chef - [chef] How could I configurate a trusted SSL certificate in chef 12?

First login ?
Lost password ?

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] How could I configurate a trusted SSL certificate in chef 12?

From: bln workplace < >
To:
Subject: [chef] How could I configurate a trusted SSL certificate in chef 12?
Date: Tue, 9 Jun 2015 02:21:16 +0200

Hi all,

I have the open source chef server 12 installed and I want to change the self signed SSL certificate for a trusted SSL certificate and at the same time pass the test here: https://www.ssllabs.com/ssltest/index.html

After the last Logjam vulnerability I've bought a Possitive SSL wildcard cert (I use *.mydomain.com in several servers with different subdomains) and I've put my .key file and .crt file in /etc/opscode/. In the /etc/opscode/chef-server.rb I've added:

nginx['ssl_certificate'] = "/etc/opscode/camydomain.com.crt" => here, there is a concatenated file with my serverdomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt, in this order.

nginx['ssl_certificate_key'] = "/etc/opscode/mydomain.com.key"

nginx['ssl_ciphers'] = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"

nginx['ssl_prefer_server_ciphers'] = "on"

nginx['ssl_dhparam'] = "/etc/ssl/private/dhparams.pem"

And I've created /etc/ssl/private/dhparams.pem with the command "openssl dhparam -out dhparams.pem 2048", following these instruccions: https://weakdh.org/sysadmin.html

Finally I run: chef-server-ctl reconfigure and I can see how it has been added in /etc/opscode/.chef-server-running.json.

But if I check my site again I obtain a B rate with the following message: "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B"

Someone knows what I am missing?

/opt/opscode/embedded/bin/openssl version

OpenSSL 1.0.1m 19 Mar 2015

Thanks in advance

[chef] How could I configurate a trusted SSL certificate in chef 12?, bln workplace, 06/08/2015
- [chef] Re: How could I configurate a trusted SSL certificate in chef 12?, Christine Draper, 06/09/2015
  - [chef] Re: Re: How could I configurate a trusted SSL certificate in chef 12?, Brandon Raabe, 06/09/2015
    - [chef] Re: Re: Re: How could I configurate a trusted SSL certificate in chef 12?, bln workplace, 06/10/2015
      - [chef] Re: Re: Re: Re: How could I configurate a trusted SSL certificate in chef 12?, Daniel DeLeo, 06/10/2015