It's been a while since i started bootstrapping windows machines since I've
been doing linux for so long, I've enabled winrm and setup the proper
configs for winrm. However, I am getting the following error and was hoping
someone can lead me to the right place:
Privileged And Confidential Communication. This electronic transmission,
and any documents attached hereto, (a) are protected by the Electronic
Communications Privacy Act (18 USC §§ 2510-2521), (b) may contain
confidential and/or legally privileged information, and (c) are for the
sole use of the intended recipient named above. If you have received this
electronic message in error, please notify the sender and delete the
electronic message. Any disclosure, copying, distribution, or use of the
contents of the information received in error is strictly prohibited.
Hi Shah,
Please try to run " knife ssl fetch " from the workstation you are bootstrapping new nodes from. So that it has certificates needed for communicating to Chef server. Once workstation has certificates it will send them to newly bootstrapped nodes during bootstrap process as well. And you should not have ssl connection issue anymore.
More details in regards to this you can find here: https://docs.chef.io/knife_ssl_fetch.html
Or you can just turn off ssl check in client.rb on newly bootstrapped node by adding line as follow: ssl_verify_mode :verify_none
And just re-run chef-client on bootstrapped node side. From mmy point more preferable and secure is to create and fetch certificates.
Hopefuly you will find my advises helpful.
Regards, Taras.
— Оригінальне повідомлення —
Від кого: “Nikhil Shah” nshah@theorchard.com
Дата: 6 серпня 2015, 20:03:32
Hey guys,
It’s been a while since i started bootstrapping windows machines since I’ve been doing linux for so long, I’ve enabled winrm and setup the proper configs for winrm. However, I am getting the following error and was hoping someone can lead me to the right place:
eset-era01.theorchard.local C:\Users\Administrator>chef-client -c c:/chef/client.rb -j c:/chef/first-boot.json -E DEVELOPMENT
eset-era01.theorchard.local [2015-08-06T12:44:45-04:00] INFO: *** Chef 12.4.1 ***
eset-era01.theorchard.local [2015-08-06T12:44:45-04:00] INFO: Chef-client pid: 4104
eset-era01.theorchard.local [2015-08-06T12:45:18-04:00] INFO: Client key c:/chef/client.pem is not present - registering
eset-era01.theorchard.local [2015-08-06T12:45:19-04:00] ERROR: SSL Validation failure connecting to host: chef01.theorchard.local - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
eset-era01.theorchard.local
eset-era01.theorchard.local ================================================================================
eset-era01.theorchard.local Chef encountered an error attempting to create the client "eset-era01.TheOrchard.local"
eset-era01.theorchard.local ================================================================================
eset-era01.theorchard.local
eset-era01.theorchard.local [2015-08-06T12:45:19-04:00] ERROR: Running exception handlers
eset-era01.theorchard.local [2015-08-06T12:45:19-04:00] ERROR: Exception handlers complete
eset-era01.theorchard.local [2015-08-06T12:45:19-04:00] FATAL: Stacktrace dumped to c:/chef/cache/chef-stacktrace.out
eset-era01.theorchard.local [2015-08-06T12:45:19-04:00] FATAL: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
That doesn't look like anything to do with WinRM, but that the Chef
client doesn't trust the SSL certificate being presented by your Chef
Server "chef01.theorchard.local".
It's been a while since i started bootstrapping windows machines since I've
been doing linux for so long, I've enabled winrm and setup the proper
configs for winrm. However, I am getting the following error and was hoping
someone can lead me to the right place:
eset-era01.theorchard.local C:\Users\Administrator>chef-client -c
c:/chef/client.rb -j c:/chef/first-boot.json -E DEVELOPMENT
eset-era01.theorchard.local [2015-08-06T12:44:45-04:00] INFO: *** Chef
12.4.1 ***
eset-era01.theorchard.local [2015-08-06T12:44:45-04:00] INFO: Chef-client
pid: 4104
eset-era01.theorchard.local [2015-08-06T12:45:18-04:00] INFO: Client key
c:/chef/client.pem is not present - registering
eset-era01.theorchard.local [2015-08-06T12:45:19-04:00] ERROR: SSL
Validation failure connecting to host: chef01.theorchard.local - SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify
failed
eset-era01.theorchard.local
eset-era01.theorchard.local
eset-era01.theorchard.local Chef encountered an error attempting to create
the client "eset-era01.TheOrchard.local"
eset-era01.theorchard.local
Privileged And Confidential Communication. This electronic transmission, and
any documents attached hereto, (a) are protected by the Electronic
Communications Privacy Act (18 USC §§ 2510-2521), (b) may contain
confidential and/or legally privileged information, and (c) are for the sole
use of the intended recipient named above. If you have received this
electronic message in error, please notify the sender and delete the
electronic message. Any disclosure, copying, distribution, or use of the
contents of the information received in error is strictly prohibited.
--
[ Julian C. Dunn jdunn@aquezada.com * Sorry, I'm ]
[ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]
Totally agree with Julian.
Either "knife ssl fetch" and re-run chef-client from bootsrtapped node. Or edit/add client.rb and re-run chef-client as well: ssl_verify_mode :verify_none
Regards, Taras.
--- Оригінальне повідомлення ---
Від кого: "Julian C. Dunn" jdunn@aquezada.com
Дата: 6 серпня 2015, 23:19:12
That doesn't look like anything to do with WinRM, but that the Chef
client doesn't trust the SSL certificate being presented by your Chef
Server "chef01.theorchard.local".
It's been a while since i started bootstrapping windows machines since I've
been doing linux for so long, I've enabled winrm and setup the proper
configs for winrm. However, I am getting the following error and was hoping
someone can lead me to the right place:
eset-era01.theorchard.local C:\Users\Administrator>chef-client -c
c:/chef/client.rb -j c:/chef/first-boot.json -E DEVELOPMENT
eset-era01.theorchard.local [2015-08-06T12:44:45-04:00] INFO: *** Chef
12.4.1 ***
eset-era01.theorchard.local [2015-08-06T12:44:45-04:00] INFO: Chef-client
pid: 4104
eset-era01.theorchard.local [2015-08-06T12:45:18-04:00] INFO: Client key
c:/chef/client.pem is not present - registering
eset-era01.theorchard.local [2015-08-06T12:45:19-04:00] ERROR: SSL
Validation failure connecting to host: chef01.theorchard.local - SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify
failed
eset-era01.theorchard.local
eset-era01.theorchard.local
eset-era01.theorchard.local Chef encountered an error attempting to create
the client "eset-era01.TheOrchard.local"
eset-era01.theorchard.local
Privileged And Confidential Communication. This electronic transmission, and
any documents attached hereto, (a) are protected by the Electronic
Communications Privacy Act (18 USC §§ 2510-2521), (b) may contain
confidential and/or legally privileged information, and (c) are for the sole
use of the intended recipient named above. If you have received this
electronic message in error, please notify the sender and delete the
electronic message. Any disclosure, copying, distribution, or use of the
contents of the information received in error is strictly prohibited.
--
[ Julian C. Dunn < jdunn@aquezada.com > * Sorry, I'm ]
[ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]
If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server’s certificate.
By default, the certificate is stored in the following location on the host
where your chef-server runs:
/var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt
Copy that file to your trusted_certs_dir (currently: C:/Users/codegenagent.chef
\trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server’s certificate is now trusted.
C:\Windows\system32>knife ssl fetch
WARNING: No knife configuration file found
WARNING: Certificates from localhost will be fetched and placed in your trusted_
cert
directory (C:/Users/codegenagent.chef\trusted_certs).
Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.
ERROR: Network Error: No connection could be made because the target machine act
ively refused it. - connect(2)
Check your knife configuration and network settings
ok i see what i was doing wrong as far as the fetch part… So i was able to fetch the SSL cert:
C:\Windows\system32>knife ssl check https://chef01.theorchard.local
WARNING: No knife configuration file found
Connecting to host chef01.theorchard.local:443
Successfully verified certificates from `chef01.theorchard.local’
C:\Windows\system32>
However, when i run chef-client on the node, it still throws that ssl cannot be verified error. Also, why aren’t the certs being shipped to the node.
