chef - [chef] Re: Re: Excon::Errors::SocketError Unable to verify certificate

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Re: Excon::Errors::SocketError Unable to verify certificate

From: Lamont Granquist < >
To: < >
Subject: [chef] Re: Re: Excon::Errors::SocketError Unable to verify certificate
Date: Fri, 21 Jun 2013 14:16:22 -0700

It looks like excon is now searching for an openssl.cnf, and omnibus ships with the example openssl.cnf which openssl installs by default in the omnibus build at /opt/chef/embedded/ssl/openssl.cnf -- and when it finds that file it goes off and does something using incorrect information that isn't entirely clear to me...

Since the start of openssl.cnf begins with a comment about "This is mostly being used for generation of certificate requests." it isn't clear to me why a client app expects to get something useful out of that. But it also isn't clear to me why openssl isn't installing that as openssl.cnf.example or something.

AFAIK, we could remove that out of the omnibus build and then I think it will fall back to the DEFAULT_CA_FILE in the omnibus build correctly...

If you manually nuke that file does excon 0.25.0 work correctly?

On 6/21/13 12:50 PM,

wrote:

On Fri, 21 Jun 2013,

wrote:

My newly launched nodes started failing in their route53 recipe last nite with
this error:

FATAL: Excon::Errors::SocketError:
route53_record[chef-ci-web.dev.needtogetmyoontzon.com]
(resolver::default line 128) had an error: Excon::Errors::SocketError:
Unable to verify certificate, please set `Excon.defaults[:ssl_ca_path]
= path_to_certs`, `Excon.defaults[:ssl_ca_file] = path_to_file`, or
`Excon.defaults[:ssl_verify_peer] = false` (less secure).

On such a system, I see:

/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/excon-0.25.0

On a system launched only a couple days ago, I see

/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/excon-0.24.0

I see 0.25.0 changed the behavior of how it finds certs:
https://github.com/geemus/excon/blob/master/changelog.txt

I'm not sure if I should bug geemus, or the chef community. In the meantime,
I'm gonna see if I can pin my clients to 0.24.0 so we're not stuck on this.

I was able to prevent excon 0.25.0 from being installed, and instead install
excon 0.24.0 by calling this early in my run_list:

     chef_gem "excon" do
       version "0.24.0"
     end

fwiw.

My deets:

AWS Linux 2012.09, chef 10.24.0

[chef] Excon::Errors::SocketError Unable to verify certificate, kallen, 06/21/2013
- [chef] Re: Excon::Errors::SocketError Unable to verify certificate, kallen, 06/21/2013
  - [chef] Re: Re: Excon::Errors::SocketError Unable to verify certificate, Lamont Granquist, 06/21/2013
    - [chef] Re: Re: Re: Excon::Errors::SocketError Unable to verify certificate, kallen, 06/21/2013
      - [chef] Re: Re: Re: Re: Excon::Errors::SocketError Unable to verify certificate, Lamont Granquist, 06/21/2013
        
        [chef] Re: Re: Re: Re: Re: Excon::Errors::SocketError Unable to verify certificate, kallen, 06/21/2013