[chef] Re: Knife Windows and Self-Signed Certs


Chronological Thread 
  • From: Mat Davies < >
  • To:
  • Subject: [chef] Re: Knife Windows and Self-Signed Certs
  • Date: Thu, 31 Jan 2013 14:57:43 +0000

no you are not alone in this. 
What occurred to me when I was looking into this originally is what advantage do you get from running an unauthenticated binary repository (free open source binaries) over https vs running it on http? 

-Mat

On 31 January 2013 09:07, < " target="_blank"> > wrote:
Hi chefs,

We're just starting out using Chef for Windows, which has been interesting, as
I had v. little Windows experience before embarking on this project :-)

We've run into a Knife Windows issue; this is not improper behaviour as such,
though, hence my writing to the list to have others' opinions.

By policy, we only bootstrap nodes using Omnibus packages previously copied to
an internal repo. The relevant line in our custom bootstrap template looks like
this:

cscript /nologo C:\chef\wget.vbs
/url:https://our.msi.repo/chef-client-latest.msi
/path:%TEMP%\chef-client-latest.msi

By default, this doesn't work, because our.msi.repo has a self-signed
certificate. So we patch windows_bootstrap_context.rb, where win_wget is
defined, making sure the XMLHTTP object has the proper option set to ignore the
exception caused by the self-signed cert:

objXMLHTTP.setOption 2, SXH_SERVER_CERT_IGNORE_UNKNOWN_CA

From our perspective,  it would be nice if Knife Windows had an option to
ignore errors caused by self-signed certificates when bootstrapping :-) Are we
alone in this?

Thanks,

dsp




Archive powered by MHonArc 2.6.16.

§