cacert.pem"
cacert_file = File.join(%w{c: RailsInstaller cacert.pem})

Net::HTTP.start("curl.haxx.se") do |http|
  resp = http.get("/ca/cacert.pem")
  if resp.code == "200"
    open(cacert_file, "wb") { |file| file.write(resp.body) }
    puts "\n\nA bundle of certificate authorities has been installed to"

This file has been truncated. show original

HTH, Torben

On Mon, Mar 3, 2014 at 5:01 PM, Jeppe Nejsum Madsen jeppe@ingolfs.dkwrote:

Hi

I've started to look into using chef-solo to configure our workstations.
I'm running into the SSL problem shown below

I can see this is somewhat related, but should be fixed:
https://tickets.opscode.com/browse/CHEF-4649

Any other suggestions to solve this?

/Jeppe

Starting Chef Client, version 11.10.2

Recipe: git::windows

windows_package[Git version 1.8.1.2-preview20130201] action
installRecipe: <
Dynamically Defined Resource>

remote_file[c:/chef/Git-1.8.1.2-preview20130201.exe] action
create[2014-03-0
3T16:35:24+01:00] ERROR: SSL Validation failure connecting to host:
msysgit.goog
lecode.com - SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read
server h
ello A

Adam_Edwards1 · March 3, 2014, 8:50pm

Well, that shouldn’t be an issue if you installed via Omnibus - Jeppe, did
you use omnibus to install Chef or did you gem install?

If you are missing the following file, that’s probably the cause, and
Torben’s advice would come into play for how you can replace it:

C:\opscode\chef\embedded\ssl\certs\cacert.pem

It’s also possible that something is out of date with that file, so
obtaining the latest per Torben’s instructions and copying it over the
existing could solve it.

I tried the following recipe on Chef 11.10 with ssl_verify_mode set to
:verify_peer and it worked for me via chef-solo, so at the moment I can’t
reproduce the issue

remote_file “c:/test/mybing.html” do

source “https://bing.com”

this fails when I replace with a site that has an invalid cert, and

that will succeed if I set verify mode to none

end

If that works for you Jeppe, then there must be something specific we need
to repro with your recipe - if you can share a failing fragment, that would
help.

Thanks.

-Adam

From: Torben Knerr [mailto:ukio@gmx.de]
Sent: Monday, March 3, 2014 12:13 PM
To: chef@lists.opscode.com
Subject: [chef] Re: SSL errors on windows

Hi Jeppe,

seeing this quite often in recent times. Might all be the same:

…

This is what worked for me:

gist.github.com

https://gist.github.com/fnichol/867550

README.md

# Why?

There is a long standing issue in Ruby where the *net/http* library by default does **not** check the validity of an SSL certificate during a TLS handshake. Rather than deal with the underlying problem (a missing certificate authority, a self-signed certificate, etc.) one tends to see [bad](http://stackoverflow.com/questions/1555006/how-do-i-tell-rubys-openssl-library-to-ignore-a-self-signed-certificate-error) [hacks](http://www.ruby-forum.com/topic/129530) [everywhere](http://www.peterkrantz.com/2007/open-uri-cert-verification/). This can lead to [problems](http://www.rubyinside.com/how-to-cure-nethttps-risky-default-https-behavior-4010.html) down the road.

From what I can see the OpenSSL library that [Rails Installer](http://railsinstaller.org) delivers has no certificate authorities defined. So, let's go fetch some from the [curl](http://curl.haxx.se/ca/) website. And since this is for ruby, why don't we download and install the file with a ruby script?

# Installation

## The Ruby Way! (Fun)

This file has been truncated. show original

win_fetch_cacerts.rb

require 'net/http'

# create a path to the file "C:\RailsInstaller\cacert.pem"
cacert_file = File.join(%w{c: RailsInstaller cacert.pem})

Net::HTTP.start("curl.haxx.se") do |http|
  resp = http.get("/ca/cacert.pem")
  if resp.code == "200"
    open(cacert_file, "wb") { |file| file.write(resp.body) }
    puts "\n\nA bundle of certificate authorities has been installed to"

This file has been truncated. show original

HTH, Torben

On Mon, Mar 3, 2014 at 5:01 PM, Jeppe Nejsum Madsen jeppe@ingolfs.dk
wrote:

Hi

I’ve started to look into using chef-solo to configure our workstations.
I’m running into the SSL problem shown below

I can see this is somewhat related, but should be fixed:
https://tickets.opscode.com/browse/CHEF-4649

Any other suggestions to solve this?

/Jeppe

Starting Chef Client, version 11.10.2

Recipe: git::windows

windows_package[Git version 1.8.1.2-preview20130201] action
installRecipe: <
Dynamically Defined Resource>
remote_file[c:/chef/Git-1.8.1.2-preview20130201.exe] action
create[2014-03-0
3T16:35:24+01:00] ERROR: SSL Validation failure connecting to host:
msysgit.goog
lecode.com - SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read
server h
ello A

Topic		Replies	Views
ERROR: SSL Validation Failure connecting to host Chef Infra (archive)	0	714	May 21, 2019
Why will hosted chef not work? SSL Validation failure connecting to host: s3-external-1.amazonaws.com Chef Infra (archive)	2	608	June 13, 2014
Apt_repository started failing with SSL verification errors Chef Infra (archive)	3	1299	October 4, 2021
Kitchen converge returns OpenSSL::SSL::SSLError: SSL_connect Chef Infra (archive)	5	3484	May 25, 2016
Intermittent SSL Errors with S3 Bookshelf Chef Infra (archive)	0	328	May 20, 2014

this fails when I replace with a site that has an invalid cert, and

Related Topics