Chef-client 12 & chained cert for Chef server

Hey Guys,

We run a 2-tier internal CA (offline root CA and online intermediate CA that issues the certificates). Our Chef server uses a chained cert containing it’s own certificate and the intermediate’s certificate.

If I set ssl_ca_file to point to our root CA’s certificate in chef/client.rb everything works great (which is what we do once the node is bootstrapped). However, bootstrapping and using “knife ssl fetch” don’t work. They take the chained certificates from the Chef server and store them in trusted_certs/ as 2 separate certificates, but then continue to complain that the Chef server’s cert is not trusted. A little at a loss on how to get a node bootstrapped using our root CA’s cert (as trusted) to validate the chained cert from the Chef server.


Try bootstrapping with verify_node, and using a cookbook to put the ca file into your trusted certs. Then use something like the chef client cookbook to set ssl_ca_path for subsequent runs.

If you need to verify at bootstrap time, you may want to create a custom bootstrap to put the ca file in place and set the ssl_ca_path.


Hi JP,

Appreciate the help. We have our own certificates cookbook that installs
the root CA cert already, and our wrapper cookbook for the chef-client
cookbook, set ssl_ca_path. The issue is the initial bootstrap to get those
pulled down.

I’ll give “–node-ssl-verify-mode none” a shot for bootstrapping. Thanks


You can probably put the concatenated cert in your trusted certs dir on the machine you run knife from.

Tried that but it doesn’t like it.