SSL Validation failure connecting to host while boostrapping

Hi all,
I tried to bootstrap a node with a chef server on cent os 7

[devesh@localhost work] knife ssl check Connecting to host localhost:443 Successfully verified certificates from `localhost' [devesh@localhost work] sudo knife bootstrap 192.168.1.11 --ssh-user devesh --identity-file dc911.pem --node-name node1-desk --run-list ‘recipe[pkg_oprn_ubuntu]’
[sudo] password for devesh:
Node node1-desk exists, overwrite it? (Y/N) y
Client node1-desk exists, overwrite it? (Y/N) y
Creating new client for node1-desk
Creating new node for node1-desk
Connecting to 192.168.1.11
devesh@192.168.1.11’s password:
192.168.1.11 -----> Existing Chef installation detected
192.168.1.11 chmod: changing permissions of ‘/etc/chef/client.pem’: Operation not permitted
192.168.1.11 Starting the first Chef Client run…
192.168.1.11 Starting Chef Client, version 12.14.89
192.168.1.11 [2017-02-02T20:14:42+05:30] ERROR: SSL Validation failure connecting to host: localhost - SSL_connect returned=1 errno=0 state=error: certificate verify failed
192.168.1.11
192.168.1.11 ================================================================================
192.168.1.11 Chef encountered an error attempting to load the node data for "node1-desk"
192.168.1.11 ================================================================================
192.168.1.11
192.168.1.11 Unexpected Error:
192.168.1.11 -----------------
192.168.1.11 OpenSSL::SSL::SSLError: SSL Error connecting to https://localhost/organizations/lp7/nodes/node1-desk - SSL_connect returned=1 errno=0 state=error: certificate verify failed
192.168.1.11
192.168.1.11 Platform:
192.168.1.11 ---------
192.168.1.11 x86_64-linux
192.168.1.11
192.168.1.11
192.168.1.11 Running handlers:
192.168.1.11 [2017-02-02T20:14:42+05:30] ERROR: Running exception handlers
192.168.1.11 Running handlers complete
192.168.1.11 [2017-02-02T20:14:42+05:30] ERROR: Exception handlers complete
192.168.1.11 Chef Client failed. 0 resources updated in 02 seconds
192.168.1.11 [2017-02-02T20:14:42+05:30] FATAL: Stacktrace dumped to /home/devesh/.chef/cache/chef-stacktrace.out
192.168.1.11 [2017-02-02T20:14:42+05:30] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
192.168.1.11 [2017-02-02T20:14:42+05:30] ERROR: SSL Error connecting to https://localhost/organizations/lp7/nodes/node1-desk - SSL_connect returned=1 errno=0 state=error: certificate verify failed
192.168.1.11 [2017-02-02T20:14:42+05:30] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

My knife.rb configuration file is

current_dir = File.dirname(FILE)
log_level :info
log_location STDOUT
node_name "dc911"
client_key “/home/devesh/work/dc911.pem"
chef_server_url “https://localhost/organizations/lp7"
cookbook_path [”/home/devesh/work/cookbs”]
ssl_verify_mode :verify_none

Also I have set ssl_verify_mode :verify_none in client.rb of client node

Hi,

To really disable all SSL checks you will have to set “verify_api_cert false” in your knife.rb and client.rb.
What seems odd to me is the chef server url. Are you sure that localhost is what you want? How can the node your are trying access the chef server if it’s configured url is localhost?

Yeah, knife ssl check is only going to verify your workstation config, not the setup on the server you’re bootstrapping. You probably also need to add in the --sudo flag to knife bootstrap as well, judging from the permission error you ran into on /etc/chef/client.pem.

try to copy all the certs from server to workstation and make sure you config knife.rb right but providing the url BTW what chef server are you using is it automate or manage…?

Hi @joerg.herzinger ,Thak you for your quick reply,
I added erify_api_cert false" in knife.rb as well as client.rb but I am facing same error.
And yes my computer name is localhost hence when i generated knife.rb from chef mange localhost got into the url of chef server
I am unable to find whats wrong but could it be
chmod: changing permissions of ‘/etc/chef/client.pem’: Operation not permitted
owing to this ?
and I have changed permissions of client.pem to 777 by chmod

Well, I have to admin that I still don’t really understand your setup. The “localhost” setting however can not be correct. The chef_server_url will be used when using “knife bootstrap” to tell the new node the location of the chef server. Could you provide the content of your your new nodes /etc/chef/client.rb? This could confirm my theory that simply your chef server setup is wrong.

@joerg.herzinger ,here are the contents of client.rb of my node

log_location STDOUT
chef_server_url "https://localhost/organizations/lp7"
validation_client_name "chef-validator"
node_name "node1-desk"
trusted_certs_dir "/etc/chef/trusted_certs"
erify_api_cert :false

is client.rb get created or modified while every bootstrap ?

I am not sure if the client.rb get overwritten at every bootstrap, but I think so. At least this confirms my theory, since localhost can of course not be the correct URL for the chef server. My guess is that you need to correct your chef server setup and/or your knife.rb.

@joerg.herzinger could you suggest me what needs to be modified, Do i need to configure chef server with different host name ?

Well, I do not know your setup but here are some suggestions:

  • Configure your chef server to use a valid and real FQDN, something like chef.my-company.com or chef.my-internal-dns.com.
  • Use a valid certificate for your chef server
  • Configure your workstation/chefdk to use this valid FQDN to access the chef server

You can get the cacert.pem file from a chef install, insert your own self-signed/internal CA cert into this file and then use a cookbook to deploy it to your nodes. Once the certs are in the cacert.pem (in /opt/chef/embedded/ssl/certs) the ssl validation will work.