
How do I include my internal CA certificate to validate SSL exchanges in Chef?

Submitted by: @import:stackexchange-devops

Problem

We do use an internal Certificate Authority to create server certificates in my company.

We also have to deal with a transparent proxy doing SSL interception (MITM).

I regularly encounter SSL validation errors due to Chef not knowing the CA certificate, and sometimes it's the tooling around chef itself (berkshelf, knife; even chef client itself when talking to the server for the first time since chef 12 enables SSL by default).

Question is: How do I make Chef aware of my CA certificate to get valid SSL exchanges?

Solution

There are a couple of ways to achieve the result:

- Chef has a trusted_dir to allow adding certificates to the trusted list. The documentation has a lot of details about it. Adding your CA certificate to this directory would solve the problem. knife has it also in a slightly different path, as per its own documentation.

- Chef uses its own CA certificate list in /opt/chef/embedded/ssl/certs/cacert.pem. You can add your CA certificate at the end of this list to trust it.

The second option has the advantage of allowing you to export the environment variable SSL_CERT_FILE pointing to chef's cacert.pem, to allow most of the tools using the openssl library to know your CA certificate.

For the case of a self-signed certificate on the chef server (or another server used as target in a recipe), knife ssl_fetch would allow all knife commands to work.

To add the server certificate to the cacert.pem for case 2 above, you can use the following command:

# For a self signed CA certificate
openssl s_client -showcerts -connect <YOUR_CHEF_SERVER>:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >> /opt/chefdk/embedded/ssl/certs/cacert.pem

# For an internal CA signed certificate:
openssl s_client -showcerts -verify 5 -connect <YOUR_CHEF_SERVER>:443 </dev/null 2>/dev/null | awk '/BEGIN/,/END/{if(/BEGIN/){a++}; certs[a]=(certs[a] "\n" $0)}; END {print certs[a]}' >> /opt/chefdk/embedded/ssl/certs/cacert.pem

export SSL_CERT_FILE=/opt/chefdk/embedded/ssl/certs/cacert.pem


The openssl command is included in chef-dk, so this can be done under Windows also. Change the path to c:\opscode\ instead of /opt/. To export the environment variable use set SSL_CERT_FILE=... (with /P to add it permanently to your environment) in your command.
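The append step above, reworked as an added Python example (not from the original answer, nor Chef's own tooling): it keeps the last certificate of the chain exactly as the awk pipeline does, but refuses to append it unless its SHA-256 fingerprint matches a value you obtained out of band from the CA operator, and it skips a certificate the bundle already holds instead of duplicating it on every run. The sample chain and the pinned fingerprint in the test are constructed placeholders, not real certificates.

```python
from __future__ import annotations
import base64
import hashlib
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)


def split_chain(pem_text: str) -> list[str]:
    """Return the PEM blocks in the order the server presented them (leaf first)."""
    return [m.group(0) for m in PEM_CERT.finditer(pem_text)]


def fingerprint_sha256(pem_block: str) -> str:
    """SHA-256 of the DER bytes, in the AA:BB:... form `openssl x509 -fingerprint -sha256` prints."""
    der = base64.b64decode("".join(PEM_CERT.search(pem_block).group(1).split()))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def merge_ca(bundle_text: str, chain_pem: str, expected_fp: str) -> tuple[str, bool]:
    """Append the chain's last certificate to the bundle text if it is the pinned one.

    The last block is what the awk pipeline keeps; it is the CA only when the server
    actually sends its issuer, so the pin check also catches a truncated chain.
    Returns (new_bundle_text, appended). Raises ValueError on a fingerprint mismatch,
    which is what an intercepting proxy's substitute CA would trigger.
    """
    certs = split_chain(chain_pem)
    if not certs:
        raise ValueError("no certificate in chain")
    ca = certs[-1]
    actual = fingerprint_sha256(ca)
    if actual != expected_fp.upper():
        raise ValueError(f"fingerprint mismatch: got {actual}, expected {expected_fp}")
    if ca in bundle_text:
        return bundle_text, False  # already trusted: a plain `>>` would duplicate it
    sep = "" if not bundle_text or bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + ca + "\n", True


def _pem(der: bytes) -> str:
    """Wrap opaque bytes in a PEM CERTIFICATE block (used only for the sample below)."""
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"


# Constructed sample chain (NOT real certificates): two opaque DER placeholders standing
# in for a leaf and its issuing CA, enough to exercise the parsing and pinning logic.
SAMPLE_CHAIN = _pem(b"leaf-cert-placeholder") + _pem(b"internal-ca-placeholder")
```

Feed it the output of the `openssl s_client -showcerts ... </dev/null 2>/dev/null` command from above as `chain_pem`, and take `expected_fp` from the CA operator rather than from that same connection, otherwise the pin proves nothing.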

Code Snippets

# For a self signed CA certificate
openssl s_client -showcerts -connect <YOUR_CHEF_SERVER>:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >> /opt/chefdk/embedded/ssl/certs/cacert.pem

# For an internal CA signed certificate:
openssl s_client -showcerts -verify 5 -connect <YOUR_CHEF_SERVER>:443 </dev/null 2>/dev/null | awk '/BEGIN/,/END/{if(/BEGIN/){a++}; certs[a]=(certs[a] "\n" $0)}; END {print certs[a]}' >> /opt/chefdk/embedded/ssl/certs/cacert.pem

export SSL_CERT_FILE=/opt/chefdk/embedded/ssl/certs/cacert.pem

Context

StackExchange DevOps Q#19, answer score: 15
