SSLError When Running Berkshelf Behind a Proxy

I found recently that when trying to download cookbooks in an environment that required a proxy, I would encounter the error OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errorno=0 state=SSLv2/v3 read server hello A, even when I had a proxy set for i.e. .example.com:

$ cat Berksfile
source 'https://supermarket.example.com'
depends 'java'
$ echo $http_proxy $https_proxy $HTTP_PROXY $HTTPS_PROXY
http://proxy.example.com
$ echo $no_proxy
.example.com
$ berks
... large stacktrace ...
OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errorno=0 state=SSLv2/v3 read server hello A
...

When Berks attempted to perform an SSL handshake with supermarket.example.com, it would fail with SSL issues which were actually hiding the real problem. Debugging this, I found that the ChefDK was happy with the certificate (as I had already trusted the certificates) and that if I used curl --cacert /opt/chefdk/embedded/ssl/certs/cacert.pem https://supermarket.example.com, I would be able to connect successfully. This proved that the cert bundle was correct, so the next issue had to be something funky in Berks or Ruby.

I narrowed it down to seeing some hits to supermarket.example.com on my local proxy, realising that this issue was due to a proxy lookup for that hostname failing, as it wasn't a publicly accessible host that the proxy would be able to resolve. It seems like when either Berkshelf or the Ruby code behind it does a hostname lookup, it doesn't expand the .example.com in no_proxy to match supermarket.example.com.

To work around this issue, append supermarket.example.com to the no_proxy variable in your shell.

A successful run once you have set this variable will look like:

$ echo $http_proxy $https_proxy $HTTP_PROXY $HTTPS_PROXY
http://proxy.example.com
$ echo $no_proxy
.example.com,supermarket.example.com
$ berks
Using java (x.x.x)
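
The behaviour described above suggests a quick audit: check which internal hosts bypass the proxy only when a client treats a leading-dot no_proxy entry as a domain suffix. The following is an added example, not code from the original post or from Berkshelf; the function names are hypothetical and the sample hostnames are the ones used in this post.

```ruby
# Added example: audit a no_proxy value against hosts that must bypass the proxy.
# Function names are hypothetical; host:port entries are not handled here.

# Split a no_proxy string into lower-cased entries, dropping blanks.
def no_proxy_entries(no_proxy)
  no_proxy.to_s.split(',').map { |e| e.strip.downcase }.reject(&:empty?)
end

# Literal matching: an entry only matches the identical hostname.
# A client behaving this way ignores ".example.com" for "supermarket.example.com".
def literal_bypass?(host, no_proxy)
  no_proxy_entries(no_proxy).include?(host.downcase)
end

# Suffix matching: ".example.com" or "example.com" covers the domain and
# every subdomain, and "*" covers everything.
def suffix_bypass?(host, no_proxy)
  host = host.downcase
  no_proxy_entries(no_proxy).any? do |entry|
    next true if entry == '*'
    domain = entry.sub(/\A\./, '')
    host == domain || host.end_with?(".#{domain}")
  end
end

# Classify each host: :bypass (bypassed under both interpretations),
# :client_dependent (only the suffix interpretation bypasses the proxy),
# or :proxied (never bypassed, so the request goes to the proxy).
def audit_no_proxy(hosts, no_proxy)
  hosts.to_h do |host|
    status =
      if literal_bypass?(host, no_proxy) then :bypass
      elsif suffix_bypass?(host, no_proxy) then :client_dependent
      else :proxied
      end
    [host, status]
  end
end

# Stand-alone use: pass hostnames as arguments; reads no_proxy from the shell.
if __FILE__ == $PROGRAM_NAME
  hosts = ARGV.empty? ? ['supermarket.example.com'] : ARGV
  audit_no_proxy(hosts, ENV['no_proxy'] || ENV['NO_PROXY']).each do |host, status|
    puts format('%-40s %s', host, status)
  end
end
```

Any host reported as client_dependent is one whose name may still be sent to the proxy by a tool that does not expand leading-dot entries, so listing it explicitly, as in the successful run above, removes the ambiguity.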

Written by Jamie Tanna.

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.
