chef - [chef] Re: Re: How could I configurate a trusted SSL certificate in chef 12?

First login ?
Lost password ?

Subscribers: 1946
Owners
Bryan McLellan
Joshua Timberman
Nathen Harvey
Seth Chisamore
Serdar Sutay

Subscribe
Unsubscribe
Info
Archive

Post

RSS
Shared documents

General discussion about Chef

[chef] Re: Re: How could I configurate a trusted SSL certificate in chef 12?

From: Brandon Raabe < >
To:
Subject: [chef] Re: Re: How could I configurate a trusted SSL certificate in chef 12?
Date: Tue, 09 Jun 2015 14:47:12 +0000

You can also find example configurations that should pass the SSL Labs test here:

https://cipherli.st

On Tue, Jun 9, 2015 at 5:57 AM Christine Draper < "> > wrote:

I suspect you need to remove the DSS ciphers too (and probably explicitly exclude them with !DSS).

See e.g.

http://security.stackexchange.com/questions/54639/recommended-ssl-ciphers-for-security-compatibility-perfect-forward-secrecy

Regards,
Christine

On Mon, Jun 8, 2015 at 7:21 PM, bln workplace < " target="_blank"> > wrote:
Hi all,

I have the open source chef server 12 installed and I want to change the self signed SSL certificate for a trusted SSL certificate and at the same time pass the test here: https://www.ssllabs.com/ssltest/index.html

After the last Logjam vulnerability I've bought a Possitive SSL wildcard cert (I use *.mydomain.com in several servers with different subdomains) and I've put my .key file and .crt file in /etc/opscode/. In the /etc/opscode/chef-server.rb I've added:

nginx['ssl_certificate'] = "/etc/opscode/camydomain.com.crt" => here, there is a concatenated file with my serverdomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt, in this order.
nginx['ssl_certificate_key'] = "/etc/opscode/mydomain.com.key"
nginx['ssl_ciphers'] = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_dhparam'] = "/etc/ssl/private/dhparams.pem"

And I've created /etc/ssl/private/dhparams.pem with the command "openssl dhparam -out dhparams.pem 2048", following these instruccions: https://weakdh.org/sysadmin.html

Finally I run: chef-server-ctl reconfigure and I can see how it has been added in /etc/opscode/.chef-server-running.json.

But if I check my site again I obtain a B rate with the following message: "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B"

Someone knows what I am missing?

/opt/opscode/embedded/bin/openssl version
OpenSSL 1.0.1m 19 Mar 2015

Thanks in advance

[chef] How could I configurate a trusted SSL certificate in chef 12?, bln workplace, 06/08/2015
- [chef] Re: How could I configurate a trusted SSL certificate in chef 12?, Christine Draper, 06/09/2015
  - [chef] Re: Re: How could I configurate a trusted SSL certificate in chef 12?, Brandon Raabe, 06/09/2015
    - [chef] Re: Re: Re: How could I configurate a trusted SSL certificate in chef 12?, bln workplace, 06/10/2015
      - [chef] Re: Re: Re: Re: How could I configurate a trusted SSL certificate in chef 12?, Daniel DeLeo, 06/10/2015