Tags: openssl, ssl-certificate, chef-infra, knife

Bootstrapping error SSL Validation failure COMODO RSA cert


I can't get chef to bootstrap a node. This is using a self-signed certificate.

Connecting to 10.100.248.13
10.100.248.13 Starting first Chef Client run...
10.100.248.13 Starting Chef Client, version 12.0.1
10.100.248.13 Creating a new client identity for bh-jb using the validator key.
10.100.248.13 [2014-12-15T19:26:03-08:00] ERROR: SSL Validation failure connecting to host: chefserver.domain.com - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:  certificate verify failed
10.100.248.13 
10.100.248.13 ================================================================================
10.100.248.13 Chef encountered an error attempting to create the client "bh-jb"
10.100.248.13 ================================================================================
10.100.248.13 
10.100.248.13 [2014-12-15T19:26:03-08:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
10.100.248.13 Chef Client failed. 0 resources updated in 1.776998404 seconds
10.100.248.13 [2014-12-15T19:26:03-08:00] ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
10.100.248.13 [2014-12-15T19:26:03-08:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Knife check

$ knife ssl check
Connecting to host chefserver.domain.com:443
Successfully verified certificates from `chefserver.domain.com'

Here is my knife.rb file.

# See http://docs.getchef.com/config_rb_knife.html for more information on knife configuration options

current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                "epardee"
client_key               "#{current_dir}/sysmonuser.pem"
validation_client_name   "sysmon-validator"
validation_key           "#{current_dir}/sysmon-validator.pem"
chef_server_url          "https://chefserver.domain.com/organizations/sysmon"
cache_type               'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path            ["#{current_dir}/../cookbooks"]

Downloaded the latest version of Chef DK

$ chef -v
Chef Development Kit Version: 0.3.5
$ knife -v
Chef: 11.18.0.rc.1

I've just spent an entire day trying to figure this out.


Solution

  • Are you using Chef 12 on your workstation? If so, it should copy over the trusted certs for you. This is a new feature in Chef 12, so if you are still on 11 or a pre-release version of 12, that would do it. Otherwise try running ssl check from the target node, not your workstation.
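The mechanism behind the answer, as an added Ruby example (not code from the question or from Chef itself): chef-client trusts the system CAs plus any PEM file in a trusted_certs directory, which the workstation already has (hence `knife ssl check` passes there) but a freshly bootstrapped node only gets if the Chef 12 bootstrap copies it over. The hostname chefserver.domain.com is from the question; the self-signed certificate and the two directories are constructed here to stand in for the workstation and the node.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed stand-in for the chef server's self-signed certificate.
def make_self_signed_cert(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject            # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Mirror the chef-client trust model: system CAs plus every PEM file found in
# a trusted_certs directory. Returns [verified?, openssl reason string].
def verify_against_trusted_certs(server_cert, trusted_certs_dir)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  Dir.glob(File.join(trusted_certs_dir, '*.{crt,pem}')).each do |path|
    store.add_cert(OpenSSL::X509::Certificate.new(File.read(path)))
  end
  ok = store.verify(server_cert)
  [ok, store.error_string]
end

# Workstation: the cert was saved by `knife ssl fetch`, so the check passes.
# Fresh node: trusted_certs is empty, so the same cert fails exactly as in
# the bootstrap log ("certificate verify failed").
def demo
  cert = make_self_signed_cert('chefserver.domain.com')
  results = {}
  Dir.mktmpdir('workstation') do |dir|
    File.write(File.join(dir, 'chefserver_domain_com.crt'), cert.to_pem)
    results[:workstation] = verify_against_trusted_certs(cert, dir)
  end
  Dir.mktmpdir('node') { |dir| results[:node] = verify_against_trusted_certs(cert, dir) }
  results
end

puts demo.map { |who, (ok, why)| "#{who}: #{ok ? 'verified' : 'FAILED'} (#{why})" } if __FILE__ == $0
```

Running it prints one verified line for the workstation and one FAILED line for the node, which is the situation the answer describes.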