Chef Workstation Error

Hi Team,

Please provide a solution to the below error.
I have used two EC2 Ubuntu 14.4 installations, one for the Chef server and one for the workstation.

I have also used the knife ssl fetch command to place the valid certificate under .chef/trusted_certs.

Use knife ssl check to troubleshoot your SSL configuration.
If your Chef Server uses a self-signed certificate, you can use
knife ssl fetch to make knife trust the server’s certificates.

Original Exception: OpenSSL::SSL::SSLError: hostname "ec2-52-74-246-20.ap-southeast-1.compute.amazonaws.com" does not match the server certificate
root@ip-172-31:/home/ubuntu/chef-repo# knife ssl check
Connecting to host ec2-52-74-246-20.ap-southeast-1.compute.amazonaws.com:443
ERROR: The SSL cert is signed by a trusted authority but is not valid for the given hostname
ERROR: You are attempting to connect to: 'ec2-52-74-246-20.ap-southeast-1.compute.amazonaws.com'
ERROR: The server's certificate belongs to 'ip-172-31-30-179.ap-southeast-1.compute.internal'

By default, certificates are only valid for one hostname (or a range of hostnames if you have a wildcard cert). This is necessary because otherwise I could get a valid cert for evil.com from verisign (or other trusted CA) and then use that certificate when running a MITM for, say, google.com.

Since you’re using EC2, your chef server has two hostnames, one to use inside of ec2 and one to use outside. You need to make an SSL certificate that works for both. To do this, you need to generate a certificate with the subject alternative name extension, which allows you to specify other hostnames that the certificate is valid for. The other thing you could do would be to set up proper DNS so that you’re always using the same hostname for the chef server everywhere. Though you probably want to route traffic that’s within EC2 via the internal IP so you’re not charged for the traffic. I scanned the AWS Route 53 FAQ but I didn’t see any information about this kind of split-horizon setup. Maybe someone else on the list has experience with it.

Regarding the internal/external ec2 names, provided you are in the same VPC (or using EC2 classic and in the same region, or maybe availability zone), then ec2-1-2-3-4.some-region-1.compute.amazonaws.com will resolve to the internal IP for the server when you’re connecting from another ec2 instance.

This means you can just generate a certificate for ec2-1-2-3-4.some-region-1.compute.amazonaws.com, or make a CNAME for chefserver.mycompany.com to point to the ec2-1-2-3-4 domain and make a certificate for that domain instead. No need to worry about manually doing split horizon DNS setups.
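The two replies above describe the fix (a certificate whose subject alternative name list covers every hostname knife might use) and the check that is failing. The following Ruby script is an added illustration, not code from the thread or from Chef itself: it builds a self-signed certificate with the SAN extension using Ruby's standard openssl library and runs the same hostname-identity check knife performs (OpenSSL::SSL.verify_certificate_identity) against the two hostnames from the error output. The key size, validity period and serial number are arbitrary choices for the demo.

```ruby
require 'openssl'

# Hostnames taken from the thread: knife connects to the public EC2 name, but
# the certificate the Chef Server presents was issued for the internal name.
PUBLIC_NAME   = 'ec2-52-74-246-20.ap-southeast-1.compute.amazonaws.com'
INTERNAL_NAME = 'ip-172-31-30-179.ap-southeast-1.compute.internal'

# Build a self-signed X.509 certificate whose subjectAltName extension lists
# every hostname the certificate should be valid for. The CN is set to the
# first name only for readability; verification is driven by the SAN list.
def make_cert(san_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                        # X.509 v3, required for extensions
  cert.serial     = 1                        # arbitrary for a demo certificate
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{san_names.first}")
  cert.issuer     = cert.subject             # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 60 * 60

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName',
                                         san_names.map { |n| "DNS:#{n}" }.join(','),
                                         false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The SAN entries as `openssl x509 -text` would print them.
def san_of(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  ext ? ext.value : ''
end

# The identity check knife applies to the server certificate: SAN dNSName
# entries are consulted first, and the CN only when there are none.
def valid_for?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Reproduce the thread's failure and the SAN fix, returning each verdict.
def check_thread_scenario
  internal_only, _ = make_cert([INTERNAL_NAME])               # what the server has now
  both, _          = make_cert([INTERNAL_NAME, PUBLIC_NAME])  # what the reply suggests
  {
    internal_only_matches_internal: valid_for?(internal_only, INTERNAL_NAME),
    internal_only_matches_public:   valid_for?(internal_only, PUBLIC_NAME),
    san_matches_internal:           valid_for?(both, INTERNAL_NAME),
    san_matches_public:             valid_for?(both, PUBLIC_NAME),
    san_extension:                  san_of(both),
  }
end

if __FILE__ == $0
  check_thread_scenario.each { |k, v| puts "#{k}: #{v}" }
end
```

Running it shows the internal-only certificate accepted for the internal name and rejected for the public name (the knife ssl check failure above), while the SAN certificate is accepted for both. A certificate issued only for the public EC2 name, as the second reply suggests, would pass the public-name check but fail for any client that still uses the internal name.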

Thank you, team, for the response.

I am a little bit confused about the certificate. Could you please suggest where I can generate the certificate for the public DNS (Chef server)? The Chef workstation is always picking the certificate of the private DNS (Chef server).

Both EC2 instances are in the same region, but it is always checking SSL authentication.

Sometimes I am getting an error like “ERROR: Your private key could not be loaded from /etc/chef/client.pem”. Is this pem related to the Chef server key file or the Chef workstation key file?

Thanks,
Rajesh.

If you don’t configure it otherwise, Chef Server will create a self-signed certificate when you run chef-server-ctl reconfigure. For your use case, you probably need to create the certificate manually and then configure Chef Server to use it. The Chef Server configuration is given here: https://docs.chef.io/server_security.html#ssl-certificates

There should be plenty of tutorials for generating an SSL certificate on the internet.
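To connect the two steps above (create the certificate manually, then tell Chef Server to use it), here is an added chef-server.rb fragment that is not part of the thread. The api_fqdn, nginx['ssl_certificate'] and nginx['ssl_certificate_key'] settings are the ones documented on the server_security page linked above; the file paths are placeholders for wherever the certificate and key are stored.

```ruby
# /etc/opscode/chef-server.rb (paths are placeholders; adjust to your layout)

# The hostname knife is configured with; the certificate's SAN list must include it.
api_fqdn 'ec2-52-74-246-20.ap-southeast-1.compute.amazonaws.com'

# Certificate generated with a subjectAltName covering both the public and the
# internal EC2 name, and its private key.
nginx['ssl_certificate']     = '/etc/opscode/ssl/chef-server.crt'
nginx['ssl_certificate_key'] = '/etc/opscode/ssl/chef-server.key'

# Apply with: chef-server-ctl reconfigure
# Then re-run `knife ssl fetch` and `knife ssl check` from the workstation.
```

Without these two nginx settings, chef-server-ctl reconfigure keeps generating its own self-signed certificate for the internal hostname, which is why the workstation keeps seeing the private-DNS certificate.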

Thank you Kallistec.