So, we have been using a Windows Active Directory Certificate Authority as our root CA for our Chef installation. I have to say that, just as I expected, it was going to be an absolute pain in the butt. Seems I am correct, as there are many different CA configs required that are not documented to get the full package working (knife ssl fetch only resolves the chef-client issue and is a poor solution IMO, and any of the verify-none SSL modes are a complete waste of time as they invalidate the SSL config).
So, getting the chef-client to trust the certificates is easy, but this is only one part of the puzzle, as Berkshelf uses a different config, and that is where the list continues to grow. knife ssl fetch is only good for the chef-client, and I still get all the errors that are no longer present on the Linux systems.
```
C:\opscode\chef\embedded\bin>knife ssl check -c c:\chef\client.rb
Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.2j  26 Sep 2016
* Certificate file: C:/opscode/chef/embedded/ssl/cert.pem
* Certificate directory: C:/opscode/chef/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: "C:/opscode/chef/embedded/ssl/certs/cacert.pem"
* trusted_certs_dir: "c:/chef/trusted_certs"
WARNING: There are invalid certificates in your trusted_certs_dir.
OpenSSL will not use the following certificates when verifying SSL connections:

c:/chef/trusted_certs/chef_sv_local.crt: unable to get local issuer certificate

TO FIX THESE WARNINGS:

We are working on documentation for resolving common issues uncovered here.

* If the certificate is generated by the server, you may try redownloading
the server's certificate. By default, the certificate is stored in the
following location on the host where your chef-server runs:

  /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently: c:/chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.

Connecting to host chef.domain.local:443
Successfully verified certificates from `chef.domain.local'
```
So, how can I truly get SSL working for the whole implementation, so that when I run the SSL check on Windows I only get the following back (like on the Linux systems), e.g.:

```
Connecting to host chef.domain.local:443
Successfully verified certificates from `chef.domain.local'
```
I don't want to use ssl_verify_mode = none (or any equivalents). This is a silly answer, as it invalidates any of this config.
Chef Server 12.X
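The warning in the knife ssl check output above ("unable to get local issuer certificate") is OpenSSL saying it cannot chain chef_sv_local.crt to an issuer using the certificates it has. The script below is an added example, not part of the original post and not Chef's or knife's own code: it builds a throwaway two-tier PKI with the openssl CLI (a constructed root standing in for the AD CS root, and a server certificate it issues standing in for chef_sv_local.crt), then runs the same kind of per-file verification over a trusted_certs directory, first with the leaf alone and then with its issuer beside it. It assumes a POSIX shell with openssl on PATH; every name, path and certificate in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuilds the "unable to get local
# issuer certificate" condition with a throwaway PKI so the contents of a
# trusted_certs directory can be checked outside of knife. Assumes the openssl
# CLI is on PATH; all names and certificates here are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway two-tier PKI: a root CA (stand-in for the AD CS root) and a
# server certificate issued by it (stand-in for chef_sv_local.crt).
make_demo_pki() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectAltName = DNS:chef.domain.local
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$dir/ca.cnf" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
    -subj "/CN=chef.domain.local" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null
}

# Verify every .crt in a trusted_certs directory against the certificates in
# that same directory, report the ones OpenSSL cannot chain to an issuer on
# stderr, and print the number of failures on stdout.
count_unverifiable() {
  dir=$1
  bundle="$dir/.bundle.pem"
  cat "$dir"/*.crt > "$bundle"
  n=0
  for cert in "$dir"/*.crt; do
    if ! out=$(openssl verify -CAfile "$bundle" "$cert" 2>&1); then
      n=$((n + 1))
      echo "invalid: $cert: $out" >&2
    fi
  done
  rm -f "$bundle"
  echo "$n"
}

make_demo_pki "$WORK"
TRUST="$WORK/trusted_certs"
mkdir "$TRUST"

# Step 1: only the server certificate is present. It is a leaf signed by a CA
# that is not in the directory, so it cannot be chained to an issuer.
cp "$WORK/server.crt" "$TRUST/chef_sv_local.crt"
echo "leaf only: $(count_unverifiable "$TRUST") certificate(s) cannot be verified"

# Step 2: the issuing root sits beside it, and the check is clean.
cp "$WORK/root.crt" "$TRUST/ad_root_ca.crt"
echo "with issuer: $(count_unverifiable "$TRUST") certificate(s) cannot be verified"
```

Run it with sh; the first count is 1 and the second 0. The same openssl verify loop can be pointed at the real trusted_certs directory: a server certificate issued by the AD CA verifies only when its issuing root (and any intermediate) is present in PEM form next to it, which is the condition the knife warning is describing.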