Hello, I am having issues with getting an ec2 instance (windows) to bootstrap. It works when I disable all cert/ssl verification, which is obviously less than ideal. However, when I use the following command, the node errors out when trying to connect to the Chef Infra Server.
Output:
[172.31.112.9] [2021-06-21T18:42:47+00:00] ERROR: SSL Validation failure connecting to host: <http://chef-infra-server.domain.io|chef-infra-server.domain.io> - SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
[172.31.112.9]
[172.31.112.9] ================================================================================
[172.31.112.9] Chef encountered an error attempting to load the node data for "Management"
[172.31.112.9] ================================================================================
[172.31.112.9]```
I have:
• run `knife ssl fetch` on my workstation
• validated that the certificates are being placed on the bootstrapped node
• validated that the `trusted_certs_dir` parameter is appropriately set on the bootstrapped node
• provided the above command with the `-f` flag, and included (one at a time) all the certificates in my `trusted_certs_dir`
Curious to know what else I might be doing wrong? Thanks!
Update: I modified the following line on the bootstrapped node’s client.rb
(This path was set by Chef during the bootstrap process) :
trusted_certs_dir "C:\chef/trusted_certs"
to:
trusted_certs_dir "C:\\chef\\trusted_certs"```
And this allowed for it to work. How can I circumvent this in a bootstrap?
Update 2:
I am able to run the following two commands in succession:
-o winrm \
--winrm-ssl \
--winrm-no-verify-cert \
--node-verify-api-cert \
--node-ssl-verify-mode peer \
<NODE FQDN/IP_ADDRESS> \
-p 5986 \
-N <server_name> \
-U "<domain>\<user>" \
-P <user_pass> \
--policy-group aws_ec2_windows_base \
--policy-name aws_ec2_windows_base```
This installs chef and copies the `trusted_certs` from my workstation to the node. It fails however, because the path directive in `C:\chef\client.rb` is malformed.
I then have to run the above command again, with the last argument tacked on:
```knife bootstrap \
-o winrm \
--winrm-ssl \
--winrm-no-verify-cert \
--node-verify-api-cert \
--node-ssl-verify-mode peer \
<NODE FQDN/IP_ADDRESS> \
-p 5986 \
-N <server_name> \
-U "<domain>\<user>" \
-P <user_pass> \
--policy-group aws_ec2_windows_base \
--policy-name aws_ec2_windows_base \
--config-option "trusted_certs_dir=C:\\chef\\trusted_certs"```
This then completes the bootstrap process. However, I cannot run this command in the initial run, as it fails to copy the `trusted_certs` to the node.
Is there a parameter I can supply for where the certs reside locally on my workstation, and then another parameter I can supply for where the node should look, on itself, when running `chef-client`?
There’s a bug, the path should be c:/chef/trusted_certs (first in yours is a backslash)
So, short of manually modifying the client.rb
file on the node, running those two commands back to back is basically my only option at this point in time?
I don’t exactly remember how the client.rb is rendered before being sent to the node
I guess your local conf plays a role here
Or you can just edit the template in your local install I guess, but we’d need versions to be sure
I.e: chef --version
should give relevant info
Yeah - I am in a weird spot now, where I don’t particularly want to be editing my local conf. I’d rather have a workaround, because I am the only person managing Chef.
Better to have a workaround set of commands, as opposed to a lot of local modifications that I need to document / communicate.
I’d go with bootstraping with ssl verification disabled and have the chef_client resource configure chef properly on first run
Ok - great. Thanks for your suggestions! I’m curious if the bug re: path for trusted_certs_dir
is being tracked anywhere?
Updating Chef Workstation did the trick - you’re a life saver