- From: Daniel DeLeo
- To:
- Subject: [chef] Re: Unable to use SSL cert from in-house Chef Server w/ knife
- Date: Mon, 16 Feb 2015 12:16:41 -0800
On Monday, February 16, 2015 at 10:14 AM, Ivan Suftin wrote:
> Ohai Chefs!
>
> We have a Chef 12 server set up with a self-signed cert. I’m trying to get
> knife to communicate using peer verification with the server.
>
> First, I run the check:
>
> $ knife ssl check https://chef.owicloud.org/organizations/cida
> Connecting to host chef.owicloud.org:443
> ERROR: The SSL certificate of chef.owicloud.org could not be verified
> Certificate issuer data: /C=us/L=Middleton, WI/O=OWI USGS/CN=OWI USGS VPN CA/
>
> Configuration Info:
>
> OpenSSL Configuration:
> * Version: OpenSSL 1.0.1k 8 Jan 2015
> * Certificate file: /opt/chefdk/embedded/ssl/cert.pem
> * Certificate directory: /opt/chefdk/embedded/ssl/certs
> Chef SSL Configuration:
> * ssl_ca_path: nil
> * ssl_ca_file: nil
> * trusted_certs_dir: "/Users/isuftin/.chef/trusted_certs"
>
> TO FIX THIS ERROR:
>
> [ … the usual text we know and love …]
Did you get a message about "There are invalid certificates in your
trusted_certs_dir." from `knife ssl check`? (Your certs would have to exist
in your trusted_certs_dir before you run that command for `knife ssl check`
to detect this issue.) There are certain properties on certificates which, if
they are not set, will make OpenSSL refuse to verify the certificate against
itself. In the past we’ve seen this when users follow an outdated blog post
for setting "Subject Alternative Names", but you could have stumbled upon
this issue as well.
> Ok, so obviously that doesn’t work. I then try to run a knife ssl fetch:
>
> $ knife ssl fetch https://chef.owicloud.org/
> WARNING: Certificates from chef.owicloud.org will be fetched and placed in your trusted_cert
> directory (/Users/isuftin/.chef/trusted_certs).
>
> Knife has no means to verify these are the correct certificates. You should
> verify the authenticity of these certificates after downloading.
>
> ERROR: knife encountered an unexpected error
> This may be a bug in the 'ssl fetch' knife command or plugin
> Please collect the output of this command with the `-VV` option before
> filing a bug report.
> Exception: NoMethodError: undefined method `[]' for nil:NilClass
>
> I’ve always had this issue so I’ve never used knife ssl fetch to grab the
> SSL cert. So I scp the cert into /Users/isuftin/.chef/trusted_certs and
> run a hash check on them on the server and local:
This looks like an actual bug with `knife ssl fetch`. If you run `knife ssl
fetch URL -VV`, it will show the backtrace. You should then copy all of that
into a bug report at https://github.com/chef/chef/issues so we can fix the
command.
>
> Server:
> $ sudo sha256sum /var/opt/opscode/nginx/ca/chef2a.crt
> 7a876dad9a3f6e59e169d5cb25d2ad64bd362515bbc7f9af2baec5936505ca09  /var/opt/opscode/nginx/ca/chef2a.crt
>
> Local (mac os):
> $ shasum -a256 /Users/isuftin/.chef/trusted_certs/chef2a.crt
> 7a876dad9a3f6e59e169d5cb25d2ad64bd362515bbc7f9af2baec5936505ca09  /Users/isuftin/.chef/trusted_certs/chef2a.crt
>
> Initial thoughts of where I should look?
>
> __________________________ (╯°□°)╯︵ ┻━┻
> Ivan Suftin - Applications Developer
> Office: (608) 821-3825 - Cell : (608) 345-8963
> Center for Integrated Data Analytics - http://cida.usgs.gov/
> United States Geological Survey
> 8505 Research Way, Middleton, WI 53562
--
Daniel DeLeo
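The reply above turns on three checks that `knife ssl check` performs on a trusted_certs_dir: whether each certificate verifies when it is the only thing in the trust store, whether its name matches the host, and (implicitly, via the hash comparison in the original post) whether the local copy is really the server's certificate. The Ruby script below is an added, self-contained example written for this page; it is not code from Chef, knife, or either poster. It uses only Ruby's standard `openssl` library, a constructed hostname `chef.example.test`, and two certificates it generates itself: one shaped the way OpenSSL expects a self-signed trust anchor to look, and one shaped the way outdated "add a Subject Alternative Name" recipes tend to produce them (a keyUsage extension that omits keyCertSign, with basicConstraints CA:FALSE). keyUsage without keyCertSign is one property OpenSSL 1.0.x checks when deciding whether a certificate may act as its own issuer; whether the OpenSSL linked into your Ruby rejects the second certificate outright depends on its version, which is why the script also inspects the extensions directly instead of relying on the verify result alone. The function names (`self_signed_cert`, `self_issuer_problems`, `audit_trusted_certs_dir`, and so on) are this example's own.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed hostname for the example; not the poster's server.
HOST = 'chef.example.test'

# Build a self-signed X.509v3 certificate for HOST. key_usage and ca let the
# caller produce either a proper self-signed anchor or the shape of cert that
# outdated SAN recipes generate (keyUsage present but without keyCertSign).
def self_signed_cert(key_usage:, ca:)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/C=US/O=Example Org/CN=#{HOST}")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509v3, so extensions are honoured
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = name
  cert.issuer     = name # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', key_usage, true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{HOST}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Static lint, independent of the OpenSSL version: a self-signed cert that
# carries keyUsage must include keyCertSign (printed as "Certificate Sign")
# to be accepted as its own issuer by OpenSSL 1.0.x, and basicConstraints,
# if present, should say CA:TRUE for a trust anchor.
def self_issuer_problems(cert)
  problems = []
  ku = cert.extensions.find { |e| e.oid == 'keyUsage' }
  bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
  problems << 'keyUsage present but lacks keyCertSign' if ku && !ku.value.include?('Certificate Sign')
  problems << 'basicConstraints present but not CA:TRUE' if bc && !bc.value.include?('CA:TRUE')
  problems
end

# The dynamic check knife performs: does the cert verify when it is the only
# certificate in the trust store? Returns [ok, error_string_or_nil].
def verifies_against_itself(cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  ok = store.verify(cert)
  [ok, ok ? nil : store.error_string]
end

# SHA-256 over the DER encoding: the value to compare out of band with the
# server's copy, since `knife ssl fetch` cannot vouch for what it downloaded.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Walk a trusted_certs_dir the way knife does and report on every .crt/.pem.
def audit_trusted_certs_dir(dir, expected_host)
  Dir.glob(File.join(dir, '*.{crt,pem}')).sort.map do |path|
    cert = OpenSSL::X509::Certificate.new(File.read(path))
    ok, err = verifies_against_itself(cert)
    {
      file: File.basename(path),
      fingerprint: fingerprint(cert),
      self_verify: ok,
      self_verify_error: err,
      # Hostname check against SAN (falling back to CN), as a TLS client would do.
      host_matches: OpenSSL::SSL.verify_certificate_identity(cert, expected_host),
      problems: self_issuer_problems(cert),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'good.crt'),
               self_signed_cert(key_usage: 'keyCertSign,digitalSignature,keyEncipherment', ca: true).to_pem)
    File.write(File.join(dir, 'bad.crt'),
               self_signed_cert(key_usage: 'digitalSignature,keyEncipherment', ca: false).to_pem)
    audit_trusted_certs_dir(dir, HOST).each { |row| puts row.inspect }
  end
end
```

Running the script prints one row per file with its fingerprint, the self-verification result and OpenSSL's error string when it fails, whether the name matches `chef.example.test`, and any extension problems the lint found. To use it on a real directory, call `audit_trusted_certs_dir` with the path from `trusted_certs_dir` and the Chef server's hostname, and compare each `:fingerprint` against `openssl x509 -in server.crt -noout -fingerprint -sha256` run on the server itself.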
Archive powered by MHonArc 2.6.16.