Open Source Chef: server as workstation in dmz

Hello community,

I’m quite new to chef and I have to set up a chef server, and now I am totally
stuck. I hope I can find some help here because I found nothing about my
problem in the documentation and I’ve been working on this for 3 weeks :frowning:

First of all, a description of the situation:

The server resides in the dmz subnet of the office lan (as a vm, Ubuntu 14.04).
It has a private IP (192.168.0.2) and local name/fqdn (chef.dmz.loc). From the
internet the server is accessible via an external FQDN and IP (example.com,
93.184.216.119) by the appropriate firewall rules/port-forwarding.

It is also used as workstation and a special user account (chefdev) is
designated to create, modify and upload cookbooks as well as bootstrap nodes.
This setup (dmz, special account, server = workstation) can be seen as
constraints.

The problem is that I either can’t upload cookbooks or I can’t bootstrap nodes.
If I configure everything for the local FQDN it’s possible to upload cookbooks,
but bootstrapping nodes does not work because from the internet the local name
is not resolvable (of course!). If I configure the server for its external IP
I can’t upload cookbooks because of an SSL handshake failure.

Is there any solution for this under the constraints mentioned above? Thanks in
advance.

Below are some configurations and error messages which might be needed for you
to help me. If you need some more, please tell me.

configuration (ext. IP): http://pastebin.com/3uwMYutz

error messages:
knife: http://pastebin.com/gAfsYiej
erchef: http://pastebin.com/Rc5UDvj4

On Monday, June 16, 2014 at 6:25 AM, chefsrv@buerotiger.de wrote:


The most general solution is to use an SSL certificate with a SubjectAltName field that contains both the FQDN and the IP address.

You could also use split-horizon DNS or configure the chef-server’s hostname in your /etc/hosts.

The least good solution is to disable SSL certificate verification for hosts on the local network.

--
Daniel DeLeo
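Added example, not from the thread or from Chef's own code: stdlib Python that models the hostname check a TLS client such as knife performs against the server certificate's subjectAltName, using the thread's names and addresses as constructed sample data. It shows why a certificate carrying only the local FQDN fails when the same server is reached by its external IP, and which SAN entries a single certificate needs so that both the internal upload path and the external bootstrap path verify.

```python
import ipaddress

# Constructed sample data in the shape ssl.getpeercert()["subjectAltName"] returns,
# using the names and addresses from the thread.
SAN_LOCAL_ONLY = (("DNS", "chef.dmz.loc"),)          # what a default reconfigure typically yields
SAN_WITH_BOTH = (                                     # the "general solution" certificate
    ("DNS", "chef.dmz.loc"), ("DNS", "example.com"),
    ("IP Address", "192.168.0.2"), ("IP Address", "93.184.216.119"),
)


def _dns_match(pattern, hostname):
    """RFC 6125-style dNSName match: case-insensitive, trailing dot ignored,
    a single '*' allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def target_matches_san(target, san):
    """True if a TLS client connecting to `target` (hostname or IP literal) would
    accept a certificate carrying these subjectAltName entries."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            # An IP literal is only matched by an iPAddress entry; a dNSName
            # entry whose text happens to equal the IP does not count.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, target):
            return True
    return False


def missing_san_entries(targets, san):
    """Entries to add so that every name/address in `targets` verifies."""
    needed = []
    for t in targets:
        if not target_matches_san(t, san):
            try:
                needed.append(("IP Address", str(ipaddress.ip_address(t))))
            except ValueError:
                needed.append(("DNS", t.lower().rstrip(".")))
    return needed
```

To compare against what the server really presents, dump the certificate named by the ssl_certificate directive in the nginx config with `openssl x509 -noout -text` and read the X509v3 Subject Alternative Name block.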

Chef server uses nginx for SSL termination; the config can be found here:
/var/opt/chef-server/nginx/etc/chef_https_lb.conf
You can tune nginx to use different certs and IPs under different names (one
for internal, one for external). When you trigger bootstrap, make sure you
use the knife config with the external name for bootstrap and another config
with the internal name for cookbook upload, etc.

Note: AFAIK these configs are generated by chef-server-ctl and will be
overwritten if you invoke chef-server-ctl reconfigure.

On Tue, Jun 17, 2014 at 10:12 PM, Daniel DeLeo dan@kallistec.com wrote:


Hi,

As far as I know, the chef server only needs a public IP to connect with the private or public IP of a node.

If we have a private IP for the chef-server then we can connect only with the private IP of a node.
Are you using open source chef?

Thanks,
Indra


From: Daniel DeLeo dan@kallistec.com
To: chef@lists.opscode.com
Sent: Wednesday, 18 June 2014 10:42 AM
Subject: [chef] Re: Open Source Chef: server as workstation in dmz
