[chef] Re: Re: Fwd: Pass --no-check-certificate to knife?


  • From: Daniel Condomitti
  • To:
  • Subject: [chef] Re: Re: Fwd: Pass --no-check-certificate to knife?
  • Date: Fri, 3 Oct 2014 11:05:05 -0700

Disabling peer verification is very irresponsible, **especially** when you’re running arbitrary shell scripts off the internet as root. The Chef packages themselves are signed but nothing prevents tampering with the install.sh script.

Ubuntu should already trust the certificate used for www.opscode.com unless something is wrong with the certificate store in your template. You could modify your bootstrap to either include DigiCert’s root in your OS store[0] or just use it for the single curl install[1].

[0] Write the certificate[2] to /usr/local/share/ca-certificates/ and run ‘update-ca-certificates’
[1] Write the certificate[2] to /tmp/ and pass --cacert /tmp/DigiCertGlobalRootCA.crt to :bootstrap_curl_options
[2] http://cacerts.digicert.com/DigiCertGlobalRootCA.crt (compare the serial/thumbprint https://www.digicert.com/digicert-root-certificates.htm first)

On Friday, October 3, 2014 at 10:52 AM, Julian C. Dunn wrote:

You can configure

:bootstrap_wget_options

or

:bootstrap_curl_options

in your knife.rb to do the needful.

- Julian

On Fri, Oct 3, 2014 at 1:47 PM, Martin Cleaver wrote:
Hi,

When I try to bootstrap a new node, just like
, I get cannot verify www.opscode.com's certificate

This question has been asked a couple of times on IRC.

So, without making a special O/S template (Ubuntu in this case), is there a
way of either initializing the certificate store or passing
--no-check-certificate such that it gets to curl / wget?

Thanks,
Martin.



--
[ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]
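The "compare the serial/thumbprint first" step from Daniel's footnote [2], combined with Julian's `:bootstrap_curl_options` setting, as an added example that is not from the thread: the root is pinned to an expected fingerprint and serial before it is written out and handed to curl. The pinned values and the `constructed_test_root` stand-in are placeholders; the real input is the DigiCertGlobalRootCA.crt file and the values read from DigiCert's page.

```ruby
# Added example, not from the thread: pin the root before trusting it.
require 'openssl'
require 'tmpdir'

# Colon-separated upper-case SHA-256 fingerprint of the DER encoding, the
# format `openssl x509 -noout -fingerprint -sha256` prints.
def cert_fingerprint(pem)
  der = OpenSSL::X509::Certificate.new(pem).to_der
  OpenSSL::Digest.new('SHA256').hexdigest(der).upcase.scan(/../).join(':')
end

# Serial number as upper-case hex, the form issuers publish.
def cert_serial(pem)
  OpenSSL::X509::Certificate.new(pem).serial.to_s(16).upcase
end

# True only when both pinned values match; case and separators are ignored
# so a value copied from the DigiCert page or `openssl` output compares equal.
def trusted_root?(pem, expected_fingerprint, expected_serial)
  norm = ->(s) { s.to_s.delete(': ').upcase }
  norm.(cert_fingerprint(pem)) == norm.(expected_fingerprint) &&
    norm.(cert_serial(pem)) == norm.(expected_serial)
end

# Writes the verified PEM to +path+ and returns the knife.rb setting that
# hands it to curl during bootstrap; raises on mismatch instead of trusting.
def knife_curl_option(pem, expected_fingerprint, expected_serial, path)
  unless trusted_root?(pem, expected_fingerprint, expected_serial)
    raise "refusing to trust #{path}: fingerprint or serial mismatch"
  end
  File.write(path, pem)
  "knife[:bootstrap_curl_options] = '--cacert #{path}'"
end

# Constructed self-signed stand-in so the check runs offline; the real input
# is the DigiCertGlobalRootCA.crt file fetched from cacerts.digicert.com.
def constructed_test_root(serial = 0x1234)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed root')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end
```

The returned line goes into knife.rb; for option [0] the same verified file would instead be written to /usr/local/share/ca-certificates/ followed by update-ca-certificates.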




