Diffstat (limited to 'lib/chef/knife/ssl_check.rb')
-rw-r--r--lib/chef/knife/ssl_check.rb76
1 files changed, 70 insertions, 6 deletions
diff --git a/lib/chef/knife/ssl_check.rb b/lib/chef/knife/ssl_check.rb
index e98469d5aa..f2d368ff39 100644
--- a/lib/chef/knife/ssl_check.rb
+++ b/lib/chef/knife/ssl_check.rb
@@ -106,6 +106,22 @@ class Chef
end
end
+ def verify_X509
+ cert_debug_msg = ""
+ trusted_certificates.each do |cert_name|
+ message = check_X509_certificate(cert_name)
+ unless message.nil?
+ cert_debug_msg << File.expand_path(cert_name) + ": " + message + "\n"
+ end
+ end
+
+ unless cert_debug_msg.empty?
+ debug_invalid_X509(cert_debug_msg)
+ end
+
+ true # Maybe the bad certs won't hurt...
+ end
+
def verify_cert
ui.msg("Connecting to host #{host}:#{port}")
verify_peer_socket.connect
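Review bot: `verify_X509` can never fail — it ends with a bare `true` no matter what `check_X509_certificate` reported, so its position in the `verify_X509 && verify_cert && verify_cert_host` chain in `run` (later in this diff) never short-circuits and reads as though invalid trusted certs abort the check. If warn-only is the intent, state it where the value is returned, e.g. `true # invalid trusted certs only warn; they never fail the check`, or return `cert_debug_msg.empty?` and let `run` decide. Two points of style: the method names this commit adds (`verify_X509`, `debug_invalid_X509`, `check_X509_certificate`) are not snake_case, unlike `verify_cert`, `debug_invalid_cert` and the other methods in the file, and the message line could use interpolation, `cert_debug_msg << "#{File.expand_path(cert_name)}: #{message}\n"`, which also reads better than the `+` chain.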
@@ -127,6 +143,35 @@ class Chef
false
end
+ def debug_invalid_X509(cert_debug_msg)
+ ui.msg("\n#{ui.color("Configuration Info:", :bold)}\n\n")
+ debug_ssl_settings
+ debug_chef_ssl_config
+
+ ui.warn(<<-BAD_CERTS)
+There are invalid certificates in your trusted_certs_dir.
+OpenSSL will not use the following certificates when verifying SSL connections:
+
+#{cert_debug_msg}
+
+#{ui.color("TO FIX THESE WARNINGS:", :bold)}
+
+We are working on documentation for resolving common issues uncovered here.
+
+* If the certificate is generated by the server, you may try redownloading the
+server's certificate. By default, the certificate is stored in the following
+location on the host where your chef-server runs:
+
+ /var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt
+
+Copy that file to your trusted_certs_dir (currently: #{configuration.trusted_certs_dir})
+using SSH/SCP or some other secure method, then re-run this command to confirm
+that the server's certificate is now trusted.
+
+BAD_CERTS
+ # @TODO: ^ needs URL once documentation is posted.
+ end
+
def debug_invalid_cert
noverify_socket.connect
issuer_info = noverify_socket.peer_cert.issuer
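Review bot: The "TO FIX THESE WARNINGS" section of this heredoc — the redownload steps, the `/var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt` path and the copy-to-`trusted_certs_dir` instructions — duplicates the text `debug_invalid_cert` already prints, as the next hunk's context lines show; that hunk fixes a typo in one copy, which is the maintenance cost duplicated advice carries. Move that section into one private helper that returns the heredoc and interpolate it into both warnings, so the documentation URL promised by the `# @TODO` comment is added in one place. The `# @TODO` comment would also be easier to find above the `ui.warn` call than after the heredoc terminator. `debug_invalid_cert` begins on the last context lines of this hunk and continues outside it.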
@@ -148,7 +193,7 @@ where your chef-server runs:
/var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt
-Copy that file to you trusted_certs_dir (currently: #{configuration.trusted_certs_dir})
+Copy that file to your trusted_certs_dir (currently: #{configuration.trusted_certs_dir})
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.
@@ -197,17 +242,36 @@ ADVICE
def run
validate_uri
- if verify_cert && verify_cert_host
+ if verify_X509 && verify_cert && verify_cert_host
ui.msg "Successfully verified certificates from `#{host}'"
else
exit 1
end
end
+ private
+ def trusted_certificates
+ if configuration.trusted_certs_dir && Dir.exist?(configuration.trusted_certs_dir)
+ Dir.glob(File.join(configuration.trusted_certs_dir, "*.{crt,pem}"))
+ else
+ []
+ end
+ end
+
+ def check_X509_certificate(cert_file)
+ store = OpenSSL::X509::Store.new
+ cert = OpenSSL::X509::Certificate.new(IO.read(File.expand_path(cert_file)))
+ begin
+ store.add_cert(cert)
+ # test if the store can verify the cert we just added
+ unless store.verify(cert) # true if verified, false if not
+ return store.error_string
+ end
+ rescue OpenSSL::X509::StoreError => e
+ return e.message
+ end
+ return nil
+ end
end
end
end
-
-
-
-
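Review bot: In `check_X509_certificate` the parse, `cert = OpenSSL::X509::Certificate.new(IO.read(File.expand_path(cert_file)))`, sits before the `begin`, so a file in trusted_certs_dir matching `*.{crt,pem}` that is not a parseable certificate raises `OpenSSL::X509::CertificateError` and aborts the command instead of being listed in the warning; the rescue only covers `add_cert` and `verify`. Move that line inside the `begin` and widen the rescue to `rescue OpenSSL::X509::CertificateError, OpenSSL::X509::StoreError => e`, which reuses the existing return-the-message path. Minor style: the `private` marker directly after `run`'s `end` lacks the blank line used between definitions elsewhere in this diff, and the trailing `return nil` can be a plain `nil`.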