Use Berkshelf with custom CA certificate

喜你入骨 submitted on 2019-12-24 15:42:30

Question


I have a custom Chef server on premises with a TLS certificate that is signed by our own CA server. I added the CA certificate to .chef/trusted_certs and now knife ssl verify works fine.

But when I try to upload cookbooks using Berksfile I run into the following error:

$ berks upload
E, [2016-03-26T15:02:18.290419 #8629] ERROR -- : Ridley::Errors::ClientError: SSL_connect returned=1 errno=0 state=error: certificate verify failed
E, [2016-03-26T15:02:18.291025 #8629] ERROR -- : /Users/chbr/.rvm/gems/ruby-2.3-head@global/gems/celluloid-0.16.0/lib/celluloid/responses.rb:29:in `value'

I have tried to append the CA certificate to /ops/chefdk/embedded/ssl/certs/cabundle.pem but it made no difference.


Answer 1:


Create a custom CA bundle file and then set $SSL_CERT_FILE (or $SSL_CERT_DIR if you want to use that format) in your environment.
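
An added Ruby example (not part of the original answers or of Berkshelf's code) showing the effect of a custom bundle and $SSL_CERT_FILE: a certificate signed by a private CA fails chain verification against the default trust store and passes once the variable points at a bundle containing that CA. The CA, the server certificate and the helper names are constructed for the demonstration.

```ruby
require "openssl"
require "tmpdir"

# Constructed test PKI: build a certificate; self-signed when no issuer is given.
def make_cert(subject, key, issuer: nil, issuer_key: key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Write a custom bundle: the system CA file (if one exists) plus the private CA,
# so public CAs stay in the same file.
def write_bundle(ca_cert, dir = Dir.mktmpdir)
  system_file = OpenSSL::X509::DEFAULT_CERT_FILE
  pem = File.file?(system_file) ? File.binread(system_file) : ""
  path = File.join(dir, "ca-bundle.pem")
  File.binwrite(path, pem + "\n" + ca_cert.to_pem)
  path
end

# Chain verification only (no hostname check), using OpenSSL's default paths
# with SSL_CERT_FILE set to bundle_path, or unset when bundle_path is nil.
def verifies_with?(cert, bundle_path)
  saved = ENV["SSL_CERT_FILE"]
  ENV["SSL_CERT_FILE"] = bundle_path     # assigning nil removes the variable
  store = OpenSSL::X509::Store.new
  store.set_default_paths                # reads SSL_CERT_FILE / SSL_CERT_DIR
  store.verify(cert)
ensure
  ENV["SSL_CERT_FILE"] = saved
end

ca_key = OpenSSL::PKey::RSA.new(2048)
CA = make_cert("/CN=Constructed Private CA", ca_key, ca: true)
SERVER = make_cert("/CN=my.chef.server.example.org", OpenSSL::PKey::RSA.new(2048),
                   issuer: CA, issuer_key: ca_key)
BUNDLE = write_bundle(CA)

puts "default trust store:      #{verifies_with?(SERVER, nil)}"
puts "SSL_CERT_FILE=#{BUNDLE}: #{verifies_with?(SERVER, BUNDLE)}"
```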




Answer 2:


Use --no-ssl-verify. Berkshelf does not respect Chef's trusted certs.

Alternatively, there is an option to specify this in the berks config file.




Answer 3:


Don't ignore certificate validation. That is not the safest choice, especially with news about attackers having recently inserted malware in places like Node Package Manager. You can easily configure Berkshelf to trust the same certificates you trust with Chef.

In your ~/chef-repo/.berkshelf/config.json file, make sure the ca_path is set to point at your Chef trusted certificates, like this (assuming your Chef repo is located at ~/chef-repo):

{
  "ssl": {
    "verify": true,
    "ca_path": "~/chef-repo/.chef/trusted_certs"
  }
}

Then, use knife to manage your Chef certificates (like this):

$ cd ~/chef-repo
$ knife ssl fetch https://supermarket.chef.io/
$ knife ssl fetch https://my.chef.server.example.org/

All the certificates you trust with Chef will also be trusted by Berks.



Source: https://stackoverflow.com/questions/36236213/use-berkshelf-with-custom-ca-certificate
