【发布时间】:2015-01-28 06:32:33
【问题描述】:
主厨服务器(RHEL 6.5):11.16.4
Windows 端点:Windows 2008
引导在 http (with winrm config allowUnEncrypeted = true and basic auth = true) 上运行良好。
现在我们在 https(but with basic auth = false and AllowUnEncrypted = false) 上尝试同样的事情
已生成自签名证书(使用私钥),并且我已通过端口 443 验证了 telnet。
为了检查连接,我从终端(Windows 7)运行了以下命令,
winrs -r:https://<fqdn Of windows EP>:443 -u:administrator -p:password_1 ipconfig
在受信任的根证书颁发机构下添加自签名证书后工作正常。
从主厨服务器引导时出错:
[root@v-ng25-rhel6u5-tpm722 ~]# knife bootstrap windows winrm v-ngibm71tpm7222k8.example.co.in -x Administrator -P 'password_1' -p 443 --bootstrap-version '11.16.4-1'
Waiting for remote response before bootstrap.at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
..at depth 0 - 18: self signed certificate
ERROR: No response received from remote node after 1.84 minutes, giving up.
ERROR: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
理想情况下,如果 winrs 命令有效(意味着自签名证书生成和侦听器配置没有问题),那么应该这样。
非常感谢任何帮助/指针。
更新:
在创建侦听器时注意删除指纹中的空格
knife ssl check能够验证证书在链接 [link]https://github.com/gswallow/knife-windows/commit/d04c835cfff1260017b91a799168e90b931cad6a 尝试
--no-ssl-peer-verification选项env var
SSL_CERT_FILE指向包含远程机器证书的/opt/chef-server/embedded/ssl/certs/cacert.pem尝试了一个临时建议,将证书添加到
/opt/opscode/embedded/jre/jre/lib/security/cacerts的密钥库
问题仍然存在。
更新:
这是有效的,
编辑文件
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/knife-windows-0.8.0/lib/chef/knife/bootstrap_windows_winrm.rb
并添加行,
winrm.config[:no_ssl_peer_verification] = true
编辑文件
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/knife-windows-0.8.0/lib/chef/knife/winrm.rb
并添加行,
session_opts[:no_ssl_peer_verification] = true if config.has_key?(:no_ssl_peer_verification)
它仍然给出自签名错误,但至少它引导
输出:
Waiting for remote response before bootstrap.at depth 0 - 18: self signed certificate
at depth 0 - 18: self signed certificate
tpm72-win2K8R2.example.com .
tpm72-win2K8R2.example.com Response received.
Remote node responded after 0.0 minutes.
Bootstrapping Chef on tpm72-win2K8R2.example.com
at depth 0 - 18: self signed certificate
at depth 0 - 18: self signed certificate
tpm72-win2K8R2.example.com "Rendering "C:\Users\ADMINI~1\AppData\Local\Temp\bootstrap-22620-1423038641.bat" chunk 1"
at depth 0 - 18: self signed certificate
at depth 0 - 18: self signed certificate
tpm72-win2K8R2.example.com "Rendering "C:\Users\ADMINI~1\AppData\Local\Temp\bootstrap-22620-1423038641.bat" chunk 2"
【问题讨论】:
-
我最后想到的办法,尝试使用与http相同的参数的https(看看它是否只是证书问题或添加到证书警告的身份验证问题)
-
@Tensibai 错误保持与 http (
winrm config allowUnEncrypeted = true and basic auth = true) 相同的参数。我会试试这个看看它是否有帮助[链接]gagravarr.org/writing/openssl-certs/… -
刚刚查看了您的一个链接(第 3 个)似乎 CA 证书文件有一个配置选项:
winrm.config[:ca_trust_file] = Chef::Config[:knife][:ca_trust_file] if Chef::Config[:knife][:ca_trust_file]所以您可以尝试将knife[:ca_trust_file] = "/opt/chef-server/embedded/ssl/certs/cacert.pem"添加到您的 Knife.rb 文件中。 -
@Tensibai 更新了解决方法。似乎绕过了错误。
-
感谢您的更新,它可能会帮助其他人:)
标签: windows chef-infra bootstrapping winrm