Add --no-ssl-peer-verification option

This allows WinRM to work over HTTPS, when the target node is using a self-signed cert, or using a certificate that doesn't match the host name, etc. Works with commits to em-winrm and WinRM, which I will submit pull requests for also.
gswallow · Jun 26, 2013 · d04c835 · d04c835
1 parent af57c69
commit d04c835
Show file tree

Hide file tree

Showing 8 changed files with 18 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,4 @@
 .bundle
 Gemfile.lock
 pkg/*
+.idea
diff --git a/knife-windows.gemspec b/knife-windows.gemspec
@@ -15,7 +15,7 @@ Gem::Specification.new do |s|
   s.description = s.summary
 
   s.required_ruby_version	= ">= 1.9.1"
-  s.add_dependency "em-winrm", "= 0.5.4"
+  s.add_dependency "em-winrm", "= 0.5.5"
 
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")

diff --git a/lib/chef/knife/bootstrap/windows-shell.erb b/lib/chef/knife/bootstrap/windows-shell.erb
@@ -62,7 +62,7 @@ cmd.exe /C gem install chef --no-rdoc --no-ri --verbose <%= bootstrap_version_st
 )
 
 > C:\chef\first-boot.json (
- <%= run_list %>
+ <%= first_boot %>
 )
 
 <%= start_chef %>
diff --git a/lib/chef/knife/bootstrap_windows_base.rb b/lib/chef/knife/bootstrap_windows_base.rb
@@ -89,6 +89,10 @@ def self.included(includer)
             :long => "--secret-file SECRET_FILE",
             :description => "A file containing the secret key to use to encrypt data bag item values. Will be rendered on the node at c:/chef/encrypted_data_bag_secret and set in the rendered client config."
 
+          option :no_ssl_peer_verification,
+            :long => "--no-ssl-peer-verification",
+            :description => "Do not verify the SSL peer's certificate"
+
         end
       end
 

diff --git a/lib/chef/knife/bootstrap_windows_winrm.rb b/lib/chef/knife/bootstrap_windows_winrm.rb
@@ -51,6 +51,8 @@ def run_command(command = '')
         winrm.config[:kerberos_realm] = Chef::Config[:knife][:kerberos_realm] if Chef::Config[:knife][:kerberos_realm]
         winrm.config[:kerberos_service] = Chef::Config[:knife][:kerberos_service] if Chef::Config[:knife][:kerberos_service]
         winrm.config[:ca_trust_file] = Chef::Config[:knife][:ca_trust_file] if Chef::Config[:knife][:ca_trust_file]
+        winrm.config[:no_ssl_peer_verification] = true if config.has_key?(:no_ssl_peer_verification)
+        Chef::Log.debug "config.has_key?(:no_ssl_peer_verification) = #{config.has_key?(:no_ssl_peer_verification)} (#{config[:no_ssl_peer_verification]})"
         winrm.config[:manual] = true
         winrm.config[:winrm_port] = locate_config_value(:winrm_port)
         winrm.run

diff --git a/lib/chef/knife/core/windows_bootstrap_context.rb b/lib/chef/knife/core/windows_bootstrap_context.rb
@@ -22,10 +22,10 @@ class Chef
   class Knife
     module Core
       # Instances of BootstrapContext are the context objects (i.e., +self+) for
-      # bootstrap templates. For backwards compatability, they +must+ set the
+      # bootstrap templates. For backwards compatibility, they +must+ set the
       # following instance variables:
       # * @config   - a hash of knife's config values
-      # * @run_list - the run list for the node to boostrap
+      # * @run_list - the run list for the node to bootstrap
       #
       class WindowsBootstrapContext < BootstrapContext
 

diff --git a/lib/chef/knife/winrm.rb b/lib/chef/knife/winrm.rb
@@ -113,6 +113,8 @@ def session_from_list(list)
           session_opts[:realm] = Chef::Config[:knife][:kerberos_realm] if Chef::Config[:knife][:kerberos_realm]
           session_opts[:service] = Chef::Config[:knife][:kerberos_service] if Chef::Config[:knife][:kerberos_service]
           session_opts[:ca_trust_path] = Chef::Config[:knife][:ca_trust_file] if Chef::Config[:knife][:ca_trust_file]
+          session_opts[:no_ssl_peer_verification] = true if config.has_key?(:no_ssl_peer_verification)
+          Chef::Log.debug "config.has_key?(:no_ssl_peer_verification) = #{config.has_key?(:no_ssl_peer_verification)} (#{config[:no_ssl_peer_verification]})"
           session_opts[:operation_timeout] = 1800 # 30 min OperationTimeout for long bootstraps fix for KNIFE_WINDOWS-8
 
           ## If you have a \\ in your name you need to use NTLM domain authentication
@@ -135,6 +137,7 @@ def session_from_list(list)
             end
           end
 
+          Chef::Log.debug "session_opts[:no_ssl_peer_verification] = #{session_opts[:no_ssl_peer_verification]}"
           session.use(item, session_opts)
 
           @longest = item.length if item.length > @longest

diff --git a/lib/chef/knife/winrm_base.rb b/lib/chef/knife/winrm_base.rb
@@ -90,6 +90,10 @@ def self.included(includer)
             :description => "The Certificate Authority (CA) trust file used for SSL transport",
             :proc => Proc.new { |trust| Chef::Config[:knife][:ca_trust_file] = trust }
 
+          option :no_ssl_peer_verification,
+            :long => "--no-ssl-peer-verification",
+            :description => "Do not verify the SSL peer's certificate"
+
         end
       end