How do I include my internal CA certificate to validate SSL exchanges in Chef?
Problem
We do use an internal Certificate Authority to create server certificates in my company.
We also have to deal with a transparent proxy doing SSL interception (MITM).
I regularly encounter SSL validation errors due to Chef not knowing the CA certificate, and sometimes it's the tooling around chef itself (berkshelf, knife; even chef client itself when talking to the server for the first time since chef 12 enables SSL by default).
Question is: How do I make Chef aware of my CA certificate to get valid SSL exchanges?
Solution
There are a couple of ways to achieve the result:
- Chef has a trusted_dir to allow adding certificates to the trusted list; the documentation has a lot of details about it. Adding your CA certificate to this directory would solve the problem. knife has it also, in a slightly different path, as per its own documentation.
- Chef uses its own CA certificate list in /opt/chef/embedded/ssl/certs/cacert.pem. You can add your CA certificate at the end of this list to trust it.

The second option has the advantage of allowing you to export the environment variable SSL_CERT_FILE pointing to chef's cacert.pem, to allow most of the tools using the openssl library to know your CA certificate.

For the case of a self-signed certificate on the chef server (or another server used as target in a recipe), knife ssl_fetch would allow all knife commands to work.

To add the server certificate to the cacert.pem for case 2 above, you can use the following commands:

# For a self-signed CA certificate (openssl x509 keeps the first certificate printed, i.e. the server's own)
openssl s_client -showcerts -connect <YOUR_CHEF_SERVER>:443 </dev/null 2>/dev/null | openssl x509 -outform PEM >> /opt/chefdk/embedded/ssl/certs/cacert.pem
# For an internal CA signed certificate (the awk keeps only the last certificate the server sent, i.e. the issuing CA):
openssl s_client -showcerts -verify 5 -connect <YOUR_CHEF_SERVER>:443 </dev/null 2>/dev/null | awk '/BEGIN/,/END/{if(/BEGIN/){a++}; certs[a]=(certs[a] "\n" $0)}; END {print certs[a]}' >> /opt/chefdk/embedded/ssl/certs/cacert.pem
export SSL_CERT_FILE=/opt/chefdk/embedded/ssl/certs/cacert.pem

The openssl command is included in chef-dk, so this can be done under Windows also. Change the path to c:\opscode\ instead of /opt/. To export the environment variable use set SSL_CERT_FILE=... (with /P to add it permanently to your environment) in your command.
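As an added illustration (this is not code from the answer, the question, or Chef itself), the Ruby script below builds a throwaway internal CA and a server certificate signed by it, in memory, and then verifies the server certificate against a cacert.pem-style bundle the way Chef's embedded OpenSSL does when SSL_CERT_FILE points at such a file: first with the stock bundle (the failure the question describes), then with only the server's own certificate appended, and finally with the CA selected the way the awk pipeline selects it, i.e. the last certificate of the chain. Ruby is used because chef-client, knife and berkshelf are Ruby programs on top of the same OpenSSL library. The CA name (Example Internal Root CA) and host name (chef.example.internal) are made up for the example.

```ruby
require 'openssl'

# Added example, not the answer's or Chef's own code. The CA and host names below are
# invented; everything is generated in memory so the script runs offline.
def build_cert(subject, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:chef.example.internal'))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY      = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = build_cert('/CN=Example Internal Root CA', CA_KEY, 1, ca: true)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = build_cert('/CN=chef.example.internal', SERVER_KEY, 2,
                         issuer: CA_CERT, issuer_key: CA_KEY)

# What `openssl s_client -showcerts` prints: the server's own certificate first,
# then the rest of the chain the server sent (here just the CA).
SERVER_CHAIN_PEM = SERVER_CERT.to_pem + CA_CERT.to_pem

PEM_CERT = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Same selection as the answer's awk pipeline: keep only the last certificate of
# the chain, which is the issuing CA and the one worth appending to cacert.pem.
def last_cert_of_chain(pem_text)
  OpenSSL::X509::Certificate.new(pem_text.scan(PEM_CERT).last)
end

# Build a trust store from cacert.pem-style text, as the embedded OpenSSL does from
# SSL_CERT_FILE, and verify the server certificate against it.
# Returns [verified?, OpenSSL's error string].
def verify_against_bundle(bundle_pem, server_cert)
  store = OpenSSL::X509::Store.new            # deliberately no system default paths
  bundle_pem.scan(PEM_CERT).each do |pem|
    store.add_cert(OpenSSL::X509::Certificate.new(pem))
  end
  [store.verify(server_cert), store.error_string]
end

# Stand-in for the stock bundle: it does not contain the internal CA.
STOCK_BUNDLE = ''

def demo
  # 1. Stock bundle: the validation failure the question describes.
  stock = verify_against_bundle(STOCK_BUNDLE, SERVER_CERT)
  # 2. Appending only the server's (leaf) certificate does not help when it is CA-signed:
  #    without a trusted self-signed anchor the chain still fails.
  leaf_only = verify_against_bundle(STOCK_BUNDLE + SERVER_CERT.to_pem, SERVER_CERT)
  # 3. Appending the CA (what the awk pipeline appends) makes validation succeed.
  with_ca = verify_against_bundle(STOCK_BUNDLE + last_cert_of_chain(SERVER_CHAIN_PEM).to_pem,
                                  SERVER_CERT)
  { stock: stock, leaf_only: leaf_only, with_ca: with_ca }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (ok, err)| puts "#{name}: #{ok ? 'verified' : "failed (#{err})"}" }
end
```

Run it with ruby and it prints one line per case. The distinction it shows is the practical one behind the two commands in the answer: for a server certificate issued by an internal CA, appending the leaf to cacert.pem does not make the chain validate; the issuing CA must be in the bundle, which is why the awk pipeline keeps the last certificate rather than the first.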
Context
StackExchange DevOps Q#19, answer score: 15