vendatech / chef-cookbook-ssl
Deploy a Chef-managed Certificate Authority
Is there support for communicating with chef over https? I have these settings in my $HOME/.chef/knife.rb:
#omit irrelevant stuff
chef_server_url 'https://chef.mydomain.com:4449'
ssl_verify_mode :verify_peer
ssl_client_key 'client.key.pem'
ssl_client_cert 'client.cert.pem'
ssl_ca_file 'ca.pem'
And knife works fine, but chef-ssl won't connect with this error:
# chef-ssl search --trace
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:586:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (Spice::Error::ClientError)
from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:586:in `connect'
from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:542:in `start'
from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:1035:in `request'
from /Library/Ruby/Gems/1.8/gems/faraday-0.8.4/lib/faraday/adapter/net_http.rb:74:in `perform_request'
from /Library/Ruby/Gems/1.8/gems/faraday-0.8.4/lib/faraday/adapter/net_http.rb:37:in `call'
from /Library/Ruby/Gems/1.8/gems/faraday-0.8.4/lib/faraday/response.rb:8:in `call'
from /Library/Ruby/Gems/1.8/gems/faraday-0.8.4/lib/faraday/connection.rb:226:in `run_request'
from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice/request.rb:55:in `request'
from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice/request.rb:11:in `get'
from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice/connection/search.rb:26:in `search'
from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice/connection/nodes.rb:13:in `nodes'
from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice.rb:20:in `send'
from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice.rb:20:in `method_missing'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:50:in `ca_search'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/command.rb:115
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:155:in `run'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:402:in `run_active_command'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:78:in `run!'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/delegates.rb:7:in `run!'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/import.rb:10
from /usr/bin/chef-ssl:23
Thoughts?
Seems like this cookbook is no longer being maintained. I use it extensively and am willing to take over ownership.
If @chrisa isn't able to transfer it, I will fork it and start from there.
Upon my very first test I encountered this: The resource fails when there is no "certificates" data bag to search.
Would be nice to either not fail or extend the docs accordingly.
chef-ssl-client 1.1.0 depends on faraday 0.8.9. Berkshelf 3.x depends on faraday 0.9.x:
$ bundle
Bundler could not find compatible versions for gem "faraday":
  In Gemfile:
    berkshelf (>= 3.0.0) ruby depends on
      faraday (~> 0.9.0) ruby
    chef-ssl-client (>= 0) ruby depends on
      spice (= 1.0.4) ruby depends on
        faraday (0.8.9)
Hi,
It would be great if we could specify a custom knife.rb config file (as knife does with the -c option), so we can use different chef servers.
Thanks in advance
I'm attempting to set up a new node with x509. I'm getting a very ambiguous error when I run chef-client on the bootstrapped node.
What appears to be happening is that on line 30 of providers/certificate.rb:
# Try to find this certificate in the data bag.
certbag = search(:certificates, "id:#{cert_id}").first
if certbag
  # Data bag item found - the CSR was processed, and can be removed
  # from the outbox
  if node.attribute?('csr_outbox')
    if node.set['csr_outbox'].delete(new_resource.name)
      new_resource.updated_by_last_action(true)
    end
  end
else
  certbag ||= {}
end
You're doing a search for the certificate. The Chef API returns a 404 exception if it's not found, but you're not capturing the 404 error. Is this correct?
Is this fix as simple as catching an exception?
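The lookup the two posts above are asking for, as an added example that is not the cookbook's own provider code: a missing "certificates" data bag comes back from the Chef API as a 404, which Chef raises as Net::HTTPClientException (older Ruby and Chef call it Net::HTTPServerException). The wrapper below treats only that 404 as "no certificate issued yet" and re-raises anything else, so a permissions failure or a server error is never silently turned into an empty result. The `search` function and the data bag contents here are constructed stand-ins for the Chef search API; inside a provider the real `search` from Chef's DSL takes its place.

```ruby
require 'net/http'

# Constructed fake Chef server state: which data bags exist and their items.
FAKE_DATA_BAGS = {
  'certificates' => [{ 'id' => 'web01.example.com' }]
}.freeze

# Constructed stand-in for Chef's search: a data bag that does not exist is a
# 404, wrapped the way Chef wraps it. The 'forbidden' bag name is a constructed
# hook that stands in for a 403 (e.g. a client key without read permission).
def search(bag, query)
  if bag.to_s == 'forbidden'
    res = Net::HTTPForbidden.new('1.1', '403', 'Forbidden')
    raise Net::HTTPClientException.new('403 "Forbidden"', res)
  end
  items = FAKE_DATA_BAGS[bag.to_s]
  unless items
    res = Net::HTTPNotFound.new('1.1', '404', 'Not Found')
    raise Net::HTTPClientException.new('404 "Not Found"', res)
  end
  id = query[/\Aid:(.+)\z/, 1]
  items.select { |item| item['id'] == id }
end

# Returns the data bag item for cert_id, or nil when the bag or the item is
# absent. Every other HTTP error (403, 500, ...) is re-raised untouched, so a
# misconfigured client is still visible instead of looking like "not signed yet".
def find_certificate_item(cert_id, bag: :certificates)
  search(bag, "id:#{cert_id}").first
rescue Net::HTTPClientException => e
  raise unless e.response.code == '404'
  nil
end

# The provider's outbox housekeeping built on the safe lookup: once the signed
# certificate exists, the pending CSR is dropped from the node's outbox.
# Returns true when an entry was actually removed (the resource was updated).
def reconcile_outbox(node_outbox, cert_id, bag: :certificates)
  return false unless find_certificate_item(cert_id, bag: bag)
  !node_outbox.delete(cert_id).nil?
end

if __FILE__ == $0
  outbox = { 'web01.example.com' => { 'csr' => '<constructed CSR>' } }
  puts "missing bag -> #{find_certificate_item('x', bag: :nonexistent).inspect}"
  puts "outbox cleared: #{reconcile_outbox(outbox, 'web01.example.com')}"
end
```

The order of the two checks in `find_certificate_item` is the point: rescuing every exception (or every Net::HTTP exception) would make a revoked client key look like "no certificate yet" and leave the node retrying forever without an error in the run log.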
I was getting this error when running autosign:
$ chef-ssl autosign --ca-path ~/tmp/mysubca --ca-name="Chef Test CA" --trace
Sign this? (yes or no)
/Library/Ruby/Gems/1.8/gems/highline-1.6.15/lib/highline.rb:793:in `get_line': The input stream is exhausted. (EOFError)
from /Library/Ruby/Gems/1.8/gems/highline-1.6.15/lib/highline.rb:818:in `get_response'
from /Library/Ruby/Gems/1.8/gems/highline-1.6.15/lib/highline.rb:248:in `ask'
from /Library/Ruby/Gems/1.8/gems/highline-1.6.15/lib/highline.rb:347:in `choose'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/command.rb:235
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:55:in `ca_search'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:53:in `each'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:53:in `ca_search'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:52:in `each'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:52:in `ca_search'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/command.rb:225
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:155:in `run'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:402:in `run_active_command'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:78:in `run!'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/delegates.rb:7:in `run!'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/import.rb:10
from /usr/bin/chef-ssl:23
I worked around this by adding this line to client-gem/lib/chef-ssl/command.rb:234
HighLine.track_eof = false
I suspect it's my Mac, lots of articles about this error on mac. My specific environment:
OSX 10.8.2
ruby -v: ruby 1.8.7 (2012-02-08 patchlevel 358) [universal-darwin12.0]
highline: 1.6.15
Not looking for a fix, just putting it here in case anyone else runs into it.
mike
I need to be able to properly revoke certificates (instead of simply deleting them) and publish CRL's in the near future. Has anyone done this already with chef-ssl? If not I may have a go at implementing it.
mike
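Two of the threads above come down to the same two certificate-handling steps: the first (knife connecting fine while chef-ssl fails with "certificate verify failed") is what `ssl_verify_mode :verify_peer` with `ssl_ca_file` actually checks, and the revocation question just above is what a CRL adds to that check. The example below is added here and is not code from chef-ssl, chef-cookbook-ssl or the posters: it builds a throwaway CA with Ruby's OpenSSL bindings, issues a leaf certificate for a constructed `chef.mydomain.com`, and runs the same trust-store verification a verify_peer client performs, first with the right CA, then with a store that does not contain it (the situation a client that never loads `ssl_ca_file` is in), then with a CRL that lists the leaf as revoked. All names, serials and lifetimes are constructed for the demonstration.

```ruby
require 'openssl'

# Constructed keys; 2048-bit RSA keeps the run quick.
def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Build a certificate for `subject`, signed by issuer_key. issuer_cert nil means
# self-signed. `ca:` selects CA or end-entity extensions.
def build_cert(subject, issuer_cert, issuer_key, pubkey, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  end
  cert.sign(issuer_key, OpenSSL::Digest::SHA256.new)
  cert
end

# A self-signed CA plus one server certificate issued by it (constructed names).
def make_ca_and_leaf
  ca_key = make_key
  ca = build_cert('/CN=Chef Test CA', nil, ca_key, ca_key.public_key, 1, ca: true)
  leaf_key = make_key
  leaf = build_cert('/CN=chef.mydomain.com', ca, ca_key, leaf_key.public_key, 2, ca: false)
  { ca: ca, ca_key: ca_key, leaf: leaf, leaf_key: leaf_key }
end

# A CRL signed by the CA listing the given serial numbers as revoked. This is
# what revocation publishes; deleting the data bag item publishes nothing.
def build_crl(ca, ca_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    r = OpenSSL::X509::Revoked.new
    r.serial = serial
    r.time = Time.now - 30
    crl.add_revoked(r)
  end
  crl.sign(ca_key, OpenSSL::Digest::SHA256.new)
  crl
end

# The check behind ssl_verify_mode :verify_peer: the peer's chain must end at a
# CA in the trust store (the CAs from ssl_ca_file). With a CRL loaded, the leaf
# must also be absent from it. Returns [ok, error_string_or_nil].
def verify_peer(leaf, trusted_cas, crl: nil)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  if crl
    store.add_crl(crl)
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  end
  ctx = OpenSSL::X509::StoreContext.new(store, leaf)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# Three outcomes: right CA, a store without that CA, and a revoked leaf.
def demo
  pki = make_ca_and_leaf
  other_key = make_key
  other_ca = build_cert('/CN=Some Other CA', nil, other_key, other_key.public_key, 9, ca: true)
  crl = build_crl(pki[:ca], pki[:ca_key], [2])
  {
    right_ca: verify_peer(pki[:leaf], [pki[:ca]]),
    wrong_ca: verify_peer(pki[:leaf], [other_ca]),
    revoked: verify_peer(pki[:leaf], [pki[:ca]], crl: crl)
  }
end

if __FILE__ == $0
  demo.each { |name, (ok, err)| puts "#{name}: #{ok ? 'verified' : "FAILED (#{err})"}" }
end
```

The `wrong_ca` case is the failure from the first thread seen from the verifier's side: a client that does verify_peer but never loads the CA from `ssl_ca_file` has an empty (or system-only) trust store, so a certificate from a private Chef CA cannot chain to anything and the handshake is rejected. Disabling verification makes that message go away; pointing the client at the same CA file knife uses makes the check pass for the right reason. The `revoked` case shows why a CRL is the answer to the revocation question: clients that load it reject the certificate immediately, whereas removing the data bag item only stops Chef from distributing a certificate that every relying party still trusts until it expires.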
Using a command like:
chef-ssl autosign --help --ca-path ./myCA --ca-name myCA
will find requests for more than just "myCA". If you're using multiple CAs, it's then very easy to sign requests with the wrong CA.
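One way to keep a multi-CA signing run from picking up the wrong requests, as an added example that is not chef-ssl's own code: filter the pending CSRs by the CA they were requested for before presenting any of them, and check again at the moment of signing. The node documents are constructed, and the example assumes each csr_outbox entry carries a `ca` field holding the CA name given to the ssl_certificate resource.

```ruby
# Constructed node documents as a search for csr_outbox:* might return them.
SAMPLE_NODES = [
  { 'name' => 'web01', 'csr_outbox' => {
      'web01-https' => { 'ca' => 'myCA',    'csr' => '<constructed CSR>' },
      'web01-ldap'  => { 'ca' => 'otherCA', 'csr' => '<constructed CSR>' } } },
  { 'name' => 'db01',  'csr_outbox' => {
      'db01-tls'    => { 'ca' => 'myCA',    'csr' => '<constructed CSR>' } } },
  { 'name' => 'log01' } # no outbox at all
].freeze

# Returns [[node_name, resource_name, request], ...] restricted to requests
# whose 'ca' field names the CA being operated (the --ca-name value).
def requests_for_ca(nodes, ca_name)
  nodes.flat_map do |node|
    (node['csr_outbox'] || {}).map { |res, req| [node['name'], res, req] }
  end.select { |_node, _res, req| req['ca'] == ca_name }
end

# Guard to call immediately before signing: refuses a request addressed to a
# different CA even if it reached this point by mistake. Returns true when ok.
def assert_request_for_ca!(request, ca_name)
  return true if request['ca'] == ca_name
  raise ArgumentError, "request is for CA #{request['ca'].inspect}, not #{ca_name.inspect}"
end

if __FILE__ == $0
  requests_for_ca(SAMPLE_NODES, 'myCA').each do |node, res, req|
    assert_request_for_ca!(req, 'myCA')
    puts "#{node}: #{res} -> sign with myCA"
  end
end
```

The second guard matters because the listing and the signing are separate steps in an interactive tool: the filter decides what the operator sees, the guard makes sure a request that slipped through (or a CA name typed differently at the prompt) is refused rather than signed.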
I created a CA with the command:
and then tried to issue an adhoc certificate:
Enter CA passphrase:
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/erb.rb:719:in `initialize': can't convert nil into String (TypeError)
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:22:in `each'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:22:in `initialize'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:22:in `new'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:22:in `ssl'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:34:in `name'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/signing_request.rb:21:in `ssl'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/signing_request.rb:39:in `method_missing'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate.rb:23:in `ssl'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate.rb:56:in `sign'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_authority.rb:42:in `create_certificate'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.3/lib/chef-ssl/client/signing_authority.rb:22:in `sign'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.3/lib/chef-ssl/command.rb:56
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:155:in `run'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:402:in `run_active_command'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:78:in `run!'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/delegates.rb:7:in `run!'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/import.rb:10
from /usr/bin/chef-ssl:23
I've tried various incantations and all fail on the same line. My ruby is weak but best I can tell it's failing to set 'type' in lib/chef-ssl/client/request.rb in the 'create()' method.
cheers
mike