chef - [chef] knife ssl check/fetch/check against a self-signed winrm ssl-transport host fails

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] knife ssl check/fetch/check against a self-signed winrm ssl-transport host fails

From: Chris McClimans < >
To:
Subject: [chef] knife ssl check/fetch/check against a self-signed winrm ssl-transport host fails
Date: Tue, 29 Sep 2015 06:09:28 -0400

My goal is to securely connect to windows boxes from chef-provisioning (aws),
but I thought I'd try and connect via knife first.

I noticed that even after the knife ssl fetch, knife refuses to use
the self-signed-cert.

'''
* trusted_certs_dir: "/home/hh/provisioning/.chef/trusted_certs"
WARNING: There are invalid certificates in your trusted_certs_dir.
OpenSSL will not use the following certificates when verifying SSL
connections:

/home/hh/provisioning/.chef/trusted_certs/ip-0A7146CD.crt: self signed
certificate
'''

knife ssl check/fetch/check followed by openssl s_client check:

'''
$ knife ssl check https://10.113.70.205:5986
Connecting to host 10.113.70.205:5986
ERROR: The SSL certificate of 10.113.70.205 could not be verified
Certificate issuer data: /CN=ip-0A7146CD

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.2a 19 Mar 2015
* Certificate file: /etc/ssl/cert.pem
* Certificate directory: /etc/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/home/hh/provisioning/.chef/trusted_certs"

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server's certificate.

By default, the certificate is stored in the following location on the host
where your chef-server runs:

  /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently:
/home/hh/stratalux/lifelock/misc/provisioning/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.
'''

'''
$ knife ssl fetch https://10.113.70.205:5986
WARNING: Certificates from 10.113.70.205 will be fetched and placed in
your trusted_cert
directory (/home/hh/provisioning/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for ip-0A7146CD in
/home/hh/provisioning/.chef/trusted_certs/ip-0A7146CD.crt
'''

'''
$ knife ssl check https://10.113.70.205:5986

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.2a 19 Mar 2015
* Certificate file: /etc/ssl/cert.pem
* Certificate directory: /etc/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/home/hh/provisioning/.chef/trusted_certs"
WARNING: There are invalid certificates in your trusted_certs_dir.
OpenSSL will not use the following certificates when verifying SSL
connections:

/home/hh/provisioning/.chef/trusted_certs/ip-0A7146CD.crt: self signed
certificate

TO FIX THESE WARNINGS:

We are working on documentation for resolving common issues uncovered here.

* If the certificate is generated by the server, you may try redownloading the
server's certificate. By default, the certificate is stored in the following
location on the host where your chef-server runs:

  /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently:
/home/hh/misc/provisioning/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.

Connecting to host 10.113.70.205:5986
ERROR: The SSL certificate of 10.113.70.205 could not be verified
Certificate issuer data: /CN=ip-0A7146CD
Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.2a 19 Mar 2015
* Certificate file: /etc/ssl/cert.pem
* Certificate directory: /etc/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/home/hh/provisioning/.chef/trusted_certs"

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server's certificate.

By default, the certificate is stored in the following location on the host
where your chef-server runs:

  /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently:
/home/hh/provisioning/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.
'''

'''
$ openssl s_client -connect 10.113.70.205:5986 -CAfile
.chef/trusted_certs/ip-0A7146CD.crt -verify_return_error
CONNECTED(00000003)
depth=0 CN = ip-0A7146CD
verify error:num=18:self signed certificate
---
Certificate chain
0 s:/CN=ip-0A7146CD
   i:/CN=ip-0A7146CD
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC2jCCAcKgAwIBAgIQYoe1RTcKKbZBnf3F2D8uKTANBgkqhkiG9w0BAQUFADAW
MRQwEgYDVQQDEwtpcC0wQTcxNDZDRDAeFw0xNTA5MjgwOTQxMDZaFw0xNjAzMjkw
OTQxMDZaMBYxFDASBgNVBAMTC2lwLTBBNzE0NkNEMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA3wXVQvW7WMeFyMSG0rW6cKHNLcmrgGENYT7AqLZeAGGk
8DELNAOJ69/4OBuJy79WLapEXhkSvp4W1IvrV44tkYPh427thuuaYMJdETrTtoFy
x+RxON1DWyfxQmXeDt/DKQH5V7S96IJ/5CylqR5+nVYwVQRXq0PkVfZmoJgZGgCT
e84bbdvGc/TZk9iuuMT+Y483tRRY+OtpPWjm+WB3ReJq88p+e2PASqknowHhv9Jk
1M2IRFbDMe9QpPCnb/Ysv/v6wxJlgVAxk5DYcuzH4sjRxbsyIxtcTah/qHZu6y9l
+Wu6o9rGaVb/Zn2zugpU8LQbJCC4qecUT2bNLDJ+2wIDAQABoyQwIjATBgNVHSUE
DDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQEFBQADggEBAGUk
aZ6rrVF71QYnY9eKrLH4N/an+UokUf2uroIzioebOskgBmBwgbCHxMf4q2QvFtUw
DTH2J3kc1l7sYIAbOcmbTjCXf+w0jxx0IkNtyGCcXNLCnnjHfGuKM4YAMWHlGyU1
SPm3LmSm5pQUtaw/SULJ7kq0jGmoN3e4OefonNFXWDYMznvq8l7DQgGip2xo8B9O
fb9s1XDxNE7NMBq8YSWvmZMUa7WRuNZ0xP0N25chjkVTE85ZV15Gpsa3MSTMpKby
uPL/1RjalhU0gmFBelHWl2HrLNZ+08V9Y/9NY54CwbgmRn3mMYjeRVKRVR4qeuR0
tDRU7VSnkOWTmCeFR5c=
-----END CERTIFICATE-----
subject=/CN=ip-0A7146CD
issuer=/CN=ip-0A7146CD
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1274 bytes and written 500 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID:
233700001E82A6DBE277D444B7BA326E8F228A5E23C083CB4477C57FBE72EFCF
    Session-ID-ctx:
    Master-Key:
6F5A06DF8BB1E271D078C7BFDFDC04AEAE6914808F305A3876277B89067E5325BFF11ECDE0AC3ECAB977DADAE17AA139
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1443521077
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

'''

[chef] knife ssl check/fetch/check against a self-signed winrm ssl-transport host fails, Chris McClimans, 09/29/2015
- [chef] Re: knife ssl check/fetch/check against a self-signed winrm ssl-transport host fails, Daniel DeLeo, 09/29/2015