Troubleshooting self enrollment

Resolve SSL/TLS connection issues

If you see the error message "Could not create SSL/TLS secure channel" during self enrollment, the Windows node is sending the request using a different version of TLS than the FQDN supports. This usually happens when the FQDN requires TLS version 1.2 or greater, but the node is using a lower version.

To resolve this issue, follow this step:

  • Set the TLS version to 1.2 or 1.3 for the current terminal session:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls13
    

This change only applies to the active session, so run all related commands in the same terminal window.

Fix invalid FQDN format

If you see the error message "invalid FQDN format found in application key config file" while enrolling a node through self enrollment, the FQDN in your configuration is set without a port, for example https://chef360.example.com. The CLI expects the FQDN to include a port number.

The following scripts add the appropriate port number (443 or 80 based on the protocol) to the FQDN in the intermediate status file.

Linux nodes

To fix the invalid FQDN format issue on Linux nodes, select the script that matches your scenario and run it as a root user.

These scripts update the FQDN value in the status file to include the port number and run the node enrollment command again.

  • Cohort defined in shell script, 360 Platform authenticates with self-signed certificate
    ######
    # Troubleshooting script to manually configure port and re-run Chef 360 Platform node enrollment
    # using cohort ID with self-signed certificates.
    #
    # Before running this script, replace the following placeholders:
    # - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server
    #   Example: https://chef360.example.com
    # - <COHORT_ID>: The UUID of the cohort for node enrollment
    ######
    
    export SERVER="<SERVER_FQDN>"
    export Filename="/opt/chef-360/chef-node-enrollment-cli/node-enrollment-details.yml"
    if [[ "$SERVER" == https* ]]; then
      sed -i "s|$SERVER|$SERVER:443|g" "$Filename"
    else
      sed -i "s|$SERVER|$SERVER:80|g" "$Filename"
    fi
    export COHORT_ID="<COHORT_ID>"
    echo "Running: node enrollment"
    chef-node-enrollment-cli enroll-node --cohortId "$COHORT_ID" --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt --insecure
    

    Replace the following:

    • <SERVER_FQDN> with the fully qualified domain name of your Chef 360 Platform Server. For example, https://chef360.example.com.
    • <COHORT_ID> with the ID of the cohort that you’re enrolling the node into.
  • Cohort defined in shell script, 360 Platform uses HTTP or authenticates with public certificate
    ######
    # Troubleshooting script to manually configure port and re-run Chef 360 Platform node enrollment
    # using cohort ID with public certificates or authentication disabled.
    #
    # Before running this script, replace the following placeholders:
    # - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server
    #   Example: https://chef360.example.com
    # - <COHORT_ID>: The UUID of the cohort for node enrollment
    ######
    
    export SERVER="<SERVER_FQDN>"
    export Filename="/opt/chef-360/chef-node-enrollment-cli/node-enrollment-details.yml"
    if [[ "$SERVER" == https* ]]; then
      sed -i "s|$SERVER|$SERVER:443|g" "$Filename"
    else
      sed -i "s|$SERVER|$SERVER:80|g" "$Filename"
    fi
    export COHORT_ID="<COHORT_ID>"
    echo "Running: node enrollment"
    chef-node-enrollment-cli enroll-node --cohortId "$COHORT_ID" --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
    

    Replace the following:

    • <SERVER_FQDN> with the fully qualified domain name of your Chef 360 Platform Server. For example, https://chef360.example.com.
    • <COHORT_ID> with the ID of the cohort that you’re enrolling the node into.
  • Cohort defined by application key, 360 Platform authenticates with self-signed certificate
    ######
    # Troubleshooting script to manually configure port and re-run Chef 360 Platform node enrollment
    # using application key authentication with self-signed certificates.
    #
    # Before running this script, replace the following placeholder:
    # - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server
    #   Example: https://chef360.example.com
    ######
    
    export SERVER="<SERVER_FQDN>"
    export Filename="/opt/chef-360/chef-node-enrollment-cli/node-enrollment-details.yml"
    if [[ "$SERVER" == https* ]]; then
      sed -i "s|$SERVER|$SERVER:443|g" "$Filename"
    else
      sed -i "s|$SERVER|$SERVER:80|g" "$Filename"
    fi
    echo "Running: node enrollment"
    chef-node-enrollment-cli enroll-node --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt --insecure
    

    Replace <SERVER_FQDN> with the fully qualified domain name of your Chef 360 Platform Server. For example, https://chef360.example.com.

  • Cohort defined by application key, 360 Platform uses HTTP or authenticates with public certificate
    ######
    # Troubleshooting script to manually configure port and re-run Chef 360 Platform node enrollment
    # using application key authentication with public certificates or authentication disabled.
    #
    # Before running this script, replace the following placeholder:
    # - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server
    #   Example: https://chef360.example.com
    #
    ######
    
    export SERVER="<SERVER_FQDN>"
    export Filename="/opt/chef-360/chef-node-enrollment-cli/node-enrollment-details.yml"
    if [[ "$SERVER" == https* ]]; then
      sed -i "s|$SERVER|$SERVER:443|g" "$Filename"
    else
      sed -i "s|$SERVER|$SERVER:80|g" "$Filename"
    fi
    echo "Running: node enrollment"
    chef-node-enrollment-cli enroll-node --sign-config-file /opt/chef-360/chef-node-enrollment-cli/chef-node-enrollment-cli.txt
    

    Replace <SERVER_FQDN> with the fully qualified domain name of your Chef 360 Platform Server. For example, https://chef360.example.com.
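
An idempotent variant of the port fix, as an added example that is not one of Chef's scripts: it matches the FQDN literally (in the sed commands above, each unescaped . in the host name acts as a regex wildcard) and skips values that already carry a port, so a second run does not append :443 again. The function names and the sample file contents are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Chef's script: literal-match, idempotent port fix.

# add_default_port FILE SERVER
# Appends :443 (https) or :80 (http) to SERVER inside FILE, but only where
# SERVER is not already followed by a port or by more host-name characters.
add_default_port() {
  local file="$1" server="${2%/}" port escaped
  case "$server" in
    https://*) port=443 ;;
    http://*)  port=80 ;;
    *) echo "add_default_port: expected an http:// or https:// URL" >&2; return 2 ;;
  esac
  [ -f "$file" ] || { echo "add_default_port: $file not found" >&2; return 1; }

  # Escape ERE metacharacters and the '#' delimiter so the URL matches
  # literally (unescaped, each '.' in the host name matches any character).
  escaped=$(printf '%s' "$server" | sed -e 's/[][\\.*^$+?(){}|#]/\\&/g')

  # Group 2 is whatever follows the URL: end of line, or a character that is
  # neither ':' (port already set) nor part of a longer host name.
  sed -i -E "s#(${escaped})([^:[:alnum:].-]|\$)#\\1:${port}\\2#g" "$file"
}

# Demo on a constructed file; the keys are placeholders, not the real layout
# of node-enrollment-details.yml.
demo_add_default_port() {
  local tmp
  tmp=$(mktemp)
  printf '%s\n' \
    'fqdn: https://chef360.example.com' \
    'quoted: "https://chef360.example.com/"' \
    'custom: https://chef360.example.com:8443' \
    'lookalike: https://chef360xexample.com' > "$tmp"
  add_default_port "$tmp" "https://chef360.example.com"
  add_default_port "$tmp" "https://chef360.example.com"  # second run changes nothing
  cat "$tmp"
  rm -f "$tmp"
}

demo_add_default_port
```

Run the enrollment command from the matching script above after the file has been updated.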

Windows nodes

To fix the invalid FQDN format issue on Windows nodes, select the script that matches your scenario and run it in PowerShell with administrator privileges.

These scripts update the FQDN value in the status file to include the port number and run the node enrollment command again.

  • Cohort defined in PowerShell script, 360 Platform authenticates with self-signed certificate
    <#
    .SYNOPSIS
        Troubleshooting script to manually configure port and re-run Chef 360 Platform node enrollment using cohort ID with self-signed certificates.
    
    .NOTES
        Before running this script, replace the following placeholders:
        - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server
          Example: https://chef360.example.com
        - <COHORT_ID>: The UUID of the cohort for node enrollment
    #>
    
    $SERVER="<SERVER_FQDN>"
    $Filename="C:\Users\Administrator\chef-360\chef-node-enrollment-cli\node-enrollment-details.yml"
    if ($SERVER -like "https*") {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":443") | Set-Content $Filename
    } else {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":80") | Set-Content $Filename
    }
    # Set CohortId
    $COHORT_ID="<COHORT_ID>"
    Write-Host "Running: node enrollment"
    chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" --insecure
    

    Replace the following:

    • <SERVER_FQDN> with the fully qualified domain name of your Chef 360 Platform Server. For example, https://chef360.example.com.
    • <COHORT_ID> with the ID of the cohort that you’re enrolling the node into.
  • Cohort defined in PowerShell script, 360 Platform uses HTTP or authenticates with public certificate
    <#
    .SYNOPSIS
        Troubleshooting script to manually configure port and re-run Chef 360 Platform node enrollment using cohort ID with public certificates.
    
    .NOTES
        Before running this script, replace the following placeholders:
        - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server
          Example: https://chef360.example.com
        - <COHORT_ID>: The UUID of the cohort for node enrollment
    #>
    
    $SERVER="<SERVER_FQDN>"
    $Filename="C:\Users\Administrator\chef-360\chef-node-enrollment-cli\node-enrollment-details.yml"
    if ($SERVER -like "https*") {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":443") | Set-Content $Filename
    } else {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":80") | Set-Content $Filename
    }
    # Set CohortId
    $COHORT_ID="<COHORT_ID>"
    Write-Host "Running: node enrollment"
    chef-node-enrollment-cli enroll-node --cohortId $COHORT_ID --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"
    

    Replace the following:

    • <SERVER_FQDN> with the fully qualified domain name of your Chef 360 Platform Server. For example, https://chef360.example.com.
    • <COHORT_ID> with the ID of the cohort that you’re enrolling the node into.
  • Cohort defined by application key, 360 Platform authenticates with self-signed certificate
    <#
    .SYNOPSIS
        Troubleshooting script to manually configure port and re-run Chef 360 Platform node enrollment using application key authentication with self-signed certificates.
    
    .NOTES
        Before running this script, replace the following placeholder:
        - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server
          Example: https://chef360.example.com
    #>
    
    $SERVER="<SERVER_FQDN>"
    $Filename="C:\Users\Administrator\chef-360\chef-node-enrollment-cli\node-enrollment-details.yml"
    if ($SERVER -like "https*") {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":443") | Set-Content $Filename
    } else {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":80") | Set-Content $Filename
    }
    Write-Host "Running: node enrollment"
    chef-node-enrollment-cli enroll-node --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt" --insecure
    

    Replace <SERVER_FQDN> with the fully qualified domain name of your Chef 360 Platform Server. For example, https://chef360.example.com.

  • Cohort defined by application key, 360 Platform uses HTTP or authenticates with public certificate
    <#
    .SYNOPSIS
        Troubleshooting script to manually configure port and re-run Chef 360 Platform node enrollment using application key authentication.
    
    .NOTES
        Before running this script, replace the following placeholder:
        - <SERVER_FQDN>: The fully qualified domain name of your Chef 360 Platform Server
          Example: https://chef360.example.com
    #>
    
    $SERVER="<SERVER_FQDN>"
    $Filename="C:\Users\Administrator\chef-360\chef-node-enrollment-cli\node-enrollment-details.yml"
    if ($SERVER -like "https*") {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":443") | Set-Content $Filename
    } else {
        (Get-Content $Filename) -replace ([regex]::Escape($SERVER)), ($SERVER + ":80") | Set-Content $Filename
    }
    Write-Host "Running: node enrollment"
    chef-node-enrollment-cli enroll-node --sign-config-file "C:\Users\Administrator\chef-360\chef-node-enrollment-cli\chef-node-enrollment-cli.txt"
    

    Replace <SERVER_FQDN> with the fully qualified domain name of your Chef 360 Platform Server. For example, https://chef360.example.com.
