Support for connecting to winrm over ssl

components/chef-workstation/i18n/en.yml

@@ -57,6 +57,13 @@ commands:
                             the name of the user you wanted to create.
       root_description: "Whether to use root permissions on the target. Defaults to true."
       identity_file: "SSH identity file to use when connecting."
+      ssl:
+        desc: "Use SSL for WinRM. Current default: %1"
+        verify_desc: |
+          Verify peer certificate when using SSL for WinRM
+          Use --ssl-no-verify when using SSL for WinRM and
+          the remote host is using a self-signed certificate.
+          Current default: %1
       status:
         verifying: Verifying Chef client installation.
         converging: Converging %1...
@@ -210,6 +217,20 @@ errors:
 
     Please verify the host name or address is correct and that the host is
     reachable before trying again.
+
+  # Maps to: SSL::SSLError with message text indicating verification failure
+  CHEFNET002: |
+    SSL host verification failed.
+
+    I could not verify the identity of the remote host.
+
+    If you are certain that you are connecting to the correct host,
+    you can specify the '--no-ssl-verify' option for this command, or
+    make it the default by setting the following in your configuration:
+
+      [connection.winrm]
+      ssl_verify=false
+
   footer:
     both: |
       If you are not able to resolve this issue, please contact Chef support

components/chef-workstation/lib/chef-workstation/command/target/converge.rb

@@ -21,12 +21,15 @@
 require "chef-workstation/action/install_chef"
 require "chef-workstation/action/converge_target"
 require "chef-workstation/ui/terminal"
+require "chef-workstation/log"
+require "chef-workstation/config"
 
 module ChefWorkstation
   module Command
     class Target
       class Converge < ChefWorkstation::Command::Base
-        T = Text.commands.target.converge
+        T = ChefWorkstation::Text.commands.target.converge
+        Config = ChefWorkstation::Config
 
         option :root,
           :long => "--[no-]root",
@@ -45,15 +48,31 @@ class Converge < ChefWorkstation::Command::Base
             path
           end)
 
+        option :ssl,
+          :long => "--[no-]ssl",
+          :short => "-s",
+          :description => T.ssl.desc(Config.connection.winrm.ssl),
+          :boolean => true,
+          :default => Config.connection.winrm.ssl
+
+        option :ssl_verify,
+          :long => "--[no-]ssl-verify",
+          :short => "-s",
+          :description => T.ssl.verify_desc(Config.connection.winrm.ssl_verify),
+          :boolean => true,
+          :default => Config.connection.winrm.ssl_verify
+
         def run(params)
           validate_params(cli_arguments)
           # TODO: option: --no-install
           target = cli_arguments.shift
           resource = cli_arguments.shift
           resource_name = cli_arguments.shift
+
           attributes = format_attributes(cli_arguments)
 
-          conn = connect(target, { sudo: config[:root], key_file: config[:identity_file] })
+          conn = connect(target, config)
+
           UI::Terminal.spinner(T.status.verifying, prefix: "[#{conn.config[:host]}]") do |r|
             Action::InstallChef.instance_for_target(conn, reporter: r).run
           end
@@ -113,7 +132,6 @@ def transform_attribute_value(value)
             value
           end
         end
-
       end
     end
   end

components/chef-workstation/lib/chef-workstation/config.rb

@@ -26,6 +26,14 @@ class Config
     config_context :cache do
       default(:path, File.join(WS_BASE_PATH, "cache"))
     end
+
+    config_context :connection do
+      config_context :winrm do
+        default(:ssl, false)
+        default(:ssl_verify, true)
+      end
+    end
+
     config_context :dev do
       default(:spinner, "TTY::Spinner")
     end

components/chef-workstation/lib/chef-workstation/error.rb

@@ -59,6 +59,12 @@ def self.unwrap_exception(wrapper)
       show_log = true
       show_stack = true
       case wrapper.contained_exception
+      when OpenSSL::SSL::SSLError
+        if wrapper.contained_exception.message =~ /SSL.*verify failed.*/
+          id = "CHEFNET002"
+          show_log = false
+          show_stack = false
+        end
       when SocketError then id = "CHEFNET001"; show_log = false; show_stack = false
       end
       if id.nil?

components/chef-workstation/lib/chef-workstation/remote_connection.rb

@@ -28,11 +28,16 @@ def self.make_connection(target, opts = {})
 
   def initialize(host_url, opts = {}, logger = nil)
     target_url = maybe_add_default_scheme(host_url)
-    conn_opts = { sudo: opts.has_key?(:sudo) ? opts[:sudo] : false,
-                  target: target_url,
-                  key_files: opts[:key_file],
-                  logger: ChefWorkstation::Log }
-    @config = Train.target_config(conn_opts)
+    cfg = { target: target_url,
+            sudo: opts.has_key?(:root) ? opts[:root] : true,
+            key_files: opts[:identity_file],
+            logger: ChefWorkstation::Log }
+    if opts.has_key? :ssl
+      cfg[:ssl] = opts[:ssl]
+      cfg[:self_signed] = opts[:ssl_verify] == false ? true : false
+    end
+
+    @config = Train.target_config(cfg)
     @type = Train.validate_backend(@config)
     @train_connection = Train.create(@type, config)
   end

components/chef-workstation/lib/chef-workstation/ui/error_printer.rb

@@ -46,8 +46,8 @@ def self.write_backtrace(e, args)
       formatter.add_backtrace_header(out, args)
       formatter.add_formatted_backtrace(out)
       formatter.save_backtrace(out)
-    rescue => e
-      dump_unexpected_error(e)
+    rescue => ex
+      dump_unexpected_error(ex)
     end
 
     # Use this to dump an an exception to output. useful