Chef 12 Server trusted_certs

Chef 12… where do I get the trusted cert from?

Doug

On Friday, January 23, 2015 at 10:52 AM, Douglas Garstang wrote:

Chef 12... where do I get the trusted cert from?

Doug
Trusted certs are a feature added in Chef 11 to make it easier to enable the ‘verify_peer’ setting for SSL validation. Just to be clear, trusted certs have nothing to do with the Chef Server’s authentication/authorization mechanisms, they’re only used by chef-client/knife when connecting to the server using SSL/TLS. Part of the SSL/TLS process is checking whether the server is trustworthy by checking that the certificate provided by the server is signed by a trusted root certificate. If you buy a cert from Verisign (or any of the other CAs) and install it on your Chef Server, everything will work out of the box because the Chef packages include all the usual root certificates.

Most folks running their own server, however, are using a self-signed cert generated by the server (during the initial install/reconfigure step). Since the certificate is only signed by itself, chef-client/knife can’t verify the authenticity of the server without additional configuration. The typical mechanism for doing this is to regenerate the root CA bundle with your self-signed cert included, but that’s a bit of a pain, which is where the trusted certs feature comes in. Instead of rebuilding the cert bundle, you can simply copy the certificate you want chef/knife to trust to your trusted certs directory and (as long as the host name, etc. match) chef/knife will accept the certificate when doing the SSL/TLS parts of connecting to your Chef Server. Knife includes a knife ssl fetch command which can automatically download the certificate from the server and install it to the trusted certs directory.

In practice this is basically like if you connect to a site with an unknown cert in your browser and click the “trust this cert for this server from now on” button. The one risk is if you’ve already been MITM’d, then you’re going to trust the MITM’s certificate, so for maximum safety, you should double check that the cert has the content you expect.
Joshua has written up the steps to do all that here: http://jtimberman.housepub.org/blog/2014/12/11/chef-12-fix-untrusted-self-sign-certs/

Also note that knife ssl check is a debugging tool to help you diagnose SSL connection problems, but again, it only deals with the actual transport layer connection to the Chef Server, so it doesn’t care at all about anything at the application layer (like HTTP 401 responses and such).

HTH,

--
Daniel DeLeo
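As an added illustration of what the reply above describes (this is example code written for this thread, not Chef's or knife's own implementation), the Ruby script below does in miniature what chef-client and knife do with a trusted_certs directory: it builds an OpenSSL certificate store from every .crt/.pem file in that directory, verifies a server certificate against it, and checks the hostname. It also shows the "double check the cert" step from the reply by refusing to install a fetched certificate unless its SHA-256 fingerprint matches one you obtained out of band (for instance by running openssl x509 -noout -fingerprint -sha256 on the server itself). The self-signed certificate and the hostname chef.example.internal are constructed here for the demo; real knife and chef-client read their trust directory from the trusted_certs_dir setting (by default ~/.chef/trusted_certs and /etc/chef/trusted_certs).

```ruby
require 'openssl'
require 'tmpdir'

# Constructed sample: a self-signed certificate of the kind the Chef Server
# generates for itself during install/reconfigure. Hostname is hypothetical.
def make_self_signed_cert(hostname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = cert.subject            # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint` prints,
# so it can be compared with a value read off the server console.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).scan(/../).join(':').upcase
end

# The "trust this cert" step, with the safety check from the reply: only write the
# PEM into trusted_certs when its fingerprint matches the expected value.
# Returns the installed path, or nil when the fingerprint does not match.
def install_if_fingerprint_matches(trusted_dir, cert, name, expected_fp)
  return nil unless fingerprint(cert).casecmp?(expected_fp.strip)
  path = File.join(trusted_dir, "#{name}.crt")
  File.write(path, cert.to_pem)
  path
end

# What verify_peer amounts to: bundled roots plus everything in trusted_certs
# form the store; the server cert must chain to it AND match the hostname.
def server_trusted?(trusted_dir, server_cert, hostname)
  store = OpenSSL::X509::Store.new
  store.set_default_paths                      # the usual public CA roots
  Dir.glob(File.join(trusted_dir, '*.{crt,pem}')).each do |f|
    store.add_cert(OpenSSL::X509::Certificate.new(File.read(f)))
  end
  store.verify(server_cert) && OpenSSL::SSL.verify_certificate_identity(server_cert, hostname)
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |trusted_dir|
    host = 'chef.example.internal'             # hypothetical server name
    server_cert = make_self_signed_cert(host)
    puts "trusted before install: #{server_trusted?(trusted_dir, server_cert, host)}"
    puts "fingerprint: #{fingerprint(server_cert)}"
    install_if_fingerprint_matches(trusted_dir, server_cert, host, fingerprint(server_cert))
    puts "trusted after install:  #{server_trusted?(trusted_dir, server_cert, host)}"
    # A different self-signed cert claiming the same name (what an interposed
    # proxy would present) is still rejected, because it is not in trusted_certs.
    other = make_self_signed_cert(host)
    puts "other cert for same host trusted: #{server_trusted?(trusted_dir, other, host)}"
  end
end
```

The hostname check matters as much as the store: a certificate that is in trusted_certs but issued for a different name is still rejected, which is the "as long as the host name, etc. match" condition in the reply.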