When using vagrant and chef as provisioner, I've got this warning:
[web] Chef 11.12.2 Omnibus package is already installed.
[web] Running provisioner: chef_solo...
Generating chef JSON and uploading...
Running chef-solo...
stdin: is not a tty
[2014-04-10T14:48:46+00:00] INFO: Forking chef instance to converge...
[2014-04-10T14:48:46+00:00] WARN:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests is disabled. HTTPS connections are still
encrypted, but chef is not able to detect forged replies or man in the middle
attacks.
To fix this issue add an entry like this to your configuration file:
```
# Verify all HTTPS connections (recommended)
ssl_verify_mode :verify_peer
# OR, Verify only connections to chef-server
verify_api_cert true
```
To check your SSL configuration, or troubleshoot errors, you can use the
`knife ssl check` command like so:
```
knife ssl check -c /tmp/vagrant-chef-1/solo.rb
```
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
It would be nice to know what kind of settings Chef requires in the Vagrantfile to fix this issue.
This warning was introduced in Chef 11.12.0. See the release notes for details:

When `ssl_verify_mode` is set to `:verify_none`, Chef will print a warning. Use `knife ssl check` to test SSL connectivity and then add `ssl_verify_mode :verify_peer` to your configuration file to fix the warning. Though `:verify_none` is currently the default, this will be changed in a future release, so users are encouraged to be proactive in testing and updating their SSL configuration.
To fix this warning in Vagrant, you have to amend the `solo.rb` config file it creates in the VM. With Vagrant you can use the `custom_config_path` option for that.

You can thus amend your Vagrantfile like this:
```
Vagrant.configure("2") do |config|
  config.vm.provision "chef_solo" do |chef|
    # the next line is added
    chef.custom_config_path = "Vagrantfile.chef"
  end
end
```
This makes Vagrant include the contents of the local file `Vagrantfile.chef` into the generated `solo.rb`; the file thus needs to be present on your host system, not the VM.

Then, create a new file `Vagrantfile.chef` in the directory where you also keep your Vagrantfile, with the following content:
```
Chef::Config.ssl_verify_mode = :verify_peer
```
The next run of `vagrant provision` should no longer print the warning.
I had this issue when working with test-kitchen.

If that is also the case for you, note that this value can also be directly configured inside `.kitchen.yml`.

If your standard provisioner block looks like:
```
provisioner:
  name: chef_solo
```
you can just add the `solo_rb` key with the `ssl_verify_mode` option:
```
provisioner:
  name: chef_solo
  solo_rb:
    ssl_verify_mode: verify_peer
```
and the generated `solo.rb` will have this option set.
I know the original question was about Vagrant, but for people using the `knife-solo` gem and encountering this error, just add the following line to `.chef/knife.rb`:
```
ssl_verify_mode :verify_peer
```
The `knife-solo` gem will take that value and put it into the `solo.rb` file that gets uploaded onto the server, which is the main configuration file passed to `chef-solo`.
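What the setting changes at the TLS layer, as an added example that is not part of the original question or answers and is not Chef's own code: it runs in-process handshakes with the Ruby OpenSSL verify modes that `:verify_none` and `:verify_peer` are named after. The host name `chef.example.test`, both certificates and the helper names are constructed for the illustration.

```ruby
require "openssl"
require "socket"

# Constructed throwaway self-signed certificate; not any real server's.
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# One in-process TLS handshake over a socket pair. Returns :accepted or
# :rejected as seen by the client; `trusted` fills the client's CA store.
def handshake(key, cert, verify_mode, trusted: [])
  client_io, server_io = UNIXSocket.pair
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.key, sctx.cert = key, cert
  server = Thread.new do
    OpenSSL::SSL::SSLSocket.new(server_io, sctx).accept rescue nil
  end
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = verify_mode
  cctx.cert_store = OpenSSL::X509::Store.new # starts empty, no system CAs
  trusted.each { |c| cctx.cert_store.add_cert(c) }
  OpenSSL::SSL::SSLSocket.new(client_io, cctx).connect
  :accepted
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  client_io&.close
  server&.join(2)
  server_io&.close
end

# Same server name, two different keys: the pinned one and an impostor.
def demo
  real = self_signed("chef.example.test")
  fake = self_signed("chef.example.test")
  modes = { verify_none: OpenSSL::SSL::VERIFY_NONE, verify_peer: OpenSSL::SSL::VERIFY_PEER }
  modes.transform_values do |mode|
    { genuine: handshake(*real, mode, trusted: [real[1]]),
      impostor: handshake(*fake, mode, trusted: [real[1]]) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

With `VERIFY_NONE` the client completes the encrypted handshake with the impostor exactly as it does with the genuine server; only `VERIFY_PEER` with the expected trust anchor distinguishes the two.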