0

I have a working installation of open source chef and am trying to add domain authentication to bootstrap Windows servers.

I've created the HTTPS listener as described in the knife windows documentation. I used the domain certificate for this node for the hex value.

When I try to run the following command:

knife bootstrap windows winrm #myip# -r 'role[#myrole#]' -x #MYDOMAIN#\\#myuser# -P '#mypass#' -p 5986 -VV

I get the following error:

Waiting for remote response before bootstrap.
DEBUG: Adding #myip#
DEBUG: :session => :init
DEBUG: :relay_to_servers => echo . & echo Response received.
DEBUG: :relayed => #myip#
DEBUG: #myip# => :run_command
at depth 1 - 20: unable to get local issuer certificate

Since the domain certificate that I used for the hex value was a Rackspace issued certificate, I figured that perhaps it was not registered as trusted on the chef server or chef workstation. I've added the certificates to /usr/local/share/ca-certificates/ and ran sudo update-ca-certificates on both the chef server and workstation. I've also added the certificates in .pem format to /opt/chef-server/embedded/ssl/certs and /etc/chef/trusted_certs on the chef server and '/opt/chef/embedded/ssl/certs` on the chef workstation.

Either my assessment of the issue was incorrect or I haven't reconfigured the certs correctly - either way, I'm lost.

Dan Hoerst
  • 1
  • 6

1 Answers1

0

As per Chef support, I needed to use port 5985 for both the listener and the chef bootstrap command making the command:

knife bootstrap windows winrm #myip# -r 'role[#myrole#]' -x #MYDOMAIN#\\#myuser# -P '#mypass#' -p 5985

Then I needed to install the new (pre-release) gem of winrm-s via:

gem install winrm-s --pre
gem uninstall winrm-s --version '= 0.2.0'

Then I needed to install the newest pre-release of knife-windows via opscode github.

Once all of that was complete I was able to bootstrap Windows servers from any Windows Chef workstation via domain authentication.

Dan Hoerst
  • 1
  • 6