- From: Daniel DeLeo
- To:
- Subject: [chef] Re: Chef 12 Server trusted_certs
- Date: Fri, 23 Jan 2015 12:59:48 -0800
On Friday, January 23, 2015 at 10:52 AM, Douglas Garstang wrote:
> Chef 12... where do I get the trusted cert from?
>
> Doug
Trusted certs are a feature added in Chef 11 to make it easier to enable the
‘verify_peer’ setting for SSL validation. Just to be clear, trusted certs
have nothing to do with the Chef Server’s authentication/authorization
mechanisms, they’re only used by chef-client/knife when connecting to the
server using SSL/TLS. Part of the SSL/TLS process is checking whether the
server is trustworthy by checking that the certificate provided by the server
is signed by a trusted root certificate. If you buy a cert from Verisign (or
any of the other CAs) and install it on your Chef Server, everything will
work out of the box because the Chef packages include all the usual root
certificates. Most folks running their own server, however, are using a
self-signed cert generated by the server (during the initial
install/reconfigure step). Since the certificate is only signed by itself,
chef-client/knife can’t verify the authenticity of the server without
additional configuration. The typical mechanism for doing this is to
regenerate the root CA bundle with your self-signed cert included, but that’s
a bit of a pain, which is where the trusted certs feature comes in. Instead
of rebuilding the cert bundle, you can simply copy the certificate you want
chef/knife to trust to your trusted certs directory and (as long as the host
name, etc. match) chef/knife will accept the certificate when doing the
SSL/TLS parts of connecting to your Chef Server.

Knife includes a `knife ssl fetch` command which can automatically download
the certificate from the server and install it to the trusted certs
directory. In practice this is basically like if you connect to a site with
an unknown cert in your browser and click the “trust this cert for this
server from now on” button. The one risk is if you’ve already been MITM’d,
then you’re going to trust the MITM’s certificate, so for maximum safety, you
should double check that the cert has the content you expect. Joshua has
written up the steps to do all that here:
http://jtimberman.housepub.org/blog/2014/12/11/chef-12-fix-untrusted-self-sign-certs/

Also note that `knife ssl check` is a debugging tool to help you diagnose SSL
connection problems, but again, it only deals with the actual transport layer
connection to the Chef Server, so it doesn’t care at all about anything at
the application layer (like HTTP 401 responses and such).
HTH,
--
Daniel DeLeo
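An added example (not from the thread or from the Chef project) showing in Ruby's stdlib OpenSSL what the reply describes: a self-signed server cert fails peer verification against the default roots, passes once its PEM is placed in a trusted_certs directory (the way `knife ssl fetch` does), and exposes a fingerprint you can compare against the one the server operator reports before trusting it. The hostname `chef.example.internal` and the generated certificate are constructed for the example; the store-building logic mirrors, but is not, chef-client's own.

```ruby
require "openssl"
require "fileutils"
require "tmpdir"

# Constructed stand-in for the self-signed cert a Chef Server generates at
# install/reconfigure time. Issuer == subject, so nothing else vouches for it.
def make_self_signed_cert(cn = "chef.example.internal")
  key  = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint`
# prints. Compare this out of band with the value read off the server itself;
# a mismatch means the cert you fetched is not the one the server serves.
def fingerprint(cert)
  OpenSSL::Digest.new("SHA256").hexdigest(cert.to_der).scan(/../).join(":").upcase
end

# Verify as a verify_peer client would: default CA roots plus every PEM file
# in trusted_dir. Returns [verified?, openssl reason string].
def verified_with?(cert, trusted_dir)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  Dir.glob(File.join(trusted_dir, "*.{crt,pem}")).each { |f| store.add_file(f) }
  [store.verify(cert), store.error_string]
end

# What `knife ssl fetch` does for a host: write the served cert into
# trusted_dir as <host with dots replaced by underscores>.crt.
def install_trusted_cert(cert, trusted_dir, hostname)
  FileUtils.mkdir_p(trusted_dir)
  path = File.join(trusted_dir, "#{hostname.tr('.', '_')}.crt")
  File.write(path, cert.to_pem)
  path
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    cert = make_self_signed_cert
    puts "before fetch: #{verified_with?(cert, dir).inspect}"
    install_trusted_cert(cert, dir, "chef.example.internal")
    puts "after fetch:  #{verified_with?(cert, dir).inspect}"
    puts "fingerprint to confirm with the server operator: #{fingerprint(cert)}"
  end
end
```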