- From: Ivan Suftin
- Subject: [chef] Re: Unable to use SSL cert from in-house Chef Server w/ knife
- Date: Mon, 16 Feb 2015 16:25:13 -0600
Hi Daniel,
I did not see any messages regarding "There are invalid certificates in your trusted_certs_dir". Do you have more information regarding the "Subject Alternative Names" issue? I could get more information for you if needed in order to better analyze the issue.
__________________________ (╯°□°)╯︵ ┻━┻ Ivan Suftin - Applications Developer - Office: (608) 821-3825 - Cell : (608) 345-8963 Center for Integrated Data Analytics - http://cida.usgs.gov/ United States Geological Survey 8505 Research Way, Middleton, WI 53562
On Feb 16, 2015, at 2:16 PM, Daniel DeLeo wrote:
On Monday, February 16, 2015 at 10:14 AM, Ivan Suftin wrote:
Ohai Chefs!
We have a Chef 12 server set up with a self-signed cert. I’m trying to get knife to communicate using peer verification with the server.
First, I run the check:
$ knife ssl check https://chef.owicloud.org/organizations/cida
Connecting to host chef.owicloud.org:443
ERROR: The SSL certificate of chef.owicloud.org could not be verified
Certificate issuer data: /C=us/L=Middleton, WI/O=OWI USGS/CN=OWI USGS VPN CA/
Configuration Info:
OpenSSL Configuration:
* Version: OpenSSL 1.0.1k 8 Jan 2015
* Certificate file: /opt/chefdk/embedded/ssl/cert.pem
* Certificate directory: /opt/chefdk/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/Users/isuftin/.chef/trusted_certs"
TO FIX THIS ERROR:
[ … the usual text we know and love …]
Did you get a message about "There are invalid certificates in your trusted_certs_dir." from `knife ssl check`? (Your certs would have to exist in your trusted_certs_dir before you run that command for `knife ssl check` to detect this issue). There are certain properties on certificates, which if they are not set, will make OpenSSL refuse to verify the certificate against itself. In the past we've seen this when users follow an outdated blog post for setting "Subject Alternative Names," but you could have stumbled upon this issue as well.
Ok, so obviously that doesn't work. I then try to run a knife ssl fetch:
$ knife ssl fetch https://chef.owicloud.org/
WARNING: Certificates from chef.owicloud.org will be fetched and placed in your trusted_cert directory (/Users/isuftin/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should verify the authenticity of these certificates after downloading.
ERROR: knife encountered an unexpected error
This may be a bug in the 'ssl fetch' knife command or plugin
Please collect the output of this command with the `-VV` option before filing a bug report.
Exception: NoMethodError: undefined method `[]' for nil:NilClass
I’ve always had this issue so I’ve never used knife ssl fetch to grab the SSL cert. So I scope the cert into /Users/isuftin/.chef/trusted_certs and run a hash check on them on the server and local:
This looks like an actual bug with `knife ssl fetch`. If you run `knife ssl fetch URL -VV`, it will show the backtrace. You should then copy all of that into a bug report at https://github.com/chef/chef/issues so we can fix the command.
Server:
$ sudo sha256sum /var/opt/opscode/nginx/ca/chef2a.crt
7a876dad9a3f6e59e169d5cb25d2ad64bd362515bbc7f9af2baec5936505ca09 /var/opt/opscode/nginx/ca/chef2a.crt
Local (mac os):
$ shasum -a256 /Users/isuftin/.chef/trusted_certs/chef2a.crt
7a876dad9a3f6e59e169d5cb25d2ad64bd362515bbc7f9af2baec5936505ca09 /Users/isuftin/.chef/trusted_certs/chef2a.crt
Initial thoughts of where I should look?
-- Daniel DeLeo
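Daniel's remark about certificate properties that stop OpenSSL verifying a self-signed cert against itself, and Ivan's hash comparison, as an added example that is not code from the thread or from Chef: it generates two self-signed certificates (one with the key usage a typical server-cert how-to produces, one with the key usage and basic constraints a cert needs to act as its own trust anchor), reports which carries keyCertSign, and compares certificate fingerprints rather than file hashes. It assumes the openssl CLI is on PATH; chef.example is a constructed hostname.

```shell
# Added example, not code from the thread. Assumes the openssl CLI is on PATH;
# chef.example is a constructed hostname.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Two extension profiles: server_only is what a typical server-cert how-to
# yields (no keyCertSign); self_anchor is what a self-signed cert needs so
# that OpenSSL will accept it as its own issuer.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = chef.example
[ server_only ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:chef.example
[ self_anchor ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, digitalSignature, keyEncipherment
subjectAltName = DNS:chef.example
EOF

# make_cert NAME PROFILE: self-signed cert written to $WORK/NAME.crt
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ext.cnf" \
        -extensions "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# has_certsign FILE: succeeds iff keyUsage includes keyCertSign. OpenSSL 1.0/1.1
# chain building (X509_check_issued) rejects an issuer whose keyUsage lacks it,
# so such a cert cannot verify against itself even when it is in the store.
has_certsign() {
    openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'
}

# fingerprint FILE: SHA-256 over the DER certificate. Unlike sha256sum of the
# file, it is unchanged by PEM line endings or text outside the PEM block.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_cert blog server_only; make_cert anchor self_anchor
for c in blog anchor; do
    has_certsign "$WORK/$c.crt" && s='keyCertSign present' || s='keyUsage lacks keyCertSign'
    echo "$c.crt: $s; fingerprint $(fingerprint "$WORK/$c.crt")"
done
```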