Many enterprise environments use custom certificates (for example, self-signed). For example, an on-premises Chef Habitat Builder Depot might have a self-signed SSL certificate.
Attempting to perform an operation using the Habitat client to communicate with a service that has a custom certificate can produce an error, such as:
✗✗✗ ✗✗✗ the handshake failed: The OpenSSL library reported an error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:: unable to get local issuer certificate ✗✗✗
One option to remediate this error is to define a
SSL_CERT_FILE environment variable pointing to the custom certificate path before performing the client operation.
The Habitat 0.85.0 release in September 2019 improved the handling of custom certificates.
Now Habitat knows to look for custom certificates in the
~/.hab/cache/ssl directory, which is
/hab/cache/ssl when you are running as root.
Copying multiple certificates–for example, a self-signed certificate and a custom certificate authority certificate–to the Chef Habitat cache directory makes them automatically available to the Habitat client.
/hab/cache/ssl directory is also available inside a Habitat Studio. As long as the certificates are inside the cache directory before you enter the Studio, you’ll also find them inside the Studio. In addition, if you’ve set the
SSL_CERT_FILE environment variable, you’ll also find both it and the file that it points to inside the Studio
cert.pem file name is reserved for Habitat. Do not use
cert.pem as a file name when copying certs into the cache directory.