The SSL certificate could not be verified

wasimkham · August 15, 2016, 2:11pm

I have a self hosted chef server. I’m trying to run chef-client on a node after installing it from a bash script. Unfortunately I’m getting the following error

The SSL certificate of chef.domain.com could not be verified

The SSL certificate is a valid SSL certificate, not a self signed one. It’s valid in the browser too.

I’ve followed the instructions and run knife ssl fetch -s https://chef.domain.com and it successfully downloads the certificate to ~/.chef/trusted_certificates but when I try to run chef-client again or even verify the ssl, it still get errors:

WARNING: There are invalid certificates in your trusted_certs_dir.
OpenSSL will not use the following certificates when verifying SSL connections:

/root/.chef/trusted_certs/wildcard_domain_com.crt: unable to get local issuer certificate

What could the problem be?

carlos727 · August 16, 2016, 4:58pm

Hi @wasimkham, when you build your own chef server its certificate is not reconigzed, if you remember you have to download it in your workstation. You can use ssl_verify_mode :verify_none in the client.rb file, which is located in the node, to solve the problem.

If you want to certify your chef server you need to pay for that but is not necessary.

Regards.

wasimkham · August 16, 2016, 5:58pm

Hi @carlos727 as mentioned in my post, it’s not a self signed certificate. It’s a valid wildcard certificate from a certificate authority.

kallistec · August 16, 2016, 6:20pm

Is this an in-house CA or a CA that would have its root certificate in the common CA bundles?

For an in-house CA, you might need to manually concat the certs in the chain in the correct order; I think (but haven't had time to investigate) that OpenSSL can't figure things out when the certs aren't fed to it in topo-sorted order.

For a "trusted" CA, you will want to make sure the certs in your cert chain are using up-to-date crypto; there have been issues in the past where root certs got removed from the bundle because they were using out of date algorithms. The omnibus code that installs the cert file is here: https://github.com/chef/omnibus-software/blob/master/config/software/cacerts.rb which should give you enough pointers to investigate on your own.

wasimkham · August 17, 2016, 10:16am

Thanks for the advice. So I fixed this by placing the ca-bundle file as the trusted certificate instead of the actual crt file. I had to rename it to chef.domain.com.crt but it worked. Thanks for your help.

Topic		Replies	Views
Error: The SSL certificate of "Chef Server name" could not be verified Chef Infra (archive)	2	1396	June 9, 2016
Unable to use SSL cert from in-house Chef Server w/ knife Chef Infra (archive)	4	942	February 17, 2015
CHEF SSL connection issue with Node servers Chef Infra (archive)	4	687	October 6, 2020
How to solve SSL certificate issue? Chef Infra (archive)	2	689	September 9, 2016
Knife ssl check/fetch/check against a self-signed winrm ssl-transport host fails Chef Infra (archive)	1	940	September 29, 2015

The SSL certificate could not be verified

Related Topics