[chef] Re: Re: Secure knife winrm


  • From: Tensibai < >
  • To:
  • Subject: [chef] Re: Re: Secure knife winrm
  • Date: Thu, 30 Oct 2014 20:28:55 +0100

I did resolve this issue by setting the SSL_CERT_FILE env variable pointing to a file with our internal CA certs before running knife commands.

As far as I can tell, this location is for ruby libs, not openssl itself and that's why it dies.

It could be worth a pull request on knife/chef code, unsure about which one...

On 2014-10-30 20:09, Dwayne Forehand wrote:

I've been trying to solve the same problem with knife winrm over ssl for a couple days.  Did you get it figured out?

When I knife winrm to my node I get "Error 20 - unable to get local issuer certificate". I added our CA to /embedded/ssl/certs/cacert.pem and tried again. Same. I tried openssl s_client -showcerts against the domain and got error 20 as expected. Then I tried another openssl s_client -showcerts but specified the CAfile as /embedded/ssl/certs/cacert.pem. Success, returned ok.
 
When knife winrm calls openssl is it not passing along the location of /embedded/ssl/certs/cacert.pem?
 
Using ChefDK  0.3.2 on win server 2012 r2.
 
-Dwayne

On Thu, Aug 14, 2014 at 5:09 AM, < > wrote:
Trying to get knife winrm working with SSL enabled.  Keep getting error with
winrm validating the server's WinRM certificate.  Error: unable to get local
issuer certificate.

I am relatively sure I need to provide a certificate chain but attempts at
providing ca-trust-file have failed.  Can anyone provide a link to documentation
on the format and content needed for this file?

Thanks
Daniel D.


 
--
"And let us consider how to stir up one another to love and good works . . ." - Hebrews 10:24

 

 


