Winrm


#1

Hey guys,

It’s been a while since I started bootstrapping Windows machines since I’ve
been doing Linux for so long. I’ve enabled WinRM and set up the proper
configs for WinRM. However, I am getting the following error and was hoping
someone can lead me to the right place:

eset-era01.theorchard.local C:\Users\Administrator>chef-client -c c:/chef/client.rb -j c:/chef/first-boot.json -E DEVELOPMENT
eset-era01.theorchard.local [2015-08-06T12:44:45-04:00] INFO: *** Chef 12.4.1 ***
eset-era01.theorchard.local [2015-08-06T12:44:45-04:00] INFO: Chef-client pid: 4104
eset-era01.theorchard.local [2015-08-06T12:45:18-04:00] INFO: Client key c:/chef/client.pem is not present - registering
eset-era01.theorchard.local [2015-08-06T12:45:19-04:00] ERROR: SSL Validation failure connecting to host: chef01.theorchard.local - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
eset-era01.theorchard.local
eset-era01.theorchard.local ================================================================================
eset-era01.theorchard.local Chef encountered an error attempting to create the client "eset-era01.TheOrchard.local"
eset-era01.theorchard.local ================================================================================
eset-era01.theorchard.local
eset-era01.theorchard.local [2015-08-06T12:45:19-04:00] ERROR: Running exception handlers
eset-era01.theorchard.local [2015-08-06T12:45:19-04:00] ERROR: Exception handlers complete
eset-era01.theorchard.local [2015-08-06T12:45:19-04:00] FATAL: Stacktrace dumped to c:/chef/cache/chef-stacktrace.out
eset-era01.theorchard.local [2015-08-06T12:45:19-04:00] FATAL: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed


Nikhil Shah • System Administrator
nshah@theorchard.com • p. (+1) 212 308-5648



#2

Hi Shah,
Please try to run "knife ssl fetch" from the workstation you are bootstrapping new nodes from, so that it has the certificates needed for communicating with the Chef server. Once the workstation has the certificates, it will send them to newly bootstrapped nodes during the bootstrap process as well, and you should not have the SSL connection issue anymore.
You can find more details on this here: https://docs.chef.io/knife_ssl_fetch.html

Or you can just turn off the SSL check in client.rb on the newly bootstrapped node by adding the following line: ssl_verify_mode :verify_none

You will find more info on client.rb options here: http://docs.chef.io/config_rb_client.html

Then just re-run chef-client on the bootstrapped node. From my point of view, creating and fetching certificates is preferable and more secure.
Hopefully you will find my advice helpful. :slight_smile:
Regards, Taras.


#3

That doesn’t look like anything to do with WinRM, but that the Chef
client doesn’t trust the SSL certificate being presented by your Chef
Server “chef01.theorchard.local”.

  • Julian



[ Julian C. Dunn jdunn@aquezada.com * Sorry, I’m ]
[ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]


#4

Totally agree with Julian. :slight_smile:
Either run “knife ssl fetch” and re-run chef-client from the bootstrapped node, or edit/add client.rb and re-run chef-client as well: ssl_verify_mode :verify_none

Regards, Taras.


#5

Tried to run knife ssl fetch, but got the following error. There isn’t anything blocking it (e.g. firewall, iptables, etc.):

OpenSSL Configuration:

  • Version: OpenSSL 1.0.1l 15 Jan 2015
  • Certificate file: C:/projects/openssl/knap-build/var/knapsack/software/x86-windows/openssl/1.0.1q/ssl/cert.pem
  • Certificate directory: C:/projects/openssl/knap-build/var/knapsack/software/x86-windows/openssl/1.0.1q/ssl/certs

Chef SSL Configuration:

  • ssl_ca_path: nil
  • ssl_ca_file: “C:/opscode/chef/embedded/ssl/certs/cacert.pem”
  • trusted_certs_dir: “C:/Users/codegenagent\.chef\trusted_certs”

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server’s certificate.

By default, the certificate is stored in the following location on the host
where your chef-server runs:

/var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently: C:/Users/codegenagent.chef\trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server’s certificate is now trusted.

C:\Windows\system32>knife ssl fetch
WARNING: No knife configuration file found
WARNING: Certificates from localhost will be fetched and placed in your trusted_cert
directory (C:/Users/codegenagent.chef\trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

ERROR: Network Error: No connection could be made because the target machine actively refused it. - connect(2)
Check your knife configuration and network settings


#6

OK, I see what I was doing wrong as far as the fetch part… So I was able to fetch the SSL cert:

C:\Windows\system32>knife ssl check https://chef01.theorchard.local
WARNING: No knife configuration file found
Connecting to host chef01.theorchard.local:443
Successfully verified certificates from `chef01.theorchard.local'

C:\Windows\system32>

However, when I run chef-client on the node, it still throws that SSL cannot be verified error. Also, why aren’t the certs being shipped to the node?
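
The knife output in post #5 warns that knife cannot verify the certificates it fetches, and post #6 shows a workstation that verifies the server while the node still fails. The Ruby sketch below is an added example, not part of the thread and not Chef's own code: it vets a fetched certificate against a fingerprint obtained out of band and shows that verification depends on the certificates each machine itself trusts. The certificates are generated inline as constructed stand-ins, and the helper names (`vet_fetched_cert`, `chain_verifies?`) are hypothetical.

```ruby
require "openssl"

# Constructed stand-in for the Chef server's self-signed certificate
# (on a real workstation this is the file `knife ssl fetch` saves).
def self_signed_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# SHA-256 fingerprint, to compare with one computed on the server itself.
def fingerprint(cert)
  OpenSSL::Digest.new("SHA256").hexdigest(cert.to_der).upcase.scan(/../).join(":")
end

# Returns [ok, reason]. Accept a fetched cert only if it matches the
# out-of-band fingerprint, names the expected host and is currently valid.
def vet_fetched_cert(cert, expected_fp, host, now = Time.now)
  return [false, "fingerprint mismatch"] unless fingerprint(cert) == expected_fp
  return [false, "hostname mismatch"] unless OpenSSL::SSL.verify_certificate_identity(cert, host)
  return [false, "outside validity period"] unless now.between?(cert.not_before, cert.not_after)
  [true, "ok"]
end

# What a TLS client does with the server cert: check it against the certs
# this machine trusts. Workstation and node each have their own set.
def chain_verifies?(server_cert, trusted_certs)
  store = OpenSSL::X509::Store.new
  trusted_certs.each { |c| store.add_cert(c) }
  store.verify(server_cert)
end

HOST = "chef01.theorchard.local"
SERVER = self_signed_cert(HOST)    # certificate the server really presents
IMPOSTOR = self_signed_cert(HOST)  # same name, different key (constructed)
EXPECTED_FP = fingerprint(SERVER)  # assumed to be obtained out of band

puts "genuine cert:  #{vet_fetched_cert(SERVER, EXPECTED_FP, HOST).inspect}"
puts "impostor cert: #{vet_fetched_cert(IMPOSTOR, EXPECTED_FP, HOST).inspect}"
puts "workstation (cert in trusted_certs): #{chain_verifies?(SERVER, [SERVER])}"
puts "node (cert not in its trust store):  #{chain_verifies?(SERVER, [])}"
```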