More SSL issues

So, we have been using a Windows Active Directory Certificate Authority as our root CA for our chef installation. I have to say that, just as I expected, it was going to be an absolute pain in the butt. Seems I am correct, as there are many different CA configs required that are not documented to get the full package working (knife ssl fetch only resolves the chef-client issue and is a poor solution IMO, and any of the verify none SSL modes is a complete waste of time as it invalidates the SSL config).

So, getting the chef-client to trust the certificates is easy, but this is only one part of the puzzle, as berkshelf uses a different config and that is where the list continues to grow.

So, knife ssl fetch is only good for the chef-client and I still get all the errors that are no longer present on the Linux systems.

C:\opscode\chef\embedded\bin>knife ssl check -c c:\chef\client.rb

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.2j  26 Sep 2016
* Certificate file: C:/opscode/chef/embedded/ssl/cert.pem
* Certificate directory: C:/opscode/chef/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: "C:/opscode/chef/embedded/ssl/certs/cacert.pem"
* trusted_certs_dir: "c:/chef/trusted_certs"
WARNING: There are invalid certificates in your trusted_certs_dir.
OpenSSL will not use the following certificates when verifying SSL connections:

c:/chef/trusted_certs/chef_sv_local.crt: unable to get local issuer certificate


TO FIX THESE WARNINGS:

We are working on documentation for resolving common issues uncovered here.

* If the certificate is generated by the server, you may try redownloading the
server's certificate. By default, the certificate is stored in the following
location on the host where your chef-server runs:

  /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently: c:/chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.

Connecting to host chef.domain.local:443
Successfully verified certificates from `chef.domain.local'

So - how can I truly get SSL working for the whole implementation, so that when I run the SSL check on Windows I am only returned the following (like on the Linux systems), e.g.:

Connecting to host chef.domain.local:443
Successfully verified certificates from `chef.domain.local'

I don’t want to use ssl_verify_mode = none (Or any equivalents) - This is a silly answer, as it invalidates any of this config.

Chef Server 12.X

There are a few places where you need to add the CA certificate.

  1. in /etc/chef/client.rb, add the following two lines:

ssl_ca_file ""
ssl_verify_mode :verify_peer

  2. on workstations (ordinary clients don’t need it), /opt/chef/embedded/ssl/certs/cacert.pem - simply add it to the end. This takes care of knife. You must redo this every time the client is updated.

  3. on workstations: /opt/chefdk/embedded/ssl/certs/cacert.pem - same thing but for the chefdk. This takes care of berkshelf etc.

  4. on the chef server: modify /etc/opscode/chef-server.rb to point to the certificate and key. Then run chef-server-ctl reconfigure.

Here is my (redacted) /etc/opscode/chef-server.rb . Note that I’m using port 4443 since 443 is in use for something else.

topology "standalone"
api_fqdn ""
nginx['ssl_certificate'] = '/etc/pki/tls/certs/.crt'
nginx['ssl_certificate_key'] = '/etc/pki/tls/private/.key'
nginx['ssl_protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
nginx['non_ssl_port'] = 4080
nginx['ssl_port'] = 4443
bookshelf['vip_port'] = 4443

Kevin Keane
Whom the IT Pros Call
The NetTech
760-721-8339
http://www.4nettech.com
Our values: Privacy, Liberty, Justice
See https://www.4nettech.com/corp/the-nettech-values.html
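Steps 2 and 3 above (append the internal root CA to the embedded cacert.pem, and redo it after every client update) are easy to get wrong in two ways: appending the same CA repeatedly, or appending it without ever confirming that the server certificate actually chains to it. The following Ruby script is an added example, not Kevin's code and not part of Chef or knife; it builds a throwaway root CA and a leaf certificate for chef.domain.local in memory (constructed fixture, hypothetical names), shows the "unable to get local issuer certificate" failure against a bundle that lacks the root, merges the root into the bundle by SHA-256 fingerprint so a second run is a no-op, and re-verifies the leaf the way chef-client does with ssl_verify_mode :verify_peer. The bundle is kept as a string here; pointing it at a real cacert.pem path is left to the reader.

```ruby
require 'openssl'

# --- Helpers for a CA bundle such as /opt/chef/embedded/ssl/certs/cacert.pem ---

# Split a PEM bundle into X509 certificate objects.
def parse_bundle(text)
  text.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
      .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

# SHA-256 over the DER encoding: a stable identity for "is this CA already in the bundle?"
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Append ca_pem to the bundle text unless an identical certificate is already there.
# Returns [new_bundle_text, added?]. Safe to re-run after every client upgrade that
# replaces cacert.pem; an unchanged bundle is returned untouched.
def merge_ca(bundle_text, ca_pem)
  ca = OpenSSL::X509::Certificate.new(ca_pem)
  present = parse_bundle(bundle_text).any? { |c| fingerprint(c) == fingerprint(ca) }
  return [bundle_text, false] if present
  sep = (bundle_text.empty? || bundle_text.end_with?("\n")) ? "" : "\n"
  [bundle_text + sep + ca.to_pem, true]
end

# Build a trust store from the bundle and verify the server certificate against it,
# which is the check chef-client / knife ssl check perform with :verify_peer.
# Returns [verified?, openssl_error_string].
def verify_server(bundle_text, server_pem)
  store = OpenSSL::X509::Store.new
  parse_bundle(bundle_text).each { |c| store.add_cert(c) }
  ok = store.verify(OpenSSL::X509::Certificate.new(server_pem))
  [ok, store.error_string]
end

# --- Constructed fixture: a throwaway root CA and a leaf it signed (hypothetical names) ---

def make_cert(subject, issuer_cert, issuer_key, ca:, serial:, san: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment", true))
  cert.add_extension(ef.create_extension("subjectAltName", san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

ROOT_CERT, ROOT_KEY = make_cert("/CN=Constructed Test Root CA", nil, nil, ca: true, serial: 1)
SERVER_CERT, _      = make_cert("/CN=chef.domain.local", ROOT_CERT, ROOT_KEY, ca: false, serial: 2,
                                san: "DNS:chef.domain.local")
OTHER_ROOT, _       = make_cert("/CN=Unrelated Test Root", nil, nil, ca: true, serial: 3)

# Walk through the failure the thread describes and the fix: the stock bundle lacks the
# internal root, so verification fails; merging the root once (and only once) makes it pass.
def demo
  bundle = OTHER_ROOT.to_pem                                 # stands in for the stock cacert.pem
  before, before_err  = verify_server(bundle, SERVER_CERT.to_pem)
  bundle, added       = merge_ca(bundle, ROOT_CERT.to_pem)
  bundle, added_again = merge_ca(bundle, ROOT_CERT.to_pem)   # second run: no duplicate
  after, _            = verify_server(bundle, SERVER_CERT.to_pem)
  { before: before, before_err: before_err, added: added,
    added_again: added_again, after: after, certs: parse_bundle(bundle).size }
end

if __FILE__ == $0
  r = demo
  puts "before merge: verified=#{r[:before]} (#{r[:before_err]})"
  puts "merged root:  #{r[:added]}, re-run added again: #{r[:added_again]}"
  puts "after merge:  verified=#{r[:after]}, certs in bundle: #{r[:certs]}"
end
```

Run it with plain `ruby`; the first verify_server call reports the same OpenSSL error the knife output above shows, and the second succeeds only because the root was merged. Keying the merge on the DER fingerprint rather than on the subject name also catches the case where a rotated root keeps the same CN but is a different certificate.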

Having the Linux machine working was easy, and the setup for the Nginx server was easy - Windows used its internal cert store to verify this via the Chef Server Manage home page, but this doesn't complete the picture for Windows.

Linux was simple: to get this working as a true SSL-verified connection, not only with chef but with any other service that requires this root CA, on CentOS I did the following:

# Ensure that the ca-certificates is installed:
sudo yum install ca-certificates

# Enable the dynamic CA feature
sudo update-ca-trust force-enable

# Copy the root ca to the anchor store
sudo cp mycert.crt /etc/pki/ca-trust/source/anchors

# Enable the new CA cert for use
sudo update-ca-trust extract

Here is the verification on the linux node:

Here is what windows returns - So, it seems Windows isn't quite working... :

Has no-one a solution for having Chef accept a non-default root CA for windows and Chef?

Hi, please take a look here, see if it helps:
https://github.com/chef-boneyard/chef-web-docs-2016/issues/737


thanks @Alex_Vinyar - This helped!