
Using the AWS SDK during a chef run errors but running it outside of chef works

I have a helper library that uses the AWS SDK to pull information so it can return a list of names like so:

require 'aws-sdk'  # v1 SDK, which is what AWS.config below belongs to

# elb_client is an AWS::ELB::Client built elsewhere in the helper (IAM role credentials)
def get_load_balancer_names
    self.elb_client.describe_load_balancers[:load_balancer_descriptions].map { |elb| elb[:load_balancer_name] }
end

When this code is run during the chef run I get this error:

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

But when I run the code outside of the chef run it works (I get a list of ELB names like I expect).

I use an IAM role for authentication.

I did find this that added a (potential) fix so you can do:

AWS.config(:ssl_ca_path => '/...')

but this isn't really an option as I would rather deal with the problem itself (unless there is no other way of course).

I think it might be that AWS-SDK is using the chef SSL cert during the chef run and that this might be the cause.

Why is it erroring like this and how do I fix it?

As far as I know this is related to Mozilla, who removed 1024 bit Root CA certs in late 2014. Technically, this is good but unfortunately broke many legacy certificate chains.

The issue is described here in the section "RSA-1024 removed": http://curl.haxx.se/docs/caextract.html

And in ChefDK at https://github.com/chef/chef-dk/issues/199#issuecomment-60643682

Recent ChefDK and Chef-Client releases from Omnibus (https://downloads.chef.io/) include a root trust with the old RSA-1024 root certificates.

I suggest you update the chef client.

If you have not used the Omnibus installer from chef.io, you need to manually update the root certs of your distro/OpenSSL.
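A diagnostic to run from the same Ruby the chef run uses, added here as an example and not part of either post: it reports which CA file OpenSSL will consult (the omnibus Ruby ships its own, which is why behaviour differs inside and outside chef) and flags roots in a PEM bundle whose RSA keys are shorter than 2048 bits, i.e. the RSA-1024 roots the answer refers to. The `effective_ca_file`, `weak_roots` and `self_signed_root` names and the constructed sample bundle are assumptions of this example; it uses only Ruby's standard OpenSSL binding.

```ruby
require 'openssl'

MIN_RSA_BITS = 2048

# The CA file OpenSSL consults unless the SDK is given ssl_ca_file/ssl_ca_path.
# Run this once from `chef-client -e` (omnibus Ruby) and once from system Ruby
# to see whether the two processes trust different bundles.
def effective_ca_file
  ENV['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE
end

# Split a PEM bundle string into OpenSSL::X509::Certificate objects.
def parse_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Subject names of certificates whose RSA public key is below MIN_RSA_BITS.
# A chain that terminates in one of these will fail "certificate verify failed"
# against a trust store that has dropped the RSA-1024 roots.
def weak_roots(pem)
  parse_bundle(pem).select { |cert|
    key = cert.public_key
    key.is_a?(OpenSSL::PKey::RSA) && key.n.num_bits < MIN_RSA_BITS
  }.map { |cert| cert.subject.to_s }
end

# Constructed sample input: a self-signed root with a key of the given size.
def self_signed_root(cn, bits)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  name = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Constructed bundle: one legacy 1024-bit root next to a 2048-bit one.
SAMPLE_BUNDLE = self_signed_root('Legacy 1024 Root', 1024) +
                self_signed_root('Modern 2048 Root', 2048)

if __FILE__ == $0
  puts "CA file in use: #{effective_ca_file}"
  puts "weak roots in sample bundle: #{weak_roots(SAMPLE_BUNDLE).inspect}"
  # Real use: weak_roots(File.read(effective_ca_file))
end
```

To check the bundle a chef run really trusts, pass `File.read(effective_ca_file)` to `weak_roots` from within a chef recipe or `chef-client -e`; a fixed omnibus build will still list the old RSA-1024 roots, which is what makes the AWS chain verify.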
