[chef] RE: Re: RE: RE: Re: Re: How do I configure the ssl to make the chef client and server happy

[Stephen Corbesero < >]

This is the error I get when I specify the actual hostname or its subject 
alternative name.  


 
 sbin]# knife ssl check -c /etc/chef/client.rb

Connecting to host oh-chef01.devops.dev.cloud.synchronoss.net:443
ERROR: The SSL certificate of oh-chef01.devops.dev.cloud.synchronoss.net 
could not be verified
Certificate issuer data: /C=US/ST=PA/L=Bethlehem/O=Synchronoss Technologies, 
Inc./OU=IT/CN=oh-chef01.devops.dev.cloud.synchronoss.net/
 

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.1h 5 Jun 2014
* Certificate file: /opt/chef/embedded/ssl/cert.pem
* Certificate directory: /opt/chef/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/etc/chef/trusted_certs"

Followed by the 'To fix this error..'


It looks like it doesn't like the certificate at all.

I have generated certs w/ SANs before, but not very often. I even use openssl 
to dump the text of my cert and do see the proper CN and the SAN.

Also, If I generate a simple cert using the command given to me originally, 
that works just fine.  If my client (or knife ssl check) tries to connect on 
the CN in the certificate, it succeeds. If I try the other name, "knife ssl 
check"  gives me a very polite message that I am trying one name, but the 
server is reporting the other.

Just to make sure that the server is in the correct state, I do a reconfigure 
and restart every time I generate a new cert.



-----Original Message-----
From: Daniel DeLeo 
[mailto:
 
 On Behalf Of Daniel DeLeo
Sent: Friday, July 25, 2014 4:06 PM
To: 

 
Subject: [chef] Re: RE: RE: Re: Re: How do I configure the ssl to make the 
chef client and server happy

On Friday, July 25, 2014 at 10:18 AM, Stephen Corbesero wrote:
> More follow-ups...
>  
> I've built my pem & key just using the system openssl with a conf file to 
> generate the SANs. I fetch it via "knife ssl fetch" which puts it in the 
> /etc/chef/trusted-certs/ dir. But chef-client is still failing. And 'knife 
> ssl check' fails saying I need the cert there, but it is there.
>  
> Am I still missing a step?

What failure message are you getting from 'knife ssl check’ ?


--  
Daniel DeLeo  
>  
>  
> -----Original Message-----
> From: Stephen Corbesero 
> [mailto:
 
>   
> Sent: Friday, July 25, 2014 11:16 AM
> To: 
> 
 
>  
> (mailto:
 )
> Subject: [chef] RE: Re: Re: How do I configure the ssl to make the chef 
> client and server happy
>  
> Thank you Noah and Daniel,
>  
> Follow-up questions:
>  
> Do I need to use the openssl inside the /opt/chef-server/... dirs so it 
> gets the right openssl cnf file?
>  
>  
>  
> -----Original Message-----
> From: Daniel DeLeo 
> [mailto:
 
>  On Behalf Of Daniel DeLeo
> Sent: Thursday, July 24, 2014 1:57 PM
> To: 
> 
 
>  
> (mailto:
 )
> Subject: [chef] Re: Re: How tdo I configure the ssl to make the chef client 
> and server happy
>  
>  
>  
> On Thursday, July 24, 2014 at 10:54 AM, Noah Kantrowitz wrote:
>  
> > Just generate the certificate/key yourself and provide it to the server. 
> > To make a self-signed cert:
> >  
> > $ openssl req -x509 -newkey rsa:4096 -keyout chef.key -out chef.pem 
> > -nodes -days 365
> >  
> > And then in your /etc/chef-server/chef-server.rb (you may have to create 
> > it):
> >  
> > nginx['ssl_certificate'] = '/etc/chef-server/chef.pem'
> > nginx['ssl_certificate_key'] = '/etc/chef-server/chef.key'
> >  
> > You'll need to distribute the chef.pem to all clients as well, and 
> > configure it as a trusted CA certificate.
> >  
> > --Noah
>  
> I think you’ll also need to set the SubjectAltName field to include each of 
> the hostnames you wish to use.
>  
> --  
> Daniel DeLeo