More SSL issues

svucich · April 3, 2017, 12:08am

So, we have been using a Windows Active Directory Certificate Authority as our root CA for our chef installation. I have to say, that just as I expected, it was going to be an absolute pain in the but. Seems I am correct as there are many different CA configs required that are not documented to get the full package working (knife ssl fetch only resolves the chef-client issue and is a poor solutions IMO and any of the verify none SSL modes is a complete waste of time as it invalidates the SSL config).

So, getting the chef-client to trust the certificates is easy, but this is only one part of the puzzle, as berkshelf uses a different config and that is where the list continues to grow.

So, knife ssl fetch is only good for the chef-client and I still get all the errors that are no longer present on the Linux systems.

C:\opscode\chef\embedded\bin>knife ssl check -c c:\chef\client.rb

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.2j  26 Sep 2016
* Certificate file: C:/opscode/chef/embedded/ssl/cert.pem
* Certificate directory: C:/opscode/chef/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: "C:/opscode/chef/embedded/ssl/certs/cacert.pem"
* trusted_certs_dir: "c:/chef/trusted_certs"
WARNING: There are invalid certificates in your trusted_certs_dir.
OpenSSL will not use the following certificates when verifying SSL connections:

c:/chef/trusted_certs/chef_sv_local.crt: unable to get local issuer certificate


TO FIX THESE WARNINGS:

We are working on documentation for resolving common issues uncovered here.

* If the certificate is generated by the server, you may try redownloading the
server's certificate. By default, the certificate is stored in the following
location on the host where your chef-server runs:

  /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently: c:/chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.

Connecting to host chef.domain.local:443
Successfully verified certificates from `chef.domain.local'

So - How can I truly get ssl working for the whole implementation so that when I run the SSL check on windows I am only returned as follows (Like on the linux systems), EG:

Connecting to host chef.domain.local:443
Successfully verified certificates from `chef.domain.local'

I don’t want to use ssl_verify_mode = none (Or any equivalents) - This is a silly answer, as it invalidates any of this config.

Chef Server 12.X

kkeane · April 3, 2017, 12:32am

There are a few places where you need to add the CA certificate.

in /etc/chef/client.rb, add the following two lines:

ssl_ca_file ""
ssl_verify_mode :verify_peer

on workstations (ordinary clients don’t need it), /opt/chef/embedded/ssl/certs/cacert.pem - simply add it to the end. This takes care of knife. You must redo this every time the client is updated.
on workstations: /opt/chefdk/embedded/ssl/certs/cacert.pem - same thing but for the chefdk. This takes care of berkshelf etc.
on the chef server: modify /etc/opscode/chef-server.rb to point to the certificate and key. Then run chef-server-ctl reconfigure.

Here is my (redacted) /etc/opscode/chef-server.rb . Note that I’m using port 4443 since 443 is in use for something else.

topology "standalone"
api_fqdn ""
nginx[‘ssl_certificate’] = '/etc/pki/tls/certs/.crt’
nginx[‘ssl_certificate_key’] = '/etc/pki/tls/private/.key’
nginx[‘ssl_protocols’] = 'TLSv1 TLSv1.1 TLSv1.2’
nginx[‘non_ssl_port’] = 4080
nginx[‘ssl_port’] = 4443
bookshelf[‘vip_port’] = 4443

Kevin Keane
Whom the IT Pros Call
The NetTech
760-721-8339
http://www.4nettech.com
Our values: Privacy, Liberty, Justice
See https://www.4nettech.com/corp/the-nettech-values.html

svucich · April 3, 2017, 1:45am

Having the Linux machine working was easy, and the setup for the Nginx server was easy - Windows used its internal cert store to verify this via the Chef Server Manage home page, but this doesn't not complete the picture for windows.

Linux was simple. To get this working as a true SSL verified connection with not only chef, but any other service that requires this Root CA. To do this on CentOS I did the following:

# Ensure that the ca-certificates is installed:
sudo yum install ca-certificates

# Enable the dynamic CA feature
sudo update-ca-trust force-enable

# Copy the root ca to the anchor store
sudo cp mycert.crt /etc/pki/ca-trust/source/anchors

# Enable the new CA cert for use
sudo update-ca-trust extract

Here is the verification on the linux node:

Here is what windows returns - So, it seems Windows isn't quite working... :

svucich · April 5, 2017, 10:41pm

Has no-one a solution for having Chef accept a non-default root CA for windows and Chef?

Alex_Vinyar1 · April 6, 2017, 5:54pm

Hi, please take a look here, see if it helps:
https://github.com/chef-boneyard/chef-web-docs-2016/issues/737

svucich · April 9, 2017, 10:39pm

thanks @Alex_Vinyar - This helped!

Topic		Replies	Views
Struggling mightily with SSL on Windows Chef Infra (archive)	3	1235	November 16, 2016
Can't bootstrap new nodes Chef Infra (archive)	1	789	November 9, 2015
Unable to use SSL cert from in-house Chef Server w/ knife Chef Infra (archive)	4	980	February 17, 2015
OpenSSL::SSL::SSLError: certificate verify failed Chef Infra (archive)	10	8246	July 13, 2016
Chef Manage Signed SSL certificate Chef Infra (archive)	11	2268	February 3, 2017

More SSL issues

Related topics