
Command I ran:

knife bootstrap 10.x.x.x-x ec2-x-i xx.pem --sudo -r "role[x]"

Error:

[2014-12-31T12:07:53+00:00] ERROR: Connection refused connecting to https://chefserver.dsh.com/organizations/digital/clients, retry 1/5

Logs show this:

Chef encountered an error attempting to create the client "ip-10-x-x-x.ec2.internal"

Things I have tried so far:

  • Edited my knife.rb
  • chef_server_url from FQDN of Chef Server to IP address

Now I am getting a different error:

Original Exception: OpenSSL::SSL::SSLError: hostname "10.x.x.x" does not match the server certificate
StephenKing
user60679

3 Answers


The host name in the SSL certificate is not matching the IP address that you are using.

Is chefserver.dsh.com resolving to the IP address of the instance?

You have to either use the host name (and still ignore the self-signed certificate) or completely disable SSL certificate validation. This and this could help.

StephenKing
  • Please tell me how to update certificates on chef server to use my ipAddress – user60679 Jan 02 '15 at 05:21
  • command: $ knife ssl check. Output: Connecting to host chefserver.dsh.com:443 Successfully verified certificates from `chefserver.dsh.com' >>>>> But I want the certificates to point to myIP – user60679 Jan 02 '15 at 05:40
  • Afaik SSL certificates can't use IP addresses, but only hostnames. – StephenKing Jan 02 '15 at 09:59
  • Okay, it seems like it is [possible to use IP addresses as common name for SSL certificates](http://stackoverflow.com/questions/2043617/is-it-possible-to-have-ssl-certificate-for-ip-address-not-domain-name). – StephenKing Jan 02 '15 at 13:33
  • [Here](http://docs.chef.io/server/server_security.html) is how to replace the Chef Server's SSL certificates. – StephenKing Jan 02 '15 at 13:34
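The mismatch described in this answer and its comments, reproduced offline as an added example (this is not code from the thread, from Chef or from knife). It builds two throwaway self-signed certificates with Ruby's openssl library and runs OpenSSL::SSL.verify_certificate_identity, the identity check that Ruby's SSLSocket#post_connection_check applies, against the host part of a chef_server_url: a DNS-only certificate fails for an IP literal exactly as the question's error shows, a certificate carrying an IP Address SAN passes for it, and the verified name is whatever host appears in the URL, not the address it resolves to. The server name chefserver.dsh.com is the one from the question; the 10.0.0.5 address and the helper names (build_cert, verified_name_for, identity_ok?) are made up for the example.

```ruby
require 'openssl'
require 'uri'

# Constructed for this example: one throwaway key signs every test certificate.
KEY = OpenSSL::PKey::RSA.new(2048)

# Build a minimal self-signed certificate with the given CN and a list of SAN
# entries such as ["DNS:chefserver.dsh.com", "IP:10.0.0.5"]. An empty list
# yields a legacy CN-only certificate (no subjectAltName extension at all).
def build_cert(common_name, sans)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = KEY.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', sans.join(','), false)) unless sans.empty?
  cert.sign(KEY, OpenSSL::Digest.new('SHA256'))
end

# The name TLS verification compares against the certificate is the host part
# of chef_server_url, regardless of what that name later resolves to (DNS or an
# /etc/hosts entry). The resolved address itself is never checked.
def verified_name_for(chef_server_url)
  host = URI.parse(chef_server_url).host
  raise ArgumentError, "no host in #{chef_server_url}" if host.nil?
  host
end

# Same check SSLSocket#post_connection_check performs: DNS names are matched
# case-insensitively against dNSName SANs, IP literals only against iPAddress
# SANs, and the CN is consulted only when the certificate has no SAN extension.
# A false result is what surfaces as 'hostname "..." does not match the server
# certificate' in the question.
def identity_ok?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

DNS_ONLY_CERT = build_cert('chefserver.dsh.com', ['DNS:chefserver.dsh.com'])
IP_SAN_CERT   = build_cert('chefserver.dsh.com', ['DNS:chefserver.dsh.com', 'IP:10.0.0.5'])

if __FILE__ == $PROGRAM_NAME
  ['https://chefserver.dsh.com/organizations/digital',
   'https://10.0.0.5:443/organizations/digital'].each do |url|
    host = verified_name_for(url)
    { 'DNS-only cert' => DNS_ONLY_CERT, 'cert with IP SAN' => IP_SAN_CERT }.each do |label, cert|
      puts format('%-45s vs %-17s %s', url, label, identity_ok?(cert, host) ? 'OK' : 'MISMATCH')
    end
  end
end
```

Running it shows the two sides of the thread: pointing chef_server_url at the bare IP only works once the server certificate carries that address as an IP Address SAN (the reconfigure route), while keeping a hostname in the URL and steering its resolution locally leaves the existing certificate valid (the hosts-file route).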

On Chef Server:

  • I have changed my hostname from chefserver.dsh.com to https://IPAddress
  • $sudo chef-server-ctl reconfigure

On Chef WorkStation:

  • Edit the knife.rb on workstation @chef_server_url to https://IPAddress:443/organizations/name
  • $sudo knife ssl fetch
user60679

I found the below steps extremely useful at multiple instances on AWS when I faced the same error. With these steps you don't have to reconfigure your server based off the IP address.

On AWS sometimes you might see something like ip-10-x-x-x as the public hostname without the ec2.internal part (from the metadata endpoint). In that case all you need to do is, on your workstation, add the entry

ipaddress ip-10-x-x-x

to your local /etc/hosts.

This would allow a DNS call to https://ip-10-x-x-x/organizations (your chef server url) to get routed to that IP address (in case your direct DNS routing is not working) and allow the SSL handshake to take place, allowing knife to work from local without reconfiguring your chef server using the IP address.

seahorse