Reputation: 31
Chef Error - SSL Validation failure connecting to host
My chef-server is COMPUTE1 (in capital letters) and workstation is COMPUTE2 (in capital letters) and I am trying to upload a cookbook to the server.
user@COMPUTE2:~/chef-repo$ sudo knife cookbook upload sudo
Uploading sudo [0.1.0]
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Error connecting to https://compute1/bookshelf/organization-f6706bb676a02d03bc421056986ae96b/checksum-ad104e789f71ad37eed05e4122a4540f?AWSAccessKeyId=548e088de808a684f5e37f97cd23914214c30bf8&Expires=1463546366&Signature=OqudLFc%2BDjjL5jllpCvSdchuLeU%3D, retry 1/5
--------------------------
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
`knife ssl fetch` to make knife trust the server's certificates.
Original Exception: OpenSSL::SSL::SSLError: SSL Error connecting to https://compute1/bookshelf/organization-f6706bb676a02d03bc421056986ae96b/checksum-1752f5088b4e1ab5a1a872bb87049ae1?AWSAccessKeyId=548e088de808a684f5e37f97cd23914214c30bf8&Expires=1463546371&Signature=IA2GQ%2BfNcc6nm6DCRI/L0NxtkP0%3D - hostname "compute1" does not match the server certificate
user@COMPUTE2:~/chef-repo$
I tried knife ssl check and it returns everything is ok.
user@COMPUTE2:~/chef-repo$ sudo knife ssl check
Connecting to host COMPUTE1:443
Successfully verified certificates from `COMPUTE1'
user@COMPUTE2:~/chef-repo$
knife ssl fetch is working fine too
user@COMPUTE2:~/chef-repo$ sudo knife ssl fetch
WARNING: Certificates from COMPUTE1 will be fetched and placed in your trusted_cert
directory (/home/user/chef-repo/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
Adding certificate for COMPUTE1 in /home/user/chef-repo/.chef/trusted_certs/COMPUTE1.crt
user@COMPUTE2:~/chef-repo$
My hostnames are in capital letters. Is that the reason why this is not working? I am unable to change the hostname because of some limitations. Could someone please help.
Thanks,
Upvotes: 2
Views: 12838
Answers (5)
Reputation: 1
Remember that certificate belongs to <hostname of the chef infra server>. Hence in the config.rb file please make sure that chef_server_url is assigned a value such as chef_server_url 'https://<hostname of the chef infra server>/organizations/<short_name>'
This also obviously means that it has to be either a FQDN or an IP with entry in the /etc/hosts file.
Upvotes: 0
Reputation: 14527
The Problem: I've created a tunnel and try to upload cookbook to my chef server BUT I was getting an error cannot establish a connection - ERROR: SSL Validation failure connecting to host... certificate verify failed (self signed certificate). seems that the self signed certificate is not trusted.
The following error suggests solution:
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
knife ssl fetch to make knife trust the server's certificates.
The solution:
knife ssl fetch
Upvotes: 1
Reputation: 41
You need to turn of ssl verification in the knife.rb file with this setting. Just add the following line in knife.rb file:
ssl_verify_mode :verify_none
Upvotes: 2
Reputation: 121
May be a little late but I hope it will help someone.
Adding the below entry in knife.rb:
ssl_verify_mode :verify_none
This would solve the problem temporary, but a permanent solution is to download the certificate from your chef server.
To download the certificate, add the below line to the knife.rb file.
trusted_certs_dir "#{current_dir}/trusted_certs"
Run the below command once you have added the entry:
knife ssl fetch (This fetches the certificates from the chef server and keeps under the directory trusted_certs)
Verify once that the *.cert file is already present and run the below command.
knife ssl check (This command validates the certificate already downloaded from the chef-server)
You can then run knife node list to verify ssl certificates issue is gone.
Upvotes: 8
Reputation: 14779
This article explains the prerequisites to install a Chef server. An IP and FQDN must be used. Do not use uppercase hostnames. After that run:
sudo chef-server-reconfigure
sudo cp /var/opt/opscode/nginx/ca/hostxyz009.crt /home/ec2-user/.chef/trusted_certs
chmod 0644 /home/ec2-user/.chef/trusted_certs/hostxyz009.crt
ls -l /home/ec2-user/.chef/trusted_certs/
knife ssl check
The code above assumes that your user is ec2-user (Amazon Linux) and that knife and ec2-user are in the Chef Server. In that example the host name is hostxyz009 but the FQDN could be hostxyz009.example.com
Upvotes: -2
Related Questions
- Chef : knife.rb ignores ssl_verify_mode :verify_none when bootstrapping a node
- Chef encountered an error attempting to create the client
- knife utility fails - 404 not found
- Host Chef Server 12 on a purchased domain name
- SSL validation failure - knife ec2 with chef 12
- Chef Bootsrapping SSL error for Windows Server 2008 R2
- unable to ssl connect to chef-server from chef-workstation
- Getting a 500 Internal Server Error when uploading cookbooks after updating SSL certificate
- SSL validation failure connecting to host