我的厨师服务器是COMPUTE1(大写字母),工作站是COMPUTE2(大写字母),我正在尝试将菜谱上传到服务器。
user@COMPUTE2:~/chef-repo$ sudo knife cookbook upload sudo
Uploading sudo [0.1.0]
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Error connecting to https://compute1/bookshelf/organization-f6706bb676a02d03bc421056986ae96b/checksum-ad104e789f71ad37eed05e4122a4540f?AWSAccessKeyId=548e088de808a684f5e37f97cd23914214c30bf8&Expires=1463546366&Signature=OqudLFc%2BDjjL5jllpCvSdchuLeU%3D, retry 1/5
--------------------------
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: SSL Validation failure connecting to host: compute1 - hostname "compute1" does not match the server certificate
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
`knife ssl fetch` to make knife trust the server's certificates.
Original Exception: OpenSSL::SSL::SSLError: SSL Error connecting to https://compute1/bookshelf/organization-f6706bb676a02d03bc421056986ae96b/checksum-1752f5088b4e1ab5a1a872bb87049ae1?AWSAccessKeyId=548e088de808a684f5e37f97cd23914214c30bf8&Expires=1463546371&Signature=IA2GQ%2BfNcc6nm6DCRI/L0NxtkP0%3D - hostname "compute1" does not match the server certificate
user@COMPUTE2:~/chef-repo$
我尝试了刀ssl检查,它返回一切正常。
user@COMPUTE2:~/chef-repo$ sudo knife ssl check
Connecting to host COMPUTE1:443
Successfully verified certificates from `COMPUTE1'
user@COMPUTE2:~/chef-repo$
刀ssl fetch工作正常
user@COMPUTE2:~/chef-repo$ sudo knife ssl fetch
WARNING: Certificates from COMPUTE1 will be fetched and placed in your trusted_cert
directory (/home/user/chef-repo/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
Adding certificate for COMPUTE1 in /home/user/chef-repo/.chef/trusted_certs/COMPUTE1.crt
user@COMPUTE2:~/chef-repo$
我的主机名是大写字母。这就是为什么这不起作用的原因?由于某些限制,我无法更改主机名。请有人帮忙。
谢谢,
答案 0 :(得分:4)
可能有点迟,但我希望它能帮助别人。
在knife.rb中添加以下条目:
ssl_verify_mode:verify_none
这可以暂时解决问题,但永久的解决方案是从厨师服务器下载证书。
要下载证书,请将以下行添加到knife.rb文件中。
trusted_certs_dir“#{current_dir} / trusted_certs”
添加条目后运行以下命令:
knife ssl fetch(这从chef服务器获取证书并保存在trusted_certs目录下)
验证* .cert文件已存在并运行以下命令。
knife ssl check(此命令验证已从chef-server下载的证书)
然后,您可以运行“刀节点列表”来验证ssl证书问题是否已经消失。
答案 1 :(得分:2)
您需要使用此设置在knife.rb文件中启用ssl验证。只需在knife.rb文件中添加以下行:
ssl_verify_mode :verify_none
答案 2 :(得分:1)
问题:我创建了一个隧道,并尝试将食谱上传到我的厨师服务器,但遇到错误无法建立连接-ERROR: SSL Validation failure connecting to host... certificate verify failed (self signed certificate). 似乎自签名证书不受信任。
以下错误提示解决方案:
ERROR: Could not establish a secure connection to the server.
Use `knife ssl check` to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
knife ssl fetch to make knife trust the server's certificates.
解决方案:
knife ssl fetch
答案 3 :(得分:0)
请记住,证书属于<hostname of the chef infra server>。因此,请确保在config.rb文件中为Chef_server_url分配了一个值,例如Chef_server_url'https://<hostname of the chef infra server>/organizations/<short_name>'
这显然也意味着它必须是FQDN或/ etc / hosts文件中具有条目的IP。
答案 4 :(得分:-1)
This article解释了安装Chef服务器的先决条件。必须使用IP和FQDN。不要使用大写主机名。在那之后:
sudo chef-server-reconfigure
sudo cp /var/opt/opscode/nginx/ca/hostxyz009.crt /home/ec2-user/.chef/trusted_certs
chmod 0644 /home/ec2-user/.chef/trusted_certs/hostxyz009.crt
ls -l /home/ec2-user/.chef/trusted_certs/
knife ssl check
上面的代码假设您的用户是ec2-user(Amazon Linux),而且刀和ec2用户都在Chef服务器中。在该示例中,主机名是hostxyz009,但FQDN可以是hostxyz009.example.com