Seahorse::Client::NetworkingError #153

Open
toddrosner opened this issue Jun 10, 2015 · 4 comments

Comments

@toddrosner

This cookbook works with Linux but doesn't seem to work properly with Windows. I've tried creating EBS volumes and EC2 tags, and no matter what I do the Chef client run always produces the following SSL error:

Seahorse::Client::NetworkingError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I've tried updating the CA bundle certificate, Ruby, Ruby gems, and I've also tried updating aws-sdk to 2.0.48 and nothing seems to fix the issue.

Has anyone else been able to make this cookbook work on Windows servers?

@toddrosner

I just got this to work finally, and after research I've come to the conclusion that the aws-sdk gem for Windows doesn't ship with the proper ca-bundle.crt, which includes the Verisign root cert that AWS uses in its endpoints as per amazon-archives/aws-sdk-core-ruby#166 (comment). The problem with the comment above is that the link to the ca-bundle.crt doesn't exist, so...

For anyone else having the same issue, here's what I did:

  1. I copied the ca-bundle.crt in the link below to C:\chef\cache
    https://raw.githubusercontent.com/yyuu/aws-sdk-for-ruby/master/ca-bundle.crt
  2. I then added the following to line 27 of the default.rb recipe in the aws cookbook
    Aws.config[:ssl_ca_bundle] = 'C:\chef\cache\ca-bundle.crt'
  3. I then ensured that the following IAM policy was in-place and correct (for EBS)
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:AttachVolume",
            "ec2:CreateVolume",
            "ec2:ModifyVolumeAttribute",
            "ec2:DescribeVolumeAttribute",
            "ec2:DescribeVolumeStatus",
            "ec2:DescribeVolumes",
            "ec2:DetachVolume",
            "ec2:EnableVolumeIO"
          ],
          "Sid": "Stmt1381536011000",
          "Resource": [
            "*"
          ],
          "Effect": "Allow"
        }
      ]
    }

Note: There is another policy in the aws cookbook documentation for EC2 tags.

@ben-biddington

Cheers @toddrosner !

@AdrianMW

AdrianMW commented Apr 1, 2016

Hey,

This has become a bigger issue for us, now the aws-sdk has been removed from the default recipe and moved into the providers.

As to set the certificate you need the SDK installed, however to install the SDK you have to run the aws command which fails as it doesn't have the correct certificate.

As a work-around I manually installed the SDK before running any aws commands.

chef_gem "aws-sdk" do
  compile_time false
  action :install
  version node[:aws][:aws_sdk_version]
end

ruby_block "Set the AWS Bundle" do
  block do
    require 'aws-sdk'
    Aws.config[:ssl_ca_bundle] = 'C:\ProgramData\Git\bin\curl-ca-bundle.crt'
  end
  action :run
end

Not sure if this is the best solution?

It would be really nice to have a way of easily setting this in the cookbook

Cheers
Adrian

@tas50 tas50 added the Type: Bug label Jan 4, 2017
@ubirajaramneto

ubirajaramneto commented Feb 2, 2017

Having this problem as well, the workaround above worked nicely for me, but this cost me a few hours.
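
Both workarounds in this thread point `Aws.config[:ssl_ca_bundle]` at a file that then decides which servers the SDK trusts, so the file is worth checking before it is used. The following is an added example, not code from the thread or the cookbook: it pins the bundle's SHA-256 and checks that every entry is a parsable, currently valid CA certificate. The names `ca_bundle_problems` and `sample_cert` are hypothetical, and the pinned hash is assumed to be one you recorded yourself after reviewing the file.

```ruby
require 'openssl'
require 'digest'

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Returns a list of problems found in a CA bundle; an empty list means it passed.
# expected_sha256 is the hash recorded out of band for the reviewed file (assumption).
def ca_bundle_problems(pem_text, expected_sha256, now: Time.now)
  problems = []
  actual = Digest::SHA256.hexdigest(pem_text)
  problems << "sha256 mismatch: #{actual}" unless actual == expected_sha256.downcase
  blocks = pem_text.scan(PEM_CERT)
  problems << 'no certificates found' if blocks.empty?
  blocks.each_with_index do |pem, i|
    begin
      cert = OpenSSL::X509::Certificate.new(pem)
    rescue OpenSSL::X509::CertificateError => e
      problems << "entry #{i}: unparsable (#{e.message})"
      next
    end
    bc = cert.extensions.find { |x| x.oid == 'basicConstraints' }
    is_ca = bc && bc.value.include?('CA:TRUE')
    problems << "entry #{i}: not a CA certificate (#{cert.subject})" unless is_ca
    problems << "entry #{i}: expired #{cert.not_after} (#{cert.subject})" if cert.not_after < now
    problems << "entry #{i}: not yet valid (#{cert.subject})" if cert.not_before > now
  end
  problems
end

# Constructed sample input: a throwaway self-signed certificate standing in
# for one bundle entry, so the check can be exercised offline.
def sample_cert(ca:, not_after:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test Root')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# In a recipe, set Aws.config[:ssl_ca_bundle] to the file's path only when
# ca_bundle_problems(File.read(path), pinned_hash) returns an empty list.
```
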
