chef - [chef] Re: RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy

From: Daniel DeLeo < >
To:
Subject: [chef] Re: RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy
Date: Fri, 25 Jul 2014 13:06:03 -0700

On Friday, July 25, 2014 at 10:18 AM, Stephen Corbesero wrote:
> More follow-ups...
>
> I've built my pem & key just using the system openssl with a conf file to
> generate the SANs. I fetch it via "knife ssl fetch" which puts it in the
> /etc/chef/trusted-certs/ dir. But chef-client is still failing. And 'knife
> ssl check' fails saying I need the cert there, but it is there.
>
> Am I still missing a step?

What failure message are you getting from 'knife ssl check’ ?

--
Daniel DeLeo
>
>
> -----Original Message-----
> From: Stephen Corbesero
> [mailto:
>
> Sent: Friday, July 25, 2014 11:16 AM
> To:
>
>
> (mailto: )
> Subject: [chef] RE: Re: Re: How do I configure the ssl to make the chef
> client and server happy
>
> Thank you Noah and Daniel,
>
> Follow-up questions:
>
> Do I need to use the openssl inside the /opt/chef-server/... dirs so it
> gets the right openssl cnf file?
>
>
>
> -----Original Message-----
> From: Daniel DeLeo
> [mailto:
>  On Behalf Of Daniel DeLeo
> Sent: Thursday, July 24, 2014 1:57 PM
> To:
>
>
> (mailto: )
> Subject: [chef] Re: Re: How tdo I configure the ssl to make the chef client
> and server happy
>
>
>
> On Thursday, July 24, 2014 at 10:54 AM, Noah Kantrowitz wrote:
>
> > Just generate the certificate/key yourself and provide it to the server.
> > To make a self-signed cert:
> >
> > $ openssl req -x509 -newkey rsa:4096 -keyout chef.key -out chef.pem
> > -nodes -days 365
> >
> > And then in your /etc/chef-server/chef-server.rb (you may have to create
> > it):
> >
> > nginx['ssl_certificate'] = '/etc/chef-server/chef.pem'
> > nginx['ssl_certificate_key'] = '/etc/chef-server/chef.key'
> >
> > You'll need to distribute the chef.pem to all clients as well, and
> > configure it as a trusted CA certificate.
> >
> > --Noah
>
> I think you’ll also need to set the SubjectAltName field to include each of
> the hostnames you wish to use.
>
> --
> Daniel DeLeo

[chef] How tdo I configure the ssl to make the chef client and server happy, Stephen Corbesero, 07/24/2014
- [chef] Re: How tdo I configure the ssl to make the chef client and server happy, Noah Kantrowitz, 07/24/2014
  - [chef] Re: Re: How tdo I configure the ssl to make the chef client and server happy, Daniel DeLeo, 07/24/2014
    - [chef] RE: Re: Re: How do I configure the ssl to make the chef client and server happy, Stephen Corbesero, 07/25/2014
      - [chef] RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy, Stephen Corbesero, 07/25/2014
        
        [chef] Re: RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy, Daniel DeLeo, 07/25/2014
        
        [chef] RE: Re: RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy, Stephen Corbesero, 07/25/2014
        
        [chef] Re: RE: Re: RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy, Daniel DeLeo, 07/25/2014
        [chef] RE: Re: RE: Re: RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy, Stephen Corbesero, 07/28/2014