How could I configurate a trusted SSL certificate in chef 12?

Hi all,

I have the open source chef server 12 installed and I want to change the
self signed SSL certificate for a trusted SSL certificate and at the same
time pass the test here: https://www.ssllabs.com/ssltest/index.html

After the last Logjam vulnerability I’ve bought a Possitive SSL wildcard
cert (I use *.mydomain.com in several servers with different subdomains)
and I’ve put my .key file and .crt file in /etc/opscode/. In the
/etc/opscode/chef-server.rb I’ve added:

nginx[‘ssl_certificate’] = “/etc/opscode/camydomain.com.crt” => here,
there is a concatenated file with my
serverdomain.crt COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt, in this order.
nginx[‘ssl_certificate_key’] = "/etc/opscode/mydomain.com.key"
nginx[‘ssl_ciphers’] =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
nginx[‘ssl_protocols’] = "TLSv1 TLSv1.1 TLSv1.2"
nginx[‘ssl_prefer_server_ciphers’] = "on"
nginx[‘ssl_dhparam’] = “/etc/ssl/private/dhparams.pem”

And I’ve created /etc/ssl/private/dhparams.pem with the command “openssl
dhparam -out dhparams.pem 2048”, following these instruccions:
https://weakdh.org/sysadmin.html

Finally I run: chef-server-ctl reconfigure and I can see how it has been
added in /etc/opscode/.chef-server-running.json.

But if I check my site again I obtain a B rate with the following message:
“This server supports weak Diffie-Hellman (DH) key exchange parameters.
Grade capped to B”

Someone knows what I am missing?

/opt/opscode/embedded/bin/openssl version
OpenSSL 1.0.1m 19 Mar 2015

Thanks in advance

1 Like

I suspect you need to remove the DSS ciphers too (and probably explicitly
exclude them with !DSS).

See e.g.

Regards,
Christine

On Mon, Jun 8, 2015 at 7:21 PM, bln workplace bln.workplace@gmail.com
wrote:

Hi all,

I have the open source chef server 12 installed and I want to change the
self signed SSL certificate for a trusted SSL certificate and at the same
time pass the test here: https://www.ssllabs.com/ssltest/index.html

After the last Logjam vulnerability I’ve bought a Possitive SSL wildcard
cert (I use *.mydomain.com in several servers with different subdomains)
and I’ve put my .key file and .crt file in /etc/opscode/. In the
/etc/opscode/chef-server.rb I’ve added:

nginx[‘ssl_certificate’] = “/etc/opscode/camydomain.com.crt” => here,
there is a concatenated file with my
serverdomain.crt COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt, in this order.
nginx[‘ssl_certificate_key’] = "/etc/opscode/mydomain.com.key"
nginx[‘ssl_ciphers’] =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
nginx[‘ssl_protocols’] = "TLSv1 TLSv1.1 TLSv1.2"
nginx[‘ssl_prefer_server_ciphers’] = "on"
nginx[‘ssl_dhparam’] = “/etc/ssl/private/dhparams.pem”

And I’ve created /etc/ssl/private/dhparams.pem with the command “openssl
dhparam -out dhparams.pem 2048”, following these instruccions:
https://weakdh.org/sysadmin.html

Finally I run: chef-server-ctl reconfigure and I can see how it has been
added in /etc/opscode/.chef-server-running.json.

But if I check my site again I obtain a B rate with the following message:
“This server supports weak Diffie-Hellman (DH) key exchange parameters.
Grade capped to B”

Someone knows what I am missing?

/opt/opscode/embedded/bin/openssl version
OpenSSL 1.0.1m 19 Mar 2015

Thanks in advance

You can also find example configurations that should pass the SSL Labs test
here:

https://cipherli.st
On Tue, Jun 9, 2015 at 5:57 AM Christine Draper <
christine_draper@thirdwaveinsights.com> wrote:

I suspect you need to remove the DSS ciphers too (and probably explicitly
exclude them with !DSS).

See e.g.

http://security.stackexchange.com/questions/54639/recommended-ssl-ciphers-for-security-compatibility-perfect-forward-secrecy

Regards,
Christine

On Mon, Jun 8, 2015 at 7:21 PM, bln workplace bln.workplace@gmail.com
wrote:

Hi all,

I have the open source chef server 12 installed and I want to change the
self signed SSL certificate for a trusted SSL certificate and at the same
time pass the test here: https://www.ssllabs.com/ssltest/index.html

After the last Logjam vulnerability I’ve bought a Possitive SSL wildcard
cert (I use *.mydomain.com in several servers with different subdomains)
and I’ve put my .key file and .crt file in /etc/opscode/. In the
/etc/opscode/chef-server.rb I’ve added:

nginx[‘ssl_certificate’] = “/etc/opscode/camydomain.com.crt” => here,
there is a concatenated file with my
serverdomain.crt COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt, in this order.
nginx[‘ssl_certificate_key’] = "/etc/opscode/mydomain.com.key"
nginx[‘ssl_ciphers’] =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
nginx[‘ssl_protocols’] = "TLSv1 TLSv1.1 TLSv1.2"
nginx[‘ssl_prefer_server_ciphers’] = "on"
nginx[‘ssl_dhparam’] = “/etc/ssl/private/dhparams.pem”

And I’ve created /etc/ssl/private/dhparams.pem with the command “openssl
dhparam -out dhparams.pem 2048”, following these instruccions:
https://weakdh.org/sysadmin.html

Finally I run: chef-server-ctl reconfigure and I can see how it has been
added in /etc/opscode/.chef-server-running.json.

But if I check my site again I obtain a B rate with the following
message: “This server supports weak Diffie-Hellman (DH) key exchange
parameters. Grade capped to B”

Someone knows what I am missing?

/opt/opscode/embedded/bin/openssl version
OpenSSL 1.0.1m 19 Mar 2015

Thanks in advance

Thanks for your answers.

As far I can see the problem is the server ciphers to 1024 bits by default.
When I put nginx[‘ssl_dhparam’] = “/etc/ssl/private/dhparams.pem” in the
/etc/opscode/chef-server.rb file this parameter doesn’t apply when I run
chef-server-ctl reconfigure, it’s ignored.

If I try to put this DH parameter in
/var/opt/opscode/nginx/etc/chef_http_lb.conf file my server uses my new
dhparams.pem to 2048 bits so I pass the vulnerability test but when I run
chef-server-ctl reconfigure this parameter is gone.

So my provisional solution is to create a new file in
/var/opt/opscode/nginx/etc/nginx.d/dhparams.conf for adding non default
configuration to nginx and in this file I have put the path to my new
Diffie-Hellman group:
ssl_dhparam /etc/ssl/private/dhparams.pem;

I think this is a nasty solution by I don’t know another better at the
moment. Maybe this ssl_dhparam could be recognized by default or maybe I
need to put this parameter in another side that I don’t know or maybe is a
bug…

2015-06-09 16:47 GMT+02:00 Brandon Raabe brandocorp@gmail.com:

You can also find example configurations that should pass the SSL Labs
test here:

https://cipherli.st

On Tue, Jun 9, 2015 at 5:57 AM Christine Draper <
christine_draper@thirdwaveinsights.com> wrote:

I suspect you need to remove the DSS ciphers too (and probably explicitly
exclude them with !DSS).

See e.g.

http://security.stackexchange.com/questions/54639/recommended-ssl-ciphers-for-security-compatibility-perfect-forward-secrecy

Regards,
Christine

On Mon, Jun 8, 2015 at 7:21 PM, bln workplace bln.workplace@gmail.com
wrote:

Hi all,

I have the open source chef server 12 installed and I want to change the
self signed SSL certificate for a trusted SSL certificate and at the same
time pass the test here: https://www.ssllabs.com/ssltest/index.html

After the last Logjam vulnerability I’ve bought a Possitive SSL wildcard
cert (I use *.mydomain.com in several servers with different
subdomains) and I’ve put my .key file and .crt file in /etc/opscode/. In
the /etc/opscode/chef-server.rb I’ve added:

nginx[‘ssl_certificate’] = “/etc/opscode/camydomain.com.crt” => here,
there is a concatenated file with my
serverdomain.crt COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt, in this order.
nginx[‘ssl_certificate_key’] = "/etc/opscode/mydomain.com.key"
nginx[‘ssl_ciphers’] =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
nginx[‘ssl_protocols’] = "TLSv1 TLSv1.1 TLSv1.2"
nginx[‘ssl_prefer_server_ciphers’] = "on"
nginx[‘ssl_dhparam’] = “/etc/ssl/private/dhparams.pem”

And I’ve created /etc/ssl/private/dhparams.pem with the command “openssl
dhparam -out dhparams.pem 2048”, following these instruccions:
https://weakdh.org/sysadmin.html

Finally I run: chef-server-ctl reconfigure and I can see how it has been
added in /etc/opscode/.chef-server-running.json.

But if I check my site again I obtain a B rate with the following
message: “This server supports weak Diffie-Hellman (DH) key exchange
parameters. Grade capped to B”

Someone knows what I am missing?

/opt/opscode/embedded/bin/openssl version
OpenSSL 1.0.1m 19 Mar 2015

Thanks in advance

On Wednesday, June 10, 2015 at 7:52 AM, bln workplace wrote:

Thanks for your answers.

As far I can see the problem is the server ciphers to 1024 bits by default. When I put nginx[‘ssl_dhparam’] = “/etc/ssl/private/dhparams.pem” in the /etc/opscode/chef-server.rb file this parameter doesn’t apply when I run chef-server-ctl reconfigure, it’s ignored.

If I try to put this DH parameter in /var/opt/opscode/nginx/etc/chef_http_lb.conf file my server uses my new dhparams.pem to 2048 bits so I pass the vulnerability test but when I run chef-server-ctl reconfigure this parameter is gone.

So my provisional solution is to create a new file in /var/opt/opscode/nginx/etc/nginx.d/dhparams.conf for adding non default configuration to nginx and in this file I have put the path to my new Diffie-Hellman group:
ssl_dhparam /etc/ssl/private/dhparams.pem;

I think this is a nasty solution by I don’t know another better at the moment. Maybe this ssl_dhparam could be recognized by default or maybe I need to put this parameter in another side that I don’t know or maybe is a bug…

I don’t remember any of this stuff well enough to answer your questions directly, but the cookbook that configures chef-server is here: https://github.com/chef/chef-server/tree/master/omnibus/files/private-chef-cookbooks/private-chef

If it doesn’t do what you need now, then you could submit a patch.


Daniel DeLeo