Re: Problem with clients authentication to the server


  • From: Daniel DeLeo <devnullian@gmail.com>
  • To: chef@lists.opscode.com
  • Subject: Re: Problem with clients authentication to the server
  • Date: Mon, 1 Jun 2009 11:04:15 -0600

Hi Albert,
I'm new to chef as well and had the same issue testing chef on 2 VMs on my laptop. I tracked it down to the SSL certs that chef generated on the server having "server_fqdn" in the CN field.

To fix it, I first corrected my chef.json file so that all of the fields in the "server_ssl_req" property were correct. Next, I had to delete the old certs under /etc/chef/certificates/* (three files here). When I reran the chef-solo command, it regenerated the certs with the correct FQDN and everything started working correctly.

Basically the issue boils down to man in the middle/phishing protection in SSL; I believe the chef server is contacting itself for OpenID stuff using the hostname you declared in the "server_fqdn" field of the chef.json file. When it gets back a certificate, the CN on the cert is expected to match the hostname; if it doesn't, then something fails and you get the 400 error.

Again, I'm new to chef, so I could be wrong about where chef is getting the configuration info, but I'm pretty solid on the SSL part.

OT for this thread, but--for the list managers: Any way the archives could be made available to googlebot and the like? It would surely make the combined knowledge of the list more accessible. I get the bit about spam harvesting, but I consider being able to search blogs, list archives, etc. simultaneously via one search engine a bigger win than having my email harvested is a loss.

HTH,
Dan DeLeo
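
The check Dan describes, as an added example that is not part of this thread and not Chef's own code: generate the kind of self-signed server certificate the bootstrap would produce from a chef.json, then run the same hostname check a TLS client applies, comparing the certificate against the declared server_fqdn. The two chef.json documents are constructed for the example, and the shape of "server_ssl_req" as an OpenSSL subject string ("/C=.../CN=...") is an assumption; the certificate generation is a simplified stand-in (self-signed, no subjectAltName, so Ruby's matcher falls back to the CN, exactly the field that was wrong).

```ruby
require 'json'
require 'openssl'

# Constructed example configs (assumed shape: a chef.json with a
# "server_fqdn" string and a "server_ssl_req" OpenSSL subject string).
# The first keeps the template placeholder in the CN, reproducing the
# mismatch described in the thread; the second is the corrected form.
BROKEN_CHEF_JSON = <<~JSON
  {
    "server_fqdn": "chef.example.com",
    "server_ssl_req": "/C=US/ST=California/L=San Francisco/O=Example/OU=Operations/CN=server_fqdn"
  }
JSON

FIXED_CHEF_JSON = <<~JSON
  {
    "server_fqdn": "chef.example.com",
    "server_ssl_req": "/C=US/ST=California/L=San Francisco/O=Example/OU=Operations/CN=chef.example.com"
  }
JSON

# Simplified stand-in for the bootstrap's certificate generation: a
# self-signed X.509 cert whose subject is taken verbatim from server_ssl_req,
# with no subjectAltName, so hostname checks fall back to the CN.
def generate_server_cert(subject_string)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(subject_string)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 60 * 60
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Pull the CN out of a certificate subject; nil if there is none.
def cert_common_name(cert)
  entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  entry && entry[1]
end

# The check a TLS client performs: does the certificate it was handed
# actually identify the host it meant to talk to? Uses Ruby's RFC 6125-style
# matcher (subjectAltName first, CN as the fallback).
def cert_identifies_host?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Generate the cert a given chef.json would produce and report whether it
# would pass the hostname check against that file's server_fqdn.
def check_chef_server_cert(chef_json_text)
  config = JSON.parse(chef_json_text)
  fqdn   = config.fetch('server_fqdn')
  cert   = generate_server_cert(config.fetch('server_ssl_req'))
  { fqdn: fqdn, cn: cert_common_name(cert), ok: cert_identifies_host?(cert, fqdn) }
end

# Same check against an existing PEM (e.g. the contents of one of the files
# under /etc/chef/certificates/), for inspecting certs already on disk.
def check_pem_against_fqdn(pem_text, fqdn)
  cert = OpenSSL::X509::Certificate.new(pem_text)
  { fqdn: fqdn, cn: cert_common_name(cert), ok: cert_identifies_host?(cert, fqdn) }
end

if __FILE__ == $PROGRAM_NAME
  [BROKEN_CHEF_JSON, FIXED_CHEF_JSON].each do |cfg|
    r = check_chef_server_cert(cfg)
    puts "server_fqdn=#{r[:fqdn]} cert CN=#{r[:cn]} -> #{r[:ok] ? 'matches' : 'MISMATCH'}"
  end
end
```

To inspect the certificates already on a server rather than regenerating them, read one of the PEM files under /etc/chef/certificates/ and pass its contents to check_pem_against_fqdn with the server_fqdn from chef.json; a false result means the cert will be rejected for the same reason as in the thread, and deleting the certificates and rerunning chef-solo with a corrected "server_ssl_req" is the fix.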

On Thu, May 28, 2009 at 1:27 AM, Albert Llop <mrsimo@gmail.com> wrote:
Hi there,

we've been trying to get Chef on and going in my Company since Joshua Sierles' presentation at EuRuKo this month, and we've encountered a brick wall which I'd like to share with you and see if anyone can help.

The problem is explained in this gist http://gist.github.com/118534

--
Albert Llop



