It's common to want to install a CA-signed SSL certificate in the Chef Server's nginx web server. But Chef Client's built-in SSL verification will not trust that certificate unless it is installed on the Chef Server together with the certificate chain that leads up to a CA the client already trusts.
First, it is not mandatory that Chef Client verify the SSL certificate; verification (ssl_verify_mode :verify_peer, the default) is just highly recommended, because the Chef API delivers the cookbooks and run lists that the node then executes as root, and an unverified connection lets anyone who can intercept that traffic substitute their own. If you still want to disable SSL verification, you can do so by adding ssl_verify_mode :verify_none to the node's client.rb file.
Reference: https://docs.chef.io/config_rb_client/
In order to properly install an SSL certificate that is signed by a public or private CA, the host's SSL certificate, the CA's intermediate certificate(s) and the CA's root certificate must be concatenated, in that order, into the single certificate file that is used when configuring SSL on the Chef Server (the file named by nginx['ssl_certificate'] in /etc/opscode/chef-server.rb, applied with chef-server-ctl reconfigure). nginx then sends the whole chain, the Chef Client can follow it from the host certificate up to a root it already trusts, and it will trust the SSL connection. A file containing only the host certificate is the usual cause of the client's verification failure: the client has no way to obtain the missing intermediate on its own.
Here are a couple of SSL documentation links for reference.
https://www.digicert.com/kb/csr-ssl-installation/nginx-openssl.htm#ssl_certificate_install
http://nginx.org/en/docs/http/configuring_https_servers.html#chains
And for the specific application of a custom internal CA signed cert, see https://docs.chef.io/runbook/server_security/#intermediate-certificates
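The following POSIX shell script is an added example, not code from this article or from Chef. It builds the combined certificate file in the order nginx expects, confirms that the host certificate is at the top, lists the subject/issuer pairs in file order, and runs `openssl verify` both with and without the intermediate so the failure the Chef Client would otherwise report is visible. The `make_demo_pki` function creates a throwaway root -> intermediate -> server PKI so the script runs offline; the file names, the `chef.example.internal` host name and the `/etc/opscode/chef-server.crt` path are assumptions.

```shell
#!/bin/sh
# Added example, not code from this article or from Chef. Builds the single
# certificate file the Chef Server's nginx expects (host cert, then the
# intermediate, then the root) and checks it before it goes into
#   nginx['ssl_certificate'] = "/etc/opscode/chef-server.crt"   (assumed path)
# in /etc/opscode/chef-server.rb, followed by `chef-server-ctl reconfigure`.
set -eu

# build_chain SERVER_CERT INTERMEDIATE_CERT ROOT_CERT OUT_FILE
# Order matters: the client walks the file from the host certificate upward,
# so the host certificate must come first and the root last.
build_chain() {
  cat "$1" "$2" "$3" > "$4"
}

# cert_count FILE -> number of PEM certificate blocks in FILE
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# first_fingerprint FILE -> SHA-256 fingerprint of the FIRST certificate only;
# `openssl x509` reads one certificate, so this shows what is at the top.
first_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# chain_subjects FILE -> "subject= / issuer=" lines in file order, for eyeballing
chain_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify_chain SERVER_CERT TRUST_ANCHOR [INTERMEDIATE]
# The same test Chef Client performs: can SERVER_CERT be chained to TRUST_ANCHOR?
# Without the intermediate the check fails, which is the symptom described above.
verify_chain() {
  if [ "$#" -ge 3 ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# served_chain HOST -> number of certificates the live server actually sends.
# A result of 1 on a server signed by an intermediate CA means the chain file
# is incomplete; `knife ssl check` will fail against that server for the same reason.
served_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# make_demo_pki DIR: constructed throwaway root -> intermediate -> server PKI
# so the script runs offline. Keys are unencrypted; demo use only.
make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:chef.example.internal\n' > "$dir/server.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj '/CN=Demo Root CA' \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Demo Issuing CA' \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=chef.example.internal' \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# Stand-alone run: `sh chain.sh demo` builds the demo PKI and checks the chain.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_demo_pki "$d"
  build_chain "$d/server.pem" "$d/inter.pem" "$d/root.pem" "$d/chain.pem"
  echo "certificates in chain file: $(cert_count "$d/chain.pem")"
  chain_subjects "$d/chain.pem"
  verify_chain "$d/server.pem" "$d/root.pem" "$d/inter.pem" && echo "with intermediate: OK"
  verify_chain "$d/server.pem" "$d/root.pem" || echo "root alone: FAILS (intermediate missing)"
fi
```

After the file is in place and the server reconfigured, `served_chain chef.example.internal` should report the full chain length (3 here), and `knife ssl check` from a workstation should report the server certificate as valid; if either shows only the host certificate, the concatenation was not picked up.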
Comments
The official public Chef Server docs on this are quite confusing.
https://docs.chef.io/server_security.html#private-certificate-authority and the section following it about "Intermediate Certificates" do not make it clear that all 3 (root, intermediate, and server) certificates need to be in the file. The "Private Certificate Authority" section says just use root + server certs. The "Intermediate Certificates" section says to use intermediate + server.
The last link also references this:
* https://docs.chef.io/chef_client_security.html#ssl-certificates