Problem scenario
You have installed Chef server on a RedHat Enterprise Linux (RHEL) server in AWS. You have installed Chef client on another RHEL instance in AWS. You simply want your Chef client to receive configuration management changes (e.g., you want Chef recipes to work). The command "chef node list" on your Chef client server returns no servers. You ran this command from the Chef client:
sudo chef-client -S https://<FQDN of Chef server>/organization/contint
But you received an error like this:
Chef encountered an error attempting to create the client "<FQDN of Chef Client computer>"
================================================================================
System Info:
------------
chef_version=13.4.19
ruby=ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]
program_name=chef-client worker: ppid=5156;start=14:10:31;
executable=/opt/chef/bin/chef-client
[2017-09-13T14:10:31+00:00] WARN: *****************************************
[2017-09-13T14:10:31+00:00] WARN: Did not find config file: /etc/chef/client.rb, using command line options.
[2017-09-13T14:10:31+00:00] WARN: *****************************************
Starting Chef Client, version 13.4.19
Creating a new client identity for ip-172-31-10-187.us-west-1.compute.internal using the validator key.
[2017-09-13T14:10:32+00:00] ERROR: SSL Validation failure connecting to host: <FQDN of Chef server> - SSL_connect returned=1 errno=0 state=error: certificate verify failed
[2017-09-13T14:10:32+00:00] ERROR: SSL Validation failure connecting to host: <FQDN of Chef server> - SSL_connect returned=1 errno=0 state=error: certificate verify failed
Running handlers:
[2017-09-13T14:10:32+00:00] ERROR: Running exception handlers
[2017-09-13T14:10:32+00:00] ERROR: Running exception handlers
Running handlers complete
[2017-09-13T14:10:32+00:00] ERROR: Exception handlers complete
[2017-09-13T14:10:32+00:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 01 seconds
[2017-09-13T14:10:32+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
You examined /var/chef/cache/chef-stacktrace.out. It shows
"OpenSSL::SSL::SSLError: SSL Error connecting to https://<FQDN of Chef server>/organization/contint/clients - SSL_connect returned=1 errno=0 state=error: certificate verify failed
...
>>>> Caused by OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed"
On the Chef server you could not find a "trusted_certs" file or folder besides these:
"/opt/opscode/embedded/lib/ruby/gems/2.2.0/gems/berkshelf-5.6.5/spec/data/trusted_certs
/opt/opscode/embedded/lib/ruby/gems/2.2.0/gems/chef-12.19.36/spec/data/trusted_certs
/opt/opscode/embedded/service/gem/ruby/2.2.0/gems/chef-12.19.36/spec/data/trusted_certs
/opt/chef-manage/embedded/lib/ruby/gems/2.3.0/gems/berkshelf-6.1.0/spec/data/trusted_certs
/opt/chef-manage/embedded/lib/ruby/gems/2.3.0/gems/chef-12.19.36/spec/data/trusted_certs
/opt/chef-manage/embedded/service/gem/ruby/2.3.0/gems/chef-11.16.2/spec/data/trusted_certs
/opt/opscode-push-jobs-server/embedded/lib/ruby/gems/2.2.0/gems/chef-12.13.37/spec/data/trusted_certs
/opt/opscode-push-jobs-server/embedded/service/gem/ruby/2.2.0/gems/chef-12.12.15/spec/data/trusted_certs
/opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/berkshelf-6.3.1/spec/data/trusted_certs
/opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/chef-13.3.42/spec/data/trusted_certs"
On the Chef server, a run of "knife ssl fetch" does not fix the problem. How do you solve this problem so your Chef client can register with the Chef server and eventually work?
Solution
The command "chef node list" may not work if ChefDK is installed. Use "knife node list" instead (from a workstation with knife, or from the Chef server itself). To see if ChefDK is installed, run "chef -v". If ChefDK is not installed on the Chef server, keep reading.
On the Chef client, create a client.rb file in the /etc/chef/ directory. Here is a minimal example (just three lines) that you could modify and adapt to your own needs:
chef_server_url 'https://<FQDN of Chef server>/organizations/contint'
validation_client_name 'contint-validator'
ssl_verify_mode :verify_none
Replace <FQDN of Chef Server> with the FQDN of the Chef server. Replace "contint" with your organization name (e.g., the company nickname). Now this command from your Chef client should work:
sudo chef-client -S https://<FQDN of Chef server>/organization/contint
Now "chef node list" should work from the Chef server.
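The three-line client.rb above registers the client only because ssl_verify_mode :verify_none turns certificate checking off, so any host answering on that name is accepted; the alternative that keeps :verify_peer is to place the Chef server's certificate in /etc/chef/trusted_certs on the client (knife ssl fetch -c /etc/chef/client.rb, run on the client rather than on the server, writes it there). The Ruby below is an added example, not code from the original post: it loads a client.rb through a minimal stand-in for the config DSL and reports whether the client would actually verify the server. The FQDN chef.example.internal and the trusted_certs listing are constructed.

```ruby
require 'uri'

# Minimal stand-in for the client.rb DSL: each call such as `ssl_verify_mode :verify_none`
# is stored as key => value. Added example, not Chef's own config loader.
class ClientRb
  attr_reader :settings
  def initialize(text)
    @settings = {}
    instance_eval(text)
  end
  def method_missing(name, *args)
    args.empty? ? super : (@settings[name] = args.first)
  end
  def respond_to_missing?(_name, _include_private = false)
    true
  end
end

# Audit a client.rb. Returns findings; an empty list means the client will verify the server.
# cert_files is the listing of trusted_certs_dir, passed in so the check runs offline.
def audit_client_rb(text, cert_files)
  cfg = ClientRb.new(text).settings
  findings = []
  mode = cfg.fetch(:ssl_verify_mode, :verify_peer) # chef-client's default
  findings << "ssl_verify_mode #{mode.inspect} disables certificate verification" unless mode == :verify_peer
  url = cfg[:chef_server_url]
  if url.nil?
    findings << 'chef_server_url is not set'
  else
    findings << 'chef_server_url must use https' unless URI(url).scheme == 'https'
    if cert_files.none? { |f| f.end_with?('.crt', '.pem') }
      findings << "no .crt/.pem for #{URI(url).host} in trusted_certs_dir"
    end
  end
  findings
end

# The page's client.rb with a constructed FQDN: works only because verification is off.
WEAK_CLIENT_RB = <<~RB
  chef_server_url 'https://chef.example.internal/organizations/contint'
  validation_client_name 'contint-validator'
  ssl_verify_mode :verify_none
RB

# Corrected form: verification stays on; the server's PEM lives in trusted_certs_dir.
HARDENED_CLIENT_RB = <<~RB
  chef_server_url 'https://chef.example.internal/organizations/contint'
  validation_client_name 'contint-validator'
  ssl_verify_mode :verify_peer
  trusted_certs_dir '/etc/chef/trusted_certs'
RB
```

The hardened form still fails the audit until a .crt or .pem for the server is present in trusted_certs_dir, which is exactly the state "knife ssl fetch" on the client produces.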