Skip to content
This repository has been archived by the owner on Jul 14, 2021. It is now read-only.

Berks install fails on Windows with SSL v3 verify error #199

Closed
gdavison opened this issue Oct 21, 2014 · 32 comments
Closed

Berks install fails on Windows with SSL v3 verify error #199

gdavison opened this issue Oct 21, 2014 · 32 comments
Labels
Platform: Windows Type: Bug Doesn't work as expected.

Comments

@gdavison
Copy link

Starting October 15, accessing https://supermarket.getchef.com caused berks install to fail. I was able to resolve it by setting the source to http://api.berkshelf.com. As of October 17, this has been failing as well as it now redirects to supermarket.

The index can still be retrieved from api, but fails on supermarket.

The error only occurs on Windows, using the embedded ruby in chefdk 0.3.0. The error does not occur using OS X.

The error is as follows

I, [2014-10-20T23:41:42.072366 #6448]  INFO -- : Installing sysctl (0.6.0)
D, [2014-10-20T23:41:42.076367 #6448] DEBUG -- :   Downloading sysctl (0.6.0) from https://supermarket.getchef.com
D, [2014-10-20T23:41:42.077367 #6448] DEBUG -- :     => #<Berkshelf::APIClient::RemoteCookbook:0x8fd07f8 @name="sysctl", @version="0.6.0", @attributes=#<Hashie::Mash dependencies=#<Hashie::Mash ohai=">= 0.0.0"> download_url="https://supermarket.getchef.com/api/v1/cookbooks/sysctl/versions/0.6.0/download" location_path="https://supermarket.getchef.com/api/v1" location_type="opscode">>
Installing sysctl (0.6.0)
E, [2014-10-20T23:41:42.110370 #6448] ERROR -- : Actor crashed!
Faraday::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    c:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:918:in `connect'
    c:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
    c:/opscode/chefdk/embedded/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
    c:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:918:in `connect'
    c:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
    c:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:851:in `start'
    c:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:1367:in `request'
    c:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:1126:in `get'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/adapter/net_http.rb:78:in `perform_request'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/adapter/net_http.rb:39:in `call'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/request/retry.rb:87:in `call'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/ridley-4.0.0/lib/ridley/middleware/follow_redirects.rb:67:in `perform_with_redirection'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/ridley-4.0.0/lib/ridley/middleware/follow_redirects.rb:60:in `call'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/response.rb:8:in `call'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/response.rb:8:in `call'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/rack_builder.rb:139:in `build_response'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/connection.rb:377:in `run_request'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/lib/faraday/connection.rb:140:in `get'
    C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/community_rest.rb:116:in `find'
    C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/community_rest.rb:101:in `download'
    C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/downloader.rb:53:in `try_download'
    C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/downloader.rb:33:in `block in download'
    C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/downloader.rb:32:in `each'
    C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/downloader.rb:32:in `download'
    C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/installer.rb:105:in `install'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/calls.rb:26:in `public_send'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/calls.rb:26:in `dispatch'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/calls.rb:63:in `dispatch'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/cell.rb:60:in `block in invoke'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/cell.rb:71:in `block in task'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:357:in `block in task'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/tasks.rb:57:in `block in initialize'
    c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/tasks/task_fiber.rb:15:in `block in create'
@gdavison gdavison mentioned this issue Oct 21, 2014
Closed
@danielsdeleo
Copy link
Contributor

Can you post the last few lines of your openssl.rb file? You can find it with gem which openssl (in a unix-y shell, tail $(gem which openssl) would work).

@gdavison
Copy link
Author

It's got the openssl env hack. The timing suggests that it's related to Chef disabling SSL v3 keys because of POODLE.

The tail is:

require 'openssl.so'

require 'openssl/bn'
require 'openssl/cipher'
require 'openssl/config'
require 'openssl/digest'
require 'openssl/x509'
require 'openssl/ssl'

require 'ssl_env_hack'

@lamont-granquist
Copy link
Contributor

ruby-2.0.0-p451has the patches to support TLSv1.0/1.1/1.2 so if that's the problem its likely that faraday or ridley are initializing the ssl_context incorrectly.

@lamont-granquist
Copy link
Contributor

with chef-dk on mac berks install/update against supermarket works fine.

@danielsdeleo
Copy link
Contributor

Right, so the obvious things that could be causes (AFAICT) are:

  • the ssl env hack is broken (possibly only for some users based on environment)
  • Ruby 2.0 (windows) vs. 2.1 (mac)
  • OpenSSL version differences between mac/windows

@lamont-granquist
Copy link
Contributor

So I had ruby-2.0.0-p451 in rvm on my mac, and i installed:

gem install faraday -v 0.9.0
gem install ridley -v 4.0.0
gem install celluloid -v 0.16.0
gem install berkshelf -v 3.1.5

and that works fine as well, so it doesn't immediately smell like its a ruby-2.0.0-p451 bug that'll be fixed in 2.1.3

the env hack being broken doesn't 'fit' entirely well with the breakage following when we turned off SSLv3 although it does fit the error message.

openssl versions is a variable that i didn't control for.

ohhhhhhh..... i think i reverted the openssl patch when i was trying to get ruby 2.1.3 building for windows and then i wound up reverting ruby 2.1.3 and if that was before chefdk 0.3.0 that maybe i accidentally reverted openssl to whatever shipped with the ancient rubyinstaller?

@lamont-granquist
Copy link
Contributor

("ancient" being, like last march i think, though...)

@lamont-granquist
Copy link
Contributor

@gdavison what do you get for C:\opt\chefdk\embedded\bin\openssl version ?

@lamont-granquist
Copy link
Contributor

On my Mac:

% /opt/chefdk/embedded/bin/openssl version
OpenSSL 1.0.1i 6 Aug 2014

@gdavison
Copy link
Author

There's no embedded openssl in my chefdk. I have an openssl from msysgit, I think, and it's ancient.
OpenSSL 0.9.8e 23 Feb 2007

@gdavison
Copy link
Author

I updated to the latest msysgit, with a maybe newer-ish openssl OpenSSL 0.9.8zb 6 Aug 2014

Same error. I'll investigate using the cygwin openssl from msysgit.

Oh, the joys of using a non-POSIX platform in a POSIX world.

@lamont-granquist
Copy link
Contributor

What about (in powershell):

(Get-Item C:\opscode\chefdk\embedded\bin\ssleay32.dll).VersionInfo

That prints 1.0.0n on 0.2.2

@gdavison
Copy link
Author

I've installed the cygwin version OpenSSL 1.0.1j 15 Oct 2014 and tried using it: no change. I'll try powershell

@gdavison
Copy link
Author

There is no ssleay32.dll in C:\opscode\chef\embedded\bin in chefdk 0.3.0

@lamont-granquist
Copy link
Contributor

Yeah, so I suspect that's the bug.

lamont-granquist referenced this issue in chef-boneyard/omnibus-chef Oct 22, 2014
@lamont-granquist
ruby 2.1.3 inc windows, plus bundle update
79e4daf
@lamont-granquist
Copy link
Contributor

paging @sersut to make sure this gets fixed correctly in future releases.

@gdavison
Copy link
Author

Thanks for your help, @lamont-grandquist.
In the meantime, where should I grab code from to patch it on my machine?

@lamont-granquist
Copy link
Contributor

This is the missing code:

https://github.com/opscode/omnibus-software/blob/master/config/software/openssl-windows.rb

@sersut sersut modified the milestone: 0.3.0 Oct 22, 2014
@gdavison
Copy link
Author

I'm having some PEBCAK issues in rolling my own MSI. Will there be an updated installer on https://downloads.getchef.com/chef-dk/windows/#/ ?

@danielsdeleo
Copy link
Contributor

Working on a 0.3.1 which restores the OpenSSL upgrade in the omnibus packages. Should be ready tomorrow if the build cluster stays stable.

@gdavison
Copy link
Author

Awesome! Thanks so much

@danielsdeleo
Copy link
Contributor

Can you try this build? https://s3.amazonaws.com/opscode-omnibus-packages/windows/2008r2/x86_64/chefdk-0.3.1-1.msi

Thanks in advance

@gdavison
Copy link
Author

No luck. Same error.

D, [2014-10-24T12:29:55.130951 #5980] DEBUG -- :     => #<Berkshelf::APIClient::RemoteCookbook:0x8ec
a040 @name="sysctl", @version="0.6.0", @attributes=#<Hashie::Mash dependencies=#<Hashie::Mash ohai="
>= 0.0.0"> download_url="https://supermarket.getchef.com/api/v1/cookbooks/sysctl/versions/0.6.0/down
load" location_path="https://supermarket.getchef.com/api/v1" location_type="opscode">>
Installing sysctl (0.6.0)
D, [2014-10-24T12:29:55.224957 #5980] DEBUG -- : ==> parsing Chef response body as JSON
D, [2014-10-24T12:29:55.235957 #5980] DEBUG -- : ==> parsing Chef response body as JSON
E, [2014-10-24T12:29:55.439969 #5980] ERROR -- : Actor crashed!
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certif
icate verify failed
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:918:in `connect'
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:918:in `connect'
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:851:in `start'
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/open-uri.rb:313:in `open_http'
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/open-uri.rb:709:in `buffer_open'
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/open-uri.rb:210:in `block in open_loop'
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/open-uri.rb:208:in `catch'
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/open-uri.rb:208:in `open_loop'
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/open-uri.rb:149:in `open_uri'
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/open-uri.rb:689:in `open'
        c:/opscode/chefdk/embedded/lib/ruby/2.0.0/open-uri.rb:34:in `open'
        C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/community_rest.rb:183:in `block in s
tream'
        c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/retryable-1.3.6/lib/retryable.rb:17:in `
retryable'
        C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/community_rest.rb:182:in `stream'
        C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/community_rest.rb:101:in `download'
        C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/downloader.rb:53:in `try_download'
        C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/downloader.rb:33:in `block in downlo
ad'
        C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/downloader.rb:32:in `each'
        C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/downloader.rb:32:in `download'
        C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/installer.rb:105:in `install'
        c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/calls.rb:
26:in `public_send'
        c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/calls.rb:
26:in `dispatch'
        c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/calls.rb:
63:in `dispatch'
        c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/cell.rb:6
0:in `block in invoke'
        c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/cell.rb:7
1:in `block in task'
        c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/actor.rb:
357:in `block in task'
        c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/tasks.rb:
57:in `block in initialize'
        c:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/celluloid-0.16.0/lib/celluloid/tasks/tas
k_fiber.rb:15:in `block in create'

(Get-Item C:\opscode\chefdk\embedded\bin\ssleay32.dll).VersionInfo returns 1.0.0n

There is no openssl installed in either C:\opscode\chefdk\embedded\bin or C:\opscode\chefdk\bin

@lamont-granquist
Copy link
Contributor

I can replicate this in Mac 10.9 with chef-dk 0.3.1, and #205 is probably a dup of this.

Problem can be easily recreated with pry using a download url, but the rest of the API works fine:

[18] pry(main)> open("https://supermarket.getchef.com/api/v1/cookbooks/build-essential/versions/2.1.2/download").read
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
from /opt/chefdk/embedded/lib/ruby/2.1.0/net/http.rb:920:in `connect'
[19] pry(main)> open("https://supermarket.getchef.com/api/v1/cookbooks/build-essential/versions/2.1.2/").read
=> "{\"license\":\"Apache 2.0\",\"tarball_file_size\":41001,\"version\":\"2.1.2\",\"average_rating\":null,\"cookbook\":\"https://supermarket.getchef.com/api/v1/cookbooks/build-essential\",\"file\":\"https://supermarket.getchef.com/api/v1/cookbooks/build-essential/versions/2.1.2/download\",\"dependencies\":{}}"

The download urls seem to get a 302 redirect to s3:

% wget -v https://supermarket.getchef.com/api/v1/cookbooks/build-essential/versions/2.1.2/download
--2014-10-27 11:07:27--  https://supermarket.getchef.com/api/v1/cookbooks/build-essential/versions/2.1.2/download
Resolving supermarket.getchef.com... 54.201.12.116, 54.201.170.234, 54.200.67.106
Connecting to supermarket.getchef.com|54.201.12.116|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://s3.amazonaws.com/community-files.opscode.com/cookbook_versions/tarballs/8367/original/build-essential.tgz?1413482673 [following]
--2014-10-27 11:07:27--  https://s3.amazonaws.com/community-files.opscode.com/cookbook_versions/tarballs/8367/original/build-essential.tgz?1413482673
Resolving s3.amazonaws.com... 54.231.244.0
Connecting to s3.amazonaws.com|54.231.244.0|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 41001 (40K) [application/octet-stream]
Saving to: 'download'

100%[======================================>] 41,001      --.-K/s   in 0.07s

2014-10-27 11:07:28 (608 KB/s) - 'download' saved [41001/41001]

looks like it is something to do with validating amazon's certs.

@lamont-granquist
Copy link
Contributor

Its something to do with the latest ca-cert bundle from

http://curl.haxx.se/ca/cacert.pem

which breaks s3 urls.

i can swap between the chef-11.16.4 version of the cacert bundle and the current one and it changes from broken to fixed and back again. openssl version, chef-client version, etc all not a problem, not an issue with berks or anything, happens directly from open-uri calls.

@lamont-granquist
Copy link
Contributor

hitting s3 returns the following trust chain:

# openssl s_client -connect s3.amazonaws.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=s3.amazonaws.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

That is somewhat problematic because the Verisign Class 3 Public Primary Certificate Authority was dropped from the cert bundle which simply breaks Amazon:

--- cacert.pem.saved    2014-10-07 15:31:55.000000000 -0700
+++ cacert.pem  2014-10-27 11:19:44.000000000 -0700
@@ -1,18 +1,21 @@
 ##
-## ca-bundle.crt -- Bundle of CA Root Certificates
+## Bundle of CA Root Certificates
 ##
-## Certificate data from Mozilla as of: Tue Jul 15 08:33:20 2014
+## Certificate data from Mozilla downloaded on: Wed Sep  3 03:12:03 2014
 ##
 ## This is a bundle of X.509 certificates of public Certificate Authorities
 ## (CA). These were automatically extracted from Mozilla's root certificates
 ## file (certdata.txt).  This file can be found in the mozilla source tree:
-## http://mxr.mozilla.org/mozilla-release/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
+## http://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
 ##
 ## It contains the certificates in PEM format and therefore
 ## can be directly used with curl / libcurl / php_curl, or with
 ## an Apache+mod_ssl webserver for SSL client authentication.
 ## Just configure this file as the SSLCACertificateFile.
 ##
+## Conversion done with mk-ca-bundle.pl verison 1.22.
+## SHA1: c4540021427a6fa29e5f50db9f12d48c97d33889
+##


 GTE CyberTrust Global Root
@@ -90,22 +93,6 @@
 70+sB3c4
 -----END CERTIFICATE-----

-Verisign Class 3 Public Primary Certification Authority
-=======================================================
------BEGIN CERTIFICATE-----
-MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMx
-FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5
-IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVow
-XzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAz
-IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhEBarsAx94
-f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/isI19wKTakyYbnsZogy1Ol
-hec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0GCSqGSIb3DQEBAgUAA4GBALtMEivPLCYA
-TxQT3ab7/AoRhIzzKBxnki98tsX63/Dolbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59Ah
-WM1pF+NEHJwZRDmJXNycAA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2Omuf
-Tqj/ZA1k
------END CERTIFICATE-----
-
 Verisign Class 3 Public Primary Certification Authority - G2
 ============================================================
 -----BEGIN CERTIFICATE-----

@lamont-granquist
Copy link
Contributor

This was done to retire 1024-bit keys:

https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/

@lamont-granquist
Copy link
Contributor

Cut issue on AWS forums:

https://forums.aws.amazon.com/thread.jspa?threadID=164095

@danielsdeleo danielsdeleo mentioned this issue Oct 29, 2014
Closed
@danielsdeleo
Copy link
Contributor

We've built a new release which fixed the issue in my testing, it's available here: http://opscode-omnibus-packages.s3.amazonaws.com/windows/2008r2/x86_64/chefdk-0.3.2-1.msi Please try it out and let me know if it does not solve the issue for you. We plan to update the download pages tomorrow if no issues are found.

@gdavison
Copy link
Author

It works! Thanks again.

@obeleh
Copy link

obeleh commented Dec 17, 2014

I'm having this message with https://opscode-omnibus-packages.s3.amazonaws.com/windows/2008r2/x86_64/chefdk-0.3.5-1.msi

The following berks command failed to execute:

    C:\opscode\chefdk\bin/berks.BAT vendor C:/cygwin/home/Sjuul/.berkshelf/vagra                             nt-berkshelf/shelves/berkshelf20141217-6400-1651p90-default --berksfile C:/users                             /sjuul/workspace/vagrant-singularity/standalone/Berksfile

The stdout and stderr are shown below:

    stdout: DEPRECATED: Your Berksfile contains a site location pointing to the                              Opscode Community Site (site :opscode). Site locations have been replaced by the                              source location. Change this to: 'source "https://supermarket.getchef.com"' to                              remove this warning. For more information visit https://github.com/berkshelf/ber                             kshelf/wiki/deprecated-locations
Resolving cookbook dependencies...
Fetching 'ark' from git://github.com/eanrollings/ark.git (at master)
Fetching 'maven' from git://github.com/opscode-cookbooks/maven.git (at master)
Fetching 'mesos' from git://github.com/eliast/cookbook-mesos.git (at master)
Fetching 'singularity' from git://github.com/eliast/cookbook-singularity.git (at                              master)
Fetching cookbook index from https://supermarket.getchef.com...

    stderr: C:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:918:in `connec                             t': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certif                             icate verify failed (Faraday::SSLError)
        from C:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:918:in `block                              in connect'
        from C:/opscode/chefdk/embedded/lib/ruby/2.0.0/timeout.rb:66:in `timeout                             '
        from C:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:918:in `conne                             ct'
        from C:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:862:in `do_st                             art'
        from C:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:851:in `start                             '
        from C:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:1367:in `requ                             est'
        from C:/opscode/chefdk/embedded/lib/ruby/2.0.0/net/http.rb:1126:in `get'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/l                             ib/faraday/adapter/net_http.rb:78:in `perform_request'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/l                             ib/faraday/adapter/net_http.rb:39:in `call'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/l                             ib/faraday/request/retry.rb:87:in `call'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/l                             ib/faraday/response.rb:8:in `call'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/l                             ib/faraday/response.rb:8:in `call'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/l                             ib/faraday/rack_builder.rb:139:in `build_response'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/l                             ib/faraday/connection.rb:377:in `run_request'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/faraday-0.9.0/l                             ib/faraday/connection.rb:140:in `get'
        from C:/opscode/chefdk/embedded/lib/ruby/gems/2.0.0/gems/berkshelf-api-c                             lient-1.2.0/lib/berkshelf/api_client/connection.rb:62:in `universe'
        from C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/source.rb:2                             2:in `build_universe'
        from C:/opscode/chefdk/embedded/apps/berkshelf/lib/berkshelf/installer.r                             b:21:in `block (2 levels) in build_universe'

It also throws an openSSL error.
I have openssl 1.0h 32 bit
After installing openssl 1.0j 64 bit still got the same error

@danielsdeleo
Copy link
Contributor

@obeleh can you file a new issue rather than commenting on a closed one please? SSL in particular is a tricky beast and there can be lots of cases that result in identical-looking errors. Feel free to "@" me on the issue and I'll take a look.

Thanks.

@chef-boneyard chef-boneyard locked and limited conversation to collaborators Dec 17, 2014
tknerr added a commit to tknerr/sample-toplevel-cookbook that referenced this issue Dec 30, 2014
@tknerr
use older version of cacert bundle which still supports the 1024-bit …
15415c8 
…keys (see chef-boneyard/chef-dk#199)
schisamo added a commit to chef-boneyard/omnibus that referenced this issue Jun 1, 2015
@schisamo
Use a cacerts bundle that works with the S3 root cert
9f3bf6a 
See the following for more info:

chef-boneyard/chef-dk#199
https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/
https://forums.aws.amazon.com/thread.jspa?threadID=164095
chef-boneyard/omnibus-supermarket@8919702
@thommay thommay added Type: Bug Doesn't work as expected. and removed Bug labels Feb 1, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Platform: Windows Type: Bug Doesn't work as expected.
Milestone
No milestone
Development

No branches or pull requests
7 participants
@thommay @danielsdeleo @obeleh @lamont-granquist @tas50 @gdavison @sersut