How to make ChefDK tools trust untrusted SSL certificates

Jeremiah Snapp -

By default, Chef DK tools such as knife and berkshelf perform SSL/TLS verification when making HTTPS connections using the embedded cacert.pem bundle. When making connections to sites secured by self-signed SSL certificates or certificates generated by a private CA the tools will throw an error because they can not verify the security of the connections.

One option is to skip SSL verification by adding `ssl_verify_mode :verify_none` to the knife.rb file and `{ "ssl": { "verify": true } }` to the `~/.berkshelf/config.json` file but this is not a secure solution.

The knife tool provides the `knife ssl fetch [https://url]` command to fetch the SSL certificate and place it in a `.chef/trusted_certs` directory. Any subsequent knife commands should now trust connections that are secured by that certificate.

However, this solution does not work for the berkshelf tool because it doesn't look in the `.chef/trusted_certs` directory.

Appending the entire chain of untrusted SSL certificates to the end of the cacert.pem certificate bundle embedded in Chef DK is a solution that works for both knife and berkshelf.

The cacert.pem bundle is stored in the following location:

Linux/OS X - /opt/chefdk/embedded/ssl/certs/cacert.pem

Windows - C:\opscode\chefdk\embedded\ssl\certs\cacert.pem

Even though appending the certificates to the embedded cacert.pem bundle solves the problem it is still a good idea to fetch the SSL certificates to the `.chef/trusted_certs` directory on the workstation. That makes sure the certificates are available to be automatically uploaded to nodes during a bootstrap process such as the one triggered by the "knife bootstrap" command.

Here are the recommended steps.

Fetch the entire chain of SSL certificates for each server by running the following command for each server's URL.

knife ssl fetch [https://url]

Then use the following command to append those certificates to the certificate bundle embedded in Chef DK so tools like berkshelf will trust them.

cat .chef/trusted_certs/* | sudo tee -a /opt/chefdk/embedded/ssl/certs/cacert.pem

Have more questions? Submit a request


Powered by Zendesk