Unable to bootstrap with windows-winrm over ssl #315

Closed
echandradhas opened this issue Nov 4, 2015 · 5 comments

Comments

@echandradhas

I am trying to bootstrap a Windows node with WinRM over SSL and it gives me a bare error. Any clues? I did the following steps before bootstrapping to configure SSL, and they seemed to work. Is this a known issue?

knife windows cert generate --cert-passphrase "test" --hostname "servername.domainname.local" --output-file "server_cert.pfx"
Generated Certificates:

  • server_cert.pfx - PKCS12 format key pair. Contains public and private keys, can be used with an SSL server.
  • server_cert.b64 - Base64 encoded PKCS12 key pair. Contains public and private keys, used by some cloud provider API's to configure SSL servers.
  • server_cert.pem - Base64 encoded public certificate only. Required by the client to connect to the server.
    Certificate Thumbprint: d05CdasdadadadadaCFC6

c:\Chef\devops>knife windows cert install "server_cert.pfx" --cert-passphrase "test"
Adding certificate to the Windows Certificate Store...
Certificate added to Certificate Store

c:\Chef\devops>knife windows listener create --cert-passphrase "test" --hostname "servername.domainname.local" --cert-thumbprint "d05CdasdadadadadaCFC6"
WinRM listener created with Port: 5986 and CertificateThumbprint: d05CdasdadadadadaCFC6

c:\Chef\devops>knife bootstrap windows winrm -t ssl servername.domainname.local -x "admin" -P "adminpass" -f "server_cert.pfx"

It gives me the following error:
ERROR: OpenSSL::X509::StoreError:

@mwrock (Member)

mwrock commented Nov 4, 2015

That is a terrible error message, which should be fixed. I think the problem is that you need to use the .pem file and not the .pfx file in your bootstrap command.

@echandradhas (Author)

My issue is fixed and I am leaving some closing notes for other Chef users.

  1. I had to use the .pem file in the bootstrap command instead of the .pfx. You can skip the proxy server option if it is not relevant.
     knife bootstrap windows winrm -t ssl admin-PC.local -x "admin" -P "adminpass" -f admin-PC.pem --bootstrap-version 12.3.0 --bootstrap-proxy http://itsmy.proxyserver.com:1234 --winrm-ssl-verify-mode 'verify_peer'
  2. Imported the .pfx that gets generated by the knife windows cert generate command into the certificate store on the node to be bootstrapped.
  3. Created a listener manually on the node to be bootstrapped using the command:
     winrm create winrm/config/Listener?Address=*+Transport=HTTPS "@{Hostname="admin-PC.local";CertificateThumbprint="<THUMBPRINT>"}"

Thanks mwrock for the help!
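The closing notes above are a three-step node-side setup (import the PFX, create the HTTPS listener, then bootstrap with the .pem and verify_peer). The script below is an added example, not code from the issue author or from the knife-windows project, showing the same node-side steps in PowerShell run as an administrator on the node. The PFX path, passphrase and hostname are placeholders; it assumes Windows 8 / Server 2012 or later for Import-PfxCertificate and the NetSecurity cmdlets. It goes one step beyond the notes: after creating the listener it opens a TLS connection to port 5986 and checks that the certificate actually presented is the one just imported, which is what knife's verify_peer mode will compare against the .pem from the workstation.

```powershell
# Added example: run ON THE NODE to be bootstrapped, in an elevated PowerShell.
# Placeholders: PFX path, passphrase and hostname. The hostname must match the
# subject used with `knife windows cert generate`, or verify_peer will reject it.
param(
    [string]$PfxPath    = 'C:\Chef\server_cert.pfx',
    [string]$Passphrase = 'test',
    [string]$Hostname   = 'servername.domainname.local'
)
$ErrorActionPreference = 'Stop'

# 1. Import the PKCS#12 key pair into the machine store the WinRM service reads.
$secure = ConvertTo-SecureString -String $Passphrase -AsPlainText -Force
$cert   = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $secure
$thumb  = $cert.Thumbprint
if (-not $cert.HasPrivateKey)     { throw 'Imported certificate has no private key; WinRM cannot use it.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# 2. Replace any existing HTTPS listener with one bound to this certificate
#    (equivalent to the `winrm create winrm/config/Listener?...+Transport=HTTPS` command).
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { Remove-Item -Path "WSMan:\localhost\Listener\$($_.Name)" -Recurse }
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $Hostname -CertificateThumbPrint $thumb -Force | Out-Null

# 3. The quickconfig firewall rule only covers 5985; open 5986 explicitly.
if (-not (Get-NetFirewallRule -DisplayName 'WinRM HTTPS' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WinRM HTTPS' -Direction Inbound -Protocol TCP `
        -LocalPort 5986 -Action Allow | Out-Null
}

# 4a. Verify the listener configuration references the imported thumbprint.
$bound = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    ForEach-Object { (Get-ChildItem "WSMan:\localhost\Listener\$($_.Name)" |
                      Where-Object Name -eq 'CertificateThumbprint').Value }
if ($bound -ne $thumb) { throw "Listener is bound to thumbprint '$bound', expected '$thumb'." }

# 4b. Verify the service really presents that certificate on the wire. The callback
#     accepts any chain on purpose: the cert is self-signed, and we pin on the
#     thumbprint ourselves instead of trusting the local store.
$tcp      = New-Object System.Net.Sockets.TcpClient('localhost', 5986)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl      = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($Hostname)
$presented = $ssl.RemoteCertificate.GetCertHashString()
$ssl.Dispose(); $tcp.Dispose()
if ($presented -ne $thumb) { throw "Port 5986 presents thumbprint '$presented', expected '$thumb'." }

"HTTPS listener ready on ${Hostname}:5986 with certificate thumbprint $thumb"
```

With this in place the workstation side is just the knife command from step 1, pointed at the .pem (the public certificate only); the .pfx never needs to leave the node once it is imported.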

@mwrock mwrock reopened this Nov 6, 2015
@mwrock (Member)

mwrock commented Nov 6, 2015

I'm reopening just to make sure we get a better error message when passing in a .pfx and to clean up the readme around the SSL setup.

@mwrock (Member)

mwrock commented Nov 7, 2015

See #316 to address some of the ambiguity around where commands should be run and which file to use with the bootstrap command. I have also added an issue (WinRb/WinRM#156) to the WinRM gem about better error messages when the wrong certificate format is used.

I think this addresses most of the issues @echandradhas had bootstrapping her node not to mention possibly many others who have not filed issues.

Working with @echandradhas offline to resolve her issue, we hit a couple of other snags, such as errors when the NIC connection type of the node is set to Public. I don't think that topic is specifically related to this gem, but it would be great to have a Chef walk-through tutorial on SSL setup that we could reference here. (cc @tpetchel)

Also note: I wrote a blog post covering a lot of the typical hangups related to WinRM/SSL setup, but it's not incredibly Chef specific. I also need to add the connection type nuances.

@mwrock (Member)

mwrock commented Nov 8, 2015

One final note here: I just blogged about changing the internet connection type to get around errors when trying to enable WinRM, and updated my WinRM troubleshooting post to reference it.
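The connection-type snag mentioned in the last two comments is that `winrm quickconfig` (and `Enable-PSRemoting`, which calls it) refuses to add its firewall exception while any network connection profile on the node is Public. The script below is an added example, not from the issue or the knife-windows project, run as an administrator on the node. By default it keeps Public profiles as they are and uses `Enable-PSRemoting -SkipNetworkProfileCheck`, which on Public profiles creates a firewall rule limited to the local subnet; switching the profile to Private, the approach the blog post describes, is available behind a switch because Private also re-enables other inbound rules (discovery, file sharing) that a hardened host may not want. It assumes Windows 8 / Server 2012 or later, where both the NetConnectionProfile cmdlets and -SkipNetworkProfileCheck exist.

```powershell
# Added example: run ON THE NODE in an elevated PowerShell before enabling WinRM.
# -SwitchToPrivate reproduces the "change the connection type" fix; without it the
# script leaves Public profiles alone and tells Enable-PSRemoting to tolerate them.
param(
    [switch]$SwitchToPrivate
)
$ErrorActionPreference = 'Stop'

# Domain-joined adapters report DomainAuthenticated and never trigger the error;
# only Public profiles do.
$public = @(Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public')

if ($public.Count -eq 0) {
    Write-Host 'No Public connection profiles; winrm quickconfig will not complain.'
}
elseif ($SwitchToPrivate) {
    foreach ($p in $public) {
        Write-Host "Switching '$($p.InterfaceAlias)' (network '$($p.Name)') from Public to Private"
        Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Private
    }
}
else {
    $names = ($public | ForEach-Object InterfaceAlias) -join ', '
    Write-Host "Public profiles found ($names); leaving them Public and skipping the profile check."
}

# Enable-PSRemoting runs quickconfig: starts WinRM, creates the HTTP listener and
# the firewall rule. -SkipNetworkProfileCheck is what avoids the Public-profile error
# when the profiles were not changed.
if ($SwitchToPrivate) { Enable-PSRemoting -Force }
else                  { Enable-PSRemoting -Force -SkipNetworkProfileCheck }

# Show the result. Only an HTTP listener exists at this point; the HTTPS listener
# for the knife -t ssl bootstrap still has to be created with the certificate.
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory
winrm enumerate winrm/config/listener
```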

@mwrock mwrock closed this as completed in 753074c Nov 10, 2015
mwrock added a commit that referenced this issue Nov 10, 2015
fixes #315 and adds a little clarity to the certificate related command instructions