- From: Daniel DeLeo
- To:
- Subject: [chef] Re: Re: Re: Re: How could I configurate a trusted SSL certificate in chef 12?
- Date: Wed, 10 Jun 2015 08:04:29 -0700
On Wednesday, June 10, 2015 at 7:52 AM, bln workplace wrote:
> Thanks for your answers.
>
> As far as I can see the problem is that the server ciphers default to 1024 bits.
> When I put nginx['ssl_dhparam'] = "/etc/ssl/private/dhparams.pem" in the
> /etc/opscode/chef-server.rb file this parameter doesn't apply when I run
> chef-server-ctl reconfigure, it's ignored.
>
> If I try to put this DH parameter in the
> /var/opt/opscode/nginx/etc/chef_http_lb.conf file my server uses my new
> dhparams.pem of 2048 bits so I pass the vulnerability test, but when I run
> chef-server-ctl reconfigure this parameter is gone.
>
> So my provisional solution is to create a new file in
> /var/opt/opscode/nginx/etc/nginx.d/dhparams.conf for adding non-default
> configuration to nginx, and in this file I have put the path to my new
> Diffie-Hellman group:
>
> ssl_dhparam /etc/ssl/private/dhparams.pem;
>
> I think this is a nasty solution but I don't know a better one at the
> moment. Maybe this ssl_dhparam could be recognized by default, or maybe I
> need to put this parameter in another place that I don't know, or maybe it is a
> bug...

I don’t remember any of this stuff well enough to answer your questions
directly, but the cookbook that configures chef-server is here:
https://github.com/chef/chef-server/tree/master/omnibus/files/private-chef-cookbooks/private-chef
If it doesn’t do what you need now, then you could submit a patch.
--
Daniel DeLeo