
I'm using Chef for Jenkins slaves and chef-client execution is failing on the apt_repository resource. I'm using the java cookbook from the marketplace, version 3.1.2. Chef-client version: 12.17.44

OS: Ubuntu 16.04

See below error from chef-client execution.

Recipe: java::openjdk
* apt_repository[openjdk-r-ppa] action add[2021-10-08T12:18:20-07:00] ERROR: SSL Validation failure connecting to host: launchpad.net - SSL_connect returned=1 errno=0 state=error: certificate verify failed


           ================================================================================
           Error executing action `add` on resource 'apt_repository[openjdk-r-ppa]'
           ================================================================================

           OpenSSL::SSL::SSLError
           ----------------------
           SSL Error connecting to https://launchpad.net/api/1.0/~openjdk-r/+archive/ppa/signing_key_fingerprint - SSL_connect returned=1 errno=0 state=error: certificate verify failed

           Resource Declaration:
           ---------------------
           # In /tmp/kitchen/cache/cookbooks/java/recipes/openjdk.rb

            46:   apt_repository 'openjdk-r-ppa' do
            47:     uri 'ppa:openjdk-r'
            48:     distribution node['lsb']['codename']
            49:   end
            50: end

           Compiled Resource:
           ------------------
           # Declared in /tmp/kitchen/cache/cookbooks/java/recipes/openjdk.rb:46:in `from_file'

           apt_repository("openjdk-r-ppa") do
             action [:add]
             retries 0
             retry_delay 2
             default_guard_interpreter :default
             declared_type :apt_repository
             cookbook_name "java"
             recipe_name "openjdk"
             uri "ppa:openjdk-r"
             distribution "xenial"
           end

           Platform:
           ---------
           x86_64-linux


       Running handlers:
       [2021-10-08T12:18:20-07:00] ERROR: Running exception handlers
       Running handlers complete
       [2021-10-08T12:18:20-07:00] ERROR: Exception handlers complete
       Chef Client failed. 17 resources updated in 27 seconds
       [2021-10-08T12:18:20-07:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2021-10-08T12:18:20-07:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2021-10-08T12:18:20-07:00] ERROR: apt_repository[openjdk-r-ppa] (java::openjdk line 46) had an error: OpenSSL::SSL::SSLError: SSL Error connecting to https://launchpad.net/api/1.0/~openjdk-r/+archive/ppa/signing_key_fingerprint - SSL_connect returned=1 errno=0 state=error: certificate verify failed
       [2021-10-08T12:18:21-07:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
Garry
  • hi, perhaps this might be of interest https://discourse.chef.io/t/openssl-ssl-sslerror-certificate-verify-failed/8921/10 – jspcal Oct 08 '21 at 19:32
  • (1) Try `openssl s_client -connect launchpad.net:443` and see if `Verify return code` is more specifically `unable to get local issuer` (2) check version of package ca-certificates and/or check /etc/ssl/certs to make sure ISRG_Root_X1.pem is present – dave_thompson_085 Oct 08 '21 at 20:01
  • @dave_thompson_085 Return code is 0 with `openssl s_client -connect launchpad.net:443` and I do have ISRG_Root_X1.pem present under /etc/ssl/certs – Garry Oct 08 '21 at 20:11
  • This [question and answer](https://stackoverflow.com/questions/69438264/chef-apt-repository-started-failing-with-ssl-verification-errors) might be related. – seshadri_c Oct 09 '21 at 04:20
  • The answer linked by @seshadri_c says chef uses its own truststore, not the standard one I pointed you to, so that explains the difference. I had already found https://docs.chef.io/chef_client_security/#ssl-certificates which basically agrees. So that chef store is where you need to fix. launchpad.net uses the alternate chain without the DST bridge, so you shouldn't actually need to remove DST for this case, but you may need to for others so you might as well do it now. You do need to add ISRG. – dave_thompson_085 Oct 09 '21 at 08:47
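The comments above come down to one point: the omnibus chef-client verifies TLS against its own embedded CA bundle, not against /etc/ssl/certs, which is why `openssl s_client` (system store) succeeds on the same node while chef-client fails. The script below is an added example and is not code from Chef, the java cookbook or the poster. It audits a PEM bundle for a wanted root (ISRG Root X1) and for certificates that have already expired (DST Root CA X3 expired on 2021-09-30), produces a repaired bundle, and verifies a leaf against the bundle the same way chef-client's HTTP client does, so the "certificate verify failed" condition can be reproduced and confirmed fixed. The bundle path /opt/chef/embedded/ssl/certs/cacert.pem and the embedded ruby path are assumptions based on the omnibus layout; the test CA generated by `make_test_pair` is constructed data used only to demonstrate the failure offline. Back up the bundle before writing to it (the script does this when passed `--write`).

```ruby
#!/opt/chef/embedded/bin/ruby
# Added example (not Chef's code): audit and repair a PEM CA bundle such as
# the omnibus client's embedded trust store. Paths below are assumptions based
# on the omnibus layout; confirm them on your node before writing anything.
require 'openssl'

CHEF_BUNDLE = '/opt/chef/embedded/ssl/certs/cacert.pem'  # assumed omnibus path
SYSTEM_ISRG = '/etc/ssl/certs/ISRG_Root_X1.pem'           # present per the question

# Split a PEM bundle into certificate objects (non-certificate blocks ignored).
def load_bundle(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Subject Common Name, e.g. "ISRG Root X1" or "DST Root CA X3".
def common_name(cert)
  entry = cert.subject.to_a.find { |e| e[0] == 'CN' }
  entry && entry[1]
end

# Which wanted roots are missing, and which certs are already expired at `now`.
def audit_bundle(pem_text, wanted_cns, now = Time.now)
  certs = load_bundle(pem_text)
  names = certs.map { |c| common_name(c) }
  { count: certs.size,
    missing: wanted_cns - names,
    expired: certs.select { |c| c.not_after < now }.map { |c| common_name(c) } }
end

# New bundle text: expired certs dropped, `extra_pems` appended unless a cert
# with the same CN is already present. Pure function; the caller writes it out.
def repair_bundle(pem_text, extra_pems, now = Time.now)
  certs = load_bundle(pem_text).reject { |c| c.not_after < now }
  names = certs.map { |c| common_name(c) }
  extra_pems.flat_map { |pem| load_bundle(pem) }.each do |c|
    next if names.include?(common_name(c))
    certs << c
    names << common_name(c)
  end
  certs.map(&:to_pem).join
end

# Verify a leaf against this bundle only, as chef-client's HTTP client would.
# Returns [true, "ok"] or [false, "<OpenSSL verify error string>"].
def verify_against_bundle(pem_text, leaf_pem, intermediate_pems = [])
  store = OpenSSL::X509::Store.new
  load_bundle(pem_text).each { |c| store.add_cert(c) }
  leaf = OpenSSL::X509::Certificate.new(leaf_pem)
  chain = intermediate_pems.map { |p| OpenSSL::X509::Certificate.new(p) }
  store.verify(leaf, chain) ? [true, 'ok'] : [false, store.error_string]
end

# Constructed test data: a self-signed root and a leaf it signed. Used only to
# demonstrate the failure mode offline; real roots come from the bundle files.
def make_test_pair(root_cn, root_valid_for: 3600)
  digest = OpenSSL::Digest.new('SHA256')
  root_key = OpenSSL::PKey::RSA.new(2048)
  root = OpenSSL::X509::Certificate.new
  root.version = 2
  root.serial = 1
  root.subject = root.issuer = OpenSSL::X509::Name.parse("/CN=#{root_cn}")
  root.public_key = root_key.public_key
  root.not_before = Time.now - 60
  root.not_after  = Time.now + root_valid_for   # negative => already expired
  ef = OpenSSL::X509::ExtensionFactory.new(root, root)
  root.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  root.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  root.sign(root_key, digest)

  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 2
  leaf.subject = OpenSSL::X509::Name.parse('/CN=launchpad.test')
  leaf.issuer = root.subject
  leaf.public_key = leaf_key.public_key
  leaf.not_before = Time.now - 60
  leaf.not_after  = Time.now + 600
  ef = OpenSSL::X509::ExtensionFactory.new(root, leaf)
  leaf.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  leaf.sign(root_key, digest)
  [root.to_pem, leaf.to_pem]
end

if $PROGRAM_NAME == __FILE__
  bundle_path = ARGV.fetch(0, CHEF_BUNDLE)
  if File.exist?(bundle_path)
    report = audit_bundle(File.read(bundle_path), ['ISRG Root X1'])
    puts "#{bundle_path}: #{report[:count]} certs, missing #{report[:missing]}, expired #{report[:expired]}"
    if ARGV[1] == '--write' && File.exist?(SYSTEM_ISRG)
      File.write("#{bundle_path}.bak", File.read(bundle_path))
      File.write(bundle_path, repair_bundle(File.read(bundle_path), [File.read(SYSTEM_ISRG)]))
    end
  else
    warn "#{bundle_path} not found; pass the bundle path as the first argument"
  end
end
```

Run it first without `--write` to see what the embedded bundle is missing; an audit that reports `missing ["ISRG Root X1"]` matches the failure in the question exactly, since launchpad.net chains to ISRG Root X1 and the embedded store has no way to reach it. The repair only appends roots by CN and drops already-expired ones, so it is safe to re-run after a chef-client upgrade replaces the bundle.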

0 Answers