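SSL Validation failure connecting to host

Time: 2014-02-20 10:01:07

Tags: ssl amazon-web-services openssl chef rackspace

I am trying to upload some cookbooks to a Chef server. I am using my laptop as the workstation and hosted Chef at opscode.com as the Chef server. Now, when I try to upload a cookbook from my workstation to the chef-server, I get the following error:

ERROR: SSL Validation failure connecting to host: s3-external-1.amazonaws.com - SSL_connect returned=6 errno=0 state=SSLv3 read finished A
ERROR: OpenSSL::SSL::SSLError: SSL_connect returned=6 errno=0 state=SSLv3 read finished A

I am using the cookbooks from Rackspace Private Cloud: http://www.rackspace.com/knowledge_center/article/installing-openstack-with-rackspace-private-cloud-tools

I am using v4.2.1 of the cookbooks. Please help me figure out what the problem is.

Thanks.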

2 answers:

Answer 0: (score: 6)

ERROR: SSL Validation failure connecting to host: s3-external-1.amazonaws.com - SSL_connect returned=6 errno=0 state=SSLv3 read finished A
ERROR: OpenSSL::SSL::SSLError: SSL_connect returned=6 errno=0 state=SSLv3 read finished A

Works for me.

Make sure you have and trust the Class 3 Public Primary Certification Authority. You can get the Class 3 Public Primary Certification Authority from Symantec's Licensing and Use of Root Certificates. In particular, grab Root 3 VeriSign Class 3 Primary CA - G5.

Then, test with OpenSSL's s_client. The root you downloaded and trust is PCA-3G5.pem, and you can provide it to OpenSSL through the -CAfile option:

$ openssl s_client -CAfile PCA-3G5.pem -connect s3-external-1.amazonaws.com:443
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN = *.s3-external-1.amazonaws.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3-external-1.amazonaws.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
...
    Start Time: 1392896325
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
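
Added example (not part of the original answer): a Ruby sketch using the same OpenSSL bindings that raised the OpenSSL::SSL::SSLError above, showing that chain verification fails until the root is in the trust store and passes once it is. The certificates, subject names and the helpers `make_cert`, `build_demo_chain` and `verify_chain` are constructed for illustration.

```ruby
require "openssl"

# Build a certificate for `subject`. Self-signed unless an issuer is given.
# Added illustration: every name and key here is constructed, not from the page.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Root CA -> issuing CA -> wildcard server certificate: a simplified
# version of the chain shown in the s_client output.
def build_demo_chain
  root_key, inter_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert("/CN=Constructed Root CA", root_key, ca: true)
  inter = make_cert("/CN=Constructed Issuing CA", inter_key,
                    issuer_cert: root, issuer_key: root_key, ca: true)
  leaf = make_cert("/CN=*.storage.example.test", leaf_key,
                   issuer_cert: inter, issuer_key: inter_key)
  [root, inter, leaf]
end

# Verify `leaf` using the intermediates the server sent and only the roots in
# `trusted` (the role -CAfile plays for s_client). Returns [ok, error string].
def verify_chain(leaf, sent_by_server, trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, sent_by_server)
  [ok, store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  root, inter, leaf = build_demo_chain
  p verify_chain(leaf, [inter], [])     # root missing from trust store: fails
  p verify_chain(leaf, [inter], [root]) # root trusted: passes
  p verify_chain(leaf, [], [root])      # server omits the intermediate: fails
end
```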

Answer 1: (score: 6)

If you are just doing temporary testing, you can disable SSL verification by adding the following two lines to your knife.rb file:

verify_api_cert false
ssl_verify_mode :verify_none

However, if you are building a real server, you should get a real certificate :)