Chef remote_file from https site with self-signed certificate

I was wondering if Chef would be able to use the remote_file resource with an https source that uses a self-signed certificate. It seems unable to. The documentation doesn't mention certificates and offers a configuration option to disable SSL checking.

If you have an https site with a self-signed certificate, it can be reproduced, for example, using a recipe with:

remote_file "/tmp/image.png" do
  source "https://mywebsite.com/image.png"
end

You can of course use knife to get the certificate onto the target node, for example like this:

vagrant@devops:~$ knife ssl fetch https://mywebsite.com/
WARNING: knife config file not found
WARNING: Certificates from mywebsite.com will be fetched and placed in the trusted_cert directory (/home/vagrant/.chef/trusted_certs).
Knife has no means to verify that these are the correct certificates. You should verify the authenticity of these certificates after downloading.

This doesn't seem to do anything. Chef keeps showing the message:

==> default: [2015-06-08T06:30:33+00:00] ERROR: remote_file[/tmp/image.png] (jenkins::remote_file_test line 1) had an error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Maybe this is a bug? It looks like Chef is ignoring the trusted certificates.

Is there a workaround for this? Can we get Chef to trust the cert somehow?

Update: The correct answer was given by Tensibai. See his comment.

+3


3 answers


I am using the certificate cookbook to manage my self-signed certificates, so my solution was based on this. In my recipe, I use certificate_manage to install a certificate that is stored in an encrypted data bag:

cert_resource = certificate_manage node['hostname'] do
  action :create
  ignore_missing false
end

Then I can add the certificate to cacert.pem with something like:

ruby_block 'add_self_signed_certificate_to_cacert' do
  block do
    cacert_path = '/opt/chef/embedded/ssl/certs/cacert.pem'
    # Path of the PEM installed by the certificate_manage resource above
    cert_file_path = ::File.join(cert_resource.cert_path, 'certs', cert_resource.cert_file)
    cacert = ::File.read(cacert_path)
    pem = ::File.read(cert_file_path)
    # Append only once, so repeated chef-client runs do not keep growing cacert.pem
    unless cacert.include? pem
      ::File.open(cacert_path, 'w') { |f| f.write(cacert + "\n" + pem) }
    end
  end
end

+1


Following the method linked by Tensibai (comment on the original question), I have the following bit of recipe for installing the certificate:

bash 'pull certificate from gitlab' do
  code <<-EOH
    # Grab the server's certificate and store it as its own PEM file;
    # </dev/null closes s_client's stdin so it exits instead of waiting for input
    openssl s_client -connect hqdevgit01.my.lan:443 -showcerts </dev/null | openssl x509 -outform PEM > /opt/chef/embedded/ssl/certs/gitlab.pem
    cat /opt/chef/embedded/ssl/certs/gitlab.pem >> /opt/chef/embedded/ssl/certs/cacert.pem
  EOH
  # Only run once: the saved PEM file marks the certificate as already installed
  not_if { ::File.exist?('/opt/chef/embedded/ssl/certs/gitlab.pem') }
end

I download and save the certificate in a separate file and key the action off its existence in future runs. I suppose I should check cacert.pem, but there doesn't seem to be much of a problem if the certificate is added more than once.

Ultimately I need to get proper certificates for my internal tool servers, but the organization is small and there is no clear indication of what or where we will be in 6 months. This solution is fine (not ideal) for my short term needs (and we're 100% behind firewalls here).

+2


Since Chef 12, the place to put your CA certificate file is /etc/chef/trusted_certs. Dropping your file there will fix the problem.

+1
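To see why the trusted_certs directory fixes the error, and to act on the knife warning about checking authenticity, here is an added Ruby example (not code from the question, the answers, or Chef itself). It generates a constructed self-signed certificate in memory, loads a trusted_certs-style directory into an OpenSSL X509 store the way chef-client does, verifies the certificate against it, and prints the SHA-256 fingerprint you would compare with the value obtained out of band; the directory name and hostnames are assumptions.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed test data: a self-signed certificate generated in memory.
def make_self_signed_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# What /etc/chef/trusted_certs amounts to: every PEM file in the directory is
# loaded into the X509 store the client verifies server certificates against.
def store_from_trusted_certs(dir)
  store = OpenSSL::X509::Store.new
  Dir.glob(File.join(dir, '*.{pem,crt}')).each { |f| store.add_file(f) }
  store
end

# knife ssl fetch warns you to check authenticity: compare this value with the
# fingerprint obtained out of band (e.g. on the server's own console).
def sha256_fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).scan(/../).join(':').upcase
end

# Drop one cert into a trusted_certs-style directory and check that it verifies
# while an unrelated self-signed cert from another host still does not.
def demo(trusted_cert, other_cert)
  Dir.mktmpdir('trusted_certs') do |dir|
    File.write(File.join(dir, 'mywebsite_com.crt'), trusted_cert.to_pem)
    store = store_from_trusted_certs(dir)
    { trusted: store.verify(trusted_cert), other: store.verify(other_cert) }
  end
end

if __FILE__ == $0
  site, other = make_self_signed_cert('mywebsite.com'), make_self_signed_cert('other.lan')
  puts "fingerprint to compare out of band: #{sha256_fingerprint(site)}"
  p demo(site, other) # => {:trusted=>true, :other=>false}
end
```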

