
knife-vsphere with SSL (knife ssl) help!

Open ghost opened this issue 4 years ago • 1 comments

I have used the knife ssl_fetch command to import the certificates into Chef and the ssl_check command returns:

Connecting to host :443 Successfully verified certificates from `'

Nice. Now, has anyone had any success with using knife-vsphere with SSL?

E.g. when I run a vsphere vm list command with vsinsecure true, the command works (over port 80?) but does not work without vsinsecure true (port 443).

i.e. knife vsphere vm list --recursive --vsuser username --vspass passwordhere --vsdc MYDC --vshost --vsinsecure true

works

knife vsphere vm list --recursive --vsuser username --vspass passwordhere --vsdc MYDC --vshost <my-ip

returns this error:

ERROR: Could not establish a secure connection to the server. Use knife ssl check to troubleshoot your SSL configuration. If your server uses a self-signed certificate, you can use knife ssl fetch to make knife trust the server's certificates.

Original Exception: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

the ssl_check command returns:

Connecting to host :443 Successfully verified certificates from `'

Is this feature working and how is it used?

ghost avatar Dec 17 '19 03:12 ghost

Hi, there are two certificates/services at play here: The Chef API and the vSphere API. The --vsinsecure flag tells the knife-vsphere plugin to ignore certificate validation when talking to the vSphere API even though it continues to use SSL/TLS. The knife ssl check and knife ssl fetch commands only manage the Chef API certificate.

What you're seeing is that without the flag, we're unable to validate the certificate coming back from vSphere against your machine's root certs. The --vsinsecure flag ignores this transgression. If you want to validate the certificate, then vSphere (not Chef) needs a cert that can be validated by your workstation.

Sean

swalberg avatar Dec 17 '19 12:12 swalberg
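To show the two outcomes Sean describes, here is an added example (not knife-vsphere's, rbvmomi's or Chef's own code): a throwaway private CA and a vCenter-style server certificate are constructed in memory, the server cert is verified first against an empty trust store and then against one containing the CA, and a client SSLContext is built either with peer verification or with verification switched off, which is how the reply describes `--vsinsecure` behaving (that mapping, the CA name and the host name are assumptions).

```ruby
require 'openssl'

# Issue a certificate. With issuer nil the cert is self-signed (a root CA).
# Every key and certificate here is constructed in memory for the demo.
def issue_cert(subject, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Validate a server certificate the way a VERIFY_PEER client does: against the
# workstation's trust store. Returns [verified?, OpenSSL's reason string], so an
# empty store yields the same "unable to get local issuer certificate" seen above.
def verify_server_cert(server_cert, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  [store.verify(server_cert), store.error_string]
end

# Client context: verify the peer against the given CAs, or (assumed mapping of
# the --vsinsecure behaviour described in the reply) keep TLS but skip validation.
def client_ssl_context(trusted_cas, insecure: false)
  ctx = OpenSSL::SSL::SSLContext.new
  if insecure
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  else
    ctx.cert_store = OpenSSL::X509::Store.new
    trusted_cas.each { |ca| ctx.cert_store.add_cert(ca) }
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  end
  ctx
end

# Constructed sample PKI: a private root CA and a vCenter server cert it signed.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = issue_cert('/CN=Example Private Root CA', CA_KEY, 1, ca: true)
VCENTER_KEY = OpenSSL::PKey::RSA.new(2048)
VCENTER_CERT = issue_cert('/CN=vcenter.example.internal', VCENTER_KEY, 2,
                          issuer: CA_CERT, issuer_key: CA_KEY)
```

The second call to `verify_server_cert` is the state to aim for: the vSphere certificate's issuing CA is trusted by the workstation, so the plugin can validate the peer without `--vsinsecure`.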