Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chef-run does not warn when Automate cert is untrusted #79

Open
ericcalabretta opened this issue Nov 20, 2018 · 3 comments
Open

chef-run does not warn when Automate cert is untrusted #79

ericcalabretta opened this issue Nov 20, 2018 · 3 comments
Labels
Aspect: Integration Works correctly with other projects or systems. Aspect: Security Can an unwanted third party affect the stability or look at privileged information? Triage: Confirmed Indicates and issue has been confirmed as described. Type: Bug Does not work as expected.

Comments

@ericcalabretta
Copy link

ericcalabretta commented Nov 20, 2018
edited by tyler-ball
Loading

Description

If the chef-workstation node does not trust the certificate of Chef Automate, the chef-run command will successfully run but will not send the report to Automate. It will not warn or provide an indicator to user regarding the untrusted cert. Results will not be sent to Automate. No indicator is sent to the command output, the default.log or the stack-trace.log.

Example command output:

Chef-run ssh://vagrant:vagrant@centos package ntp
[✔] Packaging cookbook... done!
[✔] Generating local policyfile... exporting... done!
[✔] Applying package[ntp] from resource to target.
└── [✔] [centos] Successfully converged package[ntp].

example config.toml

[data_collector]
url="https://automate/data-collector/v0/"
token="12345678910"

Something should be sent to the user to inform them the chef-run succeeded but the report was not sent to Automate because the certificate is not trusted. It'd also be helpful if instructions on how to use knife ssl fetch would be provided.

Chef Workstation Version

Chef Workstation: 0.2.29

Platform Version

macOS 10.14.1
@robbkidd
Copy link
Contributor

Thanks for reporting, @ericcalabretta. I'm going to move this issue over to chef-run's repo.

@robbkidd robbkidd transferred this issue from chef/chef-workstation May 15, 2019
@tyler-ball tyler-ball added Aspect: Correctness Aspect: Integration Works correctly with other projects or systems. Aspect: Security Can an unwanted third party affect the stability or look at privileged information? Triage: Confirmed Indicates and issue has been confirmed as described. Type: Bug Does not work as expected. labels Sep 9, 2019
@tyler-ball
Copy link
Contributor

I'm pretty sure we hard coded this behavior for the initial release because we were getting too many chef-client failures from self-signed Automate certs. I agree - we need to re-address this is a better way.

Maybe chef-run looks up the cert for the Automate server, asks the user whether to trust it, saves it locally and then copies it to the trusted cert directory for remote nodes?

@ericcalabretta
Copy link
Author

@tyler-ball That'd be good behavior, similar to the experience you get with knife. If the cert is untrusted it'll give you the commands required to trust with the appropriate warnings.

We could also have chef-run look in the standard chef trusted folders too. Depending on the user personas that may not help, but it's what you'd expect as an existing chef user. You'd expect all our tools to use the same settings/certs/env vars when possible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Aspect: Integration Works correctly with other projects or systems. Aspect: Security Can an unwanted third party affect the stability or look at privileged information? Triage: Confirmed Indicates and issue has been confirmed as described. Type: Bug Does not work as expected.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@robbkidd @tyler-ball @ericcalabretta