Question

I am trying to upload some cookbooks to the chef-server. I am using my laptop as a workstation and hosted Chef at opscode.com as the chef-server. Now, when I try to upload cookbooks from my workstation to the chef-server, I get the following error:

ERROR: SSL Validation failure connecting to host: s3-external-1.amazonaws.com - SSL_connect returned=6 errno=0 state=SSLv3 read finished A
ERROR: OpenSSL::SSL::SSLError: SSL_connect returned=6 errno=0 state=SSLv3 read finished A

I am using the cookbooks from rackspace private cloud: http://www.rackspace.com/knowledge_center/article/installing-openstack-with-rackspace-private-cloud-tools

I am using v4.2.1 of cookbooks. Please help me figure out the problem.

Thanks.

Solution

ERROR: SSL Validation failure connecting to host: s3-external-1.amazonaws.com - SSL_connect returned=6 errno=0 state=SSLv3 read finished A
ERROR: OpenSSL::SSL::SSLError: SSL_connect returned=6 errno=0 state=SSLv3 read finished A

Works for me.

Be sure you have and are trusting Class 3 Public Primary Certification Authority. You can get Class 3 Public Primary Certification Authority from Symantec's Licensing and Use of Root Certificates. In particular, fetch Root 3 VeriSign Class 3 Primary CA - G5.

Then, test it with OpenSSL's s_client. The root you downloaded and trusted is PCA-3G5.pem, and you supply it to OpenSSL via the -CAfile option:

$ openssl s_client -CAfile PCA-3G5.pem -connect s3-external-1.amazonaws.com:443
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN = *.s3-external-1.amazonaws.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3-external-1.amazonaws.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
...
    Start Time: 1392896325
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

OTHER TIPS

If you're merely doing a temporary test, you can disable the SSL verification by adding the following two lines to your knife.rb file:

verify_api_cert false
ssl_verify_mode :verify_none

But again, if you're setting up a real server, you should get a real certificate :)

Licensed under: CC-BY-SA with attribution