This repository has been archived by the owner on Jul 14, 2021. It is now read-only.

knife ssl check failure on Windows 7 #319

Closed
joelwilson opened this issue Feb 13, 2015 · 1 comment

@joelwilson

knife ssl fetch works, but knife ssl check fails on Win 7. I'm running ChefDK 0.3.6 against a Chef 12 server running on Ubuntu 14.04 at EC2. U:\ is my home directory.

PS U:\> knife ssl fetch
WARNING: Certificates from chefserv01.companyname.com will be fetched and placed in your trusted_cert
directory (U:/.chef\trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for chefserv01.companyname.com in U:/.chef\trusted_certs/chefserv01_companyname_com.crt

PS U:\> knife ssl check
Connecting to host chefserv01.companyname.com:443
ERROR: The SSL certificate of chefserv01.companyname.com could not be verified
Certificate issuer data: /C=US/ST=WA/L=Seattle/O=YouCorp/OU=Operations/CN=chefserv01.companyname.com/emailAddress=you@example.com

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.0l 6 Jan 2014
* Certificate file: C:/Users/Luis/Code/luislavena/knap-build/var/knapsack/software/x86-windows/openssl/1.0.0n/ssl/cert.pem
* Certificate directory: C:/Users/Luis/Code/luislavena/knap-build/var/knapsack/software/x86-windows/openssl/1.0.0n/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: "C:/opscode/chefdk/embedded/ssl/certs/cacert.pem"
* trusted_certs_dir: "U:/.chef\\trusted_certs"

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server's certificate.

By default, the certificate is stored in the following location on the host
where your chef-server runs:

  /var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to you trusted_certs_dir (currently: U:/.chef\trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.

FWIW, I had trouble with berks a while back and implemented the SSL_CERT_FILE fix.

@joelwilson

Well I just got this working after finding this blog post. The fix was to set the trusted_certs_dir in my knife.rb:

trusted_certs_dir          'U:/.chef/trusted_certs'

PS U:\> knife ssl fetch
WARNING: Certificates from chefserv01.companyname.com will be fetched and placed in your trusted_cert
directory (U:\/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for chefserv01.companyname.com in U:\/.chef/trusted_certs/chefserv01_companyname_com.crt
PS U:\> knife ssl check
Connecting to host chefserv01.companyname.com:443
Successfully verified certificates from `chefserv01.companyname.com'
PS U:\>

My guess is it didn't work with the default path because of my strange home directory setup, but I have not verified.

Please re-open if this is determined to be a bug.
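
The knife output above warns that `knife ssl fetch` cannot verify what it downloads. The following is an added example, not part of the original thread or of Chef's code: it compares each `.crt` in a `trusted_certs_dir` with a SHA-256 fingerprint obtained out of band. The function names, the `pinned` map and the throwaway certificate are assumptions made for illustration.

```ruby
require 'openssl'
require 'tmpdir'

# SHA-256 fingerprint in the colon-separated form printed by
# `openssl x509 -noout -fingerprint -sha256`.
def cert_fingerprint(pem)
  der = OpenSSL::X509::Certificate.new(pem).to_der
  OpenSSL::Digest::SHA256.hexdigest(der).upcase.scan(/../).join(':')
end

# Compare every .crt in trusted_certs_dir with fingerprints obtained out of
# band (e.g. read on the server itself). `pinned` maps file name => fingerprint.
def audit_trusted_certs(dir, pinned)
  # Dir.glob treats "\" as an escape character, so use forward slashes only.
  pattern = File.join(dir.tr('\\', '/'), '*.crt')
  Dir.glob(pattern).sort.map do |path|
    name = File.basename(path)
    actual = cert_fingerprint(File.read(path)).delete(':').downcase
    want = pinned[name]
    status = if want.nil? then :unpinned
             elsif want.delete(': ').downcase == actual then :ok
             else :mismatch
             end
    [name, status]
  end.to_h
end

# Constructed sample input: a throwaway self-signed certificate.
def constructed_cert_pem(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    pem = constructed_cert_pem('chefserv01.companyname.com')
    File.write(File.join(dir, 'chefserv01_companyname_com.crt'), pem)
    p audit_trusted_certs(dir, 'chefserv01_companyname_com.crt' => cert_fingerprint(pem))
  end
end
```

A `:mismatch` or `:unpinned` result means the file should be removed from the trusted directory until its fingerprint has been confirmed against the certificate on the server.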

@chef-boneyard chef-boneyard locked and limited conversation to collaborators Feb 14, 2018