
Chef server (RHEL 6.5): 11.16.4

Windows endpoint: Windows 2008

Bootstrapping over http (with winrm config AllowUnencrypted = true and basic auth = true) works fine.

Now we are trying the same thing over https (but with basic auth = false and AllowUnencrypted = false).

Generated a self-signed certificate (with a private key); I have verified telnet over port 443.

To check connectivity, I ran the following command from a terminal (Windows 7):

winrs -r:https://<fqdn Of windows EP>:443 -u:administrator -p:password_1 ipconfig

After adding the self-signed certificate under Trusted Root Certification Authorities it works fine.

Error when bootstrapping from the Chef server:

  [root@v-ng25-rhel6u5-tpm722 ~]# knife bootstrap windows winrm v-ngibm71tpm7222k8.example.co.in -x Administrator -P 'password_1' -p 443 --bootstrap-version '11.16.4-1'

Waiting for remote response before bootstrap.at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate


ERROR: No response received from remote node after 1.84 minutes, giving up.
ERROR: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Ideally, if the winrs command works (meaning there is no problem with the self-signed certificate generation and the listener configuration), then this should work too.

Any help/pointers are much appreciated.


Update:

  1. Took care to remove the spaces from the thumbprint when creating the listener

  2. knife ssl check is able to verify the certificate

  3. Tried the --no-ssl-peer-verification option from https://github.com/gswallow/knife-windows/commit/d04c835cfff1260017b91a799168e90b931cad6a

  4. The env var SSL_CERT_FILE points to /opt/chef-server/embedded/ssl/certs/cacert.pem, which contains the remote machine's certificate

  5. Tried an ad-hoc suggestion to add the certificate to the keystore /opt/opscode/embedded/jre/jre/lib/security/cacerts

The problem persists.


Update:

This works:

Edit the file

/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/knife-windows-0.8.0/lib/chef/knife/bootstrap_windows_winrm.rb

and add the line

winrm.config[:no_ssl_peer_verification] = true

Edit the file

/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/knife-windows-0.8.0/lib/chef/knife/winrm.rb

and add the line

session_opts[:no_ssl_peer_verification] = true if config.has_key?(:no_ssl_peer_verification)

It still gives the self-signed error, but at least it bootstraps.

Output:

Waiting for remote response before bootstrap.at depth 0 - 18: self signed certificate
at depth 0 - 18: self signed certificate
tpm72-win2K8R2.example.com .
tpm72-win2K8R2.example.com Response received.
Remote node responded after 0.0 minutes.
Bootstrapping Chef on tpm72-win2K8R2.example.com
at depth 0 - 18: self signed certificate
at depth 0 - 18: self signed certificate
tpm72-win2K8R2.example.com "Rendering "C:\Users\ADMINI~1\AppData\Local\Temp\bootstrap-22620-1423038641.bat" chunk 1"
at depth 0 - 18: self signed certificate
at depth 0 - 18: self signed certificate
tpm72-win2K8R2.example.com "Rendering "C:\Users\ADMINI~1\AppData\Local\Temp\bootstrap-22620-1423038641.bat" chunk 2"

1 Answer

The knife command uses the openssl lib, which knows nothing about your Windows certificate store but uses its own.

You have to add the remote machine's certificate to the Ruby stack's cacert.pem file: <path to chef install>\embedded\ssl\certs\cacert.pem

You may also need to add an environment variable named SSL_CERT_FILE pointing to this file for other tools.

Answered 2015-01-28T12:46:49.473
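The answer's point (knife verifies through OpenSSL's own trust bundle, not the Windows store) can be seen directly from Ruby's OpenSSL bindings, which is what knife-windows runs on. The following is an added example, not code from the question, the answer or the knife-windows project. It mints a self-signed certificate for a constructed hostname, verifies it against an empty bundle (what knife saw: OpenSSL error 18, V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, the "at depth 0 - 18" in the log), then against a bundle with the endpoint's certificate appended (what the answer recommends for cacert.pem / SSL_CERT_FILE), and finally checks that the trusted certificate is actually issued for the host being connected to. The hostname, certificate and the `make_self_signed_cert`, `verify_chain` and `hostname_matches?` helpers are all assumptions of this example.

```ruby
require 'openssl'

# Added example (not from the question, answer or knife-windows): why OpenSSL-based
# verification rejects a self-signed WinRM listener certificate with error 18, and
# why appending that certificate to the trust bundle (cacert.pem) fixes it.
# The host and certificate below are constructed for the example.

# Mint a self-signed certificate for a hypothetical WinRM endpoint.
def make_self_signed_cert(host)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert.issuer     = cert.subject # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{host}"))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Load every certificate in a PEM bundle (the role cacert.pem / SSL_CERT_FILE plays)
# into an OpenSSL trust store.
def trust_store_from_bundle(bundle_pem)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m).each do |pem|
    store.add_cert(OpenSSL::X509::Certificate.new(pem))
  end
  store
end

# Chain verification as OpenSSL performs it during the TLS handshake.
# Returns [ok, error_code]; error_code is 0 (V_OK) on success, 18 for a
# self-signed certificate that is not in the trust store.
def verify_chain(cert, bundle_pem)
  store = trust_store_from_bundle(bundle_pem)
  ok = store.verify(cert)
  [ok, store.error]
end

# Hostname check: trusting the certificate is not enough; it must also be
# issued for the name you connect to (SAN dNSName, falling back to CN).
def hostname_matches?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

if __FILE__ == $PROGRAM_NAME
  host = 'win-ep.example.test'
  cert = make_self_signed_cert(host)

  ok, err = verify_chain(cert, '')           # empty bundle: what knife saw
  puts "empty bundle:     ok=#{ok} error=#{err}"

  ok, err = verify_chain(cert, cert.to_pem)  # bundle with the endpoint cert appended
  puts "bundle with cert: ok=#{ok} error=#{err}"

  puts "hostname check:   #{hostname_matches?(cert, host)}"
end
```

Appending the endpoint's certificate to the bundle makes verification succeed without touching the code, whereas the `no_ssl_peer_verification` edits in the question's second update leave every WinRM session unauthenticated (any server on that port, with any certificate, would be accepted). When the bundle is rebuilt from a fresh Chef install, the appended certificate is lost, so the SSL_CERT_FILE approach from the answer, pointing at a bundle kept outside the install tree, is the more durable of the two.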