Previously, I wrote on setting up Chef Server 12.
By default, Chef Server uses a self-signed certificate. This is fine for small testing purposes, but this becomes a significant problem in production, especially when using other Ruby tools or modules that require SSL verification.
Thus, I highly recommend configuring the Chef server to run with a real, trusted SSL certificate. For this example, I got a free one from StartSSL. I chose StartSSL because it’s free, and the root CAs are already in the default OS X and iOS trust stores. As in the previous article, this is with Chef Server 12 running on CentOS 6.6 in VMWare.
In this post, all of my examples will be for “chef.sacredsf.org”. Substitute in your own example.
NOTE: you do not need to have this server exist in DNS. As long as the server knows its own hostname, you can do this all on one VM.
Once you go through the StartSSL certificate wizard, you’ll be given four things (not all filenames will be accurate, I’ve renamed them for clarity):
- The actual SSL certificate:
chef_sacredsf_org_startssl.crt - The encrypted private key:
chef_ssl_encrypted.key - The intermediate certificate:
sub.class1.server.ca.pem - The root CA certificate:
ca.pem
With all of these downloaded, here are the steps for setting up Chef to use these SSL certificates:
- First, decrypt the private key:
openssl rsa -in chef_ssl_encrypted.key -out chef.sacredsf.org.nopassphrase.key - Convert the .crt to a .pem file:
openssl x509 -in chef_sacredsf_org_startssl.crt -out chef.sacredsf.org.pem -outform PEM - Concatenate all the certs together into one .pem file:
cat chef.sacredsf.org.pem <(echo) sub.class1.server.ca.pem <(echo) ca.pem > Complete/chef.sacredsf.org.pem
(Note that I put this into a separate “Complete” folder to keep track of which one to copy)
- Copy
Complete/chef.sacredsf.org.pemandchef.sacredsf.org.nopassphrase.keyto your Chef server (viascp, or whatever mechanism works for you – since I did this in VMWare, I just used the drag-n-drop capability). - Copy the key and certificate into the trusted store for CentOS 6:
sudo cp chef.sacredsf.org.pem /etc/pki/tls/private/
sudo cp chef.sacredsf.org.nopassphrase.key /etc/pki/tls/private/ - Add the certificate and key paths to
/etc/opscode/chef-server.rb:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nginx['ssl_certificate'] = "/etc/pki/tls/private/chef.sacredsf.org.pem" nginx['ssl_certificate_key'] = "/etc/pki/tls/private/chef.sacredsf.org.nopassphrase.key" nginx['ssl_ciphers'] = "HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK" nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" Note: the last two parts,
ssl_ciphersandssl_protocolsare optional – they just harden the SSL connection against weaker forms of SSL. You can leave them out and this will work just fine. - IMPORTANT! Your server’s hostname must match the server in your certificate! Verify:
hostname -f
See https://www.centosblog.com/script-update-centos-linux-servers-hostname/ for more details on this. - Finally, reconfigure the server with the new SSL certs:
sudo chef-server-ctl reconfigure
If you have a problem here, or nginx takes too long to start up (or fails to start up), it’s almost certainly because of a problem with the certificates. Use cat to check the contents of the certs to make sure there are no typos, there is space between each BEGIN CERTIFICATE and END CERTIFICATE line (there should be 3 total), and that you copied the correct files.
You can verify your server’s SSL connection:
openssl s_client -connect chef.sacredsf.org:443
You should also verify in a web browser as well.
If all of it checks out and the web page loads, your SSL certs are working and your Chef server now uses trusted SSL!
OS X Dominion: Mastering OS X Management 
The URL in #7 is wrong. Can you please adjust it?
LikeLike
17 months on, no fix.
LikeLike