CHEF-5282: add "verify-api-cert true" to be default in bootstrap client config and add ssl peer verify as option. #1416
…y by default during bootstrap, provide option to disable at bootstrap
Opened bug on Chef side to track:
…L certs against the Chef server with option to disable default behavior. Everyone wins
Changed behavior to have the peer verification be a feature to be enabled, instead going with the less aggressive verify-api-cert to satisfy the WARN no longer showing during a node bootstrap.
I'm not sure if we would like to provide command line flags for this purpose. Config settings should be fine IMO. In our roadmap we have an item to "Update the bootstrap to be able to configure SSL verification on nodes". For this we need to give bootstrap the ability to send certificates to the hosts. @danielsdeleo do you think in the context of this roadmap item we will have config configurables to disable the SSL verification on the nodes? If yes, what should they look like? Asking because we can implement them now and ease the pain of the warning message, and we can implement the "enabling SSL verification" part later.
Yes, we need to be able to disable the verification, in the short term at least. We've encountered a few users with custom CAs that are misconfigured but our debug tools don't show where the problem is, and there's the issue where I think it's fine to have both a CLI option and configuration option for this, so users can more easily disable it temporarily when debugging or testing. And finally, we definitely need a way to copy trusted certificates from the host running
Given that we're close to enabling the SSL verification by default in Chef 12, I'm closing this since we're beyond the code freeze point for the next 11 release.
Add the "ssl_verify_mode :verify_peer" configuration to the bootstrap client configuration so it no longer produces the warn messages that ship with Chef 11.12.
Incidentally, provide an option to disable this when the user doesn't want this behavior.
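As an added example (not code from this PR or from Chef itself), the fragment below renders the SSL-related lines that a bootstrap would drop into a node's client.rb, with `verify_api_cert true` always on and peer verification switchable as the description proposes, and then audits an existing client.rb so an operator can find nodes that were bootstrapped with verification turned off. The config keys are Chef's real client settings; the helper names and the sample server URL are assumptions.

```ruby
# Added example, not Chef's own code. Renders the client.rb lines a
# bootstrap would write, then audits a client.rb for weak SSL settings.

# Render a client.rb fragment. verify_peer: false maps to :verify_none,
# the setting an operator would use temporarily while debugging a
# misconfigured custom CA; verify_api_cert stays true in both cases so
# the Chef server's own certificate is still checked.
def bootstrap_client_config(chef_server_url:, node_name:, verify_peer: true)
  lines = [
    "chef_server_url \"#{chef_server_url}\"",
    "node_name \"#{node_name}\"",
    "verify_api_cert true",
    "ssl_verify_mode #{verify_peer ? ':verify_peer' : ':verify_none'}",
  ]
  lines.join("\n") + "\n"
end

# Audit a client.rb body. Returns a list of findings; an empty list means
# the node enforces certificate verification the way the PR intends.
def audit_client_config(text)
  settings = {}
  text.each_line do |line|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    key, value = stripped.split(/\s+/, 2)
    settings[key] = value
  end
  findings = []
  findings << 'verify_api_cert not true' unless settings['verify_api_cert'] == 'true'
  mode = settings['ssl_verify_mode']
  findings << "ssl_verify_mode is #{mode || 'unset'}" unless mode == ':verify_peer'
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample URL, not a real Chef server.
  cfg = bootstrap_client_config(chef_server_url: 'https://chef.example.test/organizations/acme',
                                node_name: 'web1', verify_peer: false)
  puts cfg
  puts audit_client_config(cfg).inspect
end
```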