
When do I have to renew an SSL certificate in Chef?

Submitted by: @import:stackexchange-devops

Problem

In the annual process of renewing SSL certificates, I have a list of infrastructure that needs updating.

This usually includes Chef. This is followed by an arduous and painful process of getting every node to re-fetch the self-signed chef-server certificate regenerated from the renewed certificate. I always assumed Chef would simply break if I didn't renew my certificate.

This time I looked a bit closer and noticed the self-signed certificate that chef-server actively uses (specifically the nginx component) doesn't expire for another ten years.

Which leaves me wondering:

  • Is it unnecessary to update the SSL certificate for Chef?
  • Will Chef break and halt all deploys, chef-client runs, and bootstraps if I let the annual certificate expire?
What I know:

  • I'm using Chef server 13.0.17 on Ubuntu Linux 18.04.
  • Chef uses a self-signed certificate that is distributed to all nodes that are bootstrapped. This is based off of your cert in /etc/ssl/private and generated to /var/opt/opscode/nginx/ca -- this is done by chef-server-ctl reconfigure.
  • cat | openssl x509 -noout -enddate reports the expiration date as ~10 years from now.
  • When the Chef server's certificate is updated, every node must fetch the certificate through knife ssl fetch. I've never had a good way of automating this.
  • Configuration is explained here, but I couldn't find any information on expiry: https://docs.chef.io/server/server_security/ and https://docs.chef.io/chef_client_security/

What I don't know:

  • Does the functionality of Chef actually depend on the expiration date of the cert in /var/opt/opscode/nginx/ca -- making the update to this year's certificate unnecessary?
  • Do I simply need to regenerate the certificate when the Chef self-signed certificate expires? Seems like this would make it an incredibly rare event.

It logically follows that I shouldn't actually have to update the certificate, but I've never encountered something like this and it feels quite odd.

I'm asking he

Solution

You only need to renew this certificate when it expires, unless you configured the clients to ignore SSL verification with ssl_verify_mode :verify_none in client.rb.

A chef-server-ctl reconfigure should take care of generating a new self-signed certificate if you don't use a specific certificate signed by an internal or external authority.

From the Chef documentation for ssl_verify_mode:

    Set the verify mode for HTTPS requests. Use :verify_none for no
    validation of SSL certificates. Use :verify_peer for validation of
    all SSL certificates, including the Chef Infra Server connections, S3
    connections, and any HTTPS remote_file resource URLs used in Chef
    Infra Client runs. This is the recommended setting.

    Depending on how OpenSSL is configured, the ssl_ca_path may need to
    be specified. Default value: :verify_peer.

Related to certificates, I've made this Q/A as well: How do I include my internal CA certificate to validate SSL exchanges in Chef?
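The answer boils the question down to two checks: how long the certificate actually in use under /var/opt/opscode/nginx/ca has left, and whether any client.rb has switched ssl_verify_mode to :verify_none (in which case an expiry would pass unnoticed). The following is an added example, not code from the question or the answer above: it parses the "notAfter=..." line that `openssl x509 -noout -enddate` prints (the command the asker used) and the ssl_verify_mode line of a client.rb, and reports whether renewal is due and whether verification is enabled. The sample enddate string, the sample client.rb text and the fixed "now" timestamp are constructed for the example; the 30-day warning threshold is an assumed policy, not a Chef default.

```python
import re
from datetime import datetime, timezone

# `openssl x509 -noout -enddate` prints one line such as
# "notAfter=Mar  5 12:00:00 2034 GMT" (always GMT, day padded with spaces).
_ENDDATE_RE = re.compile(r"^notAfter=(.+)$")

# Chef documents ssl_verify_mode as :verify_peer or :verify_none,
# defaulting to :verify_peer when the key is absent from client.rb.
_VERIFY_MODE_RE = re.compile(r"^\s*ssl_verify_mode\s+(:verify_peer|:verify_none)\b", re.M)


def parse_not_after(enddate_line):
    """Turn the openssl -enddate output line into a timezone-aware datetime (UTC)."""
    m = _ENDDATE_RE.match(enddate_line.strip())
    if not m:
        raise ValueError("unexpected openssl -enddate output: %r" % enddate_line)
    # strptime treats a run of whitespace in the format as matching any run,
    # so the double space in "Mar  5" is handled; %Z accepts "GMT".
    naive = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def days_until_expiry(enddate_line, now=None):
    """Whole days left before notAfter, relative to `now` (defaults to current UTC time)."""
    now = now or datetime.now(timezone.utc)
    return (parse_not_after(enddate_line) - now).days


def ssl_verify_mode_from_client_rb(client_rb_text):
    """Return the configured ssl_verify_mode, or Chef's documented default :verify_peer."""
    m = _VERIFY_MODE_RE.search(client_rb_text)
    return m.group(1) if m else ":verify_peer"


def audit(enddate_line, client_rb_text, warn_days=30, now=None):
    """Combine both checks into one report a renewal runbook can act on."""
    days = days_until_expiry(enddate_line, now)
    mode = ssl_verify_mode_from_client_rb(client_rb_text)
    return {
        "days_left": days,
        "ssl_verify_mode": mode,
        # Renewal is needed only when the cert in use is close to expiry.
        "renew_soon": days <= warn_days,
        # :verify_none means an expired server cert would never be noticed by clients.
        "verification_disabled": mode == ":verify_none",
    }


if __name__ == "__main__":
    # Constructed inputs standing in for real command output and a real client.rb.
    sample_enddate = "notAfter=Mar  5 12:00:00 2034 GMT"
    sample_client_rb = "log_level :info\nssl_verify_mode :verify_none\n"
    fixed_now = datetime(2024, 3, 5, 12, 0, 0, tzinfo=timezone.utc)
    print(audit(sample_enddate, sample_client_rb, now=fixed_now))
```

On a real server the enddate line comes from `openssl x509 -noout -enddate -in /var/opt/opscode/nginx/ca/<hostname>.crt` and client.rb from the nodes, so the audit can run from the same host that will later run `chef-server-ctl reconfigure`; a node showing verification_disabled is the one case the answer calls out where the server certificate's expiry date does not protect you.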

Context

StackExchange DevOps Q#15270, answer score: 1
