Chef Error - SSL Validation failure connecting to host

chef-infra chef-recipe cookbook

10,241

Solution 1

May be a little late but I hope it will help someone.

Adding the below entry in knife.rb:

ssl_verify_mode :verify_none

This would solve the problem temporary, but a permanent solution is to download the certificate from your chef server.

To download the certificate, add the below line to the knife.rb file.

trusted_certs_dir        "#{current_dir}/trusted_certs"

Run the below command once you have added the entry:

knife ssl fetch (This fetches the certificates from the chef server and keeps under the directory trusted_certs)

Verify once that the *.cert file is already present and run the below command.

knife ssl check (This command validates the certificate already downloaded from the chef-server)

You can then run knife node list to verify ssl certificates issue is gone.

Solution 2

You need to turn of ssl verification in the knife.rb file with this setting. Just add the following line in knife.rb file:

ssl_verify_mode    :verify_none

Solution 3

The Problem: I've created a tunnel and try to upload cookbook to my chef server BUT I was getting an error cannot establish a connection - ERROR: SSL Validation failure connecting to host... certificate verify failed (self signed certificate). seems that the self signed certificate is not trusted.

The following error suggests solution:

ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
knife ssl fetch to make knife trust the server's certificates.

The solution:

knife ssl fetch

10,241

Arun V

Updated on June 08, 2022

Comments

Arun V almost 2 years

My chef-server is COMPUTE1 (in capital letters) and workstation is COMPUTE2 (in capital letters) and I am trying to upload a cookbook to the server.

user@COMPUTE2:~/chef-repo$ sudo knife cookbook upload sudo
Uploading sudo         [0.1.0]
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Error connecting to https://compute1/bookshelf/organization-f6706bb676a02d03bc421056986ae96b/checksum-ad104e789f71ad37eed05e4122a4540f?AWSAccessKeyId=548e088de808a684f5e37f97cd23914214c30bf8&Expires=1463546366&Signature=OqudLFc%2BDjjL5jllpCvSdchuLeU%3D, retry 1/5

--------------------------

ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
`knife ssl fetch` to make knife trust the server's certificates.

Original Exception: OpenSSL::SSL::SSLError: SSL Error connecting to https://compute1/bookshelf/organization-f6706bb676a02d03bc421056986ae96b/checksum-1752f5088b4e1ab5a1a872bb87049ae1?AWSAccessKeyId=548e088de808a684f5e37f97cd23914214c30bf8&Expires=1463546371&Signature=IA2GQ%2BfNcc6nm6DCRI/L0NxtkP0%3D - hostname "compute1" does not match the server certificate
user@COMPUTE2:~/chef-repo$

I tried knife ssl check and it returns everything is ok.

user@COMPUTE2:~/chef-repo$ sudo knife ssl check
Connecting to host COMPUTE1:443
Successfully verified certificates from `COMPUTE1'
user@COMPUTE2:~/chef-repo$

knife ssl fetch is working fine too

user@COMPUTE2:~/chef-repo$ sudo knife ssl fetch 
WARNING: Certificates from COMPUTE1 will be fetched and placed in your trusted_cert
directory (/home/user/chef-repo/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for COMPUTE1 in /home/user/chef-repo/.chef/trusted_certs/COMPUTE1.crt
user@COMPUTE2:~/chef-repo$

My hostnames are in capital letters. Is that the reason why this is not working? I am unable to change the hostname because of some limitations. Could someone please help.

Thanks,

Martin almost 8 years

Do you have a knife configuration file you haven't shown us here?
Tensibai almost 8 years

Use the fqdn of your chef server in your knife.rb instead of the shortname and all will be ok (or update the chef_server.rb file to ask it to generate a certificate for long and short name, docs.chef.io ahs a paragraph about it)

Nitul over 6 years

I have provided trusted_certs_dir "#{current_dir}/trusted_certs" but still getting same error. However ssl_verify_mode :verify_none works, but it is not permanent solution.
tux4linux over 6 years

once you have added trusted_certs_dir "#{current_dir}/trusted_certs", you should do a knife ssl fetch and knife ssl check.