Pivotal Knowledge Base

Ops Manager S3 blobstore configuration error: 'Unable to verify certificate'

Environment

Pivotal Cloud Foundry: 1.8, 1.9, 1.10

Symptom

When attempting to add an S3 Compatible Blobstore under Ops Manager -> Director Tile -> Director Config, Apply Changes fails with "Unable to verify certificate."

Error Message:

Errors::CertificateError SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verify failed (OpenSSL::SSL::SSLError) Unable to verify certificate 

Cause 

Custom certificates for the director's external S3 blobstore are currently not supported. Additionally, in some cases Ops Manager may not source the OS certificates.

Resolution

First, confirm whether the certificate you are using to configure S3 is self-signed or issued by a public CA.

If using Self-Signed CA

There is no way to install a custom CA certificate on the BOSH Director prior to version 1.12. For now, the options are to switch to the internal blobstore or to use an S3 endpoint with a publicly trusted certificate.

If using a Public CA Signed certificate

1. Only server certificates signed by a public Certificate Authority whose root certificate exists in /etc/ssl/certs/ on the Ubuntu stemcell will work.

2. List this directory to see the certificates of the known Certificate Authorities:

ubuntu@<opsmanager>:# ls /etc/ssl/certs 
...
Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
Verisign_Class_3_Public_Primary_Certification_Authority.pem
VeriSign_Universal_Root_Certification_Authority.pem
Visa_eCommerce_Root.pem
WellsSecure_Public_Root_Certificate_Authority.pem
WoSign_China.pem
WoSign.pem
XRamp_Global_CA_Root.pem

3. Verify that the certificate configured for the Ops Manager S3 blobstore is signed by one of the known Certificate Authorities listed above.
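The following script reproduces the trust decision behind step 3 from the Ops Manager VM, so an endpoint can be checked before Apply Changes. It is an added example, not code from the KB article or from Pivotal; the endpoint host:port, file names and the private CA used in testing are assumptions, and only the /etc/ssl/certs directory comes from the article.

```shell
#!/bin/sh
# Added example (not from the KB article): emulate the director's trust
# check for an S3-compatible endpoint. Per the article, only CAs present
# in /etc/ssl/certs on the stemcell are trusted, so a certificate that does
# not chain to one of them produces "Unable to verify certificate".
# Endpoint host:port and file paths below are assumptions.
set -eu

# Fetch the leaf certificate an S3-compatible endpoint presents, as PEM.
# Usage: fetch_server_cert s3.example.internal:443 > server.pem
fetch_server_cert() {
  printf '' | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null \
    | openssl x509 -outform PEM
}

# Print "self-signed" or "ca-signed" and return 0 / 1 accordingly.
# Subject equal to issuer means the certificate is its own issuer, i.e. the
# self-signed case the article says the director cannot trust before 1.12.
is_self_signed() {
  subj=$(openssl x509 -noout -subject -in "$1")
  iss=$(openssl x509 -noout -issuer -in "$1")
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo "self-signed"; return 0
  fi
  echo "ca-signed"; return 1
}

# Verify a PEM certificate against a CA directory (default: the stemcell's
# /etc/ssl/certs). -no-CAfile limits the check to that directory so the
# result matches what the director would decide. Prints "trusted" or
# "untrusted" and returns 0 / 1; "untrusted" is the failing condition.
verify_against_capath() {
  cert="$1"; capath="${2:-/etc/ssl/certs}"
  if openssl verify -no-CAfile -CApath "$capath" "$cert" >/dev/null 2>&1; then
    echo "trusted"; return 0
  fi
  echo "untrusted"; return 1
}
```

Run it on the Ops Manager VM with the stemcell's /etc/ssl/certs as the CA directory; a result of "untrusted" for the endpoint's certificate means Apply Changes will fail with the error above.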

Additional Information 

Full error stacktrace:

Excon::Errors::CertificateError SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError) Unable to verify certificate.
This may be an issue with the remote host or with Excon. Excon has certificates bundled, but these can be customized. `Excon.defaults[:ssl_ca_path] = path_to_certs`, `ENV['SSL_CERT_DIR'] = path_to_certs`, `Excon.defaults[:ssl_ca_file] = path_to_file`, `ENV['SSL_CERT_FILE'] = path_to_file`, `Excon.defaults[:ssl_verify_callback] = callback` (see OpenSSL::SSL::SSLContext#verify_callback), or `Excon.defaults[:ssl_verify_peer] = false` (less secure).
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/ssl_socket.rb:120:in `connect_nonblock'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/ssl_socket.rb:120:in `initialize'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:404:in `new'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:404:in `socket'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:106:in `request_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/mock.rb:47:in `request_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/instrumentor.rb:25:in `request_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/base.rb:15:in `request_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/base.rb:15:in `request_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/base.rb:15:in `request_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:250:in `request'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/idempotent.rb:26:in `error_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/base.rb:10:in `error_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/base.rb:10:in `error_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:273:in `rescue in request'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:221:in `request'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/idempotent.rb:26:in `error_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/base.rb:10:in `error_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/base.rb:10:in `error_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:273:in `rescue in request'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:221:in `request'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/idempotent.rb:26:in `error_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/base.rb:10:in `error_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/base.rb:10:in `error_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:273:in `rescue in request'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:221:in `request'
