Migrating chef-client to ssl


#1

We’ve rewired our chef server so it’s sitting behind nginx and we now
have to option of using ssl for chef-client comms (which makes us
corporate proxy/firewall friendly).

I’ve been mulling over a migration strategy to switch from http to
https for existing chef-clients - suggestions/contributions are most
welcome.

We don’t have that many existing chef-clients so we could do it by
hand (eeeeeek!) or via bulk addition to the run list (unfortunately
some of our original servers don’t have a common role, you live and
learn).

One thing I’ve been fiddling with is using a redirect (301) to the https port.

Regardless of if it’s a good idea, it almost works. Almost.

It works well for the first few gets and follows the redirects nicely.
It breaks down when it does a POST to
environments/_default/cookbook_versions. It follows the redirect but
then replays the call as a GET.

I’ve diced and sliced the log below…

Any ideas are welcome, curiosity has got the better of me now. I had
half hoped that the chef-client might adapt to the permanent redirect
and use https forever :slight_smile:


[2012-10-01T12:35:48+01:00] DEBUG: Sending HTTP Request via GET to
my.chef-server.com:4001/nodes/my.node.com

[2012-10-01T12:35:48+01:00] DEBUG: Sending HTTP Request via GET to
my.chef-server.com:443/nodes/my.node.com

[2012-10-01T12:35:48+01:00] DEBUG: Sending HTTP Request via GET to
my.chef-server.com:4001/roles/chef-client

[2012-10-01T12:35:48+01:00] DEBUG: Sending HTTP Request via GET to
my.chef-server.com:443/roles/chef-client

[2012-10-01T12:35:48+01:00] DEBUG: Sending HTTP Request via POST to
my.chef-server.com:4001/environments/_default/cookbook_versions
[2012-10-01T12:35:48+01:00] DEBUG: ---- HTTP Status and Header Data: ----
[2012-10-01T12:35:48+01:00] DEBUG: HTTP 1.1 301 Moved Permanently
[2012-10-01T12:35:48+01:00] DEBUG: location:
https://my.chef-server.com/environments/_default/cookbook_versions
[2012-10-01T12:35:48+01:00] DEBUG: connection: close
[2012-10-01T12:35:48+01:00] DEBUG: content-length: 178
[2012-10-01T12:35:48+01:00] DEBUG: date: Mon, 01 Oct 2012 11:38:48 GMT
[2012-10-01T12:35:48+01:00] DEBUG: content-type: text/html
[2012-10-01T12:35:48+01:00] DEBUG: server: nginx
[2012-10-01T12:35:48+01:00] DEBUG: ---- End HTTP Status/Header Data ----
[2012-10-01T12:35:48+01:00] DEBUG: Following redirect 1/10
[2012-10-01T12:35:48+01:00] DEBUG: Signing the request as my.node.com
[2012-10-01T12:35:48+01:00] DEBUG: String to sign: 'Method:GET
[2012-10-01T12:35:48+01:00] DEBUG: Sending HTTP Request via GET to
my.chef-server.com:443/environments/_default/cookbook_versions
[2012-10-01T12:35:48+01:00] DEBUG: ---- HTTP Status and Header Data: ----
[2012-10-01T12:35:48+01:00] DEBUG: HTTP 1.1 404 Not Found
[2012-10-01T12:35:49+01:00] DEBUG: connection: close
[2012-10-01T12:35:49+01:00] DEBUG: transfer-encoding: chunked
[2012-10-01T12:35:49+01:00] DEBUG: date: Mon, 01 Oct 2012 11:38:48 GMT
[2012-10-01T12:35:49+01:00] DEBUG: content-type: application/json; charset=utf-8
[2012-10-01T12:35:49+01:00] DEBUG: server: nginx
[2012-10-01T12:35:49+01:00] DEBUG: ---- End HTTP Status/Header Data ----
[2012-10-01T12:35:49+01:00] INFO: HTTP Request Returned 404 Not Found:
No routes match the request: /environments/_default/cookbook_versions

nginx access.log

[01/Oct/2012:12:38:48 +0100] “GET /nodes/my.node.com HTTP/1.1” 200
36914 “-” “Chef Client/10.14.2 (ruby-1.8.7-p352; ohai-6.14.0;
x86_64-linux; +http://opscode.com)”
[01/Oct/2012:12:38:48 +0100] “GET /roles/chef-client HTTP/1.1” 200 312
"-" “Chef Client/10.14.2 (ruby-1.8.7-p352; ohai-6.14.0; x86_64-linux;
+http://opscode.com)”
[01/Oct/2012:12:38:48 +0100] “GET
/environments/_default/cookbook_versions HTTP/1.1” 404 94 “-” “Chef
Client/10.14.2 (ruby-1.8.7-p352; ohai-6.14.0; x86_64-linux;
+http://opscode.com)”


#2

On Mon, Oct 1, 2012 at 7:53 AM, Luke Biddell luke.biddell@gmail.com wrote:

I’ve been mulling over a migration strategy to switch from http to
https for existing chef-clients - suggestions/contributions are most
welcome.

I think the cheap way would be to use ‘knife ssh : sudo sed -i
s_http://https:// /etc/chef/client.rb && sudo
/etc/init.d/chef-client restart’

Bryan


#3

@Bryan - love it.

On 1 October 2012 15:00, Bryan McLellan btm@loftninjas.org wrote:

On Mon, Oct 1, 2012 at 7:53 AM, Luke Biddell luke.biddell@gmail.com wrote:

I’ve been mulling over a migration strategy to switch from http to
https for existing chef-clients - suggestions/contributions are most
welcome.

I think the cheap way would be to use ‘knife ssh : sudo sed -i
s_http://https:// /etc/chef/client.rb && sudo
/etc/init.d/chef-client restart’

Bryan


#4

We did this several months back, and we used that as an opportunity to
make sure our /etc/chef/client.rb is controlled by Chef.

I suggest you do the same–it might take a bit of scripting if you
have many nodes without a “base” role you could stick this into, but
that effort will repay for itself many times over.

Andrea


#5

Thanks Andrea - I know that’s the right way to go. Just got curious…

On 1 October 2012 13:08, Andrea Campi andrea.campi@zephirworks.com wrote:

We did this several months back, and we used that as an opportunity to
make sure our /etc/chef/client.rb is controlled by Chef.

I suggest you do the same–it might take a bit of scripting if you
have many nodes without a “base” role you could stick this into, but
that effort will repay for itself many times over.

Andrea