“unable to get local issuer certificate” in chef when using knife bootstrap with windows domain auth


I have a working installation of open source chef and am trying to add domain authentication to bootstrap Windows servers.

I've created the HTTPS listener as described in the knife windows documentation. I used the domain certificate for this node for the hex value.

When I try to run the following command:

knife bootstrap windows winrm #myip# -r 'role[#myrole#]' -x #MYDOMAIN#\\#myuser# -P '#mypass#' -p 5986 -VV

I get the following error:

Waiting for remote response before bootstrap.
DEBUG: Adding #myip#
DEBUG: :session => :init
DEBUG: :relay_to_servers => echo . & echo Response received.
DEBUG: :relayed => #myip#
DEBUG: #myip# => :run_command
at depth 1 - 20: unable to get local issuer certificate

Since the domain certificate that I used for the hex value was a Rackspace issued certificate, I figured that perhaps it was not registered as trusted on the chef server or chef workstation. I've added the certificates to /usr/local/share/ca-certificates/ and ran sudo update-ca-certificates on both the chef server and workstation. I've also added the certificates in .pem format to /opt/chef-server/embedded/ssl/certs and /etc/chef/trusted_certs on the chef server and `/opt/chef/embedded/ssl/certs` on the chef workstation.

Either my assessment of the issue was incorrect or I haven't reconfigured the certs correctly – either way, I'm lost.

Best Answer

As per Chef support, I needed to use port 5985 for both the listener and the chef bootstrap command making the command:

knife bootstrap windows winrm #myip# -r 'role[#myrole#]' -x #MYDOMAIN#\\#myuser# -P '#mypass#' -p 5985

Then I needed to install the new (pre-release) gem of winrm-s via:

gem install winrm-s --pre
gem uninstall winrm-s --version '= 0.2.0'

Then I needed to install the newest pre-release of knife-windows via opscode github.

Once all of that was complete I was able to bootstrap Windows servers from any Windows Chef workstation via domain authentication.
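For readers diagnosing the original error rather than changing ports, the following added example (not part of the question or the answer) reproduces "unable to get local issuer certificate" with OpenSSL on a constructed chain and shows how the reported depth changes with what is trusted and what is presented. The file names and subject names are invented, and it assumes OpenSSL 1.1.0 or later for the `-no-CAfile` and `-no-CApath` options.

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> leaf chain. All names and
# paths are invented for this example.

new_csr() {  # $1 = dir, $2 = file stem, $3 = subject CN
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_chain() {  # $1 = existing empty directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_csr "$d" root 'Constructed Root'
    new_csr "$d" int 'Constructed Intermediate'
    new_csr "$d" leaf 'winrm.example.test'
    # Self-signed root, intermediate signed by root, leaf signed by intermediate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 1 -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -extfile "$d/ca.ext" -days 1 -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Verify leaf.pem with the system trust store disabled, so the result depends
# only on the options passed in. $1 = dir, remaining args go to openssl verify.
verify_leaf() {
    vd=$1; shift
    openssl verify -no-CApath "$@" "$vd/leaf.pem" 2>&1
}

demo() {
    t=$(mktemp -d) && make_chain "$t" || return 1
    echo '--- intermediate presented, root not trusted (the error in the question):'
    verify_leaf "$t" -no-CAfile -untrusted "$t/int.pem"
    echo '--- root trusted, but intermediate not presented:'
    verify_leaf "$t" -CAfile "$t/root.pem"
    echo '--- root trusted and intermediate presented:'
    verify_leaf "$t" -CAfile "$t/root.pem" -untrusted "$t/int.pem"
    rm -rf "$t"
}

demo
```

The depth in the message identifies the certificate whose issuer could not be found: depth 1 means the intermediate was presented but its issuing root is absent from the trust store the client actually consulted, while depth 0 means the leaf's own issuer was never presented or trusted.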
