- From: Daniel DeLeo
- To:
- Subject: [chef] Re: Open Source Chef: server as workstation in dmz
- Date: Tue, 17 Jun 2014 22:12:07 -0700
On Monday, June 16, 2014 at 6:25 AM,
wrote:
> Hello community,
>
> I'm quite new to chef and I have to set up a chef server and now I am
> totally stuck. I hope I can find some help here because I found nothing
> about my problem in the documentation and I have been working on this for
> 3 weeks :(
>
> First of all, the description of the situation:
>
> The server resides in the DMZ subnet of the office LAN (as a VM, Ubuntu
> 14.04). It has a private IP (192.168.0.2) and local name/FQDN
> (chef.dmz.loc). From the internet the server is accessible via an external
> FQDN and IP (example.com (http://example.com), 93.184.216.119) by the
> appropriate firewall rules/port-forwarding.
>
> It is also used as a workstation and a special user account (chefdev) is
> designated to create, modify and upload cookbooks as well as bootstrap
> nodes. This setup (DMZ, special account, server = workstation) can be seen
> as constraints.
>
> The problem is that I either can't upload cookbooks or I can't bootstrap
> nodes. If I configure everything for the local FQDN it's possible to upload
> cookbooks, but bootstrapping nodes does not work because from the internet
> the local name is not resolvable (of course!). If I configure the server
> for its external IP I can't upload cookbooks because of an SSL handshake
> failure.
>
> Is there any solution for this under the constraints mentioned above?
> Thanks in advance.
>
> Below are some configurations and error messages which might be needed for
> you to help me. If you need some more, please tell me.
>
> configuration (ext. IP): http://pastebin.com/3uwMYutz
>
> error messages
> knife: http://pastebin.com/gAfsYiej
> erchef: http://pastebin.com/Rc5UDvj4
The most general solution is to use an SSL certificate with a SubjectAltName
field that contains both the FQDN and the IP address.
You could also use split-horizon DNS or configure the chef-server's hostname
in your /etc/hosts.
The least good solution is to disable SSL certificate verification for hosts
on the local network.
--
Daniel DeLeo
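The following is an added example, not code from the thread or from the Chef project. It is a Ruby script (the language Chef and knife are written in) that builds two throwaway self-signed certificates for the poster's server, one with only CN=chef.dmz.loc and one whose subjectAltName lists the local FQDN, the external FQDN and the external IP, and then asks Ruby's own client-side identity check, OpenSSL::SSL.verify_certificate_identity, which of the three ways of reaching the server each certificate identifies. The hostnames and IP are the ones from the question; the keys are generated in-process and are assumptions for the demonstration only.

```ruby
require 'openssl'

# Build a throwaway self-signed certificate for CN `cn` with the given
# subjectAltName entries (for example "DNS:chef.dmz.loc", "IP:93.184.216.119").
# An empty `sans` list yields a legacy CN-only certificate. Constructed for
# this example; a real server would use a key and CA of its own.
def build_self_signed(cn, sans = [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 3600
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension('subjectAltName', sans.join(','), false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Run the same identity check a Ruby SSL client performs against the peer
# certificate: `reference` may be a DNS name or an IP literal. Once a SAN
# extension is present, the CN is ignored entirely, so every name the
# server is reached by must be listed there.
def identity_ok?(cert, reference)
  OpenSSL::SSL.verify_certificate_identity(cert, reference)
end

def check_all(cert, references)
  references.each_with_object({}) { |r, h| h[r] = identity_ok?(cert, r) }
end

# The three ways the poster's clients reach the server.
REFERENCES = ['chef.dmz.loc', 'example.com', '93.184.216.119'].freeze

CN_ONLY_CERT = build_self_signed('chef.dmz.loc')
SAN_CERT     = build_self_signed('chef.dmz.loc',
                                 ['DNS:chef.dmz.loc', 'DNS:example.com',
                                  'IP:93.184.216.119'])

if __FILE__ == $PROGRAM_NAME
  puts "CN-only cert: #{check_all(CN_ONLY_CERT, REFERENCES)}"
  puts "SAN cert:     #{check_all(SAN_CERT, REFERENCES)}"
end
```

The CN-only certificate is accepted for chef.dmz.loc and rejected for both the external name and the IP, which is the shape of a hostname-mismatch handshake failure; the SAN certificate is accepted for all three. Note the trap the third case in the check illustrates: a certificate whose SAN lists only the external name is rejected for the local name even though the CN still says chef.dmz.loc, so the SAN must carry every name and address in use. On the real server, OpenSSL 1.1.1 or later can produce such a certificate with `openssl req -x509 ... -addext "subjectAltName=DNS:chef.dmz.loc,DNS:example.com,IP:93.184.216.119"`, and `knife ssl check` reports what knife sees when it connects to the chef_server_url in knife.rb.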
Archive powered by MHonArc 2.6.16.