Re: Problem with clients authentication to the server

[Daniel DeLeo <devnullian@gmail.com>]

Hi Albert,
I'm new to chef as well and had the same issue testing chef on 2 VMs on my laptop. I tracked it down to the SSL certs that chef generated on the server having ``server_fqdn'' in the CN field. 

To fix it, I first corrected my chef.json file so that all of the fields in the "server_ssl_req" property were correct. Next, I had to delete the old certs under /etc/chef/certificates/* (three files here). When I reran the chef-solo command, it regenerated the certs with the correct FQDN and everything started working correctly.

Basically the issue boils down to man in the middle/phishing protection in SSL; I believe the chef server is contacting itself for OpenID stuff using the hostname you declared in the "server_fqdn" field of the chef.json file. When it gets back a certificate, the CN on the cert is expected to match the hostname; if it doesn't, then something fails and you get the 400 error.

Again, I'm new to chef, so I could be wrong about where chef is getting the configuration info, but I'm pretty solid on the SSL part.

OT for this thread, but--for the list managers: Any way the archives could be made available to googlebot and the like? It would surely make the combined knowlege of the list more accessible. I get the bit about spam harvesting, but I consider being able to seach blogs, list archives, etc. simultaneously via one search engine a bigger win than having my email harvested is a loss.

HTH,
Dan DeLeo

On Thu, May 28, 2009 at 1:27 AM, Albert Llop <mrsimo@gmail.com> wrote:

Hi there,

we've been trying to get Chef on and going in my Company since Joshua Sierles' presentation at EuRuKo this month, and we've encountered a brick wall which I'd like to share with you and see if anyone can help.

The problem is explained in this gist http://gist.github.com/118534

--
Albert Llop