Issue with bootstrapping windows instance

Hello, I am having issues with getting an ec2 instance (windows) to bootstrap. It works when I disable all cert/ssl verification, which is obviously less than ideal. However, when I use the following command, the node errors out when trying to connect to the Chef Infra Server.


Output:
 [172.31.112.9] [2021-06-21T18:42:47+00:00] ERROR: SSL Validation failure connecting to host: <http://chef-infra-server.domain.io|chef-infra-server.domain.io> - SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
 [172.31.112.9]
 [172.31.112.9] ================================================================================
 [172.31.112.9] Chef encountered an error attempting to load the node data for "Management"
 [172.31.112.9] ================================================================================
 [172.31.112.9]```
I have:
• run `knife ssl fetch` on my workstation
• validated that the certificates are being placed on the bootstrapped node
• validated that the `trusted_certs_dir` parameter is appropriately set on the bootstrapped node
• provided the above command with the `-f` flag, and included (one at a time) all the certificates in my `trusted_certs_dir`
Curious to know what else I might be doing wrong? Thanks!

Update: I modified the following line on the bootstrapped node’s client.rb (This path was set by Chef during the bootstrap process) :

trusted_certs_dir "C:\chef/trusted_certs"
to:
trusted_certs_dir "C:\\chef\\trusted_certs"```
And this allowed for it to work. How can I circumvent this in a bootstrap?

Update 2:

I am able to run the following two commands in succession:

	-o winrm \
	--winrm-ssl \
	--winrm-no-verify-cert \
	--node-verify-api-cert \
	--node-ssl-verify-mode peer \
	&lt;NODE FQDN/IP_ADDRESS&gt; \
	-p 5986 \
	-N &lt;server_name&gt; \
	-U "&lt;domain&gt;\&lt;user&gt;" \
	-P &lt;user_pass&gt; \
	--policy-group aws_ec2_windows_base \
	--policy-name aws_ec2_windows_base```
This installs chef and copies the `trusted_certs` from my workstation to the node. It fails however, because the path directive in `C:\chef\client.rb` is malformed.

I then have to run the above command again, with the last argument tacked on:

```knife bootstrap \
	-o winrm \
	--winrm-ssl \
	--winrm-no-verify-cert \
	--node-verify-api-cert \
	--node-ssl-verify-mode peer \
	&lt;NODE FQDN/IP_ADDRESS&gt; \
	-p 5986 \
	-N &lt;server_name&gt; \
	-U "&lt;domain&gt;\&lt;user&gt;" \
	-P &lt;user_pass&gt; \
	--policy-group aws_ec2_windows_base \
	--policy-name aws_ec2_windows_base \
    --config-option "trusted_certs_dir=C:\\chef\\trusted_certs"```
This then completes the bootstrap process. However, I cannot run this command in the initial run, as it fails to copy the `trusted_certs` to the node.

Is there a parameter I can supply for where the certs reside locally on my workstation, and then another parameter I can supply for where the node should look, on itself, when running `chef-client`?

There’s a bug, the path should be c:/chef/trusted_certs (first in yours is a backslash)

So, short of manually modifying the client.rb file on the node, running those two commands back to back is basically my only option at this point in time?

I don’t exactly remember how the client.rb is rendered before being sent to the node

I guess your local conf plays a role here

Or you can just edit the template in your local install I guess, but we’d need versions to be sure

I.e: chef --version should give relevant info

Yeah - I am in a weird spot now, where I don’t particularly want to be editing my local conf. I’d rather have a workaround, because I am the only person managing Chef.

Better to have a workaround set of commands, as opposed to a lot of local modifications that I need to document / communicate.

I’d go with bootstraping with ssl verification disabled and have the chef_client resource configure chef properly on first run

Ok - great. Thanks for your suggestions! I’m curious if the bug re: path for trusted_certs_dir is being tracked anywhere?

https://github.com/chef/chef/pull/10141#issuecomment-663022394

Seems it’s already fixed

Updating Chef Workstation did the trick - you’re a life saver

You’re welcome :slightly_smiling_face: