- From: Stephen Corbesero
- Subject: [chef] RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy
- Date: Fri, 25 Jul 2014 17:18:08 +0000
More follow-ups...
I've built my pem & key just using the system openssl with a conf file to
generate the SANs. I fetch it via "knife ssl fetch" which puts it in the
/etc/chef/trusted-certs/ dir. But chef-client is still failing. And 'knife
ssl check' fails saying I need the cert there, but it is there.
Am I still missing a step?
-----Original Message-----
From: Stephen Corbesero
[mailto:
Sent: Friday, July 25, 2014 11:16 AM
To:
Subject: [chef] RE: Re: Re: How do I configure the ssl to make the chef
client and server happy
Thank you Noah and Daniel,
Follow-up questions:
Do I need to use the openssl inside the /opt/chef-server/... dirs so it gets
the right openssl cnf file?
-----Original Message-----
From: Daniel DeLeo
[mailto:
On Behalf Of Daniel DeLeo
Sent: Thursday, July 24, 2014 1:57 PM
To:
Subject: [chef] Re: Re: How do I configure the ssl to make the chef client
and server happy
On Thursday, July 24, 2014 at 10:54 AM, Noah Kantrowitz wrote:
> Just generate the certificate/key yourself and provide it to the server. To
> make a self-signed cert:
>
> $ openssl req -x509 -newkey rsa:4096 -keyout chef.key -out chef.pem -nodes -days 365
>
> And then in your /etc/chef-server/chef-server.rb (you may have to create
> it):
>
> nginx['ssl_certificate'] = '/etc/chef-server/chef.pem'
> nginx['ssl_certificate_key'] = '/etc/chef-server/chef.key'
>
> You'll need to distribute the chef.pem to all clients as well, and
> configure it as a trusted CA certificate.
>
> --Noah
I think you’ll also need to set the SubjectAltName field to include each of
the hostnames you wish to use.
--
Daniel DeLeo
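
The steps discussed in this thread (a self-signed certificate built from a conf file that sets subjectAltName), followed by a check that each hostname clients will use is actually in the certificate. This is an added example, not code from any poster; the hostnames, the san.cnf file name, the function names and the KEY_BITS variable are assumptions.

```shell
#!/bin/sh
# Added example; hostnames are constructed placeholders, not from the thread.
KEY_BITS=${KEY_BITS:-2048}  # the thread's command uses rsa:4096

# make_cert DIR CN NAME...: write DIR/san.cnf, DIR/chef.key and DIR/chef.pem
make_cert() {
  dir=$1; cn=$2; shift 2
  i=0; alt=""
  for h in "$@"; do
    i=$((i + 1))
    alt="${alt}DNS.${i} = ${h}
"
  done
  # With -x509, openssl req takes extensions from the x509_extensions section.
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = $cn
[v3_san]
subjectAltName = @alt_names
[alt_names]
$alt
EOF
  # umask keeps the unencrypted (-nodes) private key readable by the owner only
  ( umask 077
    openssl req -x509 -newkey "rsa:$KEY_BITS" -nodes -days 365 \
      -config "$dir/san.cnf" -keyout "$dir/chef.key" -out "$dir/chef.pem" \
      2>/dev/null )
}

# san_names CERT: print the certificate's SAN DNS entries, one per line
san_names() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# covers_host CERT HOST: exact match only; wildcard entries are not expanded
covers_host() { san_names "$1" | grep -Fxq "$2"; }

work=$(mktemp -d)
make_cert "$work" chef.example.com chef.example.com chef
for host in chef.example.com chef chef.internal.example; do
  if covers_host "$work/chef.pem" "$host"; then echo "$host: in SAN"
  else echo "$host: NOT in SAN"; fi
done
```

Running covers_host against the certificate the server presents, with the hostname the clients are configured to use, shows whether that name is one of the SAN entries.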