set setting reset

Infrastructure tidbits and notes to self

ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed when bootstrapping from chef-server

Googling this turns up plenty of hits, but I'm writing it down for my own reference.

When I ran a bootstrap from chef-server, I got the error in the title. I tried knife client list and various other things from the server being bootstrapped, but it never got registered as a client, so none of that worked.

ERROR: Your private key could not be loaded from /etc/chef/client.pem
Check your configuration file and ensure that your private key is readable

Sites like the one below say to run knife ssl fetch, so I tried that on chef-server, but it still didn't work.

www.creationline.com

The server I want to bootstrap is 10.0.0.5, and chef-server is 10.0.1.5.

Doing old-style registration with the validation key at /etc/chef-server/chef-validator.pem...
Delete your validation key in order to use your user credentials instead

Connecting to 10.0.0.5
10.0.0.5 Starting first Chef Client run...
10.0.0.5 Starting Chef Client, version 12.3.0
#log_level                   :info
10.0.0.5 Creating a new client identity for infra-amazon-linux-test-1 using the validator key.
10.0.0.5 [2015-06-24T02:54:22+00:00] ERROR: SSL Validation failure connecting to host: 10.0.1.5 - hostname "10.0.1.5" does not match the server certificate
10.0.0.5
10.0.0.5 ================================================================================
10.0.0.5 Chef encountered an error attempting to create the client "infra-amazon-linux-test-1"
10.0.0.5 ================================================================================
10.0.0.5
10.0.0.5 [2015-06-24T02:54:22+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
10.0.0.5 Chef Client failed. 0 resources updated in 0.998938885 seconds
10.0.0.5 [2015-06-24T02:54:22+00:00] ERROR: hostname "10.0.1.5" does not match the server certificate
10.0.0.5 [2015-06-24T02:54:22+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

There is also a knife ssl check command, so I gave that a try:

Connecting to host 10.0.1.5:443
ERROR: The SSL cert is signed by a trusted authority but is not valid for the given hostname
ERROR: You are attempting to connect to:   '10.0.1.5'
ERROR: The server's certificate belongs to 'chef-server'

TO FIX THIS ERROR:

The solution for this issue depends on your networking configuration. If you
are able to connect to this server using the hostname chef-server
instead of 10.0.1.5, then you can resolve this issue by updating chef_server_url
in your configuration file.

If you are not able to connect to the server using the hostname chef-server
you will have to update the certificate on the server to use the correct hostname.

So it looks like the failure is because I'm trying to connect by IP address. Apparently I have to connect using the name chef-server, and when I looked through the configuration, knife.rb was the culprit.

#chef_server_url             'https://10.0.1.5'
chef_server_url             'https://chef-server'
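The knife ssl check output above is a hostname-identity check, which is a different failure from the "certificate verify failed" in the title: knife ssl fetch only makes the server's (self-signed) certificate trusted by copying it into trusted_certs, while the hostname check asks whether the name you dialed appears in the certificate's CN or subjectAltName. Either fix the URL to match the certificate, as done in knife.rb above, or reissue the certificate with an IP SAN; do not "fix" it by setting ssl_verify_mode :verify_none, which turns off both checks. The following is an added example (not code from this post or from Chef) that reproduces that identity check with Ruby's OpenSSL library, using a constructed self-signed certificate with the CN chef-server, first without and then with an IP SAN for 10.0.1.5:

```ruby
require 'openssl'
require 'ipaddr'

# Build a self-signed X.509v3 certificate the way a Chef server's default
# certificate looks: CN set to the server's hostname, optionally with
# subjectAltName entries. This is constructed test data, not a real cert.
def build_cert(common_name, sans: [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # v3, needed for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject           # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    # e.g. "DNS:chef-server,IP:10.0.1.5"
    cert.add_extension(ef.create_extension('subjectAltName', sans.join(','), false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The identity check performed after the chain itself verifies: does the
# host we connected to match a SAN entry (or, if no SAN is present, the CN)?
# This is the same stdlib call knife ssl check relies on.
def hostname_matches?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# Mirrors the two outcomes from the post: dialing the IP fails, dialing the
# name in the certificate succeeds.
def check_chef_server_url(cert, url)
  host = URI.parse(url).host
  hostname_matches?(cert, host) ? "ok: #{host} matches the server certificate" :
                                  "ERROR: hostname \"#{host}\" does not match the server certificate"
end

require 'uri'

if $PROGRAM_NAME == __FILE__
  cn_only = build_cert('chef-server')
  puts check_chef_server_url(cn_only, 'https://10.0.1.5')    # fails, as in the post
  puts check_chef_server_url(cn_only, 'https://chef-server') # succeeds after the knife.rb fix

  # The alternative fix knife suggests: reissue the certificate with the IP as a SAN.
  with_ip_san = build_cert('chef-server', sans: ['DNS:chef-server', 'IP:10.0.1.5'])
  puts check_chef_server_url(with_ip_san, 'https://10.0.1.5')
end
```

Note that once a subjectAltName extension is present, OpenSSL ignores the CN entirely, so a reissued certificate must list the DNS name as a SAN too, not just the IP.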

After editing it as above, the bootstrap worked. This is the kind of content that screams "Chef beginner", and I'm a bit embarrassed by it myself...