Diffstat (limited to 'lib/chef/knife/ssl_check.rb')
-rw-r--r-- | lib/chef/knife/ssl_check.rb | 76 |
1 files changed, 70 insertions, 6 deletions
diff --git a/lib/chef/knife/ssl_check.rb b/lib/chef/knife/ssl_check.rb
index e98469d5aa..f2d368ff39 100644
--- a/lib/chef/knife/ssl_check.rb
+++ b/lib/chef/knife/ssl_check.rb
@@ -106,6 +106,22 @@ class Chef
 end
 end
 
+ def verify_X509
+ cert_debug_msg = ""
+ trusted_certificates.each do |cert_name|
+ message = check_X509_certificate(cert_name)
+ unless message.nil?
+ cert_debug_msg << File.expand_path(cert_name) + ": " + message + "\n"
+ end
+ end
+
+ unless cert_debug_msg.empty?
+ debug_invalid_X509(cert_debug_msg)
+ end
+
+ true # Maybe the bad certs won't hurt...
+ end
+
 def verify_cert
 ui.msg("Connecting to host #{host}:#{port}")
 verify_peer_socket.connect
@@ -127,6 +143,35 @@ class Chef
 false
 end
 
+ def debug_invalid_X509(cert_debug_msg)
+ ui.msg("\n#{ui.color("Configuration Info:", :bold)}\n\n")
+ debug_ssl_settings
+ debug_chef_ssl_config
+
+ ui.warn(<<-BAD_CERTS)
+There are invalid certificates in your trusted_certs_dir.
+OpenSSL will not use the following certificates when verifying SSL connections:
+
+#{cert_debug_msg}
+
+#{ui.color("TO FIX THESE WARNINGS:", :bold)}
+
+We are working on documentation for resolving common issues uncovered here.
+
+* If the certificate is generated by the server, you may try redownloading the
+server's certificate. By default, the certificate is stored in the following
+location on the host where your chef-server runs:
+
+ /var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt
+
+Copy that file to your trusted_certs_dir (currently: #{configuration.trusted_certs_dir})
+using SSH/SCP or some other secure method, then re-run this command to confirm
+that the server's certificate is now trusted.
+
+BAD_CERTS
+ # @TODO: ^ needs URL once documentation is posted.
+ end
+
 def debug_invalid_cert
 noverify_socket.connect
 issuer_info = noverify_socket.peer_cert.issuer
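Review bot: verify_X509 returns the literal `true` whatever it found, so the `verify_X509 && verify_cert && verify_cert_host` chain in run (the last hunk of this patch) reads as a gate but never is, and a run with unusable trusted certs still prints the success message right after the warning. If warn-only is the intended contract, state it at the return in place of the current comment: `true # never fails: unusable trusted certs are only reported via debug_invalid_X509`. The concatenation on the `cert_debug_msg <<` line reads better as interpolation, `cert_debug_msg << "#{File.expand_path(cert_name)}: #{message}\n"`. Note also that `<<` on the `""` literal would raise if this file carries or later gains a `# frozen_string_literal: true` header; the file header is outside the hunk, so I cannot tell.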
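Review bot: The BAD_CERTS heredoc in debug_invalid_X509 repeats the "By default, the certificate is stored ... Copy that file to your trusted_certs_dir ... now trusted." paragraphs that debug_invalid_cert's ADVICE heredoc already carries (visible as context in the next hunk), and that hunk's typo fix shows the cost: every wording change now has to be made twice. Consider extracting the shared advice into a private method or frozen constant that both heredocs interpolate. The `# @TODO: ^ needs URL` line after the terminator would be easier to find placed inside the method above `ui.warn`, e.g. `# TODO: link the troubleshooting doc once it is published`.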
@@ -148,7 +193,7 @@ where your chef-server runs:
 
 /var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt
 
-Copy that file to you trusted_certs_dir (currently: #{configuration.trusted_certs_dir})
+Copy that file to your trusted_certs_dir (currently: #{configuration.trusted_certs_dir})
 using SSH/SCP or some other secure method, then re-run this command to confirm
 that the server's certificate is now trusted.
 
@@ -197,17 +242,36 @@ ADVICE
 
 def run
 validate_uri
- if verify_cert && verify_cert_host
+ if verify_X509 && verify_cert && verify_cert_host
 ui.msg "Successfully verified certificates from `#{host}'"
 else
 exit 1
 end
 end
 
+ private
+ def trusted_certificates
+ if configuration.trusted_certs_dir && Dir.exist?(configuration.trusted_certs_dir)
+ Dir.glob(File.join(configuration.trusted_certs_dir, "*.{crt,pem}"))
+ else
+ []
+ end
+ end
+
+ def check_X509_certificate(cert_file)
+ store = OpenSSL::X509::Store.new
+ cert = OpenSSL::X509::Certificate.new(IO.read(File.expand_path(cert_file)))
+ begin
+ store.add_cert(cert)
+ # test if the store can verify the cert we just added
+ unless store.verify(cert) # true if verified, false if not
+ return store.error_string
+ end
+ rescue OpenSSL::X509::StoreError => e
+ return e.message
+ end
+ return nil
+ end
 end
 end
 end
-
-
-
-
|
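Review bot: In check_X509_certificate the `cert = OpenSSL::X509::Certificate.new(IO.read(...))` line sits outside the begin/rescue, so a file in trusted_certs_dir that is not parseable PEM/DER raises `OpenSSL::X509::CertificateError` (and an unreadable one an `Errno` error) and aborts `knife ssl check` with a backtrace instead of showing up in the warning list this command is meant to produce. Move that assignment inside the `begin` and widen the handler: `rescue OpenSSL::X509::StoreError, OpenSSL::X509::CertificateError => e`. `File.read` is the idiomatic call for a path; `IO.read` also accepts pipe commands, which the preceding `File.expand_path` makes moot here but which a reader has to stop and check. Separately, `store.verify(cert)` against a store that holds only that one cert presumably succeeds only for self-signed certificates, so a CA-issued cert dropped into trusted_certs_dir may be reported as one "OpenSSL will not use" even though it would still serve as a trust anchor; worth confirming before shipping that wording.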