Knife-windows, winrm, ssl and an internal PKI


#1

I’m having some problems getting knife-windows and winrm to work over ssl. I’m using certificates from an internal PKI (ADCS). I’ve appended the public key of the root and issuing certs to cacert.pem (on my workstation), but:

knife winrm -m <fqdn> "ipconfig /all" -t ssl -x $username -P $password -f .\<fqdn>.crt

ERROR: Could not establish a secure connection to the server.

Use `knife ssl check` to troubleshoot your SSL configuration.

If your Chef Server uses a self-signed certificate, you can use `knife ssl fetch` to make knife trust the server's certificates.

Original Exception: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed

The above works with :verify_none.

However:

knife ssl check https://<fqdn>:5986

Connecting to host <fqdn>:5986

Successfully verified certificates from `<fqdn>'

[bool](Test-WSMan <fqdn> -UseSSL)

True

Suggestions? How do I make knife trust my ADCS PKI?


#2

We’re using internal PKI as well. Fetching the certs with

knife ssl fetch

works just fine for us. Berkshelf will present another issue, and you’ll have to export the SSL_CERT_FILE environment variable and point it to the cert that knife ssl fetch stored.


#3

Jeff,

Unfortunately that doesn’t resolve the issue. knife ssl check still successfully verifies, but any knife winrm command fails to do so.


#4

Ah yes, I see what you mean. I have to add --winrm-ssl-verify verify_none to my winrm commands. I had forgotten about that. I was thinking about our Chef server also having an internal PKI cert.


#5

Yeah, I was hoping to avoid verify_none :slight_smile:


#6

My apologies for the delay in responding to this thread. Today I set out to investigate this issue. To be honest I had never explored this use case and was not exactly sure how it worked myself. Unfortunately what I discovered is that it doesn’t work. While the core chef code ensures that all certificates in your trusted_certs_dir are added to the SSL cert store it builds for all HTTP calls, this is not the case for the underlying HTTPClient used by the winrm instance that knife-windows calls into.

I have just now submitted a fix for this that I hope will release soon. Once released, knife windows will honor trusted certificates in all winrm calls.
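To make the distinction in the post above concrete, here is an added Ruby example (not code from knife-windows, chef or the winrm gem) showing what "adding trusted_certs_dir to the SSL cert store" amounts to, and why a client that skips that step rejects a certificate issued by an internal CA. It builds a constructed two-level PKI in memory (a root CA and a server leaf, standing in for an ADCS chain), verifies the leaf against a store loaded from an empty directory and then from a directory containing the root, and reports the OpenSSL verify result each time. The directory name and certificate subjects are assumptions for the demo.

```ruby
require 'openssl'
require 'tmpdir'

# Build an OpenSSL::X509::Store from every PEM file in a directory, in the
# spirit of how chef loads trusted_certs_dir for its own HTTP client.
def build_trust_store(trusted_certs_dir)
  store = OpenSSL::X509::Store.new
  Dir.glob(File.join(trusted_certs_dir, '*.{crt,pem}')).sort.each do |path|
    store.add_cert(OpenSSL::X509::Certificate.new(File.read(path)))
  end
  store
end

# Verify a server certificate against a trust store (optionally with
# intermediates). Returns [true, nil] on success or [false, reason] on failure.
def verify_server_cert(store, server_cert, intermediates = [])
  ctx = OpenSSL::X509::StoreContext.new(store, server_cert, intermediates)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# Constructed test PKI: a self-signed root (issuer_cert nil) or a leaf signed
# by the given issuer. Stands in for an internal ADCS chain; not a real CA.
def make_cert(subject, issuer_cert, issuer_key, ca:, serial:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Runs the comparison and returns both verify results keyed by scenario.
def demo
  ca_cert, ca_key = make_cert('/CN=Example Internal Root CA', nil, nil, ca: true, serial: 1)
  server_cert, _server_key = make_cert('/CN=host.example.internal', ca_cert, ca_key, ca: false, serial: 2)

  Dir.mktmpdir('trusted_certs') do |dir|
    # Empty directory: the client never learned about the internal root,
    # which is the situation of an HTTP client that ignores trusted_certs_dir.
    without_ca = verify_server_cert(build_trust_store(dir), server_cert)

    # Drop the root into the directory (what `knife ssl fetch` does) and retry.
    File.write(File.join(dir, 'internal-root.crt'), ca_cert.to_pem)
    with_ca = verify_server_cert(build_trust_store(dir), server_cert)

    { without_ca: without_ca, with_ca: with_ca }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |scenario, (ok, reason)| puts "#{scenario}: #{ok ? 'verified' : "failed (#{reason})"}" }
end
```

The failing case reports OpenSSL's "unable to get local issuer certificate", which is the same condition behind the `certificate verify failed` error in the first post: the server's chain is fine (as `knife ssl check` shows), but the client doing the handshake was handed a store without the internal root.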


#7

The above mentioned fix was just released in knife-windows 1.4.1.