chef - [chef] Re: How tdo I configure the ssl to make the chef client and server happy

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: How tdo I configure the ssl to make the chef client and server happy

From: Noah Kantrowitz < >
To:
Subject: [chef] Re: How tdo I configure the ssl to make the chef client and server happy
Date: Thu, 24 Jul 2014 10:54:51 -0700

Just generate the certificate/key yourself and provide it to the server. To
make a self-signed cert:

$ openssl req -x509 -newkey rsa:4096 -keyout chef.key -out chef.pem -nodes
-days 365

And then in your /etc/chef-server/chef-server.rb (you may have to create it):

nginx['ssl_certificate'] = '/etc/chef-server/chef.pem'
nginx['ssl_certificate_key'] = '/etc/chef-server/chef.key'

You'll need to distribute the chef.pem to all clients as well, and configure
it as a trusted CA certificate.

--Noah

On Jul 24, 2014, at 6:27 AM, Stephen Corbesero
< >
wrote:

>
> I am setting up a chef server for a project in AWS, and I am trying to find
> the best way to make the server and client happy wrt the ssl settings.
>
> I want to do the following.
>
> ·        Create a chef server with a private IP address and a public
> (elastic) IP address.
> ·        I want to use chef01.some.dom.com as the DNS/hostname for the
> private IP address, and I want to use chef01-eip.some.dom.com as the DNS
> for the public IP address,  AND I want to create  a CNAME of just
> chef.some.dom.com which I will use as the name of the chef server in the
> client.rb files.
>
> When I do that, the ssl checking fails.  The name of the server in
> client.rb (che.some.dom.com) does not match the name on the certificate,
> which was generated with the machines hostname, chef01.some.dom.com.
>
> I try to outsmart the “chef-server-ctl reconfigure” command by temporarily
> changing the host name to my CNAME (chef.some.dom.com).  Well,
> chef-server-ctl  is too clever for me.  It does a DNS lookup and finds the
> actual name associated with the address so it now generates a certificate
> with name chef01-eip.some.dom.com.
>
> What should I be doing?  I am perfectly happy with the self-generated
> certificate.
>
> On a related note, will I also have to copy that cert to the trusted_certs/
> directory on all the clients?
>
>
>
> --
> Stephen Corbesero, DevOps Engineer
> Synchronoss - Mobile Innovation for a Connected World
>
>  | www.synchronoss.com

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

[chef] How tdo I configure the ssl to make the chef client and server happy, Stephen Corbesero, 07/24/2014
- [chef] Re: How tdo I configure the ssl to make the chef client and server happy, Noah Kantrowitz, 07/24/2014
  - [chef] Re: Re: How tdo I configure the ssl to make the chef client and server happy, Daniel DeLeo, 07/24/2014
    - [chef] RE: Re: Re: How do I configure the ssl to make the chef client and server happy, Stephen Corbesero, 07/25/2014
      - [chef] RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy, Stephen Corbesero, 07/25/2014
        
        [chef] Re: RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy, Daniel DeLeo, 07/25/2014
        
        [chef] RE: Re: RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy, Stephen Corbesero, 07/25/2014
        
        [chef] Re: RE: Re: RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy, Daniel DeLeo, 07/25/2014
        [chef] RE: Re: RE: Re: RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy, Stephen Corbesero, 07/28/2014