Knife Windows and Self-Signed Certs


#1

Hi chefs,

We’re just starting out using Chef for Windows, which has been interesting, as
I had v. little Windows experience before embarking on this project :)

We’ve run into a Knife Windows issue; this is not improper behaviour as such,
though, hence my writing to the list to have others’ opinions.

By policy, we only bootstrap nodes using Omnibus packages previously copied to
an internal repo. The relevant line in our custom bootstrap template looks like
this:

cscript /nologo C:\chef\wget.vbs /url:https://our.msi.repo/chef-client-latest.msi /path:%TEMP%\chef-client-latest.msi

By default, this doesn’t work, because our.msi.repo has a self-signed
certificate. So we patch windows_bootstrap_context.rb, where win_wget is
defined, making sure the XMLHTTP object has the proper option set to ignore the
exception caused by the self-signed cert:

objXMLHTTP.setOption 2, SXH_SERVER_CERT_IGNORE_UNKNOWN_CA

From our perspective, it would be nice if Knife Windows had an option to
ignore errors caused by self-signed certificates when bootstrapping :) Are we
alone in this?

Thanks,

dsp
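As an added example (not knife-windows code and not from any poster on this thread), here is the defender's alternative to the patch above: keep certificate verification on, but make the repo's own self-signed certificate the only trust anchor, and check the MSI against a known SHA-256 before installing it. Ruby is used because knife runs in Ruby; the host name, the generated certificates and the MSI bytes are constructed placeholders, not values from the thread.

```ruby
require 'openssl'
require 'digest'
require 'net/http'

# Build a self-signed certificate standing in for the one on our.msi.repo
# (constructed for this example; a real bootstrap would load the repo's PEM).
def self_signed_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# A trust store containing only the pinned repo certificate: anything else,
# including another self-signed cert with the same CN, is still an unknown CA.
def pinned_store(repo_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(repo_cert)
  store
end

# Would the presented certificate pass verification against the pinned store?
def trusted?(store, presented_cert)
  store.verify(presented_cert)
end

# Net::HTTP client that keeps VERIFY_PEER but verifies against the pinned store,
# instead of switching off unknown-CA errors the way the VBScript patch does.
def pinned_http(host, store)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end

# Second check independent of transport: compare the downloaded MSI bytes
# against the SHA-256 recorded when the package was copied into the repo.
def msi_digest_ok?(msi_bytes, expected_sha256_hex)
  Digest::SHA256.hexdigest(msi_bytes) == expected_sha256_hex.downcase
end
```

The same two checks (pin the exact certificate, verify the digest) can be expressed in the VBScript wget template; the point is that an internal repo with a self-signed cert does not require disabling validation.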


#2

No, you are not alone in this.
What occurred to me when I was looking into this originally is: what
advantage do you get from running an unauthenticated binary repository
(free open source binaries) over https vs running it on http?

-Mat

On 31 January 2013 09:07, dominique.poulain@ext.echa.europa.eu wrote:



#3

It boils down to a matter of policy for us: the packages we use have to be stored in an internal repo and fetched over an encrypted connection, and in this particular case we could only use a self-signed cert.

dsp

From: Mat Davies [mailto:ashmere@gmail.com]
Sent: 31 January 2013 16:58
To: chef@lists.opscode.com
Subject: [chef] Re: Knife Windows and Self-Signed Certs
