Search code examples
chef-infravagrantchef-solo

chef-solo ssl warning when provisioning

When using vagrant and chef as provisioner, I've got this warning:

[web] Chef 11.12.2 Omnibus package is already installed.
[web] Running provisioner: chef_solo...
Generating chef JSON and uploading...
Running chef-solo...
stdin: is not a tty
[2014-04-10T14:48:46+00:00] INFO: Forking chef instance to converge...
[2014-04-10T14:48:46+00:00] WARN:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests is disabled. HTTPS connections are still
encrypted, but chef is not able to detect forged replies or man in the middle
attacks.

To fix this issue add an entry like this to your configuration file:

```
  # Verify all HTTPS connections (recommended)
  ssl_verify_mode :verify_peer

  # OR, Verify only connections to chef-server
  verify_api_cert true
```

To check your SSL configuration, or troubleshoot errors, you can use the
`knife ssl check` command like so:

```
  knife ssl check -c /tmp/vagrant-chef-1/solo.rb
```

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Would be nice to know what kind of settings does chef requires in Vagrantfile to fix this issue.

Solution

  • This warning was introduced in Chef 11.12.0. See the release notes for details:

    When ssl_verify_mode is set to :verify_none, Chef will print a warning. Use knife ssl check to test SSL connectivity and then add ssl_verify_mode :verify_peer to your configuration file to fix the warning. Though :verify_none is currently the default, this will be changed in a future release, so users are encouraged to be proactive in testing and updating their SSL configuration.

    To fix this warning in Vagrant, you have to amend the solo.rb config file it creates in the VM. With Vagrant you can use the custom_config_path option for that.

    You can thus amend your Vagrantfile like this:

    Vagrant.configure("2") do |config|
  config.vm.provision "chef_solo" do |chef|
    # the next line is added
    chef.custom_config_path = "Vagrantfile.chef"
  end
end

    This makes Vagrant include the contents of the local file Vagrantfile.chef into the generated solo.rb, the file thus needs to be present on your host system, not the VM.

    Then, create a new file Vagrantfile.chef in the directory where you also keep your Vagrantfile with the following content:

    Chef::Config.ssl_verify_mode = :verify_peer

    The next run of vagrant provision should no longer print the warning.