Important -- Chef Automate 2 Internal Certificate Expiration

Chef Automate 2 uses TLS to authenticate inter-service communication. The certificates used are signed by an internal certificate authority (CA) managed by Chef Automate.

As with all certificates, the certificates of this internal CA eventually expire. Chef Automate's internal certificates expire 18 months after their initial generation at install time.

If you are a Chef Automate 2 user, this document describes what action may be required of you to deal with this certificate expiration. What to do depends on the version of Chef Automate you are running.

You can check your Chef Automate version with:

# chef-automate version
Version: 2
CLI Build: 20190719172449
Server Build: 20190719175829

The "Server Build" number is the important version in this case.

For current versions of Chef Automate 2

If you are on Chef Automate 20190225235742 or later, then Chef Automate 2 will automatically regenerate the certificates 28 days before their expiration date.

You can see when your certificates will expire with:

# chef-automate internal-ca info
Authority Name: CN=Chef Automate 7b05bbc4a440b910
Root CA Expiration Date: 2019-09-12 18:36:44 +0000 UTC (54d from now)

Chef Automate starts attempting to rotate your certificate 28 days before the expiration date. In this example, Chef Automate will rotate this certificate in 26 days.

If you would like to rotate the internal certificates before the automatic rotation:

# chef-automate internal-ca regenerate root

Certificate authority regenerated.

After regeneration, Chef Automate will trigger a restart of all services so that they get the new certificates. This may take some time and your Chef Automate server will be unavailable during this restart.

For old versions of Chef Automate 2

If you are on a version of Chef Automate older than 20190225235742, we advise upgrading to the latest version of Chef Automate.

You can see the expiration date of your installation's internal certificate with a command such as:

# hab pkg exec core/openssl openssl x509 -in /hab/svc/deployment-service/data/root.crt -text | grep 'Not After'
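As an added illustration (not part of this notice or of Chef Automate itself), the script below reads the root CA's notAfter date with the same openssl command, using -enddate instead of -text | grep, and reports whether the certificate is expired, already inside the 28-day automatic rotation window, or how many days remain before rotation would begin. The certificate path and the 28-day threshold are the ones stated above; the date arithmetic is separated from the openssl call so it can be checked against the sample dates in this notice.

```python
"""Report expiry and rotation status of the Chef Automate internal root CA."""
import subprocess
from datetime import datetime, timezone

# Path from the notice above; 28 days is the rotation lead time Automate uses.
ROOT_CRT = "/hab/svc/deployment-service/data/root.crt"
ROTATE_DAYS = 28


def parse_not_after(line):
    """Parse openssl '-enddate' output, e.g. 'notAfter=Sep 12 18:36:44 2019 GMT'."""
    value = line.strip().split("=", 1)[1]
    # %Z accepts 'GMT'; the result is made timezone-aware so it compares with now().
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until(expiry, now):
    """Whole days from 'now' to 'expiry' (negative once the certificate has expired)."""
    return (expiry - now).days


def assess(expiry, now, rotate_days=ROTATE_DAYS):
    """Return (status, days): 'expired' with days past expiry, 'rotation-window'
    with days left before expiry, or 'ok' with days until rotation is due to start."""
    remaining = days_until(expiry, now)
    if remaining < 0:
        return "expired", remaining
    if remaining <= rotate_days:
        return "rotation-window", remaining
    return "ok", remaining - rotate_days


def read_not_after(path=ROOT_CRT):
    """Run openssl via hab (as in the notice) and return the root CA's notAfter."""
    cmd = ["hab", "pkg", "exec", "core/openssl", "openssl", "x509",
           "-in", path, "-noout", "-enddate"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_not_after(out)


if __name__ == "__main__":
    expiry = read_not_after()
    status, days = assess(expiry, datetime.now(timezone.utc))
    print(f"Root CA expires {expiry:%Y-%m-%d %H:%M:%S} UTC: {status} ({days}d)")
```

Run it as root on the Automate host; a status of "rotation-window" on a build older than 20190225235742 means the automatic rotation described above will not happen and the upgrade or support path applies.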

If you cannot upgrade before your certificates expire, please contact support to determine the best procedure to regenerate your certificates.


Steven Danna
Software Engineer
Platform Engineering, Chef