
[Chef-15] knife bootstrap winrm fails with option --ca-trust-file. #8533

Closed
Vasu1105 opened this issue May 14, 2019 · 6 comments

@Vasu1105 (Contributor) commented May 14, 2019

Description

knife bootstrap with winrm communication and with --ca-trust-file fails.
To verify, I checked the --ca-trust-file option using the Chef-14 version on the workstation, and it runs successfully on Chef-14.

/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:103:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError)
	10: from /usr/bin/knife:154:in `<main>'
	 9: from /usr/bin/knife:154:in `load'
	 8: from /opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.0.293/bin/knife:24:in `<top (required)>'
	 7: from /opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.0.293/lib/chef/application/knife.rb:162:in `run'
	 6: from /opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.0.293/lib/chef/knife.rb:221:in `run'
	 5: from /opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.0.293/lib/chef/knife.rb:473:in `run_with_pretty_exceptions'
	 4: from /opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.0.293/lib/chef/local_mode.rb:41:in `with_server_connectivity'
	 3: from /opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.0.293/lib/chef/knife.rb:474:in `block in run_with_pretty_exceptions'
	 2: from /opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.0.293/lib/chef/knife/bootstrap.rb:548:in `run'
	 1: from /opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.0.293/lib/chef/knife/bootstrap.rb:595:in `connect!'
/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.0.293/lib/chef/knife/bootstrap.rb:599:in `rescue in connect!': uninitialized constant Train::Transports::SSHFailed (NameError)

Chef Version

Chef Infra Client: 15.0.293

Platform Version

Workstation : Ubuntu 18.04
Node: Windows-2012R2

Replication Case

I have in my knife.rb
ssl_ca_file "/opt/chef/embedded/ssl/certs/cacert.pem"

In the command below I also tried setting --winrm-auth-method to 'negotiate', but it gives the same result.

knife bootstrap ec2-54-185-185-29.us-west-2.compute.amazonaws.com -o winrm --node-name vj-winrmssl --connection-user 'Administrator' --connection-password 'password' --connection-port 5986 --winrm-auth-method 'ssl' -c ~/workspace/chef-repo/.chef/knife.rb --bootstrap-version '14.12.9' --winrm-ssl -r 'recipe[windows_task::default]' --ca-trust-file server_cert.pem -E developement -VV

Client Output


Stacktrace

Chef-15 run log
https://gist.github.com/Vasu1105/eb323e3cde8d16583a26c4e1ae180e15#file-knife-bootstrap-winrm-ssl-with-ca-trust-file-log

Chef-14 run log
https://gist.github.com/Vasu1105/d1430cc2dba8d4d17042b9bcacb9caf4
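The last line of the trace above shows a second problem layered on the TLS failure: the rescue clause in connect! names a constant that does not exist, so the user never sees the original OpenSSL error. The following is an added example, not code from Chef or train; the Train::Transports stub, ConnectionError and raw_connect are constructed to reproduce that masking offline.

```ruby
require 'openssl'

# Constructed stand-in for the transport namespace. It deliberately lacks
# the SSHFailed constant, mirroring the Chef 15.0.293 trace above.
module Train; module Transports; end; end

class ConnectionError < StandardError; end

# Constructed: stands in for the WinRM connect that failed peer verification.
def raw_connect
  raise OpenSSL::SSL::SSLError, 'certificate verify failed (self signed certificate)'
end

# Masked variant: the class list of a rescue clause is evaluated only when an
# exception actually propagates, and it is evaluated left to right. The
# missing constant therefore surfaces as a NameError before SSLError is even
# compared, and the real cause of the failure is lost to the operator.
def connect_masked
  raw_connect
rescue Train::Transports::SSHFailed, OpenSSL::SSL::SSLError => e
  raise ConnectionError, "connect failed: #{e.message}"
end

# Fixed variant: rescue only classes known to exist and re-raise a typed
# error; Ruby attaches the original exception as #cause automatically.
def connect_fixed
  raw_connect
rescue OpenSSL::SSL::SSLError => e
  raise ConnectionError, "connect failed: #{e.message}"
end

# Returns [class that surfaced, class of its cause (or nil), message]
# so the two behaviours can be compared without reading a backtrace.
def surfaced(method_name)
  send(method_name)
rescue Exception => e
  [e.class, e.cause && e.cause.class, e.message]
end
```

The practical check is the second element of each result: the fixed variant keeps OpenSSL::SSL::SSLError reachable through cause, the masked one replaces it with a NameError whose message says nothing about certificates.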

@Vasu1105 (Contributor, Author) commented May 14, 2019

@btm and @marcparadise inspec/train#449 fixes the uninitialized constant Train::Transports::SSHFailed error. Could you please have a look at it?

@marcparadise (Member) commented May 14, 2019

DEBUG: [WinRM] @ec2-54-185-185-29.us-west-2.compute.amazonaws.com<{:transport=>:ssl, :disable_sspi=>false, :basic_auth_only=>false, :endpoint=>"https://ec2-54-185-185-29.us-west-2.compute.amazonaws.com:5986/wsman", :user=>"Administrator", :password=>"<hidden>", :no_ssl_peer_verification=>false, :realm=>nil, :service=>nil, :ca_trust_file=>"server_cert.pem", :ssl_peer_fingerprint=>nil}> (Write-Host '[WinRM] Established ')

I found this interesting. There's no mention of the ca_trust_file in the object capture - perhaps train isn't passing it through?

@marcparadise (Member) commented May 14, 2019

Train is passing this through as ca_trust_path, but WinRM wants ca_trust_file[1]

ca_trust_path was added to train bootstrap support; while it's technically a released API, it's not working because of this. Let's change the name to be correct in train[2][3].

  1. https://github.com/WinRb/WinRM/blob/2a9a2ff55c5bbd903a019d63b1d134ac32ead4c7/lib/winrm/http/transport.rb#L270
  2. https://github.com/inspec/train/blob/master/lib/train/transports/winrm.rb#L66
  3. https://github.com/inspec/train/blob/master/lib/train/transports/winrm.rb#L135
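Two things worth seeing in working code: what the dropped option controls on the client side (the listener certificate must chain to something in the trust store, otherwise a self-signed certificate fails with exactly the OpenSSL error in the trace), and how a key mismatch like ca_trust_path versus ca_trust_file can be made to fail at option-parsing time instead of as an opaque TLS error. This is an added example and not train's or WinRM's code; the self-signed certificate, WINRM_KNOWN_KEYS and winrm_options are constructed for illustration.

```ruby
require 'openssl'
require 'tempfile'

# Constructed: a self-signed certificate standing in for the WinRM listener's
# server_cert.pem from the issue, which is not on the page.
def make_self_signed_cert(cn = 'winrm.example.test')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Client-side meaning of --ca-trust-file: the listener certificate is accepted
# only if it chains to a certificate in the trust store. With no trust file
# the store is empty and a self-signed listener certificate is rejected with
# the same "self signed certificate" error the trace above shows.
def verify_listener_cert(cert, ca_trust_file: nil)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_trust_file) if ca_trust_file
  ok = store.verify(cert)
  { ok: ok, error: store.error, error_string: store.error_string }
end

# Hypothetical strict translation of train-side options into the keys the
# WinRM transport understands (not train's or WinRM's real option list).
# Unknown keys are rejected rather than silently dropped, so a rename such as
# :ca_trust_path -> :ca_trust_file fails here instead of surfacing later as
# a certificate verification failure.
WINRM_KNOWN_KEYS = %i[endpoint user password transport ca_trust_file
                      no_ssl_peer_verification ssl_peer_fingerprint].freeze

def winrm_options(train_opts)
  unknown = train_opts.keys - WINRM_KNOWN_KEYS
  unless unknown.empty?
    raise ArgumentError, "unknown WinRM option(s): #{unknown.join(', ')}"
  end
  train_opts
end

# Runs the verification twice: with no trust file, then with the listener's
# own certificate written to a temporary trust file. Returns both results.
def demo_trust_file
  cert = make_self_signed_cert
  Tempfile.create(['server_cert', '.pem']) do |f|
    f.write(cert.to_pem)
    f.flush
    [verify_listener_cert(cert), verify_listener_cert(cert, ca_trust_file: f.path)]
  end
end
```

The useful property of the strict mapping is that the security-relevant option cannot disappear quietly: either the trust file reaches the TLS layer or the run stops before any connection is attempted. Note that an unknown-key check of this kind only helps if the transport's accepted key list is kept in one place and the translation layer consults it.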

@marcparadise (Member) commented May 14, 2019

inspec/train#450 will address the ca_trust_path/file issue; we still need to rename it in bootstrap.rb.

@marcparadise referenced this issue May 14, 2019: Multiple Bootstrap bug fixes #8539 (Merged, 6 of 10 tasks complete)

@marcparadise (Member) commented May 16, 2019

@Vasu1105 could you confirm this is resolved in latest current builds and close this out?

@Vasu1105 (Contributor, Author) commented May 17, 2019

Yes, it's working @marcparadise

@tas50 tas50 closed this May 17, 2019
