chef-solo ssl warning when provisioning

chef-infra vagrant chef-solo
holms picture holms · Apr 10, 2014 · Viewed 9.2k times · Source

When using vagrant and chef as provisioner, I've got this warning:

[web] Chef 11.12.2 Omnibus package is already installed.
[web] Running provisioner: chef_solo...
Generating chef JSON and uploading...
Running chef-solo...
stdin: is not a tty
[2014-04-10T14:48:46+00:00] INFO: Forking chef instance to converge...
[2014-04-10T14:48:46+00:00] WARN:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests is disabled. HTTPS connections are still
encrypted, but chef is not able to detect forged replies or man in the middle
attacks.

To fix this issue add an entry like this to your configuration file:

```
  # Verify all HTTPS connections (recommended)
  ssl_verify_mode :verify_peer

  # OR, Verify only connections to chef-server
  verify_api_cert true
```

To check your SSL configuration, or troubleshoot errors, you can use the
`knife ssl check` command like so:

```
  knife ssl check -c /tmp/vagrant-chef-1/solo.rb
```

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Would be nice to know what kind of settings does chef requires in Vagrantfile to fix this issue.

Answer

Holger Just picture Holger Just · Apr 10, 2014

This warning was introduced in Chef 11.12.0. See the release notes for details:

When ssl_verify_mode is set to :verify_none, Chef will print a warning. Use knife ssl check to test SSL connectivity and then add ssl_verify_mode :verify_peer to your configuration file to fix the warning. Though :verify_none is currently the default, this will be changed in a future release, so users are encouraged to be proactive in testing and updating their SSL configuration.

To fix this warning in Vagrant, you have to amend the solo.rb config file it creates in the VM. With Vagrant you can use the custom_config_path option for that.

You can thus amend your Vagrantfile like this:

Vagrant.configure("2") do |config|
  config.vm.provision "chef_solo" do |chef|
    # the next line is added
    chef.custom_config_path = "Vagrantfile.chef"
  end
end

This makes Vagrant include the contents of the local file Vagrantfile.chef into the generated solo.rb, the file thus needs to be present on your host system, not the VM.

Then, create a new file Vagrantfile.chef in the directory where you also keep your Vagrantfile with the following content:

Chef::Config.ssl_verify_mode = :verify_peer

The next run of vagrant provision should no longer print the warning.

Related questions

Chef correct way to load new rpm and install package

I am trying to install the latest version of php on a centos box and am struggling. The cookbook i have been looking at is the opscode one: https://github.com/opscode-cookbooks/php It doesnt look like i can install …

Read More
How can I get Chef to run apt-get update before running other recipes

Right now I have the following in my Vagrantfile: config.vm.provision :chef_solo do |chef| chef.cookbooks_path = "cookbooks" chef.add_recipe "apt" chef.add_recipe "build-essential" chef.add_recipe "chef-redis::source" chef.add_recipe "openssl" chef.add_recipe "…

Read More
How can I display the output of a Opscode Chef bash command in my console?

I use Vagrant to spawn a standard "precise32" box and provision it with Chef so I can test my Node.js code on Linux when I work on a Windows machine. This works fine. I also have this bash command …

Read More