Trusting CA signed SSL Certificates

Jeremiah Snapp -

It's common to want to install a CA-signed SSL certificate in the nginx web server that fronts Chef Server. But Chef Client 12's built-in SSL verification (on by default, `ssl_verify_mode :verify_peer`) will not trust that certificate if it is installed on the Chef Server without its issuing chain.

First, it's not mandatory that chef-client verifies the SSL certificate; it's just highly recommended, because verification is what stops someone on the network from impersonating the Chef Server and handing your nodes forged cookbooks and run-lists. If you need to disable SSL verification as a short-term workaround you can do so by adding `ssl_verify_mode :verify_none` to the node's `client.rb` file.

Reference: http://docs.chef.io/config_rb_client.html

In order to properly install an SSL certificate that is signed by a public or private CA, the host's SSL certificate must be concatenated with the CA's intermediate and root certificates into the single certificate file that is used when configuring SSL on the Chef Server. Order matters: the host certificate comes first, followed by the intermediate certificate(s) in issuing order, with the root last. (The root is optional in the server's file, since the client has to trust it already, but including it does no harm.) Then the chef-client receives the complete trust chain and will trust the SSL connection.

Here are a couple of SSL documentation links for reference.

https://www.digicert.com/ssl-certificate-installation-nginx.htm

http://nginx.org/en/docs/http/configuring_https_servers.html#chains

And for the specific case of a certificate signed by a custom internal CA, see the "Intermediate Certificates" section of the following page. Note that with a private CA the nodes must also trust the CA's root certificate itself; `knife ssl fetch` places it in the node's `trusted_certs` directory. https://docs.chef.io/server_security.html#knife-title-chef-client-title
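The following script is an added example and not part of this article or of Chef's own tooling. It builds the concatenated certificate file described above and then checks it the way a TLS client would, before the file is handed to Chef Server. So that it runs offline it generates a throw-away root CA, intermediate CA and host certificate with openssl; in real use you would substitute the files your CA issued. The names (chef.example.com, "Example Root CA", "Example Issuing CA") and the file paths in the comments are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Build the bundle nginx on
# Chef Server expects (host cert, then its issuers) and verify it with openssl.
set -eu

# Issue one certificate for "$cn": self-signed when no CA cert is given,
# otherwise signed by ca_crt/ca_key. "$ext" is a one-line x509 extension.
issue_cert() {
  d=$1; name=$2; cn=$3; ext=$4; ca_crt=${5:-}; ca_key=${6:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  printf '%s\n' "$ext" > "$d/$name.ext"
  if [ -z "$ca_crt" ]; then
    openssl x509 -req -days 1 -in "$d/$name.csr" -signkey "$d/$name.key" \
      -extfile "$d/$name.ext" -out "$d/$name.crt" 2>/dev/null
  else
    openssl x509 -req -days 1 -in "$d/$name.csr" -CA "$ca_crt" -CAkey "$ca_key" \
      -CAcreateserial -extfile "$d/$name.ext" -out "$d/$name.crt" 2>/dev/null
  fi
}

# Throw-away PKI standing in for what a public or internal CA would issue.
make_demo_pki() {
  p=$1
  issue_cert "$p" root "Example Root CA" "basicConstraints=critical,CA:TRUE"
  issue_cert "$p" intermediate "Example Issuing CA" "basicConstraints=critical,CA:TRUE" \
    "$p/root.crt" "$p/root.key"
  issue_cert "$p" server "chef.example.com" "subjectAltName=DNS:chef.example.com" \
    "$p/intermediate.crt" "$p/intermediate.key"
}

# The bundle: host certificate first, then the intermediate(s), root last.
build_chain() {
  b=$1
  cat "$b/server.crt" "$b/intermediate.crt" "$b/root.crt" > "$b/chain.pem"
  printf '%s\n' "$b/chain.pem"
}

# Returns 0 when each certificate in the bundle is followed by its issuer,
# i.e. the file is in the order nginx and chef-client need.
check_chain_order() {
  bundle=$1
  parts=$(mktemp -d)
  awk -v out="$parts" '/-----BEGIN CERTIFICATE-----/{n++}
    n>0 { f = sprintf("%s/%03d.pem", out, n); print > f }' "$bundle"
  prev_issuer=""
  for part in "$parts"/*.pem; do
    subject=$(openssl x509 -in "$part" -noout -subject | sed 's/^subject=//')
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
      rm -rf "$parts"; return 1
    fi
    prev_issuer=$(openssl x509 -in "$part" -noout -issuer | sed 's/^issuer=//')
  done
  rm -rf "$parts"
  return 0
}

# Verify the host certificate (first in the bundle) up to the given root,
# using the rest of the bundle as untrusted intermediates, like a client does.
verify_chain() {
  bundle=$1; root=$2
  leaf=$(mktemp)
  openssl x509 -in "$bundle" -out "$leaf"
  openssl verify -CAfile "$root" -untrusted "$bundle" "$leaf" >/dev/null 2>&1
  rc=$?
  rm -f "$leaf"
  return $rc
}

demo=$(mktemp -d)
make_demo_pki "$demo"
bundle=$(build_chain "$demo")
check_chain_order "$bundle" && echo "order ok: host cert first, then its issuers"
verify_chain "$bundle" "$demo/root.crt" && echo "chain verifies up to the root"
# Next, in a real installation (paths illustrative), point Chef Server at the
# bundle and the host key in /etc/opscode/chef-server.rb:
#   nginx['ssl_certificate']     = "/etc/opscode/chef.example.com.pem"
#   nginx['ssl_certificate_key'] = "/etc/opscode/chef.example.com.key"
# then run `chef-server-ctl reconfigure`, and `knife ssl check` from a workstation.
```

The order check catches the most common mistake (root or intermediate pasted above the host certificate), and the verify step catches a missing intermediate, which is exactly what chef-client rejects: a leaf it cannot walk up to a trusted root.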
