Role NOT being applied?


#1

I have the following in one of my *.json roles, and I have uploaded the role to my chef-server, and have assigned that role to my node (I’m very sure of this!).

  "default_attributes": {
    "chef_client": {
      "ssl_verify_mode": ":verify_peer",
      "log_level": ":debug",
      "logfile": "/var/log/chef-client/chef.log"
    }
  }

But yet, I still see this during my chef-client runs

SSL validation of HTTPS requests is disabled. HTTPS connections are still
encrypted, but chef is not able to detect forged replies or man in the middle
attacks.

To fix this issue add an entry like this to your configuration file:

  # Verify all HTTPS connections (recommended)
  ssl_verify_mode :verify_peer

  # OR, Verify only connections to chef-server
  verify_api_cert true


Of course I don't see the log file either.

Any clues?

Chris

#2

Do you have chef_client::config in the node runlist? (You did not specify that)


#3

That ssl_verify_mode :verify_peer line should be in your client.rb chef config file. The recipe that Tensibai mentions will create & manage that file for you. What does your client.rb file look like on one of the nodes?

What log file are you missing?

-T


#4

No I don’t. I’ll try that, thanks!


#5

Yes, but chef-client run should “put” it there – that’s what I’m trying to accomplish.


#6

Attributes in themselves won’t do anything, what will do something is a
recipe consuming those attributes to choose what to set in templates or
what to do.

Here the set of attributes in your role is to drive the chef_client::config
recipe; without this recipe, you just have attributes on your nodes and
nothing in the runlist takes care of them.

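The failure discussed in this thread (a role sets attributes, but no recipe in the run list consumes them, so client.rb never gains `ssl_verify_mode :verify_peer`) can be checked offline. The Ruby below is an added example, not code from the posters or from the chef-client cookbook; the role name `base`, the `recipe[ntp]` entry and the function names are constructed, and it assumes the common convention that a cookbook reads attributes under its own name.

```ruby
require 'json'

# Constructed sample role modelled on the one in the thread: attributes are
# set, but the run list holds no recipe from the chef_client cookbook.
ROLE_WITHOUT_RECIPE = <<~ROLE
  {
    "name": "base",
    "run_list": ["recipe[ntp]"],
    "default_attributes": {
      "chef_client": {
        "ssl_verify_mode": ":verify_peer",
        "log_level": ":debug",
        "logfile": "/var/log/chef-client/chef.log"
      }
    }
  }
ROLE

# Cookbook names referenced by recipe[...] entries: "recipe[a::b]" -> "a".
def cookbooks_in_run_list(run_list)
  run_list.map { |item| item[/\Arecipe\[([^:@\]]+)/, 1] }.compact.uniq
end

# Attribute namespaces that no recipe in this role's run list can consume.
# Assumption: a cookbook reads node['<cookbook name>'] (convention, not a rule).
# role[...] entries are not expanded, so nested roles need their own check.
def unconsumed_attribute_namespaces(role_json)
  role = JSON.parse(role_json)
  cookbooks = cookbooks_in_run_list(role.fetch('run_list', []))
  namespaces = %w[default_attributes override_attributes]
               .flat_map { |key| role.fetch(key, {}).keys }.uniq
  namespaces - cookbooks
end

# True when client.rb text enables one of the two settings named in the warning.
def verifies_tls?(client_rb)
  active = client_rb.lines.map(&:strip).reject { |l| l.start_with?('#') }
  active.any? do |l|
    l =~ /\Assl_verify_mode\s+:verify_peer\b/ || l =~ /\Averify_api_cert\s+true\b/
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "unconsumed: #{unconsumed_attribute_namespaces(ROLE_WITHOUT_RECIPE).inspect}"
end
```

Running `verifies_tls?` over the node's actual client.rb after a converge confirms whether the setting reached the file, which is the question asked in post #3.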