Berks install fails on Windows with SSL v3 verify error #199
Comments
Can you post the last few lines of your |
It's got the openssl env hack. The timing suggests that it's related to Chef disabling SSL v3 keys because of POODLE. The tail is:
|
ruby-2.0.0-p451 has the patches to support TLSv1.0/1.1/1.2, so if that's the problem it's likely that faraday or ridley are initializing the ssl_context incorrectly. |
with chef-dk on mac berks install/update against supermarket works fine. |
Right, so the obvious things that could be causes (AFAICT) are:
|
So I had ruby-2.0.0-p451 in rvm on my mac, and i installed:
and that works fine as well, so it doesn't immediately smell like it's a ruby-2.0.0-p451 bug that'll be fixed in 2.1.3. the env hack being broken doesn't 'fit' entirely well with the breakage following when we turned off SSLv3, although it does fit the error message. openssl versions is a variable that i didn't control for. ohhhhhhh..... i think i reverted the openssl patch when i was trying to get ruby 2.1.3 building for windows and then i wound up reverting ruby 2.1.3, and if that was before chefdk 0.3.0 that maybe i accidentally reverted openssl to whatever shipped with the ancient rubyinstaller? |
("ancient" being, like last march i think, though...) |
@gdavison what do you get for |
On my Mac:
|
There's no embedded openssl in my chefdk. I have an openssl from msysgit, I think, and it's ancient. |
I updated to the latest msysgit, with a maybe newer-ish openssl. Same error. I'll investigate using the cygwin openssl from msysgit. Oh, the joys of using a non-POSIX platform in a POSIX world. |
What about (in powershell):
That prints 1.0.0n on 0.2.2 |
I've installed the cygwin version |
There is no |
Yeah, so I suspect that's the bug. |
paging @sersut to make sure this gets fixed correctly in future releases. |
Thanks for your help, @lamont-grandquist. |
This is the missing code: https://github.com/opscode/omnibus-software/blob/master/config/software/openssl-windows.rb |
I'm having some PEBCAK issues in rolling my own MSI. Will there be an updated installer on https://downloads.getchef.com/chef-dk/windows/#/ ? |
Working on a 0.3.1 which restores the OpenSSL upgrade in the omnibus packages. Should be ready tomorrow if the build cluster stays stable. |
Awesome! Thanks so much |
Can you try this build? https://s3.amazonaws.com/opscode-omnibus-packages/windows/2008r2/x86_64/chefdk-0.3.1-1.msi Thanks in advance |
No luck. Same error.
There is no openssl installed in either |
I can replicate this in Mac 10.9 with chef-dk 0.3.1, and #205 is probably a dup of this. Problem can be easily recreated with pry using a download url, but the rest of the API works fine:
The download urls seem to get a 302 redirect to s3:
looks like it is something to do with validating amazon's certs. |
It's something to do with the latest ca-cert bundle from http://curl.haxx.se/ca/cacert.pem which breaks s3 urls. i can swap between the chef-11.16.4 version of the cacert bundle and the current one and it changes from broken to fixed and back again. openssl version, chef-client version, etc. are all not a problem; it's not an issue with berks or anything, it happens directly from open-uri calls. |
hitting s3 returns the following trust chain:
That is somewhat problematic because the Verisign Class 3 Public Primary Certificate Authority was dropped from the cert bundle which simply breaks Amazon:
|
This was done to retire 1024-bit keys: https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/ |
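Added example, not part of the original thread or of any project discussed in it: a Ruby sketch of the failure described in the comments above, where a chain anchored in a 1024-bit root stops verifying once that root is dropped from the CA bundle. Every certificate, name and bundle here is constructed inside the script (assumed stand-ins, not the real Verisign or Amazon certificates), and nothing is fetched from the network.

```ruby
require 'openssl'
# Build a constructed certificate; with no issuer it is a self-signed root.
def make_cert(cn, bits, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Split a PEM bundle (cacert.pem style) into certificate objects.
def parse_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |c| OpenSSL::X509::Certificate.new(c) }
end

# Subjects of bundle entries whose RSA modulus is shorter than min_bits.
def weak_roots(pem, min_bits = 2048)
  parse_bundle(pem).select do |c|
    k = c.public_key
    k.is_a?(OpenSSL::PKey::RSA) && k.n.num_bits < min_bits
  end.map { |c| c.subject.to_s }
end

# Verify the leaf against only the roots present in the given bundle.
def verify_with_bundle(pem, leaf)
  store = OpenSSL::X509::Store.new
  parse_bundle(pem).each { |c| store.add_cert(c) }
  [store.verify(leaf), store.error_string]
end

# Constructed stand-ins: a legacy 1024-bit root, a modern root, one leaf.
LEGACY_ROOT, LEGACY_KEY = make_cert('Constructed Legacy Root', 1024, ca: true)
MODERN_ROOT, = make_cert('Constructed Modern Root', 2048, ca: true)
LEAF, = make_cert('storage.example.test', 2048, issuer_cert: LEGACY_ROOT, issuer_key: LEGACY_KEY)
OLD_BUNDLE = LEGACY_ROOT.to_pem + MODERN_ROOT.to_pem # root still present
NEW_BUNDLE = MODERN_ROOT.to_pem                      # 1024-bit root retired
puts "old bundle: #{verify_with_bundle(OLD_BUNDLE, LEAF).inspect}, weak: #{weak_roots(OLD_BUNDLE).inspect}"
puts "new bundle: #{verify_with_bundle(NEW_BUNDLE, LEAF).inspect}"
```

Running `weak_roots` over a bundle before deploying it shows which anchors a 1024-bit cleanup would remove, so dependent endpoints can be checked in advance.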
Cut issue on AWS forums: |
We've built a new release which fixed the issue in my testing, it's available here: http://opscode-omnibus-packages.s3.amazonaws.com/windows/2008r2/x86_64/chefdk-0.3.2-1.msi Please try it out and let me know if it does not solve the issue for you. We plan to update the download pages tomorrow if no issues are found. |
It works! Thanks again. |
I'm having this message with https://opscode-omnibus-packages.s3.amazonaws.com/windows/2008r2/x86_64/chefdk-0.3.5-1.msi
It also throws an openSSL error. |
@obeleh can you file a new issue rather than commenting on a closed one please? SSL in particular is a tricky beast and there can be lots of cases that result in identical-looking errors. Feel free to "@" me on the issue and I'll take a look. Thanks. |
Starting October 15, accessing https://supermarket.getchef.com caused berks install to fail. I was able to resolve it by setting the source to http://api.berkshelf.com. As of October 17, this has been failing as well, as it now redirects to supermarket. The index can still be retrieved from api, but fails on supermarket.
The error only occurs on Windows, using the embedded ruby in chefdk 0.3.0. The error does not occur using OS X.
The error is as follows