Today I used Chef to configure a test sensu-server, but my Hipchat notifications were failing with this snippet in the logs:
    /opt/sensu/embedded/lib/ruby/2.0.0/net/http.rb:917:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)\n"

I soon determined that the httparty gem was at 0.11.0 on the prod sensu servers, and at 0.12.0 on the new one. Further, httparty had (wisely) been changed to verify peer certs. No problem, but where to put the CA (Certificate Authority) bundle?
Tracking this down took more of the afternoon than ideal, but eventually I determined that the default SSL cert path can be determined with:
    irb(main):001:0> require 'openssl'
    => true
    irb(main):002:0> File.dirname OpenSSL::Config::DEFAULT_CONFIG_FILE
    => "/opt/sensu/embedded/ssl"
To get the CA certs into embedded ruby we can update the default sensu install with a bit of Chefery:

    cookbook_file '/opt/sensu/embedded/ssl/cert.pem' do
      source "cert.pem"
      mode 0755
    end
Where cert.pem contents are pulled from http://curl.haxx.se/ca/cacert.pem so we have a complete list of acceptable Certificate Authorities.
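To check that a bundle dropped in as cert.pem will actually satisfy peer verification, the following added example (not code from the original post or from sensu) reports where the running Ruby's OpenSSL looks for CAs and verifies a certificate against a bundle file. The certificates are constructed in-process as test data, and the function names `default_ca_locations`, `make_cert`, `check_against_bundle` and `demo` are hypothetical.

```ruby
require 'openssl'
require 'tempfile'

# Default CA locations for this Ruby's OpenSSL; SSL_CERT_FILE and
# SSL_CERT_DIR in the environment override the compiled-in paths.
def default_ca_locations
  { file: ENV['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE,
    dir:  ENV['SSL_CERT_DIR']  || OpenSSL::X509::DEFAULT_CERT_DIR }
end

# Build a throwaway certificate (constructed test data, not a real CA).
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify cert against only the CAs in bundle_path. Returns [ok, reason].
def check_against_bundle(bundle_path, cert)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  [store.verify(cert), store.error_string]
end

def demo
  ca_key, other_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca    = make_cert('Constructed Root CA', ca_key, ca: true)
  other = make_cert('Unrelated Root CA', other_key, ca: true)
  leaf  = make_cert('chat.example.test', leaf_key, issuer: ca, issuer_key: ca_key)
  results = {}
  { with_issuer: [ca, other], without_issuer: [other] }.each do |name, certs|
    Tempfile.create(['cert', '.pem']) do |f|
      f.write(certs.map(&:to_pem).join)
      f.flush
      results[name] = check_against_bundle(f.path, leaf)
    end
  end
  results
end

p default_ca_locations, demo if __FILE__ == $PROGRAM_NAME
```

Run it with the embedded Ruby whose trust store is in question, since the compiled-in defaults differ between the system Ruby and an Omnibus-packaged one.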
Ideally, I would submit a PR to https://github.com/sensu/sensu-build/pulls, but for now I'll have to content myself with an issue report.

http://www.rdoc.info/stdlib/openssl/OpenSSL/X509/Store:set_default_paths
http://www.rubyinside.com/nethttp-cheat-sheet-2940.html
https://github.com/emboss/ruby-openssl/blob/282912788da2247d10281988a2c35818ee14912f/ext/openssl/lib/openssl/ssl-internal.rb

Update: https://github.com/sensu/sensu-build/pull/79 has a PR to sensu Omnibus to fix this.