When do I have to renew an SSL certificate in Chef?
Problem
In the annual process of renewing SSL certificates, I have a list of infrastructure that needs updating.
This usually included Chef. This is followed by an arduous and painful process of getting every node to re-fetch the self-signed chef-server certificate regenerated from the renewed certificate. I always assumed Chef would simply break if I didn't renew my certificate.
This time I looked a bit closer and noticed the self-signed certificate that chef-server actively uses (specifically the nginx component) doesn't expire for another ten years.
Which leaves me wondering:
- Is it unnecessary to update the SSL certificate for chef?
- Will chef break and halt all deploys, chef-client runs, and bootstraps if I let the annual certificate expire?
What I know:
- I'm using chef server 13.0.17 on Ubuntu Linux 18.04
- chef uses a self-signed certificate that is distributed to all nodes that are bootstrapped. This is based off of your cert in /etc/ssl/private and generated to /var/opt/opscode/nginx/ca -- this is done by chef-server-ctl reconfigure
- cat | openssl x509 -noout -enddate reports the expiration date as ~10 years from now
- When the chef server's certificate is updated, every node must fetch the certificate through knife ssl fetch. I've never had a good way of automating this
- configuration is explained here, but I couldn't find any information on expiry: https://docs.chef.io/server/server_security/ and https://docs.chef.io/chef_client_security/
What I don't know
- Does the functionality of chef actually depend on the expiration date of the cert in /var/opt/opscode/nginx/ca -- making the update to this years certificate unnecessary?
- Do I simply need to regenerate the certificate when the chef self-signed certificate expires? Seems like this would make it an incredibly rare event.
It logically follows that I shouldn't actually have to update the certificate, but I've never encountered something like this and it feels quite odd.
I'm asking he
Solution
You only need to renew this certificate when it expires unless you configured the clients to ignore ssl verification with ssl_verify_mode :verify_none in client.rb.
chef-server-ctl reconfigure should take care of generating a new self-signed certificate if you don't use a specific certificate signed by an internal or external Authority.
ssl_verify_mode
Set the verify mode for HTTPS requests. Use :verify_none for no validation of SSL certificates. Use :verify_peer for validation of all SSL certificates, including the Chef Infra Server connections, S3 connections, and any HTTPS remote_file resource URLs used in Chef Infra Client runs. This is the recommended setting. Depending on how OpenSSL is configured, the ssl_ca_path may need to be specified. Default value: :verify_peer.
Related about certificates I've made this Q/A as well: How do I include my internal CA certificate to validate SSL exchanges in Chef?
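As an added example (not code from the question, the answer or Chef itself): a Ruby script that reads the server's self-signed certificate from the nginx ca directory named above, reports how many days it has left, and checks whether the copy a node holds in its trusted_certs directory still matches it, so a stale node that needs a fresh knife ssl fetch is spotted before a chef-client run fails on verification. The two directory paths, the certificate file glob and the 30-day warning threshold are assumptions; the self-signed certificate builder only produces constructed test data.

```ruby
require 'openssl'

# Assumed paths: the server-side cert dir from the question and the default
# trusted_certs dir that Chef Infra Client uses on a node.
SERVER_CERT_DIR   = '/var/opt/opscode/nginx/ca'
TRUSTED_CERTS_DIR = '/etc/chef/trusted_certs'

# Days left before a PEM certificate expires (negative once it has expired).
def days_until_expiry(pem, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  ((cert.not_after - now) / 86_400).floor
end

# SHA-256 fingerprint of the DER form; identical certs give identical values.
def fingerprint(pem)
  OpenSSL::Digest::SHA256.hexdigest(OpenSSL::X509::Certificate.new(pem).to_der)
end

# :stale    -> the node holds a different cert and needs a fresh knife ssl fetch
# :expiring -> certs match but the server cert expires within warn_days
# :match    -> nothing to do
def trusted_copy_status(server_pem, node_pem, warn_days: 30, now: Time.now)
  return :stale unless fingerprint(server_pem) == fingerprint(node_pem)
  return :expiring if days_until_expiry(server_pem, now: now) < warn_days
  :match
end

# Constructed test data: a throwaway self-signed cert, shaped like the one
# chef-server-ctl reconfigure generates for nginx (the key is never persisted).
def self_signed_cert(cn, days, not_before: Time.now)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_before + days * 86_400
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert.to_pem
end

# Run where both directories exist (e.g. on the Chef server, which is also a node).
if $PROGRAM_NAME == __FILE__ && Dir.exist?(SERVER_CERT_DIR) && Dir.exist?(TRUSTED_CERTS_DIR)
  server = File.read(Dir[File.join(SERVER_CERT_DIR, '*.crt')].first)
  node   = File.read(Dir[File.join(TRUSTED_CERTS_DIR, '*.crt')].first)
  puts "server cert expires in #{days_until_expiry(server)} days"
  puts "trusted copy on this node: #{trusted_copy_status(server, node)}"
end
```

On a node that only holds the trusted_certs copy, point SERVER_CERT_DIR at a copy of the server's .crt pulled over from the server, or compare fingerprints from the two hosts by hand.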
StackExchange DevOps Q#15270, answer score: 1