- From: Tensibai
- Subject: [chef] Re: Chef * + bundled SSL cert bundles are not delightful
- Date: Fri, 02 Oct 2015 10:57:15 +0200
Just a guess (unverified), but for bundler I had to use the environment variable SSL_CERT_FILE and point it to embedded/ssl/certs for it to work under Windows. Maybe httpclient could take this env variable too?
On 2015-10-01 23:14, Jeff Blaine wrote:
We are perpetually playing whack-a-mole with /opt/{chef,chefdk} SSL cert bundles.
We put our CA chain certs in /etc/chef/trusted_certs. Great, chef-client can talk to the server.
Then there's /opt/*/embedded/ssl/certs/cacert.pem
We append our CA chain certs there. That's pretty "cheap" due to the consistent path name and can be targeted easily via our custom certs cookbook.
Great. Now chef_gem works when talking to internet https endpoints through our company's mandated SSL inspection device.
Now ChefDK 0.8.1 has /opt/chefdk/embedded/ruby/gems/ruby/gems/ruby/gems/2.1.0/chef/bundles/apps/2.1.0/chef/ruby/stuff/noodles/rake/httpclient-2.something which has its own cacert.p7s file and a completely expensive cost to solving cleanly (read: not embedded that huge fragile path in some recipe). That is, we're reduced to running 'find /opt/chefdk -name cacert.p7s' + other crap in an execute resource.
We sure would like to hear people's ideas, 'cause this is madness.
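Added example (not code from either poster, and not part of Chef or ChefDK): a small Ruby script showing the two mechanics discussed in this thread, namely that Ruby's OpenSSL default store honours SSL_CERT_FILE, and how to append a CA to a cacert.pem-style bundle without duplicating it. It builds its own throwaway CA and leaf certificate in memory (constructed, not real), writes a bundle to a temporary directory, and checks whether the leaf verifies before and after the CA is appended. The subject names and the helper names (`make_cert`, `bundle_certs`, `append_ca_unless_present`, `verified_with_bundle?`) are my own, not anything from Chef.

```ruby
require 'openssl'
require 'tmpdir'

# Build a certificate. With no issuer it is self-signed (a throwaway CA);
# with issuer_cert/issuer_key it is a leaf signed by that CA. Constructed
# test material only; nothing here is a real CA.
def make_cert(subject:, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..(2**31))
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
    ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Parse every PEM certificate block in a bundle file (cacert.pem style).
def bundle_certs(bundle_path)
  File.read(bundle_path)
      .scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
      .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# Append `ca` to the bundle unless a certificate with the same SHA-256
# fingerprint is already there. Returns true if it was appended, false if
# it was already present, so the operation is safe to re-run from a recipe.
def append_ca_unless_present(bundle_path, ca)
  fp = OpenSSL::Digest::SHA256.hexdigest(ca.to_der)
  present = bundle_certs(bundle_path).any? do |c|
    OpenSSL::Digest::SHA256.hexdigest(c.to_der) == fp
  end
  return false if present
  File.open(bundle_path, 'a') do |f|
    f.write("\n") unless File.size(bundle_path).zero? || File.read(bundle_path).end_with?("\n")
    f.write(ca.to_pem)
  end
  true
end

# Verify `leaf` against the store OpenSSL builds from its default paths,
# with SSL_CERT_FILE pointed at `bundle_path` for the duration of the call.
# set_default_paths reads SSL_CERT_FILE (and SSL_CERT_DIR), which is exactly
# the knob the reply above suggests for bundler.
def verified_with_bundle?(leaf, bundle_path)
  old = ENV['SSL_CERT_FILE']
  ENV['SSL_CERT_FILE'] = bundle_path
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store.verify(leaf)
ensure
  ENV['SSL_CERT_FILE'] = old   # assigning nil removes the variable again
end

if __FILE__ == $PROGRAM_NAME
  ca, ca_key = make_cert(subject: '/CN=Constructed Test CA', ca: true)
  other, _   = make_cert(subject: '/CN=Unrelated CA', ca: true)
  leaf, _    = make_cert(subject: '/CN=proxy.example.test', issuer_cert: ca, issuer_key: ca_key)
  Dir.mktmpdir do |dir|
    bundle = File.join(dir, 'cacert.pem')
    File.write(bundle, other.to_pem)                 # bundle without our CA
    puts "before append: #{verified_with_bundle?(leaf, bundle)}"
    append_ca_unless_present(bundle, ca)
    puts "after append:  #{verified_with_bundle?(leaf, bundle)}"
  end
end
```

The fingerprint check is what keeps a cookbook from growing the bundle by one copy of the chain on every run; matching on subject alone would miss a rotated CA with the same name. Note that the store built by `set_default_paths` also loads whatever SSL_CERT_DIR or the compiled-in default directory holds, so a leaf from a CA that is already trusted system-wide verifies regardless of the bundle.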