Couldn't bootstrap Windows machine from Linux server

Hi,

I have a Chef server on a Linux machine, and I could bootstrap Linux nodes without an issue while following https://learn.chef.io/manage-a-node/ubuntu/get-a-node-to-bootstrap/.

But when I tried to add a Windows machine running Win 8.1, I used the guide below:
https://learn.chef.io/manage-a-node/windows/get-a-node-to-bootstrap/.

On Win8.1

$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName 'HOSTNAME' (I used the IP instead of the FQDN)

winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
New-Item -Address * -Force -Path wsman:\localhost\listener -Port 5986 -HostName ($cert.subject -split '=')[1] -Transport https -CertificateThumbPrint $cert.Thumbprint

Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1024
Set-Item WSMan:\localhost\MaxTimeoutms 1800000

netsh advfirewall firewall add rule name="WinRM-HTTPS" dir=in localport=5986 protocol=TCP action=allow
Ok.

From Linux

knife wsman test IP_ofWin8 --manual-list --winrm-transport ssl (This showed the error below)
WARNING: Failed to connect to x.x.x.x at https://x.x.x.x:5986/wsman.
WARNING: Failure due to an issue with SSL; likely cause would be unsuccesful certificate verification.
WARNING: Either ensure your certificate is valid or use '--winrm-ssl-verify-mode verify_none' to ignore verification failures.
ERROR: Failed to connect to 1 nodes.

So I used it with --winrm-ssl-verify-mode verify_none and got:

WARNING: * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests for the WinRM transport is disabled. HTTPS WinRM
connections are still encrypted, but knife is not able to detect forged replies
or spoofing attacks.

To fix this issue add an entry like this to your knife configuration file:

  # Verify all WinRM HTTPS connections (default, recommended)
  knife[:winrm_ssl_verify_mode] = :verify_peer

Connected successfully to x.x.x.x at https://x.x.x.x:5986/wsman.

While following the steps I created a self-signed certificate and created a listener for WinRM, then checked the listener from Linux with nc -z -w1 x.x.x.x 5986;echo $? and received 0, which means it is listening.

While bootstrapping I used the command below:

knife bootstrap windows winrm x.x.x.x --winrm-user Domain\user --winrm-password 'password' --node-name winnode --run-list 'recipe[learn_chef_iis]' --winrm-transport ssl --winrm-ssl-verify-mode verify_none

The command below worked once, and then I couldn't get it to work again:

knife winrm -m x.x.x.x ipconfig -x 'Domain\user' -P 'password' -t ssl --winrm-ssl-verify-mode verify_none

WARNING: * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests for the WinRM transport is disabled. HTTPS WinRM
connections are still encrypted, but knife is not able to detect forged replies
or spoofing attacks.

To fix this issue add an entry like this to your knife configuration file:

  # Verify all WinRM HTTPS connections (default, recommended)
  knife[:winrm_ssl_verify_mode] = :verify_peer

x.x.x.x
x.x.x.x Windows IP Configuration
x.x.x.x
x.x.x.x
x.x.x.x Ethernet adapter Ethernet 3:
x.x.x.x

The networks are set to Public; I can't change that.

I tried the settings below on Win 8.1:

winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}' (This didn't work and gave the error below)

Error number: -2144108183 0x80338169
WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.

In another post I read "The other, and much more secure, alternative is to set up WinRM over SSL," but I didn't know how to go ahead.

Targeting client SKUs like Windows 8.1 can be more challenging than server SKUs like 2012R2 that the "Learn Chef" tutorials target. Windows 8.1 does not open the firewall to public traffic by default. You have a few options:

  1. Use a server-based version of Windows like 2012R2. By default, server versions will allow remote access from public networks in the same local subnet.
  2. On Windows 8.1, use Enable-PSRemoting -SkipNetworkProfileCheck, which will open public traffic to the local subnet and may be enough if connecting to a machine on a local hypervisor.
  3. Change the network adapter to private: Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private will change public NICs to private.
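Putting the original poster's listener setup and the network-profile fix above together, here is an added example script for the Windows 8.1 side (my own, not from the thread or the Learn Chef guide). It assumes an elevated PowerShell session, a placeholder Chef server address of 10.0.0.5 used to scope the firewall rule, and that the node's FQDN is the name knife will connect to; it also exports the certificate so the Linux side can pin it (for example via knife-windows's --ca-trust-file option, after converting the DER file with openssl x509 -inform der) instead of running with verify_none.

```powershell
# Added example (not from the original thread). Run elevated on the Windows 8.1 node.
$ChefServer = '10.0.0.5'   # placeholder: only this source may reach the HTTPS listener
# Use the FQDN as the certificate subject: knife's verify_peer compares it to the host it dials,
# so a cert issued for an IP address (as in the original post) will not verify against a hostname.
$NodeName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Network profile: on a client SKU WinRM refuses to open a Public-profile firewall exception
#    (error 0x80338169 above). Move Public adapters to Private, then enable remoting.
Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public' |
    Set-NetConnectionProfile -NetworkCategory Private
Enable-PSRemoting -SkipNetworkProfileCheck -Force

# 2. Self-signed certificate for the HTTPS listener, stored in the machine store.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $NodeName

# 3. Replace any existing HTTPS listener with one bound to the new certificate.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse -Force
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet   @{ Hostname = $NodeName; CertificateThumbprint = $cert.Thumbprint } | Out-Null

# 4. Keep unencrypted WinRM off: with an HTTPS listener AllowUnencrypted=true is unnecessary.
Set-Item WSMan:\localhost\Service\AllowUnencrypted  -Value $false
Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 1024
Set-Item WSMan:\localhost\MaxTimeoutms              -Value 1800000

# 5. Firewall: allow 5986/tcp inbound on every profile, but only from the Chef server.
New-NetFirewallRule -DisplayName 'WinRM-HTTPS (Chef)' -Direction Inbound -Protocol TCP `
    -LocalPort 5986 -RemoteAddress $ChefServer -Profile Any -Action Allow | Out-Null

# 6. Export the public certificate (DER) for pinning on the Linux side, and print the
#    thumbprint so it can be compared out of band with what knife sees.
Export-Certificate -Cert $cert -FilePath "$env:TEMP\winrm.cer" -Type CERT | Out-Null
"Listener certificate thumbprint: $($cert.Thumbprint)"
```

After copying winrm.cer to the Linux side and converting it to PEM, knife can be run with verify_peer and the pinned file, so the "knife is not able to detect forged replies or spoofing attacks" warning no longer applies.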