Chef Automate SSL Cert info doesn't make it into the nginx config


#1

We were setting up our Chef Automate server to use a trusted cert. We modified our delivery.rb so that we had our nginx attributes set up and then did a reconfigure. Startup logs show that it gets added to the delivery-running.json just fine, but our URL was still using the Chef-provided self-signed cert. After doing a bunch more digging, we were able to find that the /var/opt/delivery/nginx/etc/server.d/.conf file wasn't getting updated. Within that, the "ssl_certificate" and "ssl_certificate_key" were still both the default values. We can modify that config and then do a delivery-ctl stop / start and voila, certs! However, the next reconfigure we run will of course overwrite the corrected values.


#2

Hi Martin,

Thank you for your feedback! You did great by digging into the config to get around this problem. Let me help you a little bit so your config doesn’t change when you run the reconfigure ctl command.

Currently we are aware that the attributes for the certs are not working inside the delivery.rb config file. Our Product Team is prioritizing this work accordingly, but in the meantime this is what you can do:

As you discovered the certificate generated automatically is stored at /var/opt/delivery/nginx/ca/{FQDN}.crt, so instead of modifying the {FQDN}.conf I would recommend you (for now) to instead override the .crt file with your own signed-cert. With this you can still run delivery-ctl reconfigure without issues.

Let me know if you have any further questions.

Salim
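The two situations above (the conf still pointing at the default self-signed cert after a reconfigure, and the workaround of overwriting the default .crt in place) are easy to confuse when you are only looking at what the browser shows. The following check, an added example that is not part of this thread or of Chef Automate itself, parses the `ssl_certificate` / `ssl_certificate_key` directives out of the server.d conf and compares the fingerprint of the file nginx actually loads against the cert you intended to deploy. The FQDN, the `/etc/pki/tls/certs/automate.crt` path and the PEM blobs are constructed placeholders; only the `/var/opt/delivery/nginx/ca/{FQDN}.crt` default location comes from the thread, and the PEM blobs are not real certificates (the fingerprint routine works the same on real ones).

```python
"""Check whether the nginx conf Chef Automate wrote points at the intended TLS
certificate, and whether the file at that path really is the intended cert.
Added example: paths and attribute names follow the thread; the sample conf,
file contents and the /etc/pki path below are constructed for illustration."""
import base64
import hashlib
import re
import ssl

FQDN = "automate.example.internal"                       # placeholder FQDN
DEFAULT_CERT = f"/var/opt/delivery/nginx/ca/{FQDN}.crt"  # default location from the thread
DEFAULT_KEY = f"/var/opt/delivery/nginx/ca/{FQDN}.key"   # assumed sibling key path
TRUSTED_CERT = "/etc/pki/tls/certs/automate.crt"         # hypothetical CA-signed cert

_DIRECTIVE = re.compile(r'^\s*(ssl_certificate(?:_key)?)\s+"?([^";]+)"?\s*;')


def parse_ssl_directives(conf_text: str) -> dict:
    """Return {directive: path} for ssl_certificate / ssl_certificate_key.
    Text after '#' is dropped first, so commented-out directives are ignored."""
    found = {}
    for line in conf_text.splitlines():
        m = _DIRECTIVE.match(line.split("#", 1)[0])
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER bytes of the first CERTIFICATE block, i.e. the value
    `openssl x509 -noout -fingerprint -sha256` prints, without the colons."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def check_nginx_cert(conf_text: str, expected_cert_path: str, read_file) -> dict:
    """Compare the conf against what delivery.rb asked for.
    read_file(path) -> str is injected so the caller can pass open().read on a
    real host or, as in the sample below, a constructed in-memory file map.
    path_matches:        the conf references the cert path you configured.
    fingerprint_matches: the cert nginx loads is byte-for-byte the intended one
                         (true after the overwrite-the-.crt workaround even
                         though the path is still the default)."""
    configured = parse_ssl_directives(conf_text).get("ssl_certificate")
    result = {"configured_path": configured,
              "path_matches": configured == expected_cert_path,
              "fingerprint_matches": False}
    if configured is not None:
        try:
            result["fingerprint_matches"] = (pem_fingerprint(read_file(configured))
                                             == pem_fingerprint(read_file(expected_cert_path)))
        except (KeyError, OSError, ValueError):
            pass  # missing or unreadable file: leave as a mismatch
    return result


def served_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the cert the running server presents (what a browser sees).
    Live network call; not exercised by the offline sample below."""
    return pem_fingerprint(ssl.get_server_certificate((host, port)))


# ---- constructed sample data (not real certificates or a real Automate conf) ----
def _fake_pem(seed: bytes) -> str:
    body = base64.b64encode(seed * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_CONF = f"""
server {{
  listen 443 ssl;
  server_name {FQDN};
  # ssl_certificate /etc/pki/old.crt;   # commented out, must be ignored
  ssl_certificate {DEFAULT_CERT};
  ssl_certificate_key {DEFAULT_KEY};
}}
"""

FILES = {DEFAULT_CERT: _fake_pem(b"self-signed-"),
         TRUSTED_CERT: _fake_pem(b"trusted-ca--")}


def after_workaround() -> dict:
    """State of the sample once the default .crt is overwritten with the trusted one."""
    patched = dict(FILES)
    patched[DEFAULT_CERT] = FILES[TRUSTED_CERT]
    return check_nginx_cert(SAMPLE_CONF, TRUSTED_CERT, patched.__getitem__)


if __name__ == "__main__":
    # Situation from post #1: reconfigure left the default paths in place.
    print(check_nginx_cert(SAMPLE_CONF, TRUSTED_CERT, FILES.__getitem__))
    # Situation from post #2: same conf, but the default .crt now holds the trusted cert.
    print(after_workaround())
```

Run it on a real host by passing `lambda p: open(p).read()` as `read_file` and the contents of the server.d conf; a `fingerprint_matches` of true with `path_matches` false is exactly the workaround state, and comparing `served_fingerprint(FQDN)` against `pem_fingerprint(open(TRUSTED_CERT).read())` confirms the running nginx has picked the file up after the restart.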


#3

Thanks for the tip! I tried that and it’s erroring still (copied and renamed my cert/key) for me. But not too big of a deal since I’ve got my workaround now. Looking forward to the fix!


#4

I think we just hit this… cert configuration discussed here seems to have no effect: https://docs.chef.io/config_rb_delivery.html

I’m really surprised this is not fixed. Is everyone running on self-signed certs or what?