[chef] SSL error running workstation/client commands to hosted server


  • From: phil helm < >
  • To: " " < >
  • Subject: [chef] SSL error running workstation/client commands to hosted server
  • Date: Fri, 9 Aug 2013 10:33:57 -0700 (PDT)

Hi all,

I am having some trouble getting anything on my Ubuntu box to connect to my hosted chef server. What I am trying to do (I think) is to set up a workstation and/or a chef client on this same machine (which, I guess, is ok?). One example that produces the failure is 'knife client list' which returns:

:/opt/chef/chef-repo# knife client list
ERROR: Errno::ECONNRESET: Connection reset by peer - SSL_connect

I have this config:

:/opt/chef/chef-repo/.chef# ll
total 20
drwxr-xr-x  2 root root 4096 Aug  8 08:53 ./
drwxr-xr-x 10 root root 4096 Aug  8 08:50 ../
-rw-r--r--  1 root root  817 Aug  9 12:41 knife.rb
-rw-r--r--  1 root root 1675 Aug  9 10:38 philhelm.pem
-rwxr-xr-x  1 root root 1675 Aug  9 09:04 phils_hosted_chef_server-validator.pem*

and my knife.rb looks like this:
# See http://docs.opscode.com/config_rb_knife.html for more information on knife configuration options

current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                "philhelm"
client_key               "/opt/chef/chef-repo/.chef/philhelm.pem"
validation_client_name   "phils_hosted_chef_server-validator"
validation_key           "/opt/chef/chef-repo/.chef/phils_hosted_chef_server-validator.pem"
chef_server_url          "https://api.opscode.com/organizations/phils_hosted_chef_server"
cache_type               'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path            ["#{current_dir}/../cookbooks"]
ssl_ca_path              '/etc/ssl/certs'
ssl_verify_mode          'verify_none'
ssl_version              'SSLv3'

(the last three lines here were added by me after doing some googling - it didn't seem to change anything).

I tried some manual openssl commands on my Ubuntu box:

 >openssl s_client -connect api.opscode.com:443 -key /opt/chef/chef-repo/.chef/philhelm.pem
 which returns this output:

CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Opscode, Inc/CN=*.opscode.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
subject=/C=US/ST=Washington/L=Seattle/O=Opscode, Inc/CN=*.opscode.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3200 bytes and written 551 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: B572D6CBE3B0E35D9E071B61F99C69C257A4724E7127E9A727E90695FA0DF61D
    Session-ID-ctx:
    Master-Key: A35B6F5141086833168B7837829F78A5F502C5B09606BD668ECA069BE8E1F7E01F055EA16766CCBDD1220CDF920D28BF
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    Start Time: 1376069258
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0

I don't know if this really tells me anything. I have tried countless google suggestions to no success. Does anyone have any thoughts on this?

Chef version 11.6
Ruby 1.8 and Ruby 1.9.1 installed (not sure why - maybe this is a problem?)
Ubuntu 12.04

Thanks
Phil
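
Added example, not part of the original post and not Chef's own code: a small Ruby audit of the knife.rb settings and key-file listing quoted above, flagging disabled certificate verification, a pinned SSLv3, and private keys readable by group/other. The function names and the corrected variant are constructed for illustration; the sample strings are copied from the post.

```ruby
# Added example: audit knife.rb text and an `ls -l` listing (not from the post).
# Constructed inputs: values copied from the post.
KNIFE_RB = <<~'CONF'
  chef_server_url          "https://api.opscode.com/organizations/phils_hosted_chef_server"
  ssl_ca_path              '/etc/ssl/certs'
  ssl_verify_mode          'verify_none'
  ssl_version              'SSLv3'
CONF
LISTING = <<~'LS'
  -rw-r--r--  1 root root  817 Aug  9 12:41 knife.rb
  -rw-r--r--  1 root root 1675 Aug  9 10:38 philhelm.pem
  -rwxr-xr-x  1 root root 1675 Aug  9 09:04 phils_hosted_chef_server-validator.pem*
LS
# Constructed corrected variant (assumption: verification on, no protocol pin, keys 0600).
FIXED_RB = <<~'CONF'
  chef_server_url          "https://api.opscode.com/organizations/phils_hosted_chef_server"
  ssl_ca_path              '/etc/ssl/certs'
  ssl_verify_mode          :verify_peer
CONF
FIXED_LS = <<~'LS'
  -rw-------  1 root root 1675 Aug  9 10:38 philhelm.pem
  -rw-------  1 root root 1675 Aug  9 09:04 phils_hosted_chef_server-validator.pem
LS

# Parse simple `name value` lines; accepts 'str', "str" and :symbol values.
def knife_settings(text)
  text.each_line.with_object({}) do |line, out|
    m = line.match(/^\s*(\w+)\s+[:'"]?([^'"\s]+)['"]?\s*$/)
    out[m[1]] = m[2] if m
  end
end

# Names of .pem files whose group/other permission bits are not all clear.
def exposed_keys(listing)
  listing.each_line.map(&:split).map do |f|
    name = f.last.to_s.sub(/\*\z/, '') # drop the `ls -F` executable marker
    name if f.size >= 9 && name.end_with?('.pem') && f.first[4, 6] != '------'
  end.compact
end

def audit(conf, listing)
  s = knife_settings(conf)
  out = []
  out << 'ssl_verify_mode verify_none: server certificate is not validated' if s['ssl_verify_mode'] == 'verify_none'
  out << "ssl_version #{s['ssl_version']}: obsolete protocol pinned" if %w[SSLv2 SSLv3].include?(s['ssl_version'])
  out << 'chef_server_url is not https' unless s['chef_server_url'].to_s.start_with?('https://')
  out + exposed_keys(listing).map { |k| "#{k}: private key readable by group/other, expected 0600" }
end
puts audit(KNIFE_RB, LISTING) if __FILE__ == $PROGRAM_NAME
```

Run against the posted settings it reports four findings; the corrected variant reports none.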



