Cannot generate new puppet certificates with new puppet master - ssl-certificate

Created a new Puppet Master to upgrade to Puppet6
Did "rm -rf /etc/puppetlabs/puppet/ssl" to clear old certificates
After pointing the old client at the new master, the client cannot generate new certificates.
Error received is this:
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN={server FQDN}]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN={server FQDN}]
How do I get the Client to generate a new certificate?

Please delete the ssl folder on the puppet client too and try again with puppet agent --waitforcert 60 --test

A new certificate has to be generated on the client end so that it can be signed by the new puppetmaster, hence the existing certificates have to be deleted on the client side:
rm -rf /var/lib/puppet/ssl
On the server side:
puppetserver ca clean --certname <hostname_of_client>
rm -rf /opt/puppetlabs/puppet/ssl

Related

"There was a problem confirming the ssl certificate" when doing pip install on a local artifactory repository

I could use some guidance on what needs to be put in place for resolving this SSL issue to an artifactory server when running
pip install. Is this "self signed certificate" supposed to be replaced by a specific one provided by that server?
Could not fetch URL [our.artifactory.server.name]/simple/hercl/:
There was a problem confirming the ssl certificate: HTTPSConnectionPool
(host='[our.artifactory.server.name]', port=443):
Max retries exceeded with url:
/api/pypi/our.artifactory.server.name-local/simple/hercl/ (Caused by SSLError(SSLCertVerificationError(1,
'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
self signed certificate in certificate chain (_ssl.c:1131)'))) - skipping
Credited to pip.pypa.io:
Starting with v1.3, pip provides SSL certificate verification over
HTTP, to prevent man-in-the-middle attacks against PyPI downloads.
This does not use the system certificate store but instead uses a
bundled CA certificate store. The default bundled CA certificate store
may be overridden by using the --cert option or by using the
PIP_CERT, REQUESTS_CA_BUNDLE, or CURL_CA_BUNDLE environment variables.
In regards to the SSL issue, it depends on whether you insist on SSL enforcement; if not, you may use an existing flag to ignore this by appending --trusted-host <server_name>, as in the example below: --trusted-host artifactory.
Some suggestions for overcoming this issue are raised here as well: pip install fails with "connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)"
Do note, prior to using artifactory as a caching/proxy server for Pypi packages, you should configure the pip.conf and .pypirc files according to the SetMeUp instructions: https://www.jfrog.com/confluence/display/JFROG/PyPI+Repositories#PyPIRepositories-ResolvingfromArtifactoryUsingpip
For example:
pip.conf:
[global]
index-url = http://artifactory:8081/artifactory/api/pypi/pypi-virtual/simple
.pypirc:
[distutils]
index-servers =
virtual
local
remote
devpi
[virtual]
repository: http://artifactory:8081/artifactory/api/pypi/pypi-virtual
username: admin
password: ***
[local]
repository: http://artifactory:8081/artifactory/api/pypi/pypi-local
username: admin
password: ***
[remote]
repository: http://artifactory:8081/artifactory/api/pypi/pypi-org-remote
username: admin
password: ***
[devpi]
repository: http://localhost:3141/admin/dev
username: admin
password: ***

Use Berkshelf with custom CA certificate

I have a custom Chef server on premises with a TLS certificate that is signed by our own CA server. I added the CA certificate to .chef/trusted_certs and now knife ssl verify works fine.
But when I try to upload cookbooks using Berksfile I run into the following error:
$ berks upload
E, [2016-03-26T15:02:18.290419 #8629] ERROR -- : Ridley::Errors::ClientError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
E, [2016-03-26T15:02:18.291025 #8629] ERROR -- : /Users/chbr/.rvm/gems/ruby-2.3-head#global/gems/celluloid-0.16.0/lib/celluloid/responses.rb:29:in `value'
I have tried to append the CA certificate to /ops/chefdk/embedded/ssl/certs/cabundle.pem but it made no difference.
Create a custom CA bundle file and then set $SSL_CERT_FILE (or $SSL_CERT_DIR if you want to use that format) in your environment.
Use --no-ssl-verify. Berkshelf does not respect chef's trusted certs.
Alternatively, there is an option to specify this in berks config file.
Don't ignore certificate validation. That is not the safest choice, especially with news about attackers having recently inserted malware in places like Node Package Manager. You can easily configure Berkshelf to trust the same certificates you trust with Chef.
In your ~/chef-repo/.berkshelf/config.json file, make sure the ca_path is set to point at your Chef trusted certificates, like this (assuming your chef repo is located at ~/chef-repo):
{
  "ssl": {
    "verify": true,
    "ca_path": "~/chef-repo/.chef/trusted_certs"
  }
}
Then, use knife to manage your Chef certificates (like this):
$ cd ~/chef-repo
$ knife ssl fetch https://supermarket.chef.io/
$ knife ssl fetch https://my.chef.server.example.org/
All the certificates you trust with Chef will also be trusted by Berks.

Chef SSL verification failed while setting workstation

I am setting up Chef workstation by configuring knife.rb using the "knife configure -i" configure command. After PROPERLY answering all questions, I get the following error:
ERROR: SSL Validation failure connecting to host: 172.xx.x.xx - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
My goal is to disable this SSL certificate verification forever and use knife utility to bootstrap my all nodes.
I had the same issue running chef-client after upgrading to version 12.xx. Steps to solve:
Pull crt from server. Run on node:
knife ssl fetch -s https://yourchefserver01.com:443
Note: If fetch doesn't work, copy from yourchefserver01.com:/var/opt/chef-server/nginx/ca/yourchefserver01.com.crt to client:/root/.chef/trusted_certs/yourchefserver01.com.crt
Verify it pulled:
knife ssl check -s https://yourchefserver01.com:443
export SSL_CERT_FILE="/root/.chef/trusted_certs/yourchefserver01.com.crt"
Run chef-client
Your problem is the validation of the chef server certificate.
Install a proper certificate on the chef server
or add your chef server certificate (located in /etc/chef-server/hostname.crt) to your workstation cacert.pem (located by default in <install path>/opscode/chef/embedded/ssl/certs).
With chef 12 you'll have to distribute it too on your nodes to validate the chef API server, or you'll have a warning at the start of each chef-client run about it.
The issue seems to be with the .pem validator. Your validation is misconfigured. Try creating a new validation key from the chef server and placing it under the node.
If you are running Chef Server on-premise, it will be easier in the long run to install a third-party SSL cert, e.g. Verisign, on the Chef Server (or load balancer). chef-client and knife come with OpenSSL, which will trust a valid third-party cert automatically with no configuration required on each node.
Please don't turn off SSL cert validation. SSL validation is additional protection that the server you are trusting with root access to your Chef nodes is the real Chef server, not a man-in-the-middle attack.

puppet ssl failed with message "unknown ca"

I've tried to build a master/agent system with puppet.
My master host name is snspay.cn, I followed the document, and everything was right until I tried to get the catalog from the master. My command is
puppet agent --server snspay.cn --no-daemonize --test onetime --verbose
and the output from the agent
Error: Could not request certificate: SSL_connect returned=1
errno=0 state=SSLv3 read server certificate B: certificate verify
failed: [self signed certificate in certificate chain for /CN=Puppet
CA: snspay.cn]
and the master's log is like
[2014-08-11 14:39:14] ERROR OpenSSL::SSL::SSLError: SSL_accept
returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1
alert unknown ca
I think the problem is with the ssl rather than puppet itself, but I'm not very familiar with ssl. Any ideas?
Well, I have added another agent node (ubuntu) with a totally different environment and everything works well, so the problem is with the original agent node. I am now running yum update on that node and will try later.
Your agent has not established trust with the master.
What basically needs to happen is for the agent to import the master's CA certificate to the agent. However, since the agent's cert is obviously signed by an obsolete CA, you will have to replace all SSL data.
On the agent, find the $ssldir (usually /var/lib/puppet/ssl) using
puppet agent --configprint ssldir
and rename or remove it.
Upon the next puppet agent --test run, the agent should request a new certificate and cache the correct CA.

Why does Chef throw SSL error when using knife Command on Chef-Workstation?

SSL error occurs when we use the knife command to verify successful setup of the Chef-Workstation or when we try to upload a Chef-Cookbook. Using the following commands:
knife client list
knife node list
knife cookbook upload cookbookname
we get the following error on the Chef-Workstation:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
To resolve this error we tried using rackfile software to create following 3 files:
hostname.key
hostname.pem
hostname.crt
on the Chef-Server.
We placed hostname.pem inside the chef folder on the server itself and inside certs folder on the workstation. Finally we tried to run the commands once again but did not succeed. Any help to resolve the SSL error will be sincerely appreciated.
The Chef Server certificate has not yet been pulled into the workstation's trusted_certs directory.
Run the command
knife ssl fetch
from your Chef Workstation.
This will pull the certificate from the Chef Server and place it in the Workstation's trusted_certs directory. The default location of the trusted_certs is in your .chef/trusted_certs directory within your chef-repo directory.
Then run
knife ssl check
to verify the certificate.
Certificates that are in the trusted_certs directory will be trusted by any execution of the knife command.
https://docs.chef.io/workstation/getting_started/#get-ssl-certificates
You need to register that certificate on each workstation. Also, make sure the certificate matches the correct URL (i.e. the API endpoint, not the web interface).
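Added example, not taken from any of the answers above nor from Puppet, Chef, Berkshelf or pip: a Ruby script that reproduces, with a constructed throwaway PKI, the verify outcomes seen on this page: success once the server's CA is in the trust store, "unable to get local issuer certificate" when the client still trusts a stale CA (the first Puppet question), "self signed certificate in certificate chain" when a private CA is presented but not trusted (the pip and Puppet "unknown ca" errors), and the hostname match the last answer asks for. The hostname puppet.example.test and the CA names are placeholders.

```ruby
require 'openssl'

# Constructed test PKI standing in for the Puppet/Chef CA and server cert on this page.
SERVER_FQDN = 'puppet.example.test'.freeze  # placeholder hostname

# Build a self-signed CA (ca: true) or a server certificate signed by +issuer+.
def build_cert(subject, key, issuer: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}")) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

NEW_CA_KEY = OpenSSL::PKey::RSA.new(2048)
NEW_CA     = build_cert('/CN=New Puppet CA', NEW_CA_KEY, ca: true)   # the new master's CA
OLD_CA     = build_cert('/CN=Old Puppet CA', OpenSSL::PKey::RSA.new(2048), ca: true)
SRV_KEY    = OpenSSL::PKey::RSA.new(2048)
SRV_CERT   = build_cert("/CN=#{SERVER_FQDN}", SRV_KEY, issuer: NEW_CA,
                        issuer_key: NEW_CA_KEY, san: SERVER_FQDN)

# What the client side of SSL_connect does: +trusted+ plays the CA bundle / trusted_certs /
# $ssldir/certs/ca.pem, +presented+ the extra certs the server sends in the handshake.
# Returns [ok, error_code, error_string]; codes are OpenSSL::X509::V_ERR_* constants.
def verify_chain(leaf, trusted:, presented: [])
  store = OpenSSL::X509::Store.new   # no system roots loaded on purpose
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, presented)
  [ok, store.error, store.error_string]
end

# Does the certificate name the host in the URL (API endpoint, not the web UI)?
def hostname_matches?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

if __FILE__ == $PROGRAM_NAME
  p verify_chain(SRV_CERT, trusted: [NEW_CA])                # [true, 0, "ok"]
  p verify_chain(SRV_CERT, trusted: [OLD_CA])                # stale CA cached: error 20
  p verify_chain(SRV_CERT, trusted: [], presented: [NEW_CA]) # private CA not trusted: error 19
  p hostname_matches?(SRV_CERT, 'other.example.test')        # false
end
```

Error 20 is V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and 19 is V_ERR_SELF_SIGNED_CERT_IN_CHAIN, the two codes behind the messages quoted in the questions above; the remedy in every case is to get the right CA into the trust store, not to disable verification.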