How do I instruct during bootstrap to ignore SSL errors on Windows?


#1

Hello,

I am following the tutorials for Windows and trying to figure out how to tell the client, during bootstrap, to ignore SSL errors during bootstrapping and subsequent operation. Is there an option for the knife command to instruct the client to do that?


#2

Adding --winrm-ssl-verify-mode verify_none to your bootstrap command should do it.


#3

This did not work. It did not add the Chef server certificate to the trusted certs on the node.

Here is my command and result

knife bootstrap windows winrm mivcustftp1 --winrm-user username --winrm-ssl-verify-mode verify_none --node-name MIVCUSTFTP1

mivcustftp1 [2016-05-16T13:45:41-07:00] ERROR: SSL Validation failure connecting to host: 172.16.218.75 - hostname “172.16.218.75” does not match the server certificate
mivcustftp1 [2016-05-16T13:45:41-07:00] ERROR: SSL Error connecting to https://172.16.218.75/organizations/chef_dsc/nodes/MIVCUSTFTP1, retry 1/5
mivcustftp1 [2016-05-16T13:45:47-07:00] ERROR: SSL Validation failure connecting to host: 172.16.218.75 - hostname “172.16.218.75” does not match the server certificate


#4

Sorry,
The certificate was added; the issue, as you can see, is just that the node does not like the non-matching server name/SSL certificate. The batch file does not seem to honor the parameter supplied to it.
I can see the line below being executed with no ssl_verify_mode passed to it:

chef-client -c c:/chef/client.rb -j c:/chef/first-boot.json


#5

OK, looks like this is an SSL issue between the node and the Chef server. Adding the parameter I mentioned above is really aimed at SSL between the workstation and the node. You can use --node-ssl-verify-mode none to disable verification between the node and the Chef server. Note that this is not recommended in production environments.


#6

Yes, it’s for testing purposes. The problem is that I have to log in to each client and modify client.rb to do that, in addition to pushing the client via WinRM.
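
The hostname mismatch in the log from post #3, reproduced as an added example that is not part of the original thread: it runs Ruby's OpenSSL identity check against two constructed self-signed certificates, one naming only a DNS name and one that also lists the IP address as a subjectAltName. The server name `chef.example.test` is hypothetical, and the example assumes the real certificate carries a DNS name but not the IP.

```ruby
require "openssl"

# Build a throwaway self-signed certificate with the given subjectAltName
# entries. Constructed sample; not the certificate from the thread.
def self_signed_cert(common_name, san_entries)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  factory = OpenSSL::X509::ExtensionFactory.new
  factory.subject_certificate = cert
  factory.issuer_certificate = cert
  cert.add_extension(
    factory.create_extension("subjectAltName", san_entries.join(","), false)
  )
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Hostname check from Ruby's OpenSSL library: does the certificate cover
# the host part of the URL the client connects to?
def cert_matches?(cert, host_in_url)
  OpenSSL::SSL.verify_certificate_identity(cert, host_in_url)
end

SERVER_NAME = "chef.example.test" # hypothetical server name
SERVER_IP = "172.16.218.75"       # address from the log in the thread

# Maps each way of addressing the server to whether the identity check passes.
def identity_report(cert)
  [SERVER_NAME, SERVER_IP].to_h { |host| [host, cert_matches?(cert, host)] }
end

if __FILE__ == $PROGRAM_NAME
  name_only = self_signed_cert(SERVER_NAME, ["DNS:#{SERVER_NAME}"])
  name_and_ip = self_signed_cert(SERVER_NAME, ["DNS:#{SERVER_NAME}", "IP:#{SERVER_IP}"])
  puts "name-only cert:   #{identity_report(name_only)}"
  puts "name-and-IP cert: #{identity_report(name_and_ip)}"
end
```

With verification left on, the check passes either when the node's `chef_server_url` uses a name the certificate lists or when the certificate is reissued with the IP as a subjectAltName.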