Chef remote_file from https site with self signed certificate

Question

I was wondering if Chef can use a remote_file resource form a https source that uses self signed certificate. It doesn't seem to be able to. Documentation does not mention certificates and offer configuration for disable SSL check.

If you have a site with https with self signed certificate this can for example be reproduced with recipe that has

remote_file "/tmp/image.png" do
  source "https://mywebsite.com/image.png"
end

You can of course use knife to fetch the certificate on the target node for example as follows

vagrant@devops:~$ knife ssl fetch https://mywebsite.com/
WARNING: No knife configuration file found
WARNING: Certificates from mywebsite.com will be fetched and placed in your trusted_cert directory (/home/vagrant/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should verify the authenticity of these certificates after downloading.

This doesn't seem to do much/anything. Chef will continue to show message

==> default: [2015-06-08T06:30:33+00:00] ERROR: remote_file[/tmp/image.png] (jenkins::remote_file_test line 1) had an error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Maybe this is a bug? It seems that Chef is ignoring the trusted certs.

Is there a workaround for this? Can we make Chef trust the cert somehow?

Update Correct answer was given by Tensibai. See his comment.

Answer 1

Per tensibai's technique (comment in the original question) I have the following bit of a recipe to install the cert:

bash 'pull certificate from gitlab' do
  code <<-EOH
    openssl s_client -connect hqdevgit01.my.lan:443 -showcerts | openssl x509 -outform PEM > /opt/chef/embedded/ssl/certs/gitlab.pem
    cat /opt/chef/embedded/ssl/certs/gitlab.pem >> /opt/chef/embedded/ssl/certs/cacert.pem
  EOH
  not_if { ::File.exists?('/opt/chef/embedded/ssl/certs/gitlab.pem') }
end

I download and store the pem in a separate file, and trigger the action off of that existance in the future. I suppose I should check the cacert.pem, but there doesn't seem to be much problem should the cert be appended more than once.

Ultimately I need to get some certs for my internal tools servers - but the organization is small, and there isn't a clear indication of what and where we will be in 6 months. This solution is fine (not ideal) for my short term needs (and we are 100% behind firewalls here).