SSL verification fails on a Berks API server?

I set up an organization called berks-api on my Chef 12 Enterprise server to act as my Berks API server, and setup berkshelf-api. I then ran berks-api with

$ berks-api -c ~/.berkshelf/api-server/config.json

…where my config.json file looks like

    {
      "endpoints": [
        {
          "type": "chef_server",
          "options": {
            "url": "https://myserver.domain.com/organizations/berks-api",
            "client_name": "jenkins",
            "client_key": "/etc/berkshelf/api-server/jenkins.pem",
            "ssl_verify": false
          }
        }
      ]
    }

…and see the following on my terminal, so I know it’s working.

    [2015-04-14T18:49:12.737950 #10033] INFO -- : Cache manager starting...
    I, [2015-04-14T18:49:12.738207 #10033] INFO -- : Loading save from /root/.berkshelf/api-server/cerch
    W, [2015-04-14T18:49:12.739368 #10033] WARN -- : Endpoints in config have changed - invalidating cache
    I, [2015-04-14T18:49:12.739465 #10033] INFO -- : Cache contains 0 items
    I, [2015-04-14T18:49:12.740341 #10033] INFO -- : Cache Builder starting...
    I, [2015-04-14T18:49:12.846975 #10033] INFO -- : REST Gateway listening on 0.0.0.0:26200
    I, [2015-04-14T18:49:12.887143 #10033] INFO -- : Processing chef_server: https://myserver.domain.com/organizations/berks-api
    I, [2015-04-14T18:49:12.963418 #10033] INFO -- : Found 25 cookbooks from chef_server: https://myserver.domain.com/organizations/berks-api
    I, [2015-04-14T18:49:12.964527 #10033] INFO -- : Processing metadata for 25 cookbooks with 0 remaining on chef_server: https://myserver.domain.com/organizations/berks-api

I’m able to upload cookbooks to the berks-api server.

Now I want to use Berkshelf magic to get cookbooks from it.

My Berkshelf file looks like this

    source "https://myserver.domain.com/organizations/berks-api:26200"
    metadata

    cookbook "linux_role"

When I do a berks install, I get

    Fetching cookbook index from https://myserver.domain.com:26200...
    /opt/chef/embedded/lib/ruby/2.1.0/net/http.rb:920:in `connect': SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A (Faraday::SSLError)
    from /opt/chef/embedded/lib/ruby/2.1.0/net/http.rb:920:in `block in connect'
    from /opt/chef/embedded/lib/ruby/2.1.0/timeout.rb:91:in `block in timeout'
    from /opt/chef/embedded/lib/ruby/2.1.0/timeout.rb:101:in `call'
    from /opt/chef/embedded/lib/ruby/2.1.0/timeout.rb:101:in `timeout'
    from /opt/chef/embedded/lib/ruby/2.1.0/net/http.rb:920:in `connect'
    from /opt/chef/embedded/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
    from /opt/chef/embedded/lib/ruby/2.1.0/net/http.rb:852:in `start'
    from /opt/chef/embedded/lib/ruby/2.1.0/net/http.rb:1369:in `request'
    from /opt/chef/embedded/lib/ruby/2.1.0/net/http.rb:1128:in `get'
    from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.1/lib/faraday/adapter/net_http.rb:80:in `perform_request'
    from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.1/lib/faraday/adapter/net_http.rb:40:in `block in call'
    from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.1/lib/faraday/adapter/net_http.rb:87:in `with_net_http_connection'
    from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.1/lib/faraday/adapter/net_http.rb:32:in `call'
    from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.1/lib/faraday/request/retry.rb:110:in `call'
    from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.1/lib/faraday/response.rb:8:in `call'
    from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.1/lib/faraday/response.rb:8:in `call'
    from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.1/lib/faraday/rack_builder.rb:139:in `build_response'
    from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.1/lib/faraday/connection.rb:377:in `run_request'
    from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/faraday-0.9.1/lib/faraday/connection.rb:140:in `get'
    from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/berkshelf-api-client-1.2.1/lib/berkshelf/api_client/connection.rb:62:in `universe'
    from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/berkshelf-3.2.3/lib/berkshelf/source.rb:22:in `build_universe'
    from /opt/chef/embedded/lib/ruby/gems/2.1.0/gems/berkshelf-3.2.3/lib/berkshelf/installer.rb:21:in `block (2 levels) in build_universe'

Is there an SSL setup I’m missing? I just want to disable SSL on the organization, if possible?

Chris

Hi,

I had the same error a while ago and --ssl-verify=false solved the issue.

berks upload cookbook_name --ssl-verify=false

Hope it helps
Michel

On Wed, Apr 15, 2015 at 11:30 AM, Fouts, Chris Chris.Fouts@sensus.com wrote:

> I set up an organization called berks-api on my Chef 12 Enterprise server to act as my Berks API server, and setup berkshelf-api. [...]

Thanks, but the “berks install” (NOT berks upload) does not accept the --ssl-verify=false option.

Chris

From: Michel Blankleder [mailto:michel.blankleder@gmail.com]
Sent: Wednesday, April 15, 2015 10:52 AM
To: chef@lists.opscode.com
Subject: [chef] Re: SSL verification fails on a Berks API server?

Hi,

I had the same error a while ago and --ssl-verify=false solved the issue.

berks upload cookbook_name --ssl-verify=false

Hope it helps
Michel


Is the port in the right location in your URL for the api server? Should
the port number go at the end of the uri?

Hi Chris,

  1. get the ssl cert from your chef server with:

    knife ssl fetch https://my.chefserver.net

and it will be stored in .chef/trusted_certs/my_chef_server.pem

  2. then use that pem file as the CA for your berks stuff by putting the
    following as the first line of your Berksfile:

    ENV['SSL_CERT_FILE'] = '.chef/trusted_certs/my_chef_server.pem'

That may help,

-Peter

On Wed, Apr 15, 2015 at 11:08 AM, Fouts, Chris Chris.Fouts@sensus.com wrote:

> Thanks, but the “berks install” (NOT berks upload) does not accept the
> --ssl-verify=false option.
>
> Chris


--

Peter Burkholder — Customer Success Engineer

Unavailability: No travel/PTO in April

301-204-5767 – pburkholder@chef.io – my: Linkedin http://www.linkedin.com/in/pburkholder Twitter http://www.twitter.com/pburkholder Calendar https://www.google.com/calendar/embed?src=pburkholder%40chef.io&mode=WEEK


Thanks.

I’m running the berks-api service with ssl_verify = false, so I just had to use http instead of https protocol in my source line in the Berksfile and it worked.

    source "http://myserver.domain.com:26200"

I will try running the berks-api service with SSL though, and try your idea.

Chris

From: Peter Burkholder [mailto:pburkholder@chef.io]
Sent: Wednesday, April 15, 2015 10:09 PM
To: chef@lists.opscode.com
Subject: [chef] Re: RE: Re: SSL verification fails on a Berks API server?

Hi Chris,

  1. get the ssl cert from your chef server with:

    knife ssl fetch https://my.chefserver.net

and it will be stored in .chef/trusted_certs/my_chef_server.pem

  2. then use that pem file as the CA for your berks stuff by putting the following as the first line of your Berksfile:

    ENV['SSL_CERT_FILE'] = '.chef/trusted_certs/my_chef_server.pem'

That may help,

-Peter
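
An added example, not code from this thread or from Berkshelf: a Ruby probe that tells apart the cases the thread runs into, namely a port that speaks plain HTTP (as the berks-api REST gateway did here, which is why `http://` worked), a TLS endpoint whose certificate is not trusted, and a TLS endpoint verified against a pinned PEM file in the way the `SSL_CERT_FILE` suggestion works. The function names, the local listeners and the throwaway certificate are constructed for the demonstration.

```ruby
require "socket"
require "openssl"
require "tempfile"
require "timeout"

# Returns :tls_verified, :tls_untrusted, :plain_http or :unknown for host:port.
# ca_file plays the role of SSL_CERT_FILE; verification is never switched off.
def probe_endpoint(host, port, server_name: host, ca_file: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert_store = OpenSSL::X509::Store.new
  ca_file ? ctx.cert_store.add_file(ca_file) : ctx.cert_store.set_default_paths
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new(host, port), ctx)
  ssl.sync_close = true       # closing ssl also closes the TCP socket
  ssl.hostname = server_name  # SNI, and the name the certificate must match
  Timeout.timeout(5) { ssl.connect }
  :tls_verified
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError, Timeout::Error => e
  return :tls_untrusted if e.message.include?("certificate verify failed")
  speaks_http?(host, port) ? :plain_http : :unknown
ensure
  ssl&.close rescue nil
end

# True when the port answers a cleartext request with an HTTP status line.
def speaks_http?(host, port)
  TCPSocket.open(host, port) do |s|
    s.write("GET / HTTP/1.0\r\nHost: #{host}\r\n\r\n")
    s.gets.to_s.start_with?("HTTP/")
  end
rescue SystemCallError, EOFError
  false
end

# Constructed fixtures: a throwaway self-signed certificate and two listeners.
def self_signed_cert(name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{name}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

def in_background(server)
  Thread.new do
    loop do
      yield server.accept
    rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
      next # failed handshake or dropped peer: keep serving
    end
  end
end

# Plain-HTTP listener standing in for the berks-api REST gateway.
def start_plain_http
  server = TCPServer.new("127.0.0.1", 0)
  in_background(server) do |client|
    req = client.readpartial(1024)
    client.write("HTTP/1.0 200 OK\r\n\r\n{}") if req.start_with?("GET ")
    client.close
  end
  server.addr[1]
end

# TLS listener standing in for a Chef server with a self-signed certificate.
def start_tls(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.key, ctx.cert = key, cert
  tcp = TCPServer.new("127.0.0.1", 0)
  in_background(OpenSSL::SSL::SSLServer.new(tcp, ctx), &:close)
  tcp.addr[1]
end

def demo
  key, cert = self_signed_cert("localhost")
  pem = Tempfile.new("pinned").tap { |f| f.write(cert.to_pem); f.flush }
  tls = start_tls(key, cert)
  { gateway: probe_endpoint("127.0.0.1", start_plain_http),
    default_trust: probe_endpoint("127.0.0.1", tls, server_name: "localhost"),
    pinned: probe_endpoint("127.0.0.1", tls, server_name: "localhost", ca_file: pem.path) }
end
p demo if __FILE__ == $PROGRAM_NAME
```

In this thread's setup, `:plain_http` on port 26200 matches what Chris found with the `http://` source line, and `:tls_untrusted` is the case the pinned-certificate approach addresses without turning verification off.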
