Chef remote_file from https site with self signed certificate

Tags: ssl, chef-infra

I was wondering if Chef can use a remote_file resource from an https source that uses a self-signed certificate. It doesn't seem to be able to. The documentation does not mention certificates or offer a configuration option to disable the SSL check.

If you have a site with https and a self-signed certificate, this can for example be reproduced with a recipe that has

remote_file "/tmp/image.png" do
  source "https://mywebsite.com/image.png"
end

You can of course use knife to fetch the certificate on the target node, for example as follows

vagrant@devops:~$ knife ssl fetch https://mywebsite.com/
WARNING: No knife configuration file found
WARNING: Certificates from mywebsite.com will be fetched and placed in your trusted_cert directory (/home/vagrant/.chef/trusted_certs).
Knife has no means to verify these are the correct certificates. You should verify the authenticity of these certificates after downloading.

This doesn't seem to do much/anything. Chef will continue to show the message

==> default: [2015-06-08T06:30:33+00:00] ERROR: remote_file[/tmp/image.png] (jenkins::remote_file_test line 1) had an error: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Maybe this is a bug? It seems that Chef is ignoring the trusted certs.

Is there a workaround for this? Can we make Chef trust the cert somehow?

Update: The correct answer was given by Tensibai. See his comment.

onknows asked Sep 27 '22 16:09


1 Answer

Per tensibai's technique (comment in the original question) I have the following bit of a recipe to install the cert:

bash 'pull certificate from gitlab' do
  code <<-EOH
    set -euo pipefail
    # Fetch the server's leaf certificate (stdin closed so s_client exits) and keep it in its own file
    openssl s_client -connect hqdevgit01.my.lan:443 -showcerts </dev/null | openssl x509 -outform PEM > /opt/chef/embedded/ssl/certs/gitlab.pem
    # Append it to the CA bundle that Chef's embedded Ruby/OpenSSL verifies against
    cat /opt/chef/embedded/ssl/certs/gitlab.pem >> /opt/chef/embedded/ssl/certs/cacert.pem
  EOH
  # Guard on the separate file so the fetch and append run only once
  not_if { ::File.exist?('/opt/chef/embedded/ssl/certs/gitlab.pem') }
end

I download and store the pem in a separate file, and trigger the action off of that existence in the future. I suppose I should check the cacert.pem, but there doesn't seem to be much problem should the cert be appended more than once.

Ultimately I need to get some certs for my internal tools servers - but the organization is small, and there isn't a clear indication of what and where we will be in 6 months. This solution is fine (not ideal) for my short term needs (and we are 100% behind firewalls here).

akaphenom answered Oct 06 '22 20:10
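One way to make the append idempotent and to act on knife's warning that the fetched certificate should be verified, as an added Ruby example that is not part of the answer above: the PEM is appended to the CA bundle only when its SHA-256 fingerprint matches a value obtained out of band and it is not already in the bundle. The bundle path, the hostname and the self-signed sample certificate are constructed for the example; in a recipe the same functions would run inside a ruby_block against /opt/chef/embedded/ssl/certs/cacert.pem.

```ruby
require 'openssl'

# Split a cacert.pem-style bundle into certificate objects.
def bundle_certs(pem_text)
  pem_text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# SHA-256 fingerprint of the DER form, colon separated, in the same form
# that "openssl x509 -noout -fingerprint -sha256" prints.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Append cert_pem to the bundle at bundle_path only when its fingerprint
# matches expected_fp (obtained out of band, e.g. read off the server's
# console) and it is not already present. Returns :added or
# :already_present; raises before touching the file on a mismatch.
def trust_cert(bundle_path, cert_pem, expected_fp)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  actual = fingerprint(cert)
  unless actual.casecmp?(expected_fp)
    raise "fingerprint mismatch: expected #{expected_fp}, got #{actual}"
  end
  existing = File.exist?(bundle_path) ? File.read(bundle_path) : ''
  return :already_present if bundle_certs(existing).any? { |c| c.to_der == cert.to_der }
  File.open(bundle_path, 'a') do |f|
    # Keep PEM blocks separated if the bundle lacks a trailing newline.
    f.write("\n") unless existing.empty? || existing.end_with?("\n")
    f.write(cert.to_pem)
  end
  :added
end

# Constructed sample: a throwaway self-signed certificate standing in for
# the internal server's, so the example runs offline (hostname is assumed).
def sample_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=hqdevgit01.my.lan')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end
```

Running trust_cert twice with the right fingerprint leaves exactly one copy in the bundle, and a wrong fingerprint raises without writing anything.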