Hi,
I have a chef server in a linux and I could bootstrap linux nodes without an issue while following the https://learn.chef.io/manage-a-node/ubuntu/get-a-node-to-bootstrap/.
But when I tried to add a Windows machine with Win8.1 I tried to use the below guide
https://learn.chef.io/manage-a-node/windows/get-a-node-to-bootstrap/.
On Win8.1
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName 'HOSTNAME' (I used IP instead of FQDN)
winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
New-Item -Address * -Force -Path wsman:\localhost\listener -Port 5986 -HostName ($cert.subject -split '=')[1] -Transport https -CertificateThumbPrint $cert.Thumbprint
Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1024
Set-Item WSMan:\localhost\MaxTimeoutms 1800000
netsh advfirewall firewall add rule name="WinRM-HTTPS" dir=in localport=5986 protocol=TCP action=allow
Ok.
From Linux
knife wsman test IP_ofWin8 --manual-list --winrm-transport ssl (This showed below error)
WARNING: Failed to connect to x.x.x.x at https://x.x.x.x:5986/wsman.
WARNING: Failure due to an issue with SSL; likely cause would be unsuccesful certificate verification.
WARNING: Either ensure your certificate is valid or use '--winrm-ssl-verify-mode verify_none' to ignore verification failures.
ERROR: Failed to connect to 1 nodes.
so used with --winrm-ssl-verify-mode verify_none and got
WARNING: * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests for the WinRM transport is disabled. HTTPS WinRM
connections are still encrypted, but knife is not able to detect forged replies
or spoofing attacks.
To fix this issue add an entry like this to your knife configuration file:
# Verify all WinRM HTTPS connections (default, recommended) knife[:winrm_ssl_verify_mode] = :verify_peer
Connected successfully to x.x.x.x at https://x.x.x.x:5986/wsman.
While following the steps I created a self-signed certificate and created a listener for winrm, and checked the listener from Linux by using nc -z -w1 x.x.x.x 5986;echo $? and received 0, which means it is listening.
While bootstrapping using the below command
knife bootstrap windows winrm x.x.x.x --winrm-user Domain\user --winrm-password 'password' --node-name winnode --run-list 'recipe[learn_chef_iis]' --winrm-transport ssl --winrm-ssl-verify-mode verify_none
The below command worked once and then I couldn't get it to work:
knife winrm -m x.x.x.x ipconfig -x 'Domain\user' -P 'password' -t ssl --winrm-ssl-verify-mode verify_none
WARNING: * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests for the WinRM transport is disabled. HTTPS WinRM
connections are still encrypted, but knife is not able to detect forged replies
or spoofing attacks.
To fix this issue add an entry like this to your knife configuration file:
# Verify all WinRM HTTPS connections (default, recommended) knife[:winrm_ssl_verify_mode] = :verify_peer
x.x.x.x
x.x.x.x Windows IP Configuration
x.x.x.x
x.x.x.x
x.x.x.x Ethernet adapter Ethernet 3:
x.x.x.x
....
The networks are in public, I can't change that.
I tried the below settings on Win8.1
winrm set winrm/config/client/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service '@{AllowUnencrypted="true"}' (This didn't work and got the below error)
Error number: -2144108183 0x80338169
WinRM firewall exception will not work since one of the network connection types on this machine is set to Public. Change the network connection type to either Domain or Private and try again.
In another post I read "The other, and much more secure, alternative is to setup winrm over SSL", but I didn't know how to go ahead.
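As an added example (not from the post above, and not Chef's own tooling), the script below replaces verify_none with certificate pinning: it fetches the certificate the node presents on port 5986, compares it with the thumbprint shown by $cert.Thumbprint on the Windows side, and only on a match runs knife with verify_peer and --ca-trust-file. It assumes openssl is installed on the Chef workstation, that the installed knife-windows accepts the --ca-trust-file option, and that the certificate subject matches the address knife connects to.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl on the workstation
# and a knife-windows release that supports --ca-trust-file.

# Normalise a thumbprint so the value printed by $cert.Thumbprint on Windows
# (uppercase hex, no separators) and the "SHA1 Fingerprint=AB:CD:..." line
# printed by openssl compare as equal strings.
normalise_thumbprint() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': ' | tr 'a-f' 'A-F'
}

# Return 0 when the two thumbprints refer to the same certificate.
thumbprints_match() {
    [ "$(normalise_thumbprint "$1")" = "$(normalise_thumbprint "$2")" ]
}

# Fetch the PEM certificate presented on the HTTPS listener (port 5986).
# Arguments: host, output file.
fetch_listener_cert() {
    openssl s_client -connect "$1:5986" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# SHA-1 fingerprint of a PEM file, as openssl prints it (colon separated).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Usage: pin_and_test <host> <thumbprint copied from $cert.Thumbprint on the node>
# On a match the certificate is saved as the trust file and knife verifies
# against it, so a different certificate on the wire fails the test instead
# of being silently accepted as verify_none would do.
pin_and_test() {
    host=$1; expected=$2; trust="$HOME/.chef/winrm-$host.pem"
    fetch_listener_cert "$host" "$trust" || { echo "could not fetch certificate" >&2; return 1; }
    actual=$(cert_fingerprint "$trust")
    if ! thumbprints_match "$actual" "$expected"; then
        echo "thumbprint mismatch: expected $expected, listener presented $actual" >&2
        rm -f "$trust"
        return 1
    fi
    knife wsman test "$host" --manual-list --winrm-transport ssl \
        --winrm-ssl-verify-mode verify_peer --ca-trust-file "$trust"
}
```

Once the test passes, the same --ca-trust-file value can go into knife.rb as knife[:ca_trust_file] next to knife[:winrm_ssl_verify_mode] = :verify_peer, so the bootstrap and knife winrm commands verify the listener as well.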