chef-cookbook-ssl's Issues

First Converge: Net::HTTPServerException 404 "Object Not Found"

I'm attempting to set up a new node with x509. I'm getting a very ambiguous error when I run chef-client on the bootstrapped node.

What appears to be happening is that on line 30 of providers/certificate.rb:

  # Try to find this certificate in the data bag.
  certbag = search(:certificates, "id:#{cert_id}").first
  if certbag
    # Data bag item found - the CSR was processed, and can be removed
    # from the outbox
    if node.attribute?('csr_outbox')
      if node.set['csr_outbox'].delete(new_resource.name)
        new_resource.updated_by_last_action(true)
      end
    end
  else
    certbag ||= {}
  end

You're doing a search for the certificate. The Chef API returns a 404 exception if it's not found, but you're not capturing the 404 error. Is this correct?

Is this fix as simple as catching an exception?
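One way to handle the case this post describes, as an added example (not the cookbook's code): treat only a 404 from the lookup as "certificate not issued yet" and let every other API error propagate, so an authentication or server failure is never mistaken for a missing certificate. `find_certbag` and `api_error` are hypothetical names, and the lookup is passed in as a block so the sketch runs without a Chef server.

```ruby
require 'net/http'

# Ruby 2.6+ names the 4xx exception Net::HTTPClientException; older Rubies,
# including the one in this issue, call it Net::HTTPServerException.
HTTP_4XX = defined?(Net::HTTPClientException) ? Net::HTTPClientException : Net::HTTPServerException

# Hypothetical helper: runs the lookup passed as a block and returns the first
# hit, or {} when there is none. Only a 404 counts as "not issued yet".
def find_certbag(cert_id)
  yield(cert_id).first || {}
rescue HTTP_4XX => e
  raise unless e.response.code == '404'
  {}
end

# Constructed stand-in for an error raised by the Chef API client.
def api_error(response_class, code, message)
  HTTP_4XX.new("#{code} \"#{message}\"", response_class.new('1.1', code, message))
end
```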

chef-ssl issue fails on adhoc 'issue' command.

I created a CA with the command:

chef-ssl makeca --dn '/CN=MyTestCa' --ca-path ~/tmp/mytestca

and then tried to issue an adhoc certificate:

chef-ssl issue --ca-path=$HOME/tmp/awntestca --dn=/CN=foo --type=server --trace

Enter CA passphrase:
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/erb.rb:719:in `initialize': can't convert nil into String (TypeError)
    from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:22:in `each'
    from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:22:in `initialize'
    from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:22:in `new'
    from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:22:in `ssl'
    from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:34:in `name'
    from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/signing_request.rb:21:in `ssl'
    from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/signing_request.rb:39:in `method_missing'
    from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate.rb:23:in `ssl'
    from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate.rb:56:in `sign'
    from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_authority.rb:42:in `create_certificate'
    from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.3/lib/chef-ssl/client/signing_authority.rb:22:in `sign'
    from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.3/lib/chef-ssl/command.rb:56
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:155:in `run'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:402:in `run_active_command'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:78:in `run!'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/delegates.rb:7:in `run!'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/import.rb:10
    from /usr/bin/chef-ssl:23

I've tried various incantations and all fail on the same line. My ruby is weak but best I can tell it's failing to set 'type' in lib/chef-ssl/client/request.rb in the 'create()' method.

cheers
mike

Maintaining this cookbook

Seems like this cookbook is no longer being maintained. I use it extensively and am willing to take over ownership.

If @chrisa isn't able to transfer it, I will fork it and start from there.

chef-ssl-client 1.1.0 incompatible with berkshelf 3.x

chef-ssl-client 1.1.0 depends on faraday 0.8.9. Berkshelf 3.x depends on faraday 0.9.x:

$ bundle
Bundler could not find compatible versions for gem "faraday":
 In Gemfile:
   berkshelf (>= 3.0.0) ruby depends on
     faraday (~> 0.9.0) ruby

   chef-ssl-client (>= 0) ruby depends on
     spice (= 1.0.4) ruby depends on
       faraday (0.8.9)

Revoking certs and publishing CRLs

I need to be able to properly revoke certificates (instead of simply deleting them) and publish CRLs in the near future. Has anyone done this already with chef-ssl? If not I may have a go at implementing it.

mike

"Input stream exhausted" error on autosign command

I was getting this error when running autosign:

$ chef-ssl autosign --ca-path ~/tmp/mysubca --ca-name="Chef Test CA" --trace

Sign this? (yes or no)
/Library/Ruby/Gems/1.8/gems/highline-1.6.15/lib/highline.rb:793:in `get_line': The input stream is exhausted. (EOFError)
    from /Library/Ruby/Gems/1.8/gems/highline-1.6.15/lib/highline.rb:818:in `get_response'
    from /Library/Ruby/Gems/1.8/gems/highline-1.6.15/lib/highline.rb:248:in `ask'
    from /Library/Ruby/Gems/1.8/gems/highline-1.6.15/lib/highline.rb:347:in `choose'
    from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/command.rb:235
    from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:55:in `ca_search'
    from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:53:in `each'
    from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:53:in `ca_search'
    from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:52:in `each'
    from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:52:in `ca_search'
    from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/command.rb:225
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:155:in `run'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:402:in `run_active_command'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:78:in `run!'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/delegates.rb:7:in `run!'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/import.rb:10
    from /usr/bin/chef-ssl:23

I worked around this by adding this line to client-gem/lib/chef-ssl/command.rb:234

HighLine.track_eof = false

I suspect it's my Mac, lots of articles about this error on mac. My specific environment:
OSX 10.8.2
ruby -v: ruby 1.8.7 (2012-02-08 patchlevel 358) [universal-darwin12.0]
highline: 1.6.15

Not looking for a fix, just putting it here in case anyone else runs into it.

mike

Support for https to chef?

Is there support for communicating with chef over https? I have these settings in my $HOME/.chef/knife.rb:

#omit irrelevant stuff
chef_server_url 'https://chef.mydomain.com:4449'
ssl_verify_mode :verify_peer
ssl_client_key 'client.key.pem'
ssl_client_cert 'client.cert.pem'
ssl_ca_file 'ca.pem'

And knife works fine, but chef-ssl won't connect with this error:

# chef-ssl search --trace
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:586:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (Spice::Error::ClientError)
    from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:586:in `connect'
    from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
    from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:542:in `start'
    from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:1035:in `request'
    from /Library/Ruby/Gems/1.8/gems/faraday-0.8.4/lib/faraday/adapter/net_http.rb:74:in `perform_request'
    from /Library/Ruby/Gems/1.8/gems/faraday-0.8.4/lib/faraday/adapter/net_http.rb:37:in `call'
    from /Library/Ruby/Gems/1.8/gems/faraday-0.8.4/lib/faraday/response.rb:8:in `call'
    from /Library/Ruby/Gems/1.8/gems/faraday-0.8.4/lib/faraday/connection.rb:226:in `run_request'
    from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice/request.rb:55:in `request'
    from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice/request.rb:11:in `get'
    from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice/connection/search.rb:26:in `search'
    from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice/connection/nodes.rb:13:in `nodes'
    from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice.rb:20:in `send'
    from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice.rb:20:in `method_missing'
    from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:50:in `ca_search'
    from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/command.rb:115
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:155:in `run'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:402:in `run_active_command'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:78:in `run!'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/delegates.rb:7:in `run!'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/import.rb:10
    from /usr/bin/chef-ssl:23

Thoughts?
