Tiered Chef 11 (2 front end, 1 back end servers) - knife ssl check error

My Chef 11 environment has 2 front end and 1 back end servers. I ran "knife ssl fetch" on my Chef workstation and it completed successfully. When I run "knife ssl check", sometimes it says "Connecting to host chef11.mycompany.com:443 Successfully verified certificates from chef11.mycompany.com", but most of the time it gives an error. When I ran "knife client list" from my workstation, it always says "ERROR: SSL Validation failure connecting to host: chef11.mycompany.com - SSL_connect returned=1 errno=0 state=error: certificate verify failed". I tested with shutting down one front end server and keeping the other one running, but I got similar errors. nslookup shows chef11.mycompany.com resolves to the 2 IP addresses for the 2 front end servers. The self-signed certificate belongs to chef11.mycompany.com. It seems my workstation can't use this certificate to establish a secure connection with either of the 2 front end servers.
Thanks in advance for any insights on how to fix this.

What error?

Is it a straight-up self-signed cert (i.e., it's its own root) or do you have a CA with a separate root?

Error when I ran "knife ssl check":

Connecting to host chef11.mycompany.com:443
ERROR: The SSL certificate of chef11.mycompany.com could not be verified
Certificate issuer data: /C=US/ST=WA/L=Seattle/O=YouCorp/OU=Operations/CN=chef11.mycompany.com/emailAddress=you@example.com

Configuration Info:

OpenSSL Configuration:
  * Version: OpenSSL 1.0.1p 9 Jul 2015
  * Certificate file: /opt/chefdk/embedded/ssl/cert.pem
  * Certificate directory: /opt/chefdk/embedded/ssl/certs
Chef SSL Configuration:
  * ssl_ca_path: nil
  * ssl_ca_file: nil
  * trusted_certs_dir: "/home/vx/chef-repo/.chef/trusted_certs"

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server's certificate.

By default, the certificate is stored in the following location on the host
where your chef-server runs:

  /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently: /home/vx/chef-repo/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.

Note: the .crt was already in the trusted_certs folder after I ran knife ssl fetch. It's a straight-up self-signed cert (its own root). I don't have a CA with a separate root.

Some more info:
knife --version on ChefDK workstation gives Chef: 12.5.1. pc-version.txt on the Chef server says Opscode Private Chef 1.2.8.2. I also tried ssl_verify_mode :verify_none in knife.rb but same errors remain.

The only thing I can think of is that the two FEs have different self-signed certs. If you run knife ssl fetch it stores the cert with a filename based on the CN (which is the hostname). If you copy the cert from one of the machines to the other one and restart, then I would expect things should work (possibly with another knife ssl fetch needed first).

Also, ssl_verify_mode :verify_none should disable cert verification for normal commands but knife ssl check will still report errors since its purpose is to tell you why you get cert verification errors.
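One way to test the "two different self-signed certs" hypothesis from the workstation, as an added example that is not code from this thread or from Chef: resolve the server name to every front end IP, open a TLS connection to each one individually (sending the shared hostname as SNI), fingerprint the leaf certificate each node presents, and compare those fingerprints both with each other and with the .crt files knife ssl fetch stored in trusted_certs. The hostname chef11.mycompany.com and the trusted_certs path are taken from the thread; everything else is an assumption of this example.

```python
"""Compare the certificate served by each front end behind a round-robin
Chef server name, and check which of them knife already trusts.
Added example, not part of the original thread or of Chef itself."""
from __future__ import annotations

import hashlib
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon separated."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def resolve_all(hostname: str, port: int = 443) -> list[str]:
    """Every IPv4 address the name resolves to (the two front ends here)."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_cert_der(ip: str, hostname: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Connect to one specific front end IP, send SNI for the shared hostname,
    and return the leaf certificate it presents. Verification is disabled on
    purpose: we want to see which cert each node serves, not to trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True)


def compare_frontends(certs_by_ip: dict[str, bytes]) -> dict:
    """Group front ends by the fingerprint of the certificate they serve.
    'consistent' is True only when every node serves the same certificate."""
    by_fp: dict[str, list[str]] = {}
    for ip, der in certs_by_ip.items():
        by_fp.setdefault(fingerprint(der), []).append(ip)
    return {"consistent": len(by_fp) == 1, "by_fingerprint": by_fp}


def trusted_fingerprints(pems: list[str]) -> set[str]:
    """Fingerprints of the PEM certificates knife ssl fetch stored in trusted_certs."""
    return {fingerprint(ssl.PEM_cert_to_DER_cert(pem)) for pem in pems}


def check_against_trusted(certs_by_ip: dict[str, bytes], pems: list[str]) -> dict[str, bool]:
    """True for each front end whose served certificate knife already trusts."""
    trusted = trusted_fingerprints(pems)
    return {ip: fingerprint(der) in trusted for ip, der in certs_by_ip.items()}


def load_trusted_certs_dir(path: str) -> list[str]:
    """Read every .crt file in knife's trusted_certs_dir (assumed layout)."""
    return [p.read_text() for p in Path(path).glob("*.crt")]


if __name__ == "__main__":
    host = "chef11.mycompany.com"            # server name from the thread
    trusted_dir = ".chef/trusted_certs"      # relative to the chef-repo, as in the thread
    certs = {ip: fetch_cert_der(ip, host) for ip in resolve_all(host)}
    result = compare_frontends(certs)
    for fp, ips in result["by_fingerprint"].items():
        print(f"{fp}  served by {', '.join(ips)}")
    print("all front ends serve the same certificate:", result["consistent"])
    for ip, ok in check_against_trusted(certs, load_trusted_certs_dir(trusted_dir)).items():
        print(f"{ip}: {'trusted' if ok else 'NOT in trusted_certs'}")
```

Run it from the chef-repo directory. If the fingerprints differ per IP, the intermittent knife ssl check result is explained by DNS round robin: whichever front end answers decides whether the cert in trusted_certs matches, and knife ssl fetch only ever stored the cert of the node it happened to reach. The same per-node check can be done by hand with openssl s_client against each IP with -servername set to the shared hostname.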

After some more research, it turns out Chef client 10.18.2 works. This is a version without SSL, I believe, therefore bypassing the self-signed certificate issue.

That version is unsupported. If you really want to just bypass SSL entirely, you can configure your server to serve HTTP (no S).

Daniel DeLeo

Is the following the correct way to bypass ssl?
1. In private-chef.rb in /etc/opscode, add nginx['enable_non_ssl'] = true
2. Run chef-server-ctl reconfigure
Any other steps?

After that, configure your clients' (including knife's) chef_server_url for http instead of https.

Daniel DeLeo


Thanks kallistec.