Chef server and workstation certificate error


#1

Hi everyone. I am trying to install Chef Workstation (on Windows) and Chef Server (on RHEL on AWS). When I try to check the connection between the workstation and the Chef Server I get an SSL error. Below are the things I configured.

  1. Installed Chef Server (12.15.7) on AWS RHEL and configured the Chef Server with a username and an organization (two commands), then saved the two .pem files to a directory
  2. Installed Chef Workstation on my Windows 10 machine, created a .chef folder, copied the 2 .pem files (validator and user) into it, and prepared the knife.rb file

current_dir = File.dirname(__FILE__)
log_level :info
log_location STDOUT
node_name "username"
client_key "#{current_dir}/username.pem"
chef_server_url "https:///organizations/4thcoffee"
cookbook_path ["#{current_dir}/…/cookbooks"]

Below are the commands I ran:
knife ssl fetch (this fetches privateip.crt into .chef)
knife ssl check

BELOW IS THE ERROR I AM GETTING

The solution for this issue depends on your networking configuration. If you
are able to connect to this server using the hostname ip-.ec2.internal
instead of ec2-.compute-1.amazonaws.com, then you can resolve this issue by updating chef_server_url
in your configuration file.

If you are not able to connect to the server using the hostname ip-.ec2.internal
you will have to update the certificate on the server to use the correct hostname.

Can someone please help me, with some links on how to solve this?


#2

This is the answer right here. Chef Server autodetects the FQDN of the host and plops that into the SSL cert that it generates for the server. When you pull down the cert with knife ssl fetch it doesn’t (can’t and also shouldn’t) fix the fact that the certificate is created for a different hostname than the one you are using for the server (the hostname check is important b/c you’d be vulnerable to MITM without it). In EC2, if you plan to use both the internal and external hostnames, you should generate a SAN (subject alternative name) cert. We used to have the procedure documented on docs.chef.io but I can’t find it now.
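The hostname check this reply describes, shown as an added example that is not from the thread or from Chef itself: Ruby's stdlib OpenSSL builds a CN-only self-signed certificate like the auto-generated one, then a SAN certificate covering both EC2 names, and runs the same identity check a TLS client performs against each. The two hostnames are constructed placeholders.

```ruby
require 'openssl'

# Constructed placeholder hostnames standing in for the EC2 internal and
# external names from the thread (not real hosts).
INTERNAL_FQDN = 'ip-10-0-0-5.ec2.internal'
EXTERNAL_FQDN = 'ec2-54-0-0-5.compute-1.amazonaws.com'

# Build a self-signed server certificate. `cn` goes into the Subject; each
# name in `sans` becomes a DNS entry of the subjectAltName extension.
def build_cert(cn, sans: [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 3600
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    san = sans.map { |h| "DNS:#{h}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# The identity check a TLS client runs after the chain validates (RFC 6125
# style): SAN DNS names win; the CN is consulted only when there are none.
# Trusting the cert (what knife ssl fetch does) cannot repair a failure here.
def hostname_ok?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Names a client will accept for this cert: SAN DNS entries, else the CN.
def cert_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  dns = ext ? ext.value.split(',').map(&:strip).grep(/\ADNS:/) { |v| v.sub('DNS:', '') } : []
  dns.empty? ? [cert.subject.to_a.find { |n, _, _| n == 'CN' }[1]] : dns
end

if __FILE__ == $PROGRAM_NAME
  cn_only = build_cert(INTERNAL_FQDN) # shape of the auto-generated cert
  both    = build_cert(INTERNAL_FQDN, sans: [INTERNAL_FQDN, EXTERNAL_FQDN])
  [cn_only, both].each do |c|
    puts "cert for #{cert_names(c).join(', ')}: external ok=#{hostname_ok?(c, EXTERNAL_FQDN)}"
  end
end
```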