Chef Server(RHEL 6.5): 11.16.4
Windows endpoint: Windows 2008
The bootstrapping works fine over http (with winrm config AllowUnencrypted = true and basic auth = true).
Now we are trying the same thing over https (but with basic auth = false and AllowUnencrypted = false).
The self-signed certificate is generated (with private key) and I've verified telnet over port 443.
To check connectivity, I've run the following command from my terminal (windows 7),
winrs -r:https://<fqdn Of windows EP>:443 -u:administrator -p:password_1 ipconfig
which works fine after adding the self signed certificate under trusted root certification authorities.
Error while bootstrapping from chef server:
[root@v-ng25-rhel6u5-tpm722 ~]# knife bootstrap windows winrm v-ngibm71tpm7222k8.example.co.in -x Administrator -P 'password_1' -p 443 --bootstrap-version '11.16.4-1'
Waiting for remote response before bootstrap.at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
ERROR: No response received from remote node after 1.84 minutes, giving up.
ERROR: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Ideally, if the winrs command works (meaning there is no issue with the self-signed cert generation and listener config), so should this.
Any help/pointers are much appreciated.
Updates:
- Taken care of removing spaces in the thumbprint while creating the listener.
- knife ssl check is able to verify the certificate.
- Gave the --no-ssl-peer-verification option a try, as in https://github.com/gswallow/knife-windows/commit/d04c835cfff1260017b91a799168e90b931cad6a
- The env var SSL_CERT_FILE points to /opt/chef-server/embedded/ssl/certs/cacert.pem, which contains the remote machine certificate.
- Tried an ad hoc suggestion to add the certificate to the keystore at /opt/opscode/embedded/jre/jre/lib/security/cacerts
Issue still persists.
UPDATE:
This is what worked,
Edit file
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/knife-windows-0.8.0/lib/chef/knife/bootstrap_windows_winrm.rb
and add line,
winrm.config[:no_ssl_peer_verification] = true
Edit file
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/knife-windows-0.8.0/lib/chef/knife/winrm.rb
and add line,
session_opts[:no_ssl_peer_verification] = true if config.has_key?(:no_ssl_peer_verification)
It still gives the self-signed error, but at least it bootstraps.
OUTPUT:
Waiting for remote response before bootstrap.at depth 0 - 18: self signed certificate
at depth 0 - 18: self signed certificate
tpm72-win2K8R2.example.com .
tpm72-win2K8R2.example.com Response received.
Remote node responded after 0.0 minutes.
Bootstrapping Chef on tpm72-win2K8R2.example.com
at depth 0 - 18: self signed certificate
at depth 0 - 18: self signed certificate
tpm72-win2K8R2.example.com "Rendering "C:\Users\ADMINI~1\AppData\Local\Temp\bootstrap-22620-1423038641.bat" chunk 1"
at depth 0 - 18: self signed certificate
at depth 0 - 18: self signed certificate
tpm72-win2K8R2.example.com "Rendering "C:\Users\ADMINI~1\AppData\Local\Temp\bootstrap-22620-1423038641.bat" chunk 2"
Comments:
winrm config AllowUnencrypted = true and basic auth = true). I'll try this to see if it helps: gagravarr.org/writing/openssl-certs/… – Ivan
winrm.config[:ca_trust_file] = Chef::Config[:knife][:ca_trust_file] if Chef::Config[:knife][:ca_trust_file]
So you may try adding
knife[:ca_trust_file] = "/opt/chef-server/embedded/ssl/certs/cacert.pem"
to your knife.rb file. – Tensibai
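The "at depth 0 - 18: self signed certificate" lines in the question are OpenSSL's verify callback reporting error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) for a listener certificate that is not in the trust store knife is using. The Ruby below is an added example (not code from knife-windows or from the poster) that reproduces that check offline with a constructed self-signed certificate, then shows that adding the certificate to the trust set, which is what the ca_trust_file suggestion above amounts to, clears the error without turning off peer verification. The hostname is taken from the question's output; the certificate and key are constructed here.

```ruby
require 'openssl'

# Constructed sample: a self-signed certificate standing in for the WinRM
# listener certificate that the "at depth 0 - 18" messages complain about.
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject           # issuer == subject: self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify a listener certificate the way SSL_connect with VERIFY_PEER does.
# Returns [ok, events]; each event is [depth, error_code, error_string], so the
# failing depth and OpenSSL error number are visible (18 is
# X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, the code behind "self signed
# certificate" in the question's output).
def verify_listener_cert(cert, trusted_pems: [])
  store = OpenSSL::X509::Store.new
  # A real trust file such as cacert.pem would be loaded with store.add_file(path);
  # PEM strings are used here so the example runs offline.
  trusted_pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  events = []
  store.verify_callback = lambda do |preverify_ok, ctx|
    events << [ctx.error_depth, ctx.error, ctx.error_string] unless preverify_ok
    preverify_ok
  end
  [store.verify(cert), events]
end

if __FILE__ == $PROGRAM_NAME
  listener = make_self_signed('tpm72-win2K8R2.example.com')
  ok, events = verify_listener_cert(listener)
  puts "untrusted: ok=#{ok} #{events.map { |d, e, s| "at depth #{d} - #{e}: #{s}" }.join(', ')}"
  ok, events = verify_listener_cert(listener, trusted_pems: [listener.to_pem])
  puts "trusted:   ok=#{ok} events=#{events.inspect}"
end
```

Pointing knife at a trust file that contains the listener certificate keeps verification on, whereas the no_ssl_peer_verification patch above accepts any certificate the endpoint presents.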