chef-solo ssl warning when provisioning

Question

When using vagrant and chef as provisioner, I've got this warning:

[web] Chef 11.12.2 Omnibus package is already installed. [web] Running provisioner: chef_solo... Generating chef JSON and uploading... Running chef-solo... stdin: is not a tty [2014-04-10T14:48:46+00:00] INFO: Forking chef instance to converge... [2014-04-10T14:48:46+00:00] WARN: * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * SSL validation of HTTPS requests is disabled. HTTPS connections are still encrypted, but chef is not able to detect forged replies or man in the middle attacks.  To fix this issue add an entry like this to your configuration file:  ```   # Verify all HTTPS connections (recommended)   ssl_verify_mode :verify_peer    # OR, Verify only connections to chef-server   verify_api_cert true ```  To check your SSL configuration, or troubleshoot errors, you can use the `knife ssl check` command like so:  ```   knife ssl check -c /tmp/vagrant-chef-1/solo.rb ```  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 

Would be nice to know what kind of settings does chef requires in Vagrantfile to fix this issue.

Answer 1

This warning was introduced in Chef 11.12.0. See the release notes for details:

When ssl_verify_mode is set to :verify_none, Chef will print a warning. Use knife ssl check to test SSL connectivity and then add ssl_verify_mode :verify_peer to your configuration file to fix the warning. Though :verify_none is currently the default, this will be changed in a future release, so users are encouraged to be proactive in testing and updating their SSL configuration.

To fix this warning in Vagrant, you have to amend the solo.rb config file it creates in the VM. With Vagrant you can use the custom_config_path option for that.

You can thus amend your Vagrantfile like this:

Vagrant.configure("2") do |config|   config.vm.provision "chef_solo" do |chef|     # the next line is added     chef.custom_config_path = "Vagrantfile.chef"   end end 

This makes Vagrant include the contents of the local file Vagrantfile.chef into the generated solo.rb, the file thus needs to be present on your host system, not the VM.

Then, create a new file Vagrantfile.chef in the directory where you also keep your Vagrantfile with the following content:

Chef::Config.ssl_verify_mode = :verify_peer 

The next run of vagrant provision should no longer print the warning.

Answer 2

I had this issue when working with test-kitchen.

If that is also the case for you, note that this value can also be directly configured inside .kitchen.yml.

If your standard provisioner block looks like:

provisioner:   name: chef_solo 

you can just add the solo_rb key with the ssl_verify_mode option:

provisioner:   name: chef_solo   solo_rb:     ssl_verify_mode: verify_peer 

and the generated solo.rb will have this option set.