Secure knife winrm


#1

Trying to get knife winrm working with SSL enabled. Keep getting an error with
winrm validating the server's WinRM certificate. Error: unable to get local
issuer certificate.

I am relatively sure I need to provide a certificate chain, but attempts at
providing ca-trust-file have failed. Can anyone provide a link to documentation
on the format and content needed for this file?

Thanks
Daniel D.


#2

I’ve been trying to solve the same problem with knife winrm over ssl for a
couple days. Did you get it figured out?

When I knife winrm to my node I get “Error 20 - unable to get local issuer
certificate”. I added our CA to /embedded/ssl/certs/cacert.pem and tried
again. Same. I tried openssl s_client -showcerts against the domain and
got error 20 as expected. Then I tried another openssl s_client
-showcerts but specified the CAfile as /embedded/ssl/certs/cacert.pem.
Success, returned ok.

When knife winrm calls openssl is it not passing along the location
of /embedded/ssl/certs/cacert.pem?

Using ChefDK 0.3.2 on win server 2012 r2.

-Dwayne

On Thu, Aug 14, 2014 at 5:09 AM, d@danield.us wrote:

Trying to get knife winrm working with SSL enabled. Keep getting an error with
winrm validating the server's WinRM certificate. Error: unable to get local
issuer certificate.

I am relatively sure I need to provide a certificate chain, but attempts at
providing ca-trust-file have failed. Can anyone provide a link to documentation
on the format and content needed for this file?

Thanks
Daniel D.


“And let us consider how to stir up one another to love and good works . .
.” - Hebrews 10:24


#3

I did resolve this issue by setting the SSL_CERT_FILE env variable
pointing to a file with our internal CA certs before running knife
commands.

As far as I can tell, this location is for ruby libs, not openssl by
itself, and that's why it dies.

It could be worth a pull request on knife/chef code, unsure about which
one…

On 2014-10-30 20:09, Dwayne Forehand wrote:

I’ve been trying to solve the same problem with knife winrm over ssl for a couple days. Did you get it figured out?

When I knife winrm to my node I get “Error 20 - unable to get local issuer certificate”. I added our CA to /embedded/ssl/certs/cacert.pem and tried again. Same. I tried openssl s_client -showcerts against the domain and got error 20 as expected. Then I tried another openssl s_client -showcerts but specified the CAfile as /embedded/ssl/certs/cacert.pem. Success, returned ok.

When knife winrm calls openssl is it not passing along the location of /embedded/ssl/certs/cacert.pem?

Using ChefDK 0.3.2 on win server 2012 r2.

-Dwayne

On Thu, Aug 14, 2014 at 5:09 AM, d@danield.us wrote:

Trying to get knife winrm working with SSL enabled. Keep getting an error with
winrm validating the server's WinRM certificate. Error: unable to get local
issuer certificate.

I am relatively sure I need to provide a certificate chain, but attempts at
providing ca-trust-file have failed. Can anyone provide a link to documentation
on the format and content needed for this file?

Thanks
Daniel D.


“And let us consider how to stir up one another to love and good works . . .” - Hebrews 10:24


#4

On Thursday, October 30, 2014 at 12:28 PM, Tensibai wrote:

I did resolve this issue by setting the SSL_CERT_FILE env variable pointing to a file with our internal CA certs before running knife commands.
As far as I can tell, this location is for ruby libs, not openssl by itself, and that's why it dies.
It could be worth a pull request on knife/chef code, unsure about which one…
On 2014-10-30 20:09, Dwayne Forehand wrote:

ChefDK patches openssl.rb so that it will set this environment variable (unless you’ve set it to something else already). I’m not personally very familiar with the ruby winrm library, but I know it uses eventmachine which may have its own SSL socket code (and therefore not trigger the openssl fix in ChefDK). Can you confirm whether other SSL connections (e.g., using knife with ssl_verify_mode :verify_peer in your config file) work correctly? If so, I’d file the bug against knife-winrm to see if some workaround can be added to trigger ChefDK’s openssl fix.


Daniel DeLeo
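The following is an added example, not code from this thread or from the knife/knife-windows/ChefDK projects. It reproduces "Error 20 - unable to get local issuer certificate" in Ruby's OpenSSL binding (the library knife runs on) and shows the two ways the thread resolves it: passing the CA bundle explicitly (the equivalent of `openssl s_client -CAfile`) and setting `SSL_CERT_FILE`, which OpenSSL's default lookup (`Store#set_default_paths`) reads from the environment. The internal CA, the server certificate and its `winrm-node.example.internal` name are all constructed in memory for the example. Note the caveat from the last reply: a library that builds its own SSL context without calling the default lookup will not see `SSL_CERT_FILE` at all, so only code paths like `verify_with_ssl_cert_file_env` below benefit from the environment variable.

```ruby
require 'openssl'
require 'tempfile'

# Build a throwaway certificate. Used below to construct an internal CA and a
# server certificate signed by it, standing in for the WinRM listener's cert.
# (Constructed for this example; subject names are placeholders.)
def make_cert(subject, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth', false))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

CA_CERT, CA_KEY = make_cert('/CN=Example Internal CA', ca: true)
SERVER_CERT, _server_key =
  make_cert('/CN=winrm-node.example.internal', issuer_cert: CA_CERT, issuer_key: CA_KEY)

# A PEM bundle holding the internal CA: the file you would point SSL_CERT_FILE at.
CA_BUNDLE = Tempfile.new(['internal-ca', '.pem'])
CA_BUNDLE.write(CA_CERT.to_pem)
CA_BUNDLE.flush

# Run chain validation of +leaf+ against +store+.
# Returns [verified?, openssl_error_code, human_readable_error].
def verify_with_store(store, leaf)
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, [])
  ok  = ctx.verify
  [ok, ctx.error, ctx.error_string]
end

# Case 1: a trust store that knows nothing about the internal CA.
# This reproduces "Error 20 - unable to get local issuer certificate".
def verify_without_ca(leaf)
  verify_with_store(OpenSSL::X509::Store.new, leaf)
end

# Case 2: the explicit equivalent of `openssl s_client -CAfile <bundle>`.
def verify_with_ca_file(leaf, ca_file)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file)
  verify_with_store(store, leaf)
end

# Case 3: what the SSL_CERT_FILE workaround relies on. OpenSSL's default
# lookup (Store#set_default_paths) reads SSL_CERT_FILE from the environment,
# so Ruby code that builds its store from the defaults picks up the CA.
def verify_with_ssl_cert_file_env(leaf, ca_file)
  previous = ENV['SSL_CERT_FILE']
  ENV['SSL_CERT_FILE'] = ca_file
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  verify_with_store(store, leaf)
ensure
  ENV['SSL_CERT_FILE'] = previous # nil removes the variable again
end

if __FILE__ == $PROGRAM_NAME
  [['no CA', verify_without_ca(SERVER_CERT)],
   ['-CAfile', verify_with_ca_file(SERVER_CERT, CA_BUNDLE.path)],
   ['SSL_CERT_FILE', verify_with_ssl_cert_file_env(SERVER_CERT, CA_BUNDLE.path)]
  ].each do |label, (ok, code, msg)|
    puts format('%-14s verified=%-5s error=%d (%s)', label, ok, code, msg)
  end
end
```

Run it with `ruby verify_example.rb`: the first case fails with error 20, the other two report error 0 (ok). The file used for `SSL_CERT_FILE` is plain PEM, one or more `-----BEGIN CERTIFICATE-----` blocks concatenated, which is also the format `add_file` and `-CAfile` expect.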