Set SSL_CERT_FILE

FWIW, after an upgrade to aws v2 I ran into
```
Seahorse::Client::Http::Error: SSL_connect returned=1 errno=0 state=SSLv3
read server certificate B: certificate verify failed
```

During a chef-client run on amazon linux and ubuntu, where I managed to
make chef-client (and seahorse) happy again as follows:
- `SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt chef-client` (ubuntu)
- `SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt chef-client` (amazon linux)

See https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/,
https://github.com/opscode-cookbooks/chef-client#attributes for more info.

Author: adriaanm

README.md

@@ -509,8 +509,12 @@ PASS=$(aws ec2 get-password-data --instance-id i-f67c0a35 --priv-launch-key $PWD
 knife winrm jenkins-worker-windows-publish chef-client -m -P $PASS
 ```
 
-- ubuntu:  `ssh jenkins-worker-ubuntu-publish sudo chef-client`
-- amazon linux: `ssh jenkins-worker-behemoth-1`, and then `sudo chef-client`
+- linux
+```
+ssh jenkins-worker-ubuntu-publish
+sudo su --login # --login needed on ubuntu to set SSL_CERT_FILE (it's done in /etc/profile.d)
+chef-client
+```
 
 ### Attach eips
 

metadata.rb

@@ -4,11 +4,13 @@
 license          'All rights reserved'
 description      'Installs/Configures the Scala Jenkins infrastructure'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.1.0'
+version          '0.2.0'
 
 # for chef_vault_item, which allows loading from plain databags when developing with vagrant
 depends 'chef-vault'
 
+depends 'magic_shell'
+
 depends 'chef-client'
 depends 'cron'
 

recipes/_init-chef-client.rb

@@ -0,0 +1,41 @@
+#
+# Cookbook Name:: scala-jenkins-infra
+# Recipe:: _init-chef-client
+#
+# Copyright 2015, Typesafe, Inc.
+#
+# All rights reserved - Do Not Redistribute
+#
+
+# location is platform dependent (ubuntu/amazon/window)
+sslCertFile = ['/etc/ssl/certs/ca-certificates.crt', '/etc/ssl/certs/ca-bundle.crt', 'c:\opscode\chef\embedded\ssl\certs\cacert.pem'].find{|p| File.exist?(p)}
+
+# for good measure, in case magic_shell_environment's modifications don't make it to the shell used by cron...
+if sslCertFile != nil
+ node.set['chef_client']['cron']['environment_variables']="SSL_CERT_FILE=#{sslCertFile}"
+end
+
+# set SSL_CERT_FILE so that ruby's openssl can connect to aws etc... URGH
+# NOTE will need a reboot....
+case node["platform_family"]
+when "windows"
+  env "SSL_CERT_FILE" do
+    value   sslCertFile
+    only_if {sslCertFile != nil}
+  end
+else
+  magic_shell_environment 'SSL_CERT_FILE' do
+    value   sslCertFile
+    only_if {sslCertFile != nil}
+  end
+end
+
+# has no effect!?
+# ruby_block 'Set SSL_CERT_FILE' do
+#   block do
+#     ENV['SSL_CERT_FILE'] = sslCertFile
+#   end
+#   only_if {sslCertFile != nil}
+# end
+
+include_recipe 'chef-client::service'

recipes/master-init.rb

@@ -6,7 +6,7 @@
 #
 # All rights reserved - Do Not Redistribute
 #
-include_recipe 'chef-client::service'
+include_recipe 'scala-jenkins-infra::_init-chef-client'
 
 include_recipe "java"
 

recipes/worker-init.rb

@@ -6,7 +6,7 @@
 #
 # All rights reserved - Do Not Redistribute
 #
-include_recipe 'chef-client::service'  # TODO: it seems chef's not run on boot on windows?
+include_recipe 'scala-jenkins-infra::_init-chef-client'
 
 include_recipe "aws"