
Chef cert being stored in the Windows OS cert store issue.

Open snohio opened this issue 2 years ago • 1 comments

Version:

23.2.1028

Environment:

Windows 10 / 11

Scenario:

Pushing a policy to the

Steps to Reproduce:

1. Install Chef Workstation on 23.2.1028 on a Windows 11 system.
2. Push a policyfile to the Chef Infra server with a command like `chef push dev .\base.lock.json`.
3. Do not run Chef from a PowerShell session with Administrator elevated privileges.

Expected Result:

To not get a warning that "Hive and values not present in registry".
To not get an error about Access is Denied on Win32::Registry::Error.

Actual Result:

PS C:\Users\butler\repos\snohio\policyfiles> chef push dev .\base.lock.json
[2023-02-14T09:27:54-05:00] WARN: Authentication Hive and values not present in registry, creating them now
Error: Failed to upload policy to policy group dev
Reason: (Win32::Registry::Error) Access is denied.

And if running with Admin privileges:

PS C:\Users\butler\repos\snohio\policyfiles> chef push dev .\base.lock.json
[2023-02-14T09:59:42-05:00] WARN: Authentication Hive and values not present in registry, creating them now
Uploading policy base_win_choco (c83e387e32) to policy group dev
Using    chef-client         1.4.1  (977e300d)
Using    chef_client_updater 3.12.3 (4a3c5a1d)

snohio, Feb 14 '23 15:02

Sounds like chef-cli is sharing a library or something with chef-client or knife where it's looking at the Windows OS cert store for the user's login pem cert. This is the new behaviour in chef-client 18 for nodes. Since the user isn't running an administrator shell, they are denied access, but it works when they do run it in an administrator shell.

Logic may need to be updated to look at the config[client_key] first and if undefined then try to find it in the OS cert store.

This may be related to this PR https://github.com/chef/chef/pull/13552 which references:

- Reference Bug - https://chefio.atlassian.net/browse/INFC-407
- Reference Bug - https://github.com/chef/chef/issues/13402#issuecomment-1401633050
- Related discussion - https://github.com/chef/chef/pull/13407

Stromweld, Feb 14 '23 15:02
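
The lookup order suggested in the comment above (config[client_key] first, the OS cert store only if it is undefined), as an added example that is not chef-cli's or Chef's own code. `resolve_client_key`, `FakeOsCertStore` and `AccessDenied` are hypothetical names, the store is a stand-in that denies non-elevated callers as in the report, and treating a configured but unreadable key path as an error instead of falling back is an assumption of this example.

```ruby
require "tempfile"

class AccessDenied < StandardError; end

# Hypothetical stand-in for the OS cert store lookup; denies non-elevated
# callers, like the "(Win32::Registry::Error) Access is denied." in the report.
class FakeOsCertStore
  def initialize(elevated:, pem: nil)
    @elevated = elevated
    @pem = pem
  end

  def fetch_client_key
    raise AccessDenied, "Access is denied." unless @elevated
    @pem
  end
end

# Hypothetical resolver: a configured client_key file wins and the store is
# never touched; the store is consulted only when client_key is undefined.
# A configured but unreadable path raises instead of silently switching to
# a different credential. Returns [source, pem].
def resolve_client_key(config, store)
  path = config[:client_key]
  unless path.nil? || path.to_s.empty?
    unless File.file?(path) && File.readable?(path)
      raise ArgumentError, "client_key #{path} is not readable"
    end
    return [:config_file, File.read(path)]
  end
  pem = store.fetch_client_key
  raise KeyError, "no client key in config or OS store" if pem.nil?
  [:os_store, pem]
end

if __FILE__ == $PROGRAM_NAME
  Tempfile.create(["user", ".pem"]) do |f|
    f.write("CONSTRUCTED-PEM-PLACEHOLDER") # constructed sample, not a real key
    f.flush
    locked = FakeOsCertStore.new(elevated: false) # non-admin shell
    p resolve_client_key({ client_key: f.path }, locked).first
    begin
      resolve_client_key({}, locked) # no client_key: store is consulted
    rescue AccessDenied => e
      puts "client_key undefined, store lookup failed: #{e.message}"
    end
  end
end
```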