chef / knife-windows

Plugin for Chef's knife tool for working with Windows nodes
Apache License 2.0

Unable to bootstrap with windows-winrm over ssl #315

Closed echandradhas closed 9 years ago

echandradhas commented 9 years ago

I am trying to bootstrap a Windows node with WinRM over SSL and it gives me a bare error. Any clues? I did the following steps before bootstrapping to configure SSL and that seemed to work. Is this a known issue?

    knife windows cert generate --cert-passphrase "test" --hostname "servername.domainname.local" --output-file "server_cert.pfx"
    Generated Certificates:

    c:\Chef\devops>knife windows cert install "server_cert.pfx" --cert-passphrase "test"
    Adding certificate to the Windows Certificate Store...
    Certificate added to Certificate Store

    c:\Chef\devops>knife windows listener create --cert-passphrase "test" --hostname "servername.domainname.local" --cert-thumbprint "d05CdasdadadadadaCFC6"
    WinRM listener created with Port: 5986 and CertificateThumbprint: d05CdasdadadadadaCFC6

    knife bootstrap windows winrm -t ssl servername.domainname.local -x "admin" -P "adminpass" -f "server_cert.pfx"

It gives me the following error:

    ERROR: OpenSSL::X509::StoreError:

mwrock commented 9 years ago

That is a terrible error message which should be fixed. I think the problem is that you need to use the .pem file and not the .pfx file in your bootstrap command.

echandradhas commented 9 years ago

My issue is fixed and I am leaving some closing notes for other Chef users.

1) I had to use a .pem file in the bootstrap command instead of a .pfx. You can skip the proxy server option if it is not relevant.

    knife bootstrap windows winrm -t ssl admin-PC.local -x "admin" -P "adminpass" -f admin-PC.pem --bootstrap-version 12.3.0 bootstrap-proxy http://itsmy.proxyserver.com:1234 --winrm-ssl-verify-mode 'verify_peer'

2) Imported the .pfx that gets generated from the knife windows cert generate command into the certificate store on the node to be bootstrapped.

3) Create a listener manually on the node to be bootstrapped using the command:

    winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname="admin-PC.local";CertificateThumbprint="<THUMBPRINT>"}"

Thanks mwrock for the help!

mwrock commented 9 years ago

I'm reopening just to make sure we get a better error message when passing in a .pfx and to clean up the readme around the SSL setup.

mwrock commented 9 years ago

See #316 to address some of the ambiguity around where commands should be run and which file to use with the bootstrap command. I have also added an issue (https://github.com/WinRb/WinRM/issues/156) to the WinRM gem about better error messages when the wrong certificate format is used.

I think this addresses most of the issues @echandradhas had bootstrapping her node not to mention possibly many others who have not filed issues.

Working with @echandradhas offline to resolve her issue, we hit a couple other snags such as errors when the NIC connection type of the node is set to public. I don't think that topic is specifically related to this gem but it would be great to have a chef walk through tutorial on SSL setup that we could reference here. (cc @tpetchel )

Also note: I wrote a blog post covering a lot of the typical hangups related to WinRM/SSL setup, but it's not incredibly Chef specific. I also need to add the connection type nuances.
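The .pfx-versus-.pem mix-up from the closing notes and the "better error message" point raised in this comment, as an added illustration in Ruby (knife's language) that is not code from knife-windows or the WinRM gem: inspect the certificate bytes before they reach an X509 store, so a PKCS#12 bundle handed to -f is rejected with an actionable message instead of a bare StoreError. The hostname admin-PC.local and passphrase "test" come from the thread; the helper names and the self-signed test material are my own constructions.

```ruby
require 'openssl'

# Classify certificate bytes before OpenSSL::X509::Store sees them.
# Returns :pem, :der_cert, :pkcs12 or :unknown.
def cert_format(bytes)
  return :pem if bytes.include?('-----BEGIN CERTIFICATE-----')
  asn1 = OpenSSL::ASN1.decode(bytes)
  return :unknown unless asn1.is_a?(OpenSSL::ASN1::Sequence) && !asn1.value.empty?
  first = asn1.value.first
  # PFX ::= SEQUENCE { version INTEGER(3), authSafe ContentInfo, macData MacData }
  return :pkcs12 if first.is_a?(OpenSSL::ASN1::Integer) && first.value.to_i == 3
  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, sigAlg, signature }
  return :der_cert if first.is_a?(OpenSSL::ASN1::Sequence)
  :unknown
rescue OpenSSL::ASN1::ASN1Error
  :unknown
end

# Trust store for verifying the WinRM listener (what -f feeds), with a clear error.
def trusted_store_from(bytes)
  case cert_format(bytes)
  when :pem, :der_cert
    store = OpenSSL::X509::Store.new
    store.add_cert(OpenSSL::X509::Certificate.new(bytes))
    store
  when :pkcs12
    raise ArgumentError, 'Got a PKCS#12 (.pfx) bundle; that file carries the listener ' \
      'private key and belongs in the node certificate store. Pass the .pem certificate to -f.'
  else
    raise ArgumentError, 'Not a PEM or DER certificate'
  end
end

# Constructed stand-in for "knife windows cert generate" output: a self-signed
# cert for admin-PC.local plus its .pfx protected with passphrase "test".
def build_test_material
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial  = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=admin-PC.local')
  cert.issuer  = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  pfx = OpenSSL::PKCS12.create('test', 'winrm', key, cert)
  { cert: cert, pem: cert.to_pem, pfx: pfx.to_der }
end
```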

mwrock commented 9 years ago

One final note here: I just blogged about changing the internet connection type to get around errors when trying to enable WinRM, and updated my WinRM troubleshooting post to reference it.