Chef Infra: Bootstrapping Chef nodes with a custom SSL certificate
With our Chef installation (12.0.3), we have installed a new SSL certificate from our internal private CA. However, once the certificate was installed, we now get the following error when attempting to bootstrap new nodes, for example:
C:\ws\devops\chef\cookbooks>knife bootstrap windows winrm WIN-e9073a7mffd.mydomain.local -N CHEF_TEST_DELETE_ME -x administrator -P password -r "recipe[test]"
WIN-e9073a7mffd.mydomain.local [2015-02-11T17:45:14+00:00] INFO: *** Chef 12.0.3 ***
WIN-e9073a7mffd.mydomain.local [2015-02-11T17:45:14+00:00] INFO: Chef-client pid: 1644
WIN-e9073a7mffd.mydomain.local [2015-02-11T17:45:21+00:00] INFO: Client key c:/chef/client.pem is not present - registering
WIN-e9073a7mffd.mydomain.local [2015-02-11T17:45:21+00:00] ERROR: SSL Validation failure connecting to host: chef.mydomain.local - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
WIN-e9073a7mffd.mydomain.local
WIN-e9073a7mffd.mydomain.local ================================================================================
WIN-e9073a7mffd.mydomain.local Chef encountered an error attempting to create the client "CHEF_TEST_DELETE_ME"
WIN-e9073a7mffd.mydomain.local ================================================================================
WIN-e9073a7mffd.mydomain.local
WIN-e9073a7mffd.mydomain.local [2015-02-11T17:45:21+00:00] FATAL: Stacktrace dumped to c:/chef/cache/chef-stacktrace.out
WIN-e9073a7mffd.mydomain.local [2015-02-11T17:45:21+00:00] FATAL: NoMethodError: undefined method `run_id' for nil:NilClass
ERROR: Failed to execute command on WIN-e9073a7mffd.mydomain.local return code 1
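If I manually add the CA's certificate to the /opscode/chef/embedded/ssl/certs/cacert.pem file, the server will then allow subsequent bootstrap attempts.
Do you have any ideas on how to fix this so that nodes bootstrap correctly on the first attempt?

To fix this, you have some options: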
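- Add your CA certificate to the trusted_certs directory (see)
- Set ssl_verify_mode to :verify_none in knife.rb (the client.rb should start from it) so that the first run succeeds, then distribute an updated client.rb and manage the target cacert.pem with Chef itself (the chef_client cookbook has recipes for this)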
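The first option works because the private CA's certificate becomes a trust anchor when the client verifies the server certificate. As an added example (not part of the original post and not Chef's own code), this Ruby sketch reproduces the verification failure with a constructed throwaway CA and server certificate, then shows it passing once the CA's PEM file is placed in a directory of trusted certificates; `make_cert`, `verify_with_dir`, `demo`, the CA name and the file name are hypothetical.

```ruby
require "openssl"
require "tmpdir"

# Constructed sample data: builds a throwaway certificate (self-signed CA or CA-signed leaf).
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Hypothetical helper: trust every *.crt / *.pem file found in `dir`
# (assumption: PEM-encoded files), then verify the server certificate.
def verify_with_dir(server_cert, dir)
  store = OpenSSL::X509::Store.new
  Dir.glob(File.join(dir, "*.{crt,pem}")).each do |path|
    store.add_cert(OpenSSL::X509::Certificate.new(File.read(path)))
  end
  ok = store.verify(server_cert)
  [ok, store.error_string]
end

def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert("Example Internal CA", ca_key, ca: true)
  srv_key = OpenSSL::PKey::RSA.new(2048)
  srv_cert = make_cert("chef.mydomain.local", srv_key, issuer_cert: ca_cert, issuer_key: ca_key)
  Dir.mktmpdir do |dir|
    before = verify_with_dir(srv_cert, dir)   # no CA file yet: chain cannot be built
    File.write(File.join(dir, "internal_ca.crt"), ca_cert.to_pem)
    after = verify_with_dir(srv_cert, dir)    # CA file present: chain verifies
    { before: before, after: after }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

Running the same kind of check against the real CA file before bootstrapping confirms that the file you are distributing is the one that issued the server's certificate.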