Chef server with LetsEncrypt

Has anyone used chef-server with SSL keys generated via LetsEncrypt? I’m wondering if that would solve some of the SSL validations I’m currently working around with knife ssl fetch / ssl_verify_mode :none.

https://letsencrypt.org/

Thanks!

I have a wrapper cookbook that depends on the chef-server cookbook that does this. It uses lego for the Let’s Encrypt portion.

The relevant bits are below. I phased out this server recently, but the config was working as of a few months ago. Hope it helps!

# attributes/default.rb:
default['chef-server']['api_fqdn'] = 'chef.myorg.com'
default['chef-server']['addons'] = %w(manage)
default['chef-server']['configuration'] = <<-EOS
notification_email 'me@myorg.com'
# no plain-HTTP listener, which also leaves :80 free for lego's HTTP challenge
nginx['non_ssl_port'] = false
# point chef-server's nginx at the files lego writes
nginx['ssl_certificate'] = '/etc/lego/certificates/chef.myorg.com.crt'
nginx['ssl_certificate_key'] = '/etc/lego/certificates/chef.myorg.com.key'
EOS

# recipes/default.rb:
execute 'download and install lego' do
  command <<-EOS
  wget https://github.com/xenolf/lego/releases/download/v0.3.0/lego_linux_amd64.tar.xz
  tar xvf lego_linux_amd64.tar.xz
  mv -v lego/lego /usr/local/bin
  EOS
  cwd '/tmp'
  creates '/usr/local/bin/lego'   # idempotent: skipped once the binary exists
end

# runs before chef-server is installed, so nothing else is bound to :80 yet
execute 'generate certs with lego' do
  command <<-EOS
  lego --email="me@myorg.com" --domains="#{node['chef-server']['api_fqdn']}" --http :80 -a --path /etc/lego/ run
  EOS
  creates "/etc/lego/certificates/#{node['chef-server']['api_fqdn']}.crt"
end

# renewal only rewrites the files under /etc/lego; nginx keeps serving the
# certificate it loaded until it is restarted
cron 'lego-ssl-chef' do
  time :monthly
  command <<-EOS
  lego --email="me@myorg.com" --domains="#{node['chef-server']['api_fqdn']}" --http :80 -a --path /etc/lego/ renew
  EOS
end

include_recipe 'chef-server'
include_recipe 'chef-server::addons'

-Ameir

And does chef-client work with those SSL certificates ok, or do you have to manually mark them as trusted with knife ssl fetch?

Yep, the certificates worked just fine and I didn’t have to use knife ssl to manually trust them.
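As an added illustration (not code from this thread or the chef-server cookbook), the Ruby script below builds two constructed certificates for chef.myorg.com in-process, one issued by a constructed root CA and one self-signed like chef-server's default, and runs the two checks a verify_peer client such as knife or chef-client performs: chain validation against a trust store and hostname matching. The root CA name and the second hostname are assumptions made up for the example.

```ruby
require 'openssl'

# Issue a certificate for +cn+; with no issuer it is self-signed (like chef-server's default cert).
def make_cert(cn, ca: false, issuer: nil, issuer_key: nil, sans: [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 90 * 86_400          # 90-day lifetime, as Let's Encrypt issues
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.add_extension(ef.create_extension('subjectAltName', sans.map { |s| "DNS:#{s}" }.join(','))) unless sans.empty?
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# What a verify_peer client (knife, chef-client) needs: a chain to a trusted root AND a matching name.
def validate(server_cert, trusted_roots, fqdn)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  chain_ok = store.verify(server_cert)
  { chain: chain_ok, name: OpenSSL::SSL.verify_certificate_identity(server_cert, fqdn),
    error: chain_ok ? nil : store.error_string }
end

FQDN = 'chef.myorg.com'   # FQDN from the thread; all certificates below are constructed in-process
ROOT, ROOT_KEY = make_cert('Constructed Trusted Root', ca: true)   # assumed root, stands in for a public CA
ISSUED, _      = make_cert(FQDN, issuer: ROOT, issuer_key: ROOT_KEY, sans: [FQDN])
SELF_SIGNED, _ = make_cert(FQDN, sans: [FQDN])

def run_examples
  {
    # publicly issued cert (the Let's Encrypt case): chain validates, no knife ssl fetch needed
    issued_with_root:        validate(ISSUED, [ROOT], FQDN),
    # chef-server's self-signed default: chain fails until the cert is copied into trusted_certs
    self_signed_no_trust:    validate(SELF_SIGNED, [], FQDN),
    self_signed_after_fetch: validate(SELF_SIGNED, [SELF_SIGNED], FQDN),
    # valid chain but name mismatch (assumed hostname): rejected, so api_fqdn must match the cert
    issued_wrong_name:       validate(ISSUED, [ROOT], 'other.myorg.com')
  }
end
run_examples.each { |label, r| puts "#{label}: chain=#{r[:chain]} name=#{r[:name]} #{r[:error]}" } if $PROGRAM_NAME == __FILE__
```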

Perfect, thank you!