
CHEF-5282: add "verify-api-cert true" to be default in bootstrap client config and add ssl peer verify as option. #1416

Closed
wants to merge 6 commits into from

Conversation

yvovandoorn

Add the "ssl_verify_mode :verify_peer" configuration to the bootstrap client configuration so it no longer produces the warn messages that ship with Chef 11.12.

Incidentally, provide an option to disable this when the user doesn't want this behavior.

@yvovandoorn
Author

Opened bug on Chef side to track:
https://tickets.opscode.com/browse/CHEF-5282

@btm btm changed the title add "ssl_verify_mode :verify_peer" to be default in bootstrap client config CHEF-5282: add "ssl_verify_mode :verify_peer" to be default in bootstrap client config May 7, 2014
…L certs against the Chef server with option to disable default behavior. Everyone wins
@yvovandoorn
Author

Changed behavior to make peer verification a feature that has to be enabled, going instead with the less aggressive verify-api-cert so that the WARN no longer shows during a node bootstrap.

@yvovandoorn yvovandoorn changed the title CHEF-5282: add "ssl_verify_mode :verify_peer" to be default in bootstrap client config CHEF-5282: add "verify-api-cert true" to be default in bootstrap client config and add ssl peer verify as option. May 8, 2014
@sersut
Contributor

sersut commented May 19, 2014

I'm not sure if we would like to provide command line flags for this purpose. Config settings should be fine IMO.

In our roadmap we have an item to "Update the bootstrap to be able to configure SSL verification on nodes". For this we need to give bootstrap the ability to send certificates to the hosts. @danielsdeleo do you think in the context of this roadmap item we will have config configurables to disable the SSL verification on the nodes? If yes, what should they look like? Asking because we can implement them now and ease the pain of the warning message, and we can implement the "enabling SSL verification" part later.

@danielsdeleo
Contributor

Yes, we need to be able to disable the verification, in the short term at least. We've encountered a few users with custom CAs that are misconfigured but our debug tools don't show where the problem is, and there's the issue where Net::HTTP (or some lower layer) isn't correctly verifying the hostname of servers with DNS CNAMEs.

I think it's fine to have both a CLI option and configuration option for this, so users can more easily disable it temporarily when debugging or testing.

And finally, we definitely need a way to copy trusted certificates from the host running knife bootstrap to the remote host, otherwise this won't be workable for users with self-signed certificates. We also need to do something to ensure that users will have correctly configured ssl verification on their workstations before bootstrapping, or else we could have a situation where knife is configured for verify_none so we don't have the required certificates on the workstation, but then we bootstrap a machine with verify_api_cert and it fails after a long wait.
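The three situations weighed in this thread (a workstation running with verify_none that never notices a missing CA, a bootstrapped node switched to peer verification before the CA was copied over, and a hostname check that fails when the server is reached through a DNS alias the certificate does not name) can be exercised offline against a throwaway PKI. The Ruby below is an added example, not code from this PR or from Chef: it models only the chain check with OpenSSL::X509::Store and the identity check with OpenSSL::SSL.verify_certificate_identity, and does not reproduce Chef's distinction between verify_api_cert and ssl_verify_mode. The CA name, the hostnames and the list standing in for the trusted_certs directory are constructed for the example.

```ruby
require 'openssl'

# Issue a throwaway X.509 certificate. With no issuer_cert/issuer_key the
# certificate is self-signed (a root CA); otherwise it is signed by that CA.
# Every name used here is constructed for this example.
def make_cert(subject, serial, ca: false, issuer_cert: nil, issuer_key: nil, sans: [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                     # X.509 v3, required for extensions
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    san = sans.map { |h| "DNS:#{h}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san)) unless sans.empty?
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Chain validation as the client's ssl_verify_mode would apply it.
# :verify_none accepts any certificate without looking at it; :verify_peer
# requires the server certificate to chain to one of trusted_certs (the
# array stands in for the trusted certificates a node would have on disk).
# Returns [passed, reason].
def verify_chain(server_cert, trusted_certs, mode)
  return [true, 'not verified'] if mode == :verify_none
  store = OpenSSL::X509::Store.new
  trusted_certs.each { |c| store.add_cert(c) }
  return [true, 'ok'] if store.verify(server_cert)
  [false, store.error_string]
end

# Identity check. This is a separate step from chain validation: a client
# that reaches the server through an alias not listed in the certificate's
# subjectAltName fails here even when the chain verifies cleanly.
def hostname_matches?(server_cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(server_cert, hostname)
end

# Constructed PKI: an internal CA and a server certificate for chef.example.com.
CA_CERT, CA_KEY = make_cert('/CN=Example Internal CA', 1, ca: true)
SERVER_CERT, _  = make_cert('/CN=chef.example.com', 2,
                            issuer_cert: CA_CERT, issuer_key: CA_KEY,
                            sans: ['chef.example.com'])

if __FILE__ == $PROGRAM_NAME
  # Workstation with verify_none: succeeds, and the absent CA goes unnoticed.
  p verify_chain(SERVER_CERT, [], :verify_none)
  # Bootstrapped node with verify_peer and no CA copied over: fails.
  p verify_chain(SERVER_CERT, [], :verify_peer)
  # Same node once the CA is among its trusted certificates: passes.
  p verify_chain(SERVER_CERT, [CA_CERT], :verify_peer)
  # Identity check against the certificate's name and against an alias.
  p hostname_matches?(SERVER_CERT, 'chef.example.com')
  p hostname_matches?(SERVER_CERT, 'chef-alias.example.com')
end
```

The second call is the failure mode described above: the chain is rejected with "unable to get local issuer certificate" until the CA is present, which is why a bootstrap that enables peer verification has to ship the trusted certificate along with the client configuration. The last call shows that shipping the CA is not sufficient when nodes connect through a name the certificate does not carry.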

@sersut
Contributor

sersut commented Jun 24, 2014

Given that we're close to enabling the SSL verification by default in Chef 12, I'm closing this since we're beyond the code freeze point for the next 11 release.

@sersut sersut closed this Jun 24, 2014
@chef chef locked and limited conversation to collaborators Nov 16, 2017