chef / knife-windows

Plugin for Chef's knife tool for working with Windows nodes
Apache License 2.0

MSI Url with self-signed cert causes bootstrapping to choke #486

Closed. AccidentallyTheCable closed this 4 years ago

AccidentallyTheCable commented 5 years ago

Version:

1.96 - I know it's old, but looking at the code, current is affected as well

Environment:

Windows 10 1909; WinRM

Scenario:

Bootstrap fails if using an MSI Url that has a self-signed certificate.

Steps to Reproduce:

Bootstrap with `--msi-url https://....`. The remote site should have a self-signed or invalid cert.

Example command used:

```
knife bootstrap windows winrm 1.2.3.4 -E "myenv" -x ".\myuser" -P "mypassword" -N "rndtest0001.dev.domain.tld" --no-verify-api-cert --no-color --verbose --msi-url https://chef.appliance.domain.tld:7443/chef-client-12.22.5-1-x64.msi --winrm-ssl-verify-mode verify_none
```

Expected Result:

Successful Bootstrap

Actual Result:

`wget.ps1` fails to complete successfully, as does `wget.vbs`, because Windows does not handle invalid certs without mucking around a bit.

While I'm sure that `wget.ps1` is there for a reason, wget (PowerShell `Invoke-WebRequest`) now exists, but in either case, self-signed certs are not handled well by Windows.

Workaround:

Modify the `windows-chef-client-msi.erb` template and remove the `wget.ps1` creation. Pre-create a `wget.ps1` in the correct location that handles self-signed certs. Example:

```powershell
# Defines an ICertificatePolicy that accepts every server certificate, so the
# download below proceeds even when the appliance's cert is self-signed.
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
# Install the policy process-wide for this PowerShell session.
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

# wget.ps1 is invoked as: wget.ps1 <url> <destination file>
Invoke-WebRequest -Uri $Args[0] -OutFile $Args[1] -UseBasicParsing
```

Note that this Wget method does not do proxy methods without further work. I attempted to inject this straight into the template instead of pre-creating, but there were issues with some of the lines and parsing from the template / running at batch time.

Also, I'm not sure if `...CertificatePolicy = New-Object TrustAllCertsPolicy` is permanent or not. In our env it doesn't matter.
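The workaround above turns certificate validation off for every host the PowerShell process talks to. The following script is an added example, not code from the issue reporter or from the knife-windows project: it keeps normal validation and accepts exactly one extra certificate, identified by its thumbprint, then checks the downloaded MSI's hash. It is written for Windows PowerShell 5.1, where `Invoke-WebRequest` uses `HttpWebRequest` and therefore honours `ServicePointManager.ServerCertificateValidationCallback` (PowerShell 7 does not; it has `-SkipCertificateCheck` instead). The script name `wget-pinned.ps1`, the class `PinnedCertPolicy`, and the `$ExpectedThumbprint` / `$ExpectedSha256` values are assumptions; the thumbprint and hash must be obtained out of band from whoever operates the appliance.

```powershell
# wget-pinned.ps1 (hypothetical name, added example): download a file over HTTPS,
# trusting the normal chain OR one pinned self-signed cert, never "everything".
param(
    [Parameter(Mandatory = $true)] [string] $Uri,
    [Parameter(Mandatory = $true)] [string] $OutFile,
    # Placeholder: SHA-1 thumbprint of the appliance's certificate, obtained out of band.
    [Parameter(Mandatory = $true)] [string] $ExpectedThumbprint,
    # Placeholder: SHA-256 of the MSI, if the publisher gave you one.
    [string] $ExpectedSha256
)

# Compile the pinning callback once per session (Add-Type refuses to redefine a type).
if (-not ('PinnedCertPolicy' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Pins one certificate: a cert that passes normal chain validation is accepted as
// usual; the only extra case accepted is an exact thumbprint match with the pin.
public static class PinnedCertPolicy
{
    public static string ExpectedThumbprint;
    public static RemoteCertificateValidationCallback Previous;

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) { return true; }
        if (cert == null) { return false; }
        string actual = new X509Certificate2(cert).Thumbprint;
        return string.Equals(actual, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // ServicePointManager state is process-wide, so keep the previous callback
    // and put it back afterwards instead of leaving the pin installed.
    public static void Install(string thumbprint)
    {
        ExpectedThumbprint = thumbprint.Replace(" ", "").Replace(":", "");
        Previous = ServicePointManager.ServerCertificateValidationCallback;
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static void Restore()
    {
        ServicePointManager.ServerCertificateValidationCallback = Previous;
    }
}
"@
}

[PinnedCertPolicy]::Install($ExpectedThumbprint)
try {
    # Older Windows PowerShell builds do not offer TLS 1.2 by default; ask for it explicitly.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $Uri -OutFile $OutFile -UseBasicParsing
}
finally {
    # Whether the download succeeded or not, the pin does not outlive this script.
    [PinnedCertPolicy]::Restore()
}

# Second check, on the artifact itself: a pinned connection proves who served the
# MSI, not that the bytes are the MSI you expected. Compare the hash when known.
if ($ExpectedSha256) {
    $actualHash = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($actualHash -ne $ExpectedSha256) {
        Remove-Item -Path $OutFile -Force
        throw "SHA-256 mismatch for ${OutFile}: expected $ExpectedSha256, got $actualHash"
    }
}
```

Invoked as `.\wget-pinned.ps1 -Uri https://chef.appliance.domain.tld:7443/chef-client-12.22.5-1-x64.msi -OutFile C:\chef-client.msi -ExpectedThumbprint <thumbprint>`, it fails the download if the appliance's certificate is replaced by any other untrusted certificate, which the `TrustAllCertsPolicy` variant would silently accept. Like the reporter's script it does not add proxy handling beyond what `Invoke-WebRequest` does on its own.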

tas50 commented 4 years ago

I'm going to close this out since we've removed bootstrap functionality from this repository. Bootstrapping is now handled directly in the chef project repo. If this is still an issue for you in Chef Infra Client, please file the issue at https://github.com/chef/chef/issues