- From: Daniel DeLeo
- To:
- Subject: [chef] Re: Chef Certificates
- Date: Tue, 19 May 2015 11:12:33 -0700
--
Daniel DeLeo
On Tuesday, May 19, 2015 at 12:42 AM, Simon Hawkins wrote:
> Hi,
>
> I get the following error in a recipe:
>
> remote_file("my-script.ps1") do
>   provider Chef::Provider::RemoteFile
>   action "create"
>   retries 0
>   retry_delay 2
>   default_guard_interpreter :default
>   path "my-script.ps1"
>   backup 5
>   atomic_update true
>   source ["https://myrepo.internal.local/dev/Chef/raw/master/src/BLD/Chef.BLD/Recipes/my-script.ps1"]
>   use_etag true
>   use_last_modified true
>   declared_type :remote_file
>   cookbook_name "windows"
>   recipe_name "runmyscript"
> end
>
> [2015-05-19T08:34:04+01:00] INFO: Running queued delayed notifications
> before re-raising exception
>
> Running handlers:
> [2015-05-19T08:34:04+01:00] ERROR: Running exception handlers
> Running handlers complete
> [2015-05-19T08:34:04+01:00] ERROR: Exception handlers complete
> [2015-05-19T08:34:04+01:00] FATAL: Stacktrace dumped to
> c:/chef/cache/chef-stacktrace.out
> Chef Client failed. 2 resources updated in 29.838761 seconds
> [2015-05-19T08:34:04+01:00] FATAL: OpenSSL::SSL::SSLError:
> remote_file[my-script.ps1] (windows::runmyscript line
> 8) had an error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0
> state=SSLv3 read server certificate B: certificate verify failed
>
> The source uses a valid certificate (not self-signed) and I have put the
> pem files (full cert chain) under /opt/chef-server/embedded/ssl/certs on my
> chef server.
>
> How do I get the chef-client to use them?
>
> Cheers,
> Simon.

Firstly, you need to configure your server so that the nginx load balancer
will use your certs. To do so, create a chef-server.rb file and configure the
relevant settings, which are described here:
http://docs.chef.io/config_rb_server_optional_settings.html#nginx
After doing that, running `chef-server-ctl reconfigure` will apply them.

From the client, you can debug SSL issues with `knife ssl check`. On a server
system, you’ll want to run `knife ssl check -c /etc/chef/client.rb`. When
it’s all working, that command should tell you that.

--
Daniel DeLeo
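
An added example, not part of the original message and not Chef's own code: `certificate verify failed` is decided by the verifying client from its own trust store plus whatever chain the server sends, and this Ruby sketch reproduces that decision offline. The CA names, the helper names (`issue`, `sample_chain`, `verify_as_client`) and the generated certificates are constructed for illustration; only the host name is taken from the thread.

```ruby
require "openssl"

# Issue a certificate for `cn`. With no issuer given it is self-signed (a root CA).
def issue(cn, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256")) # returns the certificate
end

# Constructed sample chain: root CA -> intermediate CA -> server certificate.
def sample_chain
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = issue("Example Internal Root CA", rk, 1, ca: true)
  inter = issue("Example Internal Issuing CA", ik, 2, issuer: root, issuer_key: rk, ca: true)
  leaf = issue("myrepo.internal.local", lk, 3, issuer: inter, issuer_key: ik)
  { root: root, inter: inter, leaf: leaf }
end

# Verify `leaf` the way a TLS client does: `trusted` is the client's own CA
# store, `sent` is the extra certificates the server includes in its handshake.
def verify_as_client(leaf, trusted:, sent:)
  store = OpenSSL::X509::Store.new # starts empty; no system CAs are loaded
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, sent)
  ok = ctx.verify
  { ok: ok, reason: ctx.error_string }
end

if __FILE__ == $PROGRAM_NAME
  c = sample_chain
  cases = {
    "client trusts root, server sends intermediate" => [[c[:root]], [c[:inter]]],
    "client trusts root, server omits intermediate" => [[c[:root]], []],
    "chain present only on the server side, client store empty" => [[], [c[:inter], c[:root]]],
  }
  cases.each do |name, (trusted, sent)|
    puts "#{name}: #{verify_as_client(c[:leaf], trusted: trusted, sent: sent)}"
  end
end
```

Only the first case verifies; in the other two the `reason` string names what the client could not find, which is the detail to look for when reading `knife ssl check` output.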