Unable to install librarian-chef cookbooks on Windows 7


I am trying to install librarian-chef cookbooks at the Windows prompt. I have already installed librarian-chef using gem install librarian-chef. However, I am getting this error:

C:\Users\crmpicco\Documents\vagrant-chef-deploy>librarian-chef install
DL is deprecated, please use Fiddle
Installing iptables (0.14.0)
C:/Ruby200-x64/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned
=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (Ope
nSSL::SSL::SSLError)
        from C:/Ruby200-x64/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'

        from C:/Ruby200-x64/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
        from C:/Ruby200-x64/lib/ruby/2.0.0/net/http.rb:918:in `connect'
        from C:/Ruby200-x64/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
        from C:/Ruby200-x64/lib/ruby/2.0.0/net/http.rb:851:in `start'

Is this an issue with my config?

My Cheffile:

#!/usr/bin/env ruby
#^syntax detection

site 'https://supermarket.getchef.com/api/v1'

# cookbook 'chef-client'

# cookbook 'apache2', '>= 1.0.0'

# cookbook 'rvm',
#   :git => 'https://github.com/fnichol/chef-rvm'

# cookbook 'postgresql',
#   :git => 'https://github.com/findsyou/cookbooks',
#   :ref => 'postgresql-improvements'


# Community cookbooks
#cookbook "apache2"
cookbook 'apache2', '~> 2.0.0'
cookbook "php"
#cookbook "yum"
#cookbook "ant"
cookbook "apt"
cookbook 'mysql', '~> 5.5.2'
cookbook "database"
cookbook "ssh_known_hosts"
cookbook "composer"
cookbook 'git', '~> 4.0.2'
cookbook 'varnish', '~> 0.9.18'
cookbook 'selinux', '~> 0.8.0'
cookbook 'hostsfile',
  :git => 'https://github.com/customink-webops/hostsfile'



cookbook "selenium", :git => 'https://github.com/kohkimakimoto/chef-cookbooks-selenium'

There are 2 best solutions below

1
On

Yes, the site is using an untrusted HTTPS certificate and librarian-chef is doing the right thing by refusing to connect to it. This is likely because you need to update your root trust database. Generally the easiest way to do this with Ruby is to download the cURL CA bundle and then set the environment variable SSL_CERT_FILE to point at the path you downloaded it to. My Windows-fu is rusty, but that should get you a more recent CA list.

0
On

As an extension of coderanger's answer, in my experience you may have to use an older CA bundle. An explanation (and older certificate) can be found here. However, you should be aware of the security implications of doing this.

Around early September 2014, Mozilla removed the trust bits from the certs in their CA bundle that were still using RSA 1024 bit keys. This may lead to TLS libraries having a hard time to verify some sites if the library in question doesn't properly support "path discovery" as per RFC 4158. (That includes OpenSSL and GnuTLS.)
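Added example, not part of either answer: a Ruby sketch of why the CA bundle contents decide whether "certificate verify failed" appears, covering both the SSL_CERT_FILE advice and the removed-root case above. The two root CAs, the server certificate and the name supermarket.example are constructed in-process for illustration, and the bundle is loaded explicitly with add_file (SSL_CERT_FILE makes OpenSSL's default store load a file the same way).

```ruby
require 'openssl'
require 'tempfile'

# Build a constructed certificate: self-signed when no issuer is given.
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  constraint = ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(ef.create_extension('basicConstraints', constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Write certificates to a PEM bundle file, like a downloaded CA bundle.
def write_bundle(certs)
  file = Tempfile.new(['ca-bundle', '.pem'])
  file.write(certs.map(&:to_pem).join)
  file.close # flush to disk; caller keeps the object so the file survives
  file
end

# Verify a certificate against only the roots found in bundle_path.
def verify_with_bundle(cert, bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  [store.verify(cert), store.error_string]
end

def demo
  key_a, key_b, key_s = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root_a = make_cert('Constructed Root A', key_a, ca: true)
  root_b = make_cert('Constructed Root B', key_b, ca: true)
  server = make_cert('supermarket.example', key_s,
                     issuer_cert: root_a, issuer_key: key_a)
  lacking = write_bundle([root_b])         # bundle without the issuing root
  complete = write_bundle([root_a, root_b]) # bundle that contains it
  { lacking: verify_with_bundle(server, lacking.path),
    complete: verify_with_bundle(server, complete.path) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The same server certificate is rejected or accepted purely on whether its issuing root is in the bundle, which is why both a stale bundle and a bundle that has dropped a root produce the error in the question.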