Skip to content

Commit

Permalink
Add documenation for SSL warnings
Browse files Browse the repository at this point in the history
  • Loading branch information
danielsdeleo committed Mar 24, 2014
1 parent ed0dc00 commit f7bad25
Show file tree
Hide file tree
Showing 2 changed files with 43 additions and 0 deletions.
34 changes: 34 additions & 0 deletions DOC_CHANGES.md
Original file line number Diff line number Diff line change
Expand Up @@ -82,3 +82,37 @@ http://docs.opscode.com/dsl_recipe_method_platform_family.html
The weekday attribute now accepts the weekday as a symbol, e.g. :monday or :thursday.

The new time attribute takes special time values specified by cron as a symbol, such as :reboot or :monthly.

### SSL Verification Warnings

Chef 11.12 emits verbose warnings when configured to not verify SSL
certificates. Though not verifying certificates is currently the default
setting, this is unsecure and a future release of Chef will change the
default setting so that SSL certificates are verified.

Users are encouraged to resolve these warnings by adding the following
to their configuration files (client.rb or solo.rb):

`ssl_verify_mode :verify_peer`

This setting will check that the certificate presented by HTTPS servers
is signed by a trusted authority. By default, the on-premises Enterprise
Chef and Open Source Chef server use a self-signed certificate that
chef-client will not be able to verify, which will result in SSL errors
when connecting to the server. To check SSL connectivity with the
server, users can use the `knife ssl check` command. If the server is
configured to use an untrusted self-signed certificate, users can
configure chef-client to trust the remote server by copying the server's
certificate to the `trusted_certs_dir`. The `knife ssl fetch` command
can be used to automate this process; however, `knife` is not able to
determine whether certificates downloaded with `knife ssl fetch` have
been tampered with during the download, so users should verify the
authenticity of any certificates downloaded this way.

If a user absolutely cannot enable certificate verification and wishes
to suppress SSL warnings, they can use HTTP instead of HTTPS as a
workaround. This is highly discouraged. If some behavior of Chef
prevents a user from enabling SSL certificate verification, they are
encouraged to file a bug report.


9 changes: 9 additions & 0 deletions RELEASE_NOTES.md
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,15 @@ knife cannot verify that the certificates haven't been tampered with, so
you should verify their content after downloading.


#### Unsecure SSL Verification Mode Now Triggers a Warning

When `ssl_verify_mode` is set to `:verify_none`, Chef will print a
warning. Use `knife ssl check` to test SSL connectivity and then add
`ssl_verify_mode :verify_peer` to your configuration file to fix the
warning. Though `:verify_none` is currently the default, this will be
changed in a future release, so users are encouraged to be proactive in
testing and updating their SSL configuration.

#### Chef Solo Missing Dependency Warning ([CHEF-4367](https://tickets.opscode.com/browse/CHEF-4367))

Chef 11.0 introduced ordered evaluation of non-recipe files in
Expand Down

0 comments on commit f7bad25

Please sign in to comment.