Chef Server .crt defaulting to localhost

I am setting up a local virtual lab environment with VMWare workstation for Chef Server 12. Workstation and Chef server are reachable and pingable by FQDN’s but it seems when I do knife ssl fetch it pulls down localhost.crt instead of chefserver01.localdomain.crt as I would expect.

I have confirmed that the file is localhost.crt on the Chef server in /var/opt/opscode/nginx/ca/

I have tried renaming the files on the chef server and in the trusted certs locally on the workstation and doing a chef-server-ctl reconfigure and nginx reconfigure.

when I run

openssl x509 -in ./localhost.crt -noout -text

I see that the CN is set wrong

    Subject: C=US, O=YouCorp, OU=Operations, CN=localhost

My question is why does this pull the wrong hostname for the chef server when I have set up all the settings? (these boxes are CentOS 7 btw). I have tried re-installing chef server and reconfiguring it again but still no change. Is there a way to fix these the CN in the .crt to the correct value? I checked the hashes etc. are also correct and have run knife ssl check at the same time that I was using the knife ssl fetch commands.

If I have missed any details let me know.

Any suggestions would be much appreciated. Thanks

Hi Nathan,

While configuring chef-server by default it will create cert file based on the hostname of the machine. If you change hostname after installing chef-server it will not effect the existing configuration. Better approach is first assign FQDN names for both chef-server and workstation and then do chef-server-ctl reconfigure, you will get cert file with your modified hostname. Copy this file to trusted_certs directory in workstation which should be under .chef folder.

Hi Sunil,

Thanks for your reply. I had installed Chef after changing the hostname on the machine. I also tried reinstalling the Chef server just to see if it would update the .crt file with the hostname. I have also tried running chef-server-ctl reconfigure a few times but this didnt work for me. I have checked hostname in these locations

and also using hostname -f

I have tried even adding /etc/chef/client.rb file on the server and chef_server_url ‘https://chefserver01.localdomain/organizations/mylab’ but not even sure if this is required. It is holding the old hostname somewhere and this is messing up the .crt file details. Can the value be over-riden or manually changed another way. The reconfigure doesnt seem to work for me to change the name of .crt.


I guess there was some hostname traces somewhere. I restored the VM and built it up again and set the hostname according to this guide which seems I may have missed some of the locations (this guide doesnt mention /etc/hosts/ it will need to be in there to get chef-server-ctl reconfigure to work. Anyways just posting in case someone else has similar issues some time. My workstation is now able to pull down correct cert with hostname and verify succesfully.