I have a self hosted chef server. I’m trying to run chef-client on a node after installing it from a bash script. Unfortunately I’m getting the following error
The SSL certificate of chef.domain.com could not be verified
The SSL certificate is a valid SSL certificate, not a self signed one. It’s valid in the browser too.
I’ve followed the instructions and run
knife ssl fetch -s https://chef.domain.com and it successfully downloads the certificate to
~/.chef/trusted_certificates but when I try to run chef-client again or even verify the ssl, it still get errors:
WARNING: There are invalid certificates in your trusted_certs_dir.
OpenSSL will not use the following certificates when verifying SSL connections:
/root/.chef/trusted_certs/wildcard_domain_com.crt: unable to get local issuer certificate
What could the problem be?
Hi @wasimkham, when you build your own chef server its certificate is not reconigzed, if you remember you have to download it in your workstation. You can use
ssl_verify_mode :verify_none in the client.rb file, which is located in the node, to solve the problem.
If you want to certify your chef server you need to pay for that but is not necessary.
Hi @carlos727 as mentioned in my post, it’s not a self signed certificate. It’s a valid wildcard certificate from a certificate authority.
Is this an in-house CA or a CA that would have its root certificate in the common CA bundles?
For an in-house CA, you might need to manually concat the certs in the chain in the correct order; I think (but haven’t had time to investigate) that OpenSSL can’t figure things out when the certs aren’t fed to it in topo-sorted order.
For a “trusted” CA, you will want to make sure the certs in your cert chain are using up-to-date crypto; there have been issues in the past where root certs got removed from the bundle because they were using out of date algorithms. The omnibus code that installs the cert file is here: https://github.com/chef/omnibus-software/blob/master/config/software/cacerts.rb which should give you enough pointers to investigate on your own.
Thanks for the advice. So I fixed this by placing the
ca-bundle file as the trusted certificate instead of the actual
crt file. I had to rename it to
chef.domain.com.crt but it worked. Thanks for your help.