I was wondering if Chef can use a remote_file resource from an https source that uses a self-signed certificate. It doesn't seem to be able to. The documentation does not mention certificates or offer a configuration option to disable the SSL check.
If you have an https site with a self-signed certificate, this can for example be reproduced with a recipe that has
remote_file "/tmp/image.png" do
  source "https://mywebsite.com/image.png"
end
You can of course use knife to fetch the certificate on the target node, for example as follows:
vagrant@devops:~$ knife ssl fetch https://mywebsite.com/
WARNING: No knife configuration file found
WARNING: Certificates from mywebsite.com will be fetched and placed in your trusted_cert directory (/home/vagrant/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should verify the authenticity of these certificates after downloading.
This doesn't seem to do much, if anything. Chef will continue to show the message:
==> default: [2015-06-08T06:30:33+00:00] ERROR: remote_file[/tmp/image.png] (jenkins::remote_file_test line 1) had an error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Maybe this is a bug? It seems that Chef is ignoring the trusted certs.
Is there a workaround for this? Can we make Chef trust the cert somehow?
Update: the correct answer was given by Tensibai. See his comment.
Per Tensibai's technique (comment on the original question), I have the following bit of a recipe to install the cert:
bash 'pull certificate from gitlab' do
  code <<-EOH
    # s_client reads stdin, so close it to avoid hanging when run outside Chef.
    # -showcerts prints the whole chain; x509 keeps only the first (leaf) certificate.
    openssl s_client -connect hqdevgit01.my.lan:443 -showcerts </dev/null | openssl x509 -outform PEM > /opt/chef/embedded/ssl/certs/gitlab.pem
    # Append the leaf cert to the CA bundle shipped inside the Chef omnibus package.
    cat /opt/chef/embedded/ssl/certs/gitlab.pem >> /opt/chef/embedded/ssl/certs/cacert.pem
  EOH
  # Guard on the saved pem so the append only happens once.
  not_if { ::File.exist?('/opt/chef/embedded/ssl/certs/gitlab.pem') }
end
I download and store the pem in a separate file, and trigger the action off of that file's existence in the future. I suppose I should check cacert.pem, but there doesn't seem to be much problem should the cert be appended more than once.
Ultimately I need to get some certs for my internal tools servers, but the organization is small, and there isn't a clear indication of what and where we will be in 6 months. This solution is fine (not ideal) for my short-term needs (and we are 100% behind firewalls here).
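The knife warning above says to verify the fetched certificate yourself before trusting it. As an added example (not code from the question or the answer), this Ruby helper does that check: it pins the PEM obtained via openssl s_client or knife ssl fetch to a SHA-256 fingerprint recorded out of band, and produces the content for a file resource in the node's trusted_certs_dir instead of appending to the embedded cacert.pem. All function names are my own, and the self-signed certificate at the end is constructed for the demonstration.

```ruby
require 'openssl'

# SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint` prints.
def fingerprint_sha256(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Accept the certificate only if it matches a fingerprint obtained out of band
# (e.g. read off the server's console) and is inside its validity window.
def verify_pinned_cert(pem, expected_fingerprint)
  cert = OpenSSL::X509::Certificate.new(pem)
  actual = fingerprint_sha256(cert)
  unless actual.casecmp?(expected_fingerprint)
    raise "fingerprint mismatch: expected #{expected_fingerprint}, got #{actual}"
  end
  unless (cert.not_before..cert.not_after).cover?(Time.now)
    raise "certificate is outside its validity period"
  end
  cert
end

# Content for a `file` resource written into Chef::Config[:trusted_certs_dir]
# (normally /etc/chef/trusted_certs for chef-client), which survives a
# chef-client upgrade that replaces the embedded cacert.pem.
def trusted_cert_content(pem, expected_fingerprint)
  verify_pinned_cert(pem, expected_fingerprint).to_pem
end

# Constructed sample: a throwaway self-signed certificate standing in for
# the one the internal GitLab host would present.
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end
```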