[chef] RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy

[Stephen Corbesero < >]

More follow-ups...

I've built my pem & key just using the system openssl with a conf file to 
generate the SANs.  I fetch it via "knife ssl fetch" which puts it in the 
/etc/chef/trusted-certs/ dir.  But chef-client is still failing.  And 'knife 
ssl check' fails saying I need the cert there, but it is there.

Am I still missing a step?


-----Original Message-----
From: Stephen Corbesero 
[mailto:
 
 
Sent: Friday, July 25, 2014 11:16 AM
To: 

 
Subject: [chef] RE: Re: Re: How do I configure the ssl to make the chef 
client and server happy

Thank you Noah and Daniel,

Follow-up questions:

Do I need to use the openssl inside the /opt/chef-server/... dirs so it gets 
the right openssl cnf file?



-----Original Message-----
From: Daniel DeLeo 
[mailto:
 
 On Behalf Of Daniel DeLeo
Sent: Thursday, July 24, 2014 1:57 PM
To: 

 
Subject: [chef] Re: Re: How tdo I configure the ssl to make the chef client 
and server happy



On Thursday, July 24, 2014 at 10:54 AM, Noah Kantrowitz wrote:

> Just generate the certificate/key yourself and provide it to the server. To 
> make a self-signed cert:
>  
> $ openssl req -x509 -newkey rsa:4096 -keyout chef.key -out chef.pem -nodes 
> -days 365
>  
> And then in your /etc/chef-server/chef-server.rb (you may have to create 
> it):
>  
> nginx['ssl_certificate'] = '/etc/chef-server/chef.pem'
> nginx['ssl_certificate_key'] = '/etc/chef-server/chef.key'
>  
> You'll need to distribute the chef.pem to all clients as well, and 
> configure it as a trusted CA certificate.
>  
> --Noah
I think you’ll also need to set the SubjectAltName field to include each of 
the hostnames you wish to use.

--  
Daniel DeLeo