问题
I have a custom Chef server on premises with a TLS certificate that is signed by our own CA server. I added the CA certificate to .chef/trusted_certs and now knife ssl verify works fine.
But when I try to upload cookbooks using Berksfile I run into the following error:
$ berks upload
E, [2016-03-26T15:02:18.290419 #8629] ERROR -- : Ridley::Errors::ClientError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
E, [2016-03-26T15:02:18.291025 #8629] ERROR -- : /Users/chbr/.rvm/gems/ruby-2.3-head@global/gems/celluloid-0.16.0/lib/celluloid/responses.rb:29:in `value'
I have tried to append the CA certificate to /ops/chefdk/embedded/ssl/certs/cabundle.pem but it made no difference.
回答1:
Create a custom CA bundle file and then set $SSL_CERT_FILE (or $SSL_CERT_DIR if you want to use that format) in your environment.
回答2:
Use --no-ssl-verify. Berkshelf does not respect chef's trusted certs.
Alternatively, there is an option to specify this in berks config file.
回答3:
Don't ignore certificate validation. That is not the safest choice, especially with news about attackers having recently inserted malware in places like Node Package Manager. You can easily configure Berkshelf to trust the same certificates you trust with Chef.
In your ~/chef-repo/.berkshelf/config.json file, make sure the ca_path is set to point at your Chef trusted certificates, like this (assuming your chef repo is located at ~/chef-repo)
{
"ssl": {
"verify": true,
"ca_path": "~/chef-repo/.chef/trusted_certs"
}
}
Then, use knife to manage your Chef certificates (like this):
$ cd ~/chef-repo
$ knife ssl fetch https://supermarket.chef.io/
$ knife ssl fetch https://my.chef.server.example.org/
All the certificates you trust with Chef will also be trusted by Berks.
来源:https://stackoverflow.com/questions/36236213/use-berkshelf-with-custom-ca-certificate