Arun V

Reputation: 31

Chef Error - SSL Validation failure connecting to host

My chef-server is COMPUTE1 (in capital letters) and my workstation is COMPUTE2 (in capital letters), and I am trying to upload a cookbook to the server.

user@COMPUTE2:~/chef-repo$ sudo knife cookbook upload sudo
Uploading sudo         [0.1.0]
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Error connecting to https://compute1/bookshelf/organization-f6706bb676a02d03bc421056986ae96b/checksum-ad104e789f71ad37eed05e4122a4540f?AWSAccessKeyId=548e088de808a684f5e37f97cd23914214c30bf8&Expires=1463546366&Signature=OqudLFc%2BDjjL5jllpCvSdchuLeU%3D, retry 1/5

--------------------------

ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
`knife ssl fetch` to make knife trust the server's certificates.

Original Exception: OpenSSL::SSL::SSLError: SSL Error connecting to https://compute1/bookshelf/organization-f6706bb676a02d03bc421056986ae96b/checksum-1752f5088b4e1ab5a1a872bb87049ae1?AWSAccessKeyId=548e088de808a684f5e37f97cd23914214c30bf8&Expires=1463546371&Signature=IA2GQ%2BfNcc6nm6DCRI/L0NxtkP0%3D - hostname "compute1" does not match the server certificate
user@COMPUTE2:~/chef-repo$ 

I tried knife ssl check and it reports that everything is OK.

user@COMPUTE2:~/chef-repo$ sudo knife ssl check
Connecting to host COMPUTE1:443
Successfully verified certificates from `COMPUTE1'
user@COMPUTE2:~/chef-repo$ 

knife ssl fetch is working fine, too.

user@COMPUTE2:~/chef-repo$ sudo knife ssl fetch 
WARNING: Certificates from COMPUTE1 will be fetched and placed in your trusted_cert
directory (/home/user/chef-repo/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for COMPUTE1 in /home/user/chef-repo/.chef/trusted_certs/COMPUTE1.crt
user@COMPUTE2:~/chef-repo$ 

My hostnames are in capital letters. Is that the reason why this is not working? I am unable to change the hostname because of some limitations. Could someone please help?

Thanks,

Upvotes: 2

Views: 12834

Answers (5)

Siddharth Singh

Reputation: 1

Remember that the certificate belongs to <hostname of the chef infra server>. Hence, in the config.rb file, please make sure that chef_server_url is assigned a value such as chef_server_url 'https://<hostname of the chef infra server>/organizations/<short_name>'.

This also obviously means that it has to be either an FQDN or an IP with an entry in the /etc/hosts file.

Upvotes: 0

Aviv

Reputation: 14527

The problem: I created a tunnel and tried to upload a cookbook to my chef server, BUT I was getting an error that it cannot establish a connection: ERROR: SSL Validation failure connecting to host... certificate verify failed (self signed certificate). It seems that the self-signed certificate is not trusted.

The following error suggests a solution:

ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
knife ssl fetch to make knife trust the server's certificates.

The solution:

knife ssl fetch

Upvotes: 1

Ganesh Pawane

Reputation: 41

You need to turn off SSL verification in the knife.rb file with this setting. Just add the following line to the knife.rb file:

ssl_verify_mode    :verify_none

Upvotes: 2

tux4linux

Reputation: 121

Maybe a little late, but I hope it will help someone.

Add the below entry in knife.rb:

ssl_verify_mode :verify_none 

This would solve the problem temporarily, but a permanent solution is to download the certificate from your chef server.

To download the certificate, add the below line to the knife.rb file.

trusted_certs_dir        "#{current_dir}/trusted_certs"

Run the below command once you have added the entry:

knife ssl fetch (this fetches the certificates from the chef server and keeps them under the directory trusted_certs)

Verify that the *.cert file is present, then run the below command.

knife ssl check (this command validates the certificate already downloaded from the chef-server)

You can then run knife node list to verify ssl certificates issue is gone.

Upvotes: 8
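The question's symptom (knife ssl check passes for COMPUTE1, yet the bookshelf request to compute1 fails with "hostname does not match the server certificate") and the two fixes offered above (ssl_verify_mode :verify_none, or trusted_certs_dir plus knife ssl fetch) rest on two separate checks that a verifying TLS client performs: is the presented certificate trusted, and does the name the client connected to match the certificate's SAN or CN. The Ruby script below is an added example, not code from the question, from any answer, or from Chef itself. It builds a stand-in self-signed certificate with CN=COMPUTE1 (constructed here; a real Chef Server certificate is what knife ssl fetch writes into trusted_certs/), drops it into a temporary trusted_certs directory the way knife ssl fetch does, and then reports, for several spellings of the hostname, what Ruby's own OpenSSL::SSL.verify_certificate_identity (the verifier knife's HTTP client relies on) and an X509::Store built from that directory would say. Run it with the CN of your server's certificate and the exact hostname knife uses in the failing URL to see which of the two checks is rejecting you.

```ruby
require "openssl"
require "tmpdir"

# Stand-in for the certificate a Chef Server's nginx presents: a self-signed
# cert whose subject CN is the server's hostname. Constructed for this example;
# a real server cert is what `knife ssl fetch` writes into trusted_certs/.
def self_signed_cert(cn, san_dns: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if san_dns # optional subjectAltName, as a CA-issued cert would carry
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san_dns}", false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# What trusted_certs_dir does for knife: every *.crt in the directory becomes a
# trust anchor, and nothing else is trusted. That is the point of verify_peer.
def trust_store_from_dir(dir)
  store = OpenSSL::X509::Store.new
  Dir.glob(File.join(dir, "*.crt")).sort.each do |path|
    store.add_cert(OpenSSL::X509::Certificate.new(File.read(path)))
  end
  store
end

# The two checks a verify_peer client performs, kept separate on purpose:
#   :trusted  - does the presented cert chain to something in the store?
#   :identity - does the name we connected to match the cert's SAN or CN?
# `knife ssl check` passing proves both for the chef_server_url spelling; a
# later request to a differently spelled host can still fail :identity.
def ssl_check(store, cert, hostname)
  {
    trusted:  store.verify(cert),
    identity: OpenSSL::SSL.verify_certificate_identity(cert, hostname),
  }
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir("trusted_certs") do |dir|
    server_cert = self_signed_cert("COMPUTE1")                        # hostname as in the question
    File.write(File.join(dir, "COMPUTE1.crt"), server_cert.to_pem)    # what `knife ssl fetch` does
    store = trust_store_from_dir(dir)
    puts "cert subject: #{server_cert.subject}"
    %w[COMPUTE1 compute1 COMPUTE1.example.com compute2].each do |host|
      r = ssl_check(store, server_cert, host)
      puts format("  %-22s trusted=%-5s identity=%s", host, r[:trusted], r[:identity])
    end
    untrusted = ssl_check(OpenSSL::X509::Store.new, server_cert, "COMPUTE1")
    puts format("  %-22s trusted=%-5s identity=%s", "(empty store)", untrusted[:trusted], untrusted[:identity])
  end
end
```

The "compute1" row is the one to read for this question: it shows whether the verifier accepts the lowercase spelling against an uppercase CN. Note what each fix above does to these two columns. trusted_certs_dir plus knife ssl fetch only turns :trusted from false to true; it cannot change :identity, so a hostname mismatch survives it. ssl_verify_mode :verify_none switches off both checks, which is why it "works", but the connection is then no longer authenticated at all, and anyone who can answer for the server's name on the network can hand knife a certificate of their own.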

rtacconi

Reputation: 14779

This article explains the prerequisites for installing a Chef server. An IP and FQDN must be used. Do not use uppercase hostnames. After that, run:

sudo chef-server-ctl reconfigure   # regenerates the nginx certificate for the configured FQDN
sudo cp /var/opt/opscode/nginx/ca/hostxyz009.crt /home/ec2-user/.chef/trusted_certs
chmod 0644 /home/ec2-user/.chef/trusted_certs/hostxyz009.crt
ls -l /home/ec2-user/.chef/trusted_certs/
knife ssl check

The code above assumes that your user is ec2-user (Amazon Linux) and that knife and ec2-user are in the Chef Server. In that example the hostname is hostxyz009, but the FQDN could be hostxyz009.example.com.

Upvotes: -2
