Chef Error - SSL Validation failure connecting to host
Solution 1
May be a little late but I hope it will help someone.
Adding the below entry in knife.rb:
ssl_verify_mode :verify_none
This would solve the problem temporarily, but a permanent solution is to download the certificate from your Chef server.
To download the certificate, add the below line to the knife.rb file.
trusted_certs_dir "#{current_dir}/trusted_certs"
Run the below command once you have added the entry:
knife ssl fetch
(This fetches the certificates from the Chef server and keeps them under the directory trusted_certs.)
Verify once that the *.cert file is already present and run the below command.
knife ssl check
(This command validates the certificate already downloaded from the Chef server.)
You can then run knife node list to verify the SSL certificate issue is gone.
Solution 2
You need to turn off SSL verification in the knife.rb file with this setting. Just add the following line in the knife.rb file:
ssl_verify_mode :verify_none
Solution 3
The problem: I created a tunnel and tried to upload a cookbook to my Chef server, but I was getting an error that it cannot establish a connection - ERROR: SSL Validation failure connecting to host... certificate verify failed (self signed certificate).
It seems that the self-signed certificate is not trusted.
The following error suggests the solution:
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
knife ssl fetch to make knife trust the server's certificates.
The solution:
knife ssl fetch
Arun V
Updated on June 08, 2022
Comments
-
Arun V almost 2 years
My chef-server is COMPUTE1 (in capital letters) and workstation is COMPUTE2 (in capital letters) and I am trying to upload a cookbook to the server.
user@COMPUTE2:~/chef-repo$ sudo knife cookbook upload sudo
Uploading sudo [0.1.0]
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Error connecting to https://compute1/bookshelf/organization-f6706bb676a02d03bc421056986ae96b/checksum-ad104e789f71ad37eed05e4122a4540f?AWSAccessKeyId=548e088de808a684f5e37f97cd23914214c30bf8&Expires=1463546366&Signature=OqudLFc%2BDjjL5jllpCvSdchuLeU%3D, retry 1/5
--------------------------
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
`knife ssl fetch` to make knife trust the server's certificates.
Original Exception: OpenSSL::SSL::SSLError: SSL Error connecting to https://compute1/bookshelf/organization-f6706bb676a02d03bc421056986ae96b/checksum-1752f5088b4e1ab5a1a872bb87049ae1?AWSAccessKeyId=548e088de808a684f5e37f97cd23914214c30bf8&Expires=1463546371&Signature=IA2GQ%2BfNcc6nm6DCRI/L0NxtkP0%3D - hostname "compute1" does not match the server certificate
user@COMPUTE2:~/chef-repo$
I tried knife ssl check and it returns everything is ok.
user@COMPUTE2:~/chef-repo$ sudo knife ssl check
Connecting to host COMPUTE1:443
Successfully verified certificates from `COMPUTE1'
user@COMPUTE2:~/chef-repo$
knife ssl fetch is working fine too
user@COMPUTE2:~/chef-repo$ sudo knife ssl fetch
WARNING: Certificates from COMPUTE1 will be fetched and placed in your trusted_cert
directory (/home/user/chef-repo/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
Adding certificate for COMPUTE1 in /home/user/chef-repo/.chef/trusted_certs/COMPUTE1.crt
user@COMPUTE2:~/chef-repo$
My hostnames are in capital letters. Is that the reason why this is not working? I am unable to change the hostname because of some limitations. Could someone please help.
Thanks,
-
Martin almost 8 years
Do you have a knife configuration file you haven't shown us here?
-
Tensibai almost 8 years
Use the FQDN of your Chef server in your knife.rb instead of the short name and all will be OK (or update the chef_server.rb file to ask it to generate a certificate for the long and short names; docs.chef.io has a paragraph about it).
-
Nitul over 6 years
I have provided trusted_certs_dir "#{current_dir}/trusted_certs" but am still getting the same error. However, ssl_verify_mode :verify_none works, but it is not a permanent solution.
-
tux4linux over 6 years
Once you have added trusted_certs_dir "#{current_dir}/trusted_certs", you should do a knife ssl fetch and knife ssl check.
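
Added example (not part of the original thread and not Chef's own code): a Ruby check that a certificate placed in trusted_certs by knife ssl fetch, as in Solution 1, covers the host name used in chef_server_url (the mismatch reported in the question) and that its SHA-256 fingerprint equals one obtained out of band, which is the verification the knife ssl fetch warning asks for. The certificate, the name compute1.example.test, the URLs and the helper names are constructed for illustration.

```ruby
require "openssl"
require "uri"

# Constructed sample: self-signed certificate for a hypothetical server name,
# standing in for a file that `knife ssl fetch` wrote to trusted_certs/.
def build_sample_cert(fqdn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{fqdn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{fqdn}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# SHA-256 fingerprint of the DER bytes, for comparison with a value read on
# the Chef server itself over a channel you already trust.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(":")
end

# Check one fetched certificate against the chef_server_url set in knife.rb:
# does the certificate name the host, and is it the certificate we expect?
def audit(cert, chef_server_url, expected_fp)
  host = URI.parse(chef_server_url).host
  { host: host,
    name_ok: OpenSSL::SSL.verify_certificate_identity(cert, host),
    pinned_ok: fingerprint(cert) == expected_fp }
end

if __FILE__ == $PROGRAM_NAME
  cert = build_sample_cert("compute1.example.test") # constructed name
  trusted_fp = fingerprint(cert) # stands in for the out-of-band value
  %w[https://compute1/organizations/demo
     https://compute1.example.test/organizations/demo].each do |url|
    puts audit(cert, url, trusted_fp)
  end
end
```

For a real check, load the fetched file with OpenSSL::X509::Certificate.new(File.read(path)) in place of build_sample_cert and pass the fingerprint recorded on the server as expected_fp.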