Support for https to chef? #7

Open
rtkmhart opened this issue Mar 13, 2013 · 3 comments

@rtkmhart
Contributor

Is there support for communicating with chef over https? I have these settings in my $HOME/.chef/knife.rb:

```ruby
#omit irrelevant stuff
chef_server_url 'https://chef.mydomain.com:4449'
ssl_verify_mode :verify_peer
ssl_client_key 'client.key.pem'
ssl_client_cert 'client.cert.pem'
ssl_ca_file 'ca.pem'
```

And knife works fine, but chef-ssl won't connect with this error:

```
# chef-ssl search --trace
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:586:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (Spice::Error::ClientError)
    from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:586:in `connect'
    from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
    from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:542:in `start'
    from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/net/http.rb:1035:in `request'
    from /Library/Ruby/Gems/1.8/gems/faraday-0.8.4/lib/faraday/adapter/net_http.rb:74:in `perform_request'
    from /Library/Ruby/Gems/1.8/gems/faraday-0.8.4/lib/faraday/adapter/net_http.rb:37:in `call'
    from /Library/Ruby/Gems/1.8/gems/faraday-0.8.4/lib/faraday/response.rb:8:in `call'
    from /Library/Ruby/Gems/1.8/gems/faraday-0.8.4/lib/faraday/connection.rb:226:in `run_request'
    from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice/request.rb:55:in `request'
    from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice/request.rb:11:in `get'
    from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice/connection/search.rb:26:in `search'
    from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice/connection/nodes.rb:13:in `nodes'
    from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice.rb:20:in `send'
    from /Library/Ruby/Gems/1.8/gems/spice-1.0.4/lib/spice.rb:20:in `method_missing'
    from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:50:in `ca_search'
    from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/command.rb:115
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in `call'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:155:in `run'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:402:in `run_active_command'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:78:in `run!'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/delegates.rb:7:in `run!'
    from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/import.rb:10
    from /usr/bin/chef-ssl:23
```

Thoughts?

@chrisa
Contributor

chrisa commented Mar 14, 2013

The issue here is that we're not propagating Chef's SSL configuration into the Spice configuration we use to talk to the server, so the default verify mode is "yes, verify". https works for us because we distribute the relevant CA using the x509::localca recipe.

I've got a patch pending for this, which should show up shortly in a release.
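An added example, not part of the thread and not chef-ssl's or Spice's own code: it shows why a client that never receives `ssl_ca_file` reports "certificate verify failed" for a server certificate issued by a private CA, and how carrying the knife.rb-style settings onto the HTTP client fixes that while peer verification stays on. The helper names (`http_from_knife_settings`, `make_cert`, `verifies?`, `demo`) and the settings Hash are assumptions, and the CA and server certificates are constructed at run time.

```ruby
require 'openssl'
require 'net/http'
require 'tempfile'

# Hypothetical helper: copy knife.rb-style settings (a Hash) onto Net::HTTP; nothing connects.
def http_from_knife_settings(cfg)
  uri = URI.parse(cfg[:chef_server_url])
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER       # verification stays on
  http.ca_file = cfg[:ssl_ca_file] if cfg[:ssl_ca_file]
  if cfg[:ssl_client_cert] && cfg[:ssl_client_key]   # optional client-cert auth
    http.cert = OpenSSL::X509::Certificate.new(File.read(cfg[:ssl_client_cert]))
    http.key  = OpenSSL::PKey.read(File.read(cfg[:ssl_client_key]))
  end
  http
end

# Constructed test certificate; issuer nil means self-signed (the private CA).
def make_cert(cn, key, issuer, issuer_key, is_ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', is_ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Chain check: without ca_file only the system default roots are consulted.
def verifies?(server_cert, ca_file = nil)
  store = OpenSSL::X509::Store.new
  ca_file ? store.add_file(ca_file) : store.set_default_paths
  store.verify(server_cert)
end

# Returns [result without the CA setting, result with it].
def demo
  ca_key, srv_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca  = make_cert('Constructed Private CA', ca_key, nil, ca_key, true)
  srv = make_cert('chef.mydomain.com', srv_key, ca, ca_key, false)
  Tempfile.create(['ca', '.pem']) do |f|
    f.write(ca.to_pem); f.flush
    [verifies?(srv), verifies?(srv, f.path)]
  end
end
```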

@nmcspadden

Guessing this never got patched in? I'm running into a similar problem.

@rtkmhart
Contributor Author

It looks to me like @chrisa is no longer maintaining this cookbook. I've got a big pull request in and no movement. I'm moving ahead with my own fork as I need that functionality.
