Unattended Windows bootstrap, SSL issue


#1

Hi all,

Trying to do an unattended Windows bootstrap in EC2 and having some problems (I’m able to add nodes via the WinRM method). I’m trying to manually run it to troubleshoot and getting this SSL error (this is not the “SSL_connect returned=1 errno=0 state=SSLv3” error).

C:\Users\Administrator\Desktop>C:\opscode\chef\bin\chef-client -j c:\chef\bootstrap\initial.json --environment _default
Starting Chef Client, version 12.8.1
[2016-03-24T14:42:03+00:00] INFO: *** Chef 12.8.1 ***
[2016-03-24T14:42:03+00:00] INFO: Chef-client pid: 1436
Creating a new client identity for WIN-T4F96FJBH2G.ec2.internal using the validator key.
[2016-03-24T14:42:06+00:00] INFO: Client key C:\chef\client.pem is not present - registering
[2016-03-24T14:42:06+00:00] ERROR: SSL Validation failure connecting to host: .com - SSL_connect returned=1 errno=0 state=error: certificate verify failed

In my process, I’m downloading the client.rb and validation key (“org”-validator.pem) from S3 to c:\chef, and initial.json to c:\chef\bootstrap\ before running chef-client -j.

This is a DEV environment and the Chef server is using a self-signed key.

I’ve read through https://docs.chef.io/chef_client_security.html but am still having problems: “However, during the first chef-client run, this private key does not exist. Instead, the chef-client will attempt to use the private key assigned to the chef-validator, located in /etc/chef/validation.pem”

Is validation.pem the same thing as “org”-validator.pem? I don’t have a “validation.pem” file. If I need it, where do I get it?

What am I missing here? Thanks a lot.

Steve


#2

The first thing to note is that your error is occurring in the transport layer, not the application layer. The validator keys (and client.pem, and your user key that you put in ~/.chef) are only relevant to Chef’s authentication system, which happens at the app layer. Problems with these keys show up as HTTP 401 responses from the server.

Your issue is that the system you are bootstrapping doesn’t trust the self-signed certificate of the server at the TLS level. There are two ways around this:

  1. Turn off cert checking, at the cost of making yourself vulnerable to MITM attacks. I strongly recommend against this, since you’re downloading code and running it as root/administrator. But it can be done by setting ssl_verify_mode :verify_none in chef-client’s config file.
  2. Make chef-client trust the server’s certificate. This process can be sorta automated with knife ssl fetch, which is the equivalent of clicking the “trust this certificate for this server from now on” option when you get an SSL error in your browser. If you do that, it’s recommended you verify you got the correct cert before proceeding. Another way to do this is to copy the certificate yourself.

This blog post should be helpful to you: http://jtimberman.housepub.org/blog/2014/12/11/chef-12-fix-untrusted-self-sign-certs/
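As an added example (not from this thread, and not Chef's own code), here is a Ruby script for option 2: it pins the server's self-signed certificate into the node's trusted_certs_dir only after the certificate's SHA-256 fingerprint matches one obtained out of band, then checks trust the way :verify_peer would, by verifying the certificate against a store built solely from that directory. The self-signed certificate is generated inline as a constructed stand-in for the dev Chef server's cert, the hostname and paths are hypothetical, and the file-naming rule (CN with dots replaced by underscores) is an assumption modelled on what knife ssl fetch produces. The ssl_verify_mode and trusted_certs_dir settings in the client.rb fragment are real Chef client settings.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

class FingerprintMismatch < StandardError; end

# Constructed stand-in for the dev Chef server's self-signed certificate.
# In the real flow the operator already has the PEM (for example pulled from S3).
def make_self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, digitalSignature', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint` prints.
def fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der).scan(/../).join(':').upcase
end

# Pin the server cert into trusted_certs_dir only after it matches the fingerprint
# obtained out of band (the "verify you got the correct cert" step in the answer).
def install_trusted_cert(pem, expected_fp, trusted_certs_dir)
  cert   = OpenSSL::X509::Certificate.new(pem)
  actual = fingerprint(cert)
  raise FingerprintMismatch, "expected #{expected_fp}, got #{actual}" unless actual == expected_fp
  FileUtils.mkdir_p(trusted_certs_dir)
  # Assumption: file named after the CN with dots replaced, modelled on knife ssl fetch.
  cn   = cert.subject.to_a.find { |name, _, _| name == 'CN' }&.fetch(1) || 'server'
  path = File.join(trusted_certs_dir, "#{cn.tr('.', '_')}.crt")
  File.write(path, cert.to_pem)
  path
end

# Approximates what ssl_verify_mode :verify_peer does: the presented cert must chain to
# something in the trust store, which here is only the contents of trusted_certs_dir.
def server_cert_trusted?(pem, trusted_certs_dir)
  store = OpenSSL::X509::Store.new
  Dir.glob(File.join(trusted_certs_dir, '*.{crt,pem}')).each { |f| store.add_file(f) }
  store.verify(OpenSSL::X509::Certificate.new(pem))
end

# client.rb fragment for the hardened setup; the weak setting is named in the comment.
def client_rb(chef_server_url, trusted_certs_dir)
  <<~RUBY
    chef_server_url   "#{chef_server_url}"
    ssl_verify_mode   :verify_peer            # not :verify_none, which disables the check
    trusted_certs_dir "#{trusted_certs_dir}"
  RUBY
end

if __FILE__ == $PROGRAM_NAME
  cert, _key = make_self_signed_cert('chef.dev.example.internal') # constructed hostname
  Dir.mktmpdir do |dir|
    puts "before pinning, trusted? #{server_cert_trusted?(cert.to_pem, dir)}"
    install_trusted_cert(cert.to_pem, fingerprint(cert), dir)
    puts "after pinning, trusted?  #{server_cert_trusted?(cert.to_pem, dir)}"
    puts client_rb('https://chef.dev.example.internal/organizations/dev', dir)
  end
end
```

The expected fingerprint is the value you read off the Chef server itself (or from whoever operates it), not something fetched over the same untrusted connection; that is what distinguishes this from a blind knife ssl fetch. On the Windows node in the thread, trusted_certs_dir would point at the directory under C:\chef where the bootstrap process copies the cert.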


#3

Thanks. I configured the process to copy the cert down locally from S3 and everything worked great!