[chef] Re: Error connecting to SSL URL


Chronological Thread 
  • From: Joshua Timberman < >
  • To:
  • Subject: [chef] Re: Error connecting to SSL URL
  • Date: Mon, 24 Aug 2009 11:54:38 -0600


Hello!

On Aug 24, 2009, at 11:38 AM, < > < > wrote:

I'm able to install chef server 7.8 on centos5.3 per wiki guide. I'm also able
to run chef client on a node and then 'validate' registration from the server
web UI. However, subsequent chef-client runs fail. Looks like openid issues.
Am hoping someone can point me in the right direction.  

~ Started request handling: Mon Aug 24 03:26:23 -0700 2009
~ Params: {"submit"=>"Verify", "action"=>"start",
"controller"=>"chef_server_slice/openid_consumer",
"openid_identifier"=>"https://chef001.blah.com:444/openid/server/node/node001_blah_com "}
~ WARNING: making https request to
https://chef001.blah.com:444/openid/server/node/node001_blah_com without
verifying server certificate; no CA path was specified.
~ Discovery failed for
https://chef001.blah.com:444/openid/server/node/node001_blah_com: Failed to
fetch identity URL
https://chef001.blah.com:444/openid/server/node/node001_blah_com : Error
connecting to SSL URL
https://chef001.blah.com:444/openid/server/node/node001_blah_com: hostname does
not match - (Merb::ControllerExceptions::BadRequest)


First, on the server side, you need to make sure all the SSL bits line up properly. For example from my CentOS 5.3 test system:

# grep _url /etc/chef/server.rb
registration_url   "https://centos5test.int.example.com"
openid_url         "https://centos5test.int.example.com:444"
template_url       "https://centos5test.int.example.com"
remotefile_url     "https://centos5test.int.example.com"
search_url         "https://centos5test.int.example.com"
role_url           "https://centos5test.int.example.com"

# grep SSLCert /etc/httpd/sites-enabled/chef_server.conf
SSLCertificateFile /etc/chef/certificates/centos5test.int.example.com.pem
SSLCertificateKeyFile /etc/chef/certificates/centos5test.int.example.com.pem
SSLCertificateFile /etc/chef/certificates/centos5test.int.example.com.pem
SSLCertificateKeyFile /etc/chef/certificates/centos5test.int.example.com.pem

The first two are for the 443 vhost (webui etc.) and the second two are for the 444 vhost (openid). They should both match.

# openssl x509 -noout -text -fingerprint < /etc/chef/certificates/centos5test.int.example.com.pem | grep Subject:
Subject: C=US, ST=Several, L=Locality, O=Example, OU=Operations, CN=centos5test.int.example.com/

The certificate file is the same as used in the vhosts, and the CN should match the FQDN of the server.

You can regenerate this by editing the JSON data used with the Chef Solo bootstrap and adding an attribute for "server_ssl_req". The configuring server/clients wiki page has an example of how this string should look (hint: similar to the subject line).

--
Opscode, Inc
Joshua Timberman, Senior Solutions Engineer
C: 720.878.4322 E: 


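A consistency check for the setup described in the reply above, written as an added example (it is not code from this thread or from Chef itself): it pulls the hostnames out of the *_url settings in a server.rb excerpt and compares them with the certificate's CN, which is exactly the mismatch behind the "hostname does not match" error in the quoted log. The server.rb excerpt and the openssl subject line are constructed for illustration.

```python
# Added example, not from the original thread: does every *_url hostname in
# server.rb match a name the vhost certificate is valid for? Matching follows
# the usual TLS rule: exact (case-insensitive) match, or a single '*' as the
# whole leftmost label. Inputs are constructed, not taken from a real system.
import re
from urllib.parse import urlsplit

# Constructed server.rb excerpt (hostnames and port are illustrative).
SERVER_RB = """
registration_url   "https://centos5test.int.example.com"
openid_url         "https://centos5test.int.example.com:444"
template_url       "https://centos5test.int.example.com"
"""

# Constructed `openssl x509 -noout -subject` output for the vhost certificate.
SUBJECT_LINE = ("subject= /C=US/ST=Several/L=Locality/O=Example/OU=Operations"
                "/CN=centos5test.int.example.com")


def url_hosts(config_text):
    """Return {setting: hostname} for every *_url line in the config."""
    hosts = {}
    for key, url in re.findall(r'^\s*(\w+_url)\s+"([^"]+)"', config_text, re.M):
        hosts[key] = urlsplit(url).hostname
    return hosts


def cert_names(subject_line, sans=()):
    """Collect the CN (either '/'- or ','-separated subject) plus DNS SANs."""
    names = re.findall(r'CN=([^/,]+)', subject_line)
    return [n.strip().lower() for n in names] + [s.lower() for s in sans]


def hostname_matches(host, pattern):
    """Exact match, or '*.' wildcard covering exactly one leftmost label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False


def check_config(config_text, subject_line, sans=()):
    """Return {setting: bool}; False means clients contacting that URL will
    see 'hostname does not match', as in the quoted chef-client error."""
    names = cert_names(subject_line, sans)
    return {k: any(hostname_matches(h, n) for n in names)
            for k, h in url_hosts(config_text).items()}
```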


