Chef bootstrapping a Windows VM over WinRM over HTTPS with a self-signed certificate

Time: 2015-01-28 06:32:33

Tags: windows chef bootstrapping winrm

Chef Server (RHEL 6.5): 11.16.4

Windows endpoint: Windows 2008

Bootstrapping works fine over http (with winrm config AllowUnencrypted = true and basic auth = true).

Now we are trying the same thing over https (but with basic auth = false and AllowUnencrypted = false).

Generated a self-signed certificate (with a private key); I verified with telnet over port 443.

To check the connection, I ran the following command from a terminal (Windows 7):

  winrs -r:https://<fqdn Of windows EP>:443 -u:administrator -p:password_1 ipconfig

It works fine after adding the self-signed certificate under Trusted Root Certification Authorities.

Error when bootstrapping from the Chef server:

  [root@v-ng25-rhel6u5-tpm722 ~]# knife bootstrap windows winrm v-ngibm71tpm7222k8.example.co.in -x Administrator -P 'password_1' -p 443 --bootstrap-version '11.16.4-1'

Waiting for remote response before bootstrap.at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate


ERROR: No response received from remote node after 1.84 minutes, giving up.
ERROR: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Ideally, if the winrs command works (meaning there is no problem with the self-signed certificate generation and the listener configuration), this should work too.

Any help/pointers are much appreciated.


Update

  1. Took care to remove the spaces from the thumbprint when creating the listener
  2. knife ssl check can verify the certificate
  3. Tried the link https://github.com/gswallow/knife-windows/commit/d04c835cfff1260017b91a799168e90b931cad6a
  4. The --no-ssl-peer-verification option
  5. The env var SSL_CERT_FILE pointing to /opt/chef-server/embedded/ssl/certs/cacert.pem, which contains the remote machine's certificate
  6. Tried the ad-hoc suggestion of adding the certificate to the keystore at /opt/opscode/embedded/jre/jre/lib/security/cacerts

    The problem still persists.


    Update:

    This is what worked:

    Edit the file

    /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/knife-windows-0.8.0/lib/chef/knife/bootstrap_windows_winrm.rb

    and add the line

    winrm.config[:no_ssl_peer_verification] = true

    Edit the file

    /opt/chef/embedded/lib/ruby/gems/1.9.1/gems/knife-windows-0.8.0/lib/chef/knife/winrm.rb

    and add the line

    session_opts[:no_ssl_peer_verification] = true if config.has_key?(:no_ssl_peer_verification)

    It still gives the self-signed error, but at least it bootstraps.

    Output:

    Waiting for remote response before bootstrap.at depth 0 - 18: self signed certificate at depth 0 - 18: self signed certificate tpm72-win2K8R2.example.com . tpm72-win2K8R2.example.com Response received. Remote node responded after 0.0 minutes. Bootstrapping Chef on tpm72-win2K8R2.example.com at depth 0 - 18: self signed certificate at depth 0 - 18: self signed certificate tpm72-win2K8R2.example.com "Rendering "C:\Users\ADMINI~1\AppData\Local\Temp\bootstrap-22620-1423038641.bat" chunk 1" at depth 0 - 18: self signed certificate at depth 0 - 18: self signed certificate tpm72-win2K8R2.example.com "Rendering "C:\Users\ADMINI~1\AppData\Local\Temp\bootstrap-22620-1423038641.bat" chunk 2"

1 answer:

Answer 0 (score: 0)

The knife command uses the OpenSSL lib, which does not know about your Windows certificate store but uses its own.

You have to add the remote machine's certificate to the cacert.pem file of the Ruby stack at <path to chef install>\embedded\ssl\certs\cacert.pem

You may have to add an environment variable named SSL_CERT_FILE pointing to this file for other tools.
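The following script is an added example, not code from the question or the answer. It reproduces the "depth 0 - 18: self signed certificate" verification failure locally with the openssl CLI (error 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, the same code shown in the knife output) and then applies the fix from the answer: appending the endpoint's certificate to a CA bundle such as cacert.pem, after which verification passes without disabling peer verification. It also prints the SHA-1 thumbprint without colons or spaces, the form the question's update says the listener configuration needs. The hostname, the temporary directory and the two generated certificates are constructed here; the script assumes only that `openssl`, `mktemp` and `sed` are available, and contacts no real endpoint.

```shell
#!/bin/sh
# Added example: show why an OpenSSL-based client (knife/Ruby) rejects a
# self-signed WinRM listener certificate and how trusting it via a CA bundle
# (the answer's cacert.pem fix) resolves it. All material is generated locally.
set -e

WORK=$(mktemp -d)
ENDPOINT_FQDN="winep.example.test"   # constructed hostname, not from the page

# Generate a throwaway self-signed certificate for the given name.
# $1 = common name, $2 = output path prefix (writes $2.key and $2.crt).
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
    echo "$2.crt"
}

# Verify a certificate ($1) against a CA bundle ($2) the way an OpenSSL
# client does. Prints "trusted" or "untrusted"; a self-signed cert that is
# absent from the bundle fails with error 18 (depth 0, self signed certificate).
verify_against_bundle() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Append a PEM certificate ($1) to a CA bundle ($2): the fix from the answer.
add_to_bundle() {
    cat "$1" >> "$2"
}

# SHA-1 thumbprint of $1 with the "Fingerprint=" prefix and the colons
# removed, i.e. with no separators or spaces.
thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# The endpoint's listener certificate (stand-in for the Windows self-signed cert).
CERT=$(make_self_signed_cert "$ENDPOINT_FQDN" "$WORK/ep")

# A bundle that already holds some unrelated CA but not the endpoint cert,
# standing in for the stock cacert.pem shipped with the Chef/Ruby stack.
OTHER=$(make_self_signed_cert "unrelated-ca.example.test" "$WORK/other")
BUNDLE="$WORK/cacert.pem"
cp "$OTHER" "$BUNDLE"

echo "before adding endpoint cert: $(verify_against_bundle "$CERT" "$BUNDLE")"
add_to_bundle "$CERT" "$BUNDLE"
echo "after adding endpoint cert:  $(verify_against_bundle "$CERT" "$BUNDLE")"
echo "listener thumbprint (no spaces/colons): $(thumbprint "$CERT")"
```

On a real Chef server the bundle path is the one the answer names (`<path to chef install>/embedded/ssl/certs/cacert.pem`, or whatever SSL_CERT_FILE points to), and the certificate to append is the one exported from the Windows listener. Trusting that specific certificate keeps peer verification on, which the `no_ssl_peer_verification` workaround in the question's second update does not.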