chef / omnitruck

Web service to automate the release of Omnibus artifacts
Apache License 2.0

The certificate of ‘omnitruck.chef.io’ is not trusted. While doing kitchen test #590

Open Tichy opened 1 year ago

Tichy commented 1 year ago

Describe the problem

When launching kitchen test to test some recipe, it can't install chef client inside the vagrant box due to certificate issues.

-----> Installing Chef install only if missing package
       Downloading https://omnitruck.chef.io/install.sh to file /tmp/install.sh
       Trying wget...
       Trying curl...
       Trying python...
       Trying perl...
       Unable to download https://omnitruck.chef.io/install.sh to /tmp/install.sh, aborting

       DEBUG OUTPUT FOLLOWS:

       STDERR from wget:

       --2023-02-07 14:59:04--  https://omnitruck.chef.io/install.sh
       Resolving omnitruck.chef.io (omnitruck.chef.io)... 185.236.107.107
       Connecting to omnitruck.chef.io (omnitruck.chef.io)|185.236.107.107|:443... connected.
       ERROR: cannot verify omnitruck.chef.io's certificate, issued by ‘emailAddress=noc@flashstart.com,OU=WebFilter,O=WebFilter SSL Hook,L=ITALY,ST=EUROPE,C=IT,CN=WebFilter CA’:
         Unable to locally verify the issuer's authority.
       To connect to omnitruck.chef.io insecurely, use `--no-check-certificate'.

       STDERR from curl:

       STDERR from python:

       Traceback (most recent call last):
         File "<string>", line 1, in <module>
         File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
           return opener.open(url, data, timeout)
         File "/usr/lib/python2.7/urllib2.py", line 429, in open
           response = self._open(req, data)
         File "/usr/lib/python2.7/urllib2.py", line 447, in _open
           '_open', req)
         File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
           result = func(*args)
         File "/usr/lib/python2.7/urllib2.py", line 1248, in https_open
           context=self._context)
         File "/usr/lib/python2.7/urllib2.py", line 1205, in do_open
           raise URLError(err)
       urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)>

       STDERR from perl:

       Can't locate LWP/Simple.pm in @INC (you may need to install the LWP::Simple module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.26.1 /usr/local/share/perl/5.26.1 /usr/lib/x86_64-linux-gnu/perl5/5.26 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.26 /usr/share/perl/5.26 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at -e line 1.
       BEGIN failed--compilation aborted at -e line 1.

Software Version

chef-workstation 0.4.2 on MacOS 13.1 (intel mac)

Replication Case

I can simply generate a new chef cookbook and try to kitchen test it, to reproduce the issue.

chef generate cookbook test
kitchen test

Execution logs: default-centos-7.log default-ubuntu-1804.log kitchen.log

The same happens when running the same wget https://omnitruck.chef.io/install.sh inside a vagrant box or directly on macOS.

wget https://omnitruck.chef.io/install.sh
--2023-02-07 16:31:52--  https://omnitruck.chef.io/install.sh
Risoluzione di omnitruck.chef.io (omnitruck.chef.io)... 185.236.107.107
Connessione a omnitruck.chef.io (omnitruck.chef.io)|185.236.107.107|:443... connesso.
ERRORE: impossibile verificare il certificato di omnitruck.chef.io, rilasciato da «emailAddress=noc@flashstart.com,OU=WebFilter,O=WebFilter SSL Hook,L=ITALY,ST=EUROPE,C=IT,CN=WebFilter CA»:
  Impossibile verificare localmente l'autorità dell'emittente
curl https://omnitruck.chef.io/install.sh
curl: (60) SSL certificate problem: unable to get local issuer certificate

Maybe related to this: the chef workstation upgrade check can't verify the certificate.

[Screenshot 07 02 2023 at 16 52 19]

Tichy commented 1 year ago

After some more tests, it looked like a DNS-related issue. With other DNS servers, omnitruck.chef.io resolves to different IPs and in that case there are no certificate issues.
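
A triage sketch for the failure discussed in this thread, added here as an example and not part of the issue or of Chef's code: it parses the wget stderr quoted above (either locale), extracts the resolved IP and the certificate issuer, and flags a DNS mismatch or an unexpected issuer. The comparison resolver IPs and the expected issuer organisation are constructed placeholders, and the function names are hypothetical.

```python
import re

# wget stderr lines copied from the issue above (English and Italian locale runs).
WGET_EN = """\
Resolving omnitruck.chef.io (omnitruck.chef.io)... 185.236.107.107
Connecting to omnitruck.chef.io (omnitruck.chef.io)|185.236.107.107|:443... connected.
ERROR: cannot verify omnitruck.chef.io's certificate, issued by ‘emailAddress=noc@flashstart.com,OU=WebFilter,O=WebFilter SSL Hook,L=ITALY,ST=EUROPE,C=IT,CN=WebFilter CA’:
  Unable to locally verify the issuer's authority.
"""
WGET_IT = """\
Risoluzione di omnitruck.chef.io (omnitruck.chef.io)... 185.236.107.107
ERRORE: impossibile verificare il certificato di omnitruck.chef.io, rilasciato da «emailAddress=noc@flashstart.com,OU=WebFilter,O=WebFilter SSL Hook,L=ITALY,ST=EUROPE,C=IT,CN=WebFilter CA»:
"""
# Constructed placeholders: answers from a second resolver (documentation
# addresses) and the issuer organisation you expect; substitute real values.
OTHER_RESOLVER_IPS = {"192.0.2.10", "192.0.2.11"}
EXPECTED_ISSUER_ORGS = {"Example Public CA"}

# Locale-independent anchors: "(host)... ip[, ip]" and a DN inside ‘…’ or «…».
RESOLVED = re.compile(r"\(([^)\s]+)\)\.\.\.\s+([0-9a-fA-F:., ]+)$", re.M)
ISSUER = re.compile(r"[‘«]([^’»]*=[^’»]*)[’»]")

def parse_wget_failure(stderr_text):
    """Return (host, set of resolved IPs, issuer DN as a dict)."""
    m = RESOLVED.search(stderr_text)
    host = m.group(1) if m else None
    ips = {ip.strip() for ip in m.group(2).split(",")} if m else set()
    q = ISSUER.search(stderr_text)
    # Simple split: assumes no escaped commas inside DN values.
    rdns = q.group(1).split(",") if q else []
    issuer = dict(r.split("=", 1) for r in rdns if "=" in r)
    return host, ips, issuer

def triage(stderr_text, other_resolver_ips, expected_issuer_orgs):
    """Classify a verification failure from DNS and issuer evidence."""
    host, ips, issuer = parse_wget_failure(stderr_text)
    findings = []
    if ips and not ips & set(other_resolver_ips):
        findings.append("dns-mismatch")       # local resolver answers differently
    if issuer and issuer.get("O") not in expected_issuer_orgs:
        findings.append("unexpected-issuer")  # chain ends at a CA you did not expect
    return {"host": host, "ips": sorted(ips), "issuer_o": issuer.get("O"),
            "issuer_cn": issuer.get("CN"), "findings": findings}

if __name__ == "__main__":
    for log in (WGET_EN, WGET_IT):
        print(triage(log, OTHER_RESOLVER_IPS, EXPECTED_ISSUER_ORGS))
```

When both findings appear together, the fix belongs at the resolver or the filtering proxy, not in `--no-check-certificate`.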

PravinMohature78 commented 2 months ago

Hello @Tichy, I am facing the same issue.