chef-solo ssl warning when provisioning

Question

When using vagrant and chef as provisioner, I've got this warning:

[web] Chef 11.12.2 Omnibus package is already installed.
[web] Running provisioner: chef_solo...
Generating chef JSON and uploading...
Running chef-solo...
stdin: is not a tty
[2014-04-10T14:48:46+00:00] INFO: Forking chef instance to converge...
[2014-04-10T14:48:46+00:00] WARN:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SSL validation of HTTPS requests is disabled. HTTPS connections are still
encrypted, but chef is not able to detect forged replies or man in the middle
attacks.

To fix this issue add an entry like this to your configuration file:

```
  # Verify all HTTPS connections (recommended)
  ssl_verify_mode :verify_peer

  # OR, Verify only connections to chef-server
  verify_api_cert true
```

To check your SSL configuration, or troubleshoot errors, you can use the
`knife ssl check` command like so:

```
  knife ssl check -c /tmp/vagrant-chef-1/solo.rb
```

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Would be nice to know what kind of settings does chef requires in Vagrantfile to fix this issue.

Answer 1

This warning was introduced in Chef 11.12.0. See the release notes for details:

When ssl_verify_mode is set to :verify_none, Chef will print a warning. Use knife ssl check to test SSL connectivity and then add ssl_verify_mode :verify_peer to your configuration file to fix the warning. Though :verify_none is currently the default, this will be changed in a future release, so users are encouraged to be proactive in testing and updating their SSL configuration.

To fix this warning in Vagrant, you have to amend the solo.rb config file it creates in the VM. With Vagrant you can use the custom_config_path option for that.

You can thus amend your Vagrantfile like this:

Vagrant.configure("2") do |config|
  config.vm.provision "chef_solo" do |chef|
    # the next line is added
    chef.custom_config_path = "Vagrantfile.chef"
  end
end

This makes Vagrant include the contents of the local file Vagrantfile.chef into the generated solo.rb, the file thus needs to be present on your host system, not the VM.

Then, create a new file Vagrantfile.chef in the directory where you also keep your Vagrantfile with the following content:

Chef::Config.ssl_verify_mode = :verify_peer

The next run of vagrant provision should no longer print the warning.

Answer 2

I had this issue when working with test-kitchen.

If that is also the case for you, note that this value can also be directly configured inside .kitchen.yml.

If your standard provisioner block looks like:

provisioner:
  name: chef_solo

you can just add the solo_rb key with the ssl_verify_mode option:

provisioner:
  name: chef_solo
  solo_rb:
    ssl_verify_mode: verify_peer

and the generated solo.rb will have this option set.

Answer 3

I know the original question was about Vagrant, but for people using the knife-solo gem and encountering this error, just add the following line to .chef/knife.rb:

ssl_verify_mode :verify_peer

The knife-solo gem will take that value and put it into the solo.rb file that gets uploaded onto the server, which is the main configuration file passed to chef-solo.