Meta tags:
description= This guide covers the security features available in Chef Infra Server.
SSL Certificates
Initial configuration of the Chef Infra Server is done automatically
using a self-signed certificate to create the certificate and private
key files for Nginx. This section details the process for updating a
Chef Infra Server’s SSL certificate.;
Headings (most frequently used words):
chef, ssl, certificates, infra, server, key, installation, private, certificate, security, credentials, management, encryption, between, and, external, postgresql, rotation, automatic, recommended, manual, protocols, knife, client, authority, intermediate, verify, was, signed, by, proper, regenerate, add, on, compatibility, etc, opscode, secrets, json,
Text of the page (most frequently used words):
chef (228), the (166), #server (102), infra (85), and (82), ssl (55), nginx (51), certificate (48), for (46), overview (46), key (38), certificates (36), #install (33), postgresql (32), file (32), with (31), version (30), automate (30), builder (30), deployment (28), tlsv1 (27), node (26), opscode (25), this (24), configure (24), aws (24), about (23), client (22), rsa (22), ecdhe (21), aes256 (21), private (20), gcm (20), sha384 (20), 256 (20), habitat (20), ctl (18), settings (18), supermarket (18), upgrade (18), all (17), etc (17), management (17), using (17), following (17), manage (17), api (17), add (16), configuration (16), users (16), crt (16), packages (16), prem (16), are (15), will (15), that (15), root (15), files (15), config (15), from (14), opt (14), reference (14), security (13), community (13), backend (13), fqdn (13), workstation (13), create (13), nodes (13), not (12), your (12), openssl (12), var (12), example (12), license (12), 360 (12), managed (12), used (11), use (11), external (11), secrets (11), verify (11), authority (11), database (11), knife (10), can (10), connections (10), machine (10), data (10), private_chef (10), compliance (10), platform (10), backup (10), restore (10), effortless (10), recovery (10), saas (10), started (10), opensearch (10), credentials (9), intermediate (9), installation (9), run (9), set (9), new (9), system (9), guide (9), signed (8), user (8), log (8), command (8), local (8), default (8), service (8), supported (8), update (8), cloud (8), resources (8), prerequisites (8), origin (8), disaster (8), requirements (8), desktop (8), iam (8), between (7), page (7), you (7), more (7), then (7), which (7), troubleshooting (7), versions (7), rotation (6), json (6), regenerate (6), was (6), feedback (6), support (6), information (6), commands (6), start (6), reconfigure (6), these (6), should (6), setting (6), generated (6), ssl_certificate_key (6), ssl_certificate (6), single (6), end (6), exist (6), content (6), 
ssl_ciphers (6), high (6), cookbooks (6), audit (6), migrate (6), inspec (6), style (6), cookstyle (6), cluster (6), services (6), package (6), logs (6), get (6), integrations (6), dashboard (6), applications (6), enterprise (6), see (5), their (5), policy (5), terms (5), licensing (5), contents (5), how (5), hostssl (5), only (5), conf (5), keys (5), csr (5), error (5), during (5), ssl_signing_conf (5), ssl_keyfile (5), resource (5), ssl_protocols (5), tls (5), progress (4), names (4), trademarks (4), other (4), any (4), encryption (4), compatibility (4), proper (4), table (4), still (4), postgres (4), psql (4), session (4), running (4), restart (4), md5 (4), sudo (4), ons (4), locations (4), insecure_addon_compat (4), custom (4), values (4), after (4), configured (4), host (4), pem (4), list (4), self (4), ssl_crtfile (4), server_name (4), value (4), communication (4), pki (4), send (4), downloads (4), uninstall (4), organizations (4), groups (4), roles (4), saml (4), ldap (4), packs (4), profiles (4), download (4), apis (4), upgrades (4), monitor (4), quick (4), deprecations (4), cops (4), firewalls (4), ports (4), authentication (4), authorization (4), availability (4), core (4), origins (4), profile (4), minio (4), cookbook (4), application (4), enrollment (4), setup (4), infrastructure (4), getting (4), migration (4), courier (4), tokens (4), jobs (4), app (4), integration (4), elasticsearch (4), amazon (4), a2ha (4), premises (4), platforms (4), edition (4), product (3), one (3), does (3), protocols (3), manual (3), automatic (3), recommended (3), edit (3), github (3), cipher (3), show (3), enabled (3), into (3), path (3), pg_hba (3), non (3), paths (3), place (3), ensure (3), both (3), access (3), over (3), administration (3), passwords (3), share (3), secure (3), allow (3), write (3), name (3), lists (3), password (3), writes (3), those (3), directory (3), original (3), mismatch (3), sha1 (3), x509 (3), internal (3), systems (3), because (3), back (3), 
failure (3), later (3), not_if (3), mode (3), 0755 (3), group (3), owner (3), join (3), nginx_ca_dir (3), macos (3), windows (3), rc4 (3), https (3), docs (3), tuning (3), load (3), certs (3), available (3), herein (2), software (2), corporation (2), its (2), subsidiaries (2), affiliates (2), rights (2), reserved (2), respective (2), owners (2), 2026 (2), modified (2), improve (2), document (2), rows (2), pg_stat_ssl (2), select (2), enter (2), instance (2), state (2), require (2), done (2), unix (2), domain (2), here (2), prevent (2), specify (2), have (2), correct (2), permissions (2), compiled (2), machines (2), must (2), contain (2), allows (2), make (2), trusted (2), older (2), false (2), provided (2), such (2), without (2), including (2), them (2), where (2), written (2), automatically (2), necessary (2), organization (2), has (2), delete (2), same (2), like (2), part (2), need (2), previous (2), stdin (2), 05b4f62e52fe7ce2351ff81d3e1060c0cdf1fa24 (2), 432 (2), lxc (2), noout (2), modulus (2), when (2), match (2), possible (2), occur (2), process (2), cat (2), append (2), cacert (2), optionally (2), already (2), requests (2), made (2), embedded (2), bin (2), req (2), eoh (2), req_distinguished_name (2), releases (2), psk (2), sslv2 (2), seed (2), camellia (2), anull (2), adh (2), enull (2), exp (2), medium (2), low (2), kedh (2), nil (2), man1 (2), than (2), characters (2), certifying (2), initial (2), environments (2), bags (2), clients (2), active (2), console (2), legacy (2), azure (2), remediation (2), release (2), notes (2), what (2), scaffolding (2), variables (2), pattern (2), attributehelper (2), attributedefault (2), useplatformhelpers (2), unnecessaryplatformcasestatement (2), unnecessaryoscheck (2), trueclassfalseclassresourceproperties (2), simplifyplatformmajorversioncheck (2), overlycomplexsupportsdependsmetadata (2), negatingonlyif (2), includerecipewithparentheses (2), immediatenotificationtiming (2), filemode (2), defaultcopyrightcomments 
(2), copyrightcommentformat (2), commentsentencespacing (2), commentformat (2), chefwhaaat (2), attributekeys (2), invalidlicensestring (2), insecurecookbookurl (2), includeresourceexamples (2), includeresourcedescriptions (2), includepropertydescriptions (2), emptymetadatafield (2), defaultmetadatamaintainer (2), sharing (2), sshprivatekey (2), unlessdefinedrequire (2), requirenethttps (2), legacypowershelloutmethods (2), gemspecrequirerubygems (2), gemspeclicense (2), ruby (2), usecreateifmissing (2), unnecessarynameproperty (2), unnecessarydesiredstate (2), suggestsmetadata (2), stringpropertywithnildefault (2), sensitivepropertyinresource (2), resourcewithnothingaction (2), replacesmetadata (2), recipemetadata (2), providesmetadata (2), propertywithrequiredanddefault (2), propertysplatregex (2), ohaiattributetostring (2), namepropertyisrequired (2), multipleplatformchecks (2), longdescriptionmetadata (2), groupingmetadata (2), doublecompiletime (2), customresourcewithallowedactions (2), conflictsmetadata (2), attributemetadata (2), aptrepositorynotifiesaptupdate (2), aptrepositorydistributiondefault (2), redundantcode (2), zipfileresource (2), windowszipfileusage (2), windowsscresource (2), windowsregistryuac (2), whyrunsupportedtrue (2), useszypperrepo (2), userequirerelative (2), usemultipackageinstalls (2), usecheflanguagesystemdhelper (2), usecheflanguageenvhelpers (2), usecheflanguagecloudhelpers (2), usebuildessentialresource (2), unnecessarymixlibshelloutrequire (2), unnecessarydependschef15 (2), unnecessarydependschef14 (2), sysctlparamresource (2), simplifyaptppasetup (2), shellouttochocolatey (2), shellouthelper (2), sevenziparchiveresource (2), setorreturninresources (2), respondtoresourcename (2), respondtoprovides (2), respondtoinmetadata (2), respondtocompiletime (2), resourcenamefrominitialize (2), resourceforcingcompiletime (2), providesfrominitialize (2), propertywithnameattribute (2), powershellscriptexpandarchive (2), 
powershellinstallwindowsfeature (2), powershellinstallpackage (2), powershellguardinterpreter (2), osxconfigprofileresource (2), opensslx509resource (2), opensslrsakeyresource (2), noderolesinclude (2), nodeinitpackage (2), minitesthandlerusage (2), macosxuserdefaults (2), libarchivefileresource (2), legacyberksfilesource (2), includingwindowsdefaultrecipe (2), includingohaidefaultrecipe (2), includingmixinshelloutinresources (2), includingaptdefaultrecipe (2), ifprovidesdefaultaction (2), foodcriticcomments (2), executetzutil (2), executesysctl (2), executesleep (2), executescexe (2), executeaptupdate (2), emptyresourceinitializemethod (2), dslincludeinresource (2), dependsonzyppercookbook (2), dependsonwindowsfirewallcookbook (2), dependsontimezonelwrpcookbook (2), dependsonopensslcookbook (2), dependsonlocalecookbook (2), dependsonkernelmodulecookbook (2), dependsonchocolateycookbooks (2), dependsonchefvaultcookbook (2), definitions (2), defineschefspecmatchers (2), defaultactionfrominitialize (2), declareactionclass (2), databaghelpers (2), customresourcewithattributes (2), cronmanageresource (2), crondfileortemplate (2), conditionalusingtest (2), classevalactionclass (2), chefgemnokogiri (2), allowedactionsfrominitialize (2), actionmethodinresource (2), modernize (2), searchforenvironmentsorroles (2), dependschefvault (2), cookbookusessearch (2), cookbookusesroles (2), cookbookusespolicygroups (2), cookbookusesenvironments (2), cookbookusesdatabags (2), chefvaultused (2), berksfile (2), windowsversionhelpers (2), windowstaskchangeaction (2), windowspackageinstallertypestring (2), windowsfeatureservermanagercmd (2), verifypropertyusesfileexpansion (2), useyamldump (2), usesruncommandhelper (2), usesdeprecatedmixins (2), useschefresthelpers (2), userdeprecatedsupportsproperty (2), useinlineresourcesdefined (2), useautomaticresourcename (2), searchusespositionalparameters (2), rubyblockcreateaction (2), ruby27keywordargumentwarnings (2), 
resourcewithoutunifiedtrue (2), resourceusesupdatedmethod (2), resourceusesproviderbasemethod (2), resourceusesonlyresourcename (2), resourceusesdslnamemethod (2), resourceoverridesprovidesmethod (2), resourceinheritsfromcompatresource (2), requirerecipe (2), powershellcookbookhelpers (2), policyfilecommunitysource (2), poisearchiveusage (2), partialsearchhelperusage (2), partialsearchclassusage (2), nodesetwithoutlevel (2), nodesetunless (2), nodeset (2), nodemethodsinsteadofattributes (2), nodedeepfetch (2), namepropertywithdefaultvalue (2), macosuserdefaultsglobalproperty (2), logresourcenotifications (2), localedeprecatedlcallproperty (2), librarianchefspec (2), legacyyumcookbookrecipes (2), legacynotifysyntax (2), launchddeprecatedhashproperty (2), includingyumdnfcompatrecipe (2), includingxmlrubyrecipe (2), hwrpwithoutunifiedtrue (2), hwrpwithoutprovides (2), foodcritictesting (2), foodcriticfile (2), executerelativecreateswithoutcwd (2), executepathproperty (2), erlcallresource (2), epicfail (2), eolauditmodeusage (2), easyinstallresource (2), deprecatedyumrepositoryproperties (2), deprecatedyumrepositoryactions (2), deprecatedwindowsversioncheck (2), deprecatedsudoactions (2), deprecatedshelloutmethods (2), deprecatedplatformmethods (2), deprecatedchefspecplatform (2), dependsonomnibusupdatercookbook (2), dependsonchefreportingcookbook (2), dependsonchefnginxcookbook (2), delivery (2), cookbooksdependsonself (2), cookbookdependsonpoise (2), cookbookdependsonpartialsearch (2), cookbookdependsoncompatresource (2), chocolateypackageuninstallaction (2), chefwindowsplatformhelper (2), chefsugarhelpers (2), chefspeclegacyrunner (2), chefspeccoveragereport (2), chefshellout (2), chefrewind (2), chefhandlerusessupports (2), chefhandlerrecipe (2), cheffile (2), chefdkgenerators (2), tmppath (2), supportsmustbefloat (2), serviceresource (2), scopedfileexist (2), resourcewithnoneaction (2), resourcesetsnameproperty (2), resourcesetsinternalproperties (2), 
propertywithouttype (2), powershellscriptdeletefile (2), powershellfileexists (2), opensslpasswordhelpers (2), octalmodeasstring (2), notifiesactionnotsymbol (2), nodenormalunless (2), nodenormal (2), metadatamissingversion (2), metadatamissingname (2), metadatamalformeddepends (2), malformedplatformvalueforplatformhelper (2), macosuserdefaultsinvalidtype (2), lazyinresourceguard (2), lazyevalnodeattributedefaults (2), invalidversionmetadata (2), invalidplatformvalueforplatformhelper (2), invalidplatformvalueforplatformfamilyhelper (2), invalidplatformmetadata (2), invalidplatformincase (2), invalidplatformhelper (2), invalidplatformfamilyincase (2), invalidplatformfamilyhelper (2), invalidnotificationtiming (2), invalidnotificationresource (2), invaliddefaultaction (2), invalidcookbookname (2), incorrectlibraryinjection (2), emptyresourceguard (2), dnfpackageallowdowngrades (2), cookbookusesnodesave (2), conditionalrubyshellout (2), chefapplicationfatal (2), blockguardwithonlystring (2), correctness (2), v25 (2), v26 (2), optional (2), usage (2), tiered (2), airgap (2), capacity (2), planning (2), plan (2), base (2), 2025 (2), refresh (2), strategy (2), account (2), bootstrap (2), membership (2), rbac (2), rotate (2), separate (2), scale (2), frontend (2), artifactory (2), artifact (2), store (2), warm (2), spare (2), env (2), connect (2), windows_update_settings (2), windows_power_management (2), windows_password_policy (2), windows_ie_esc (2), windows_firewall (2), windows_disk_encryption (2), windows_desktop_winrm_settings (2), windows_desktop_screensaver (2), windows_defender_exclusion (2), windows_defender (2), windows_choco_installer (2), windows_automatic_logout (2), windows_app_management (2), windows_admin_control (2), rescue_account (2), macos_power_management (2), macos_password_policy (2), macos_firewall (2), macos_disk_encryption (2), macos_desktop_screensaver (2), macos_automatic_software_updates (2), macos_automatic_logout (2), macos_app_management 
(2), macos_admin_control (2), zero (2), touch (2), redirect (2), sso (2), opsworks (2), skills (2), guides (2), enroll (2), clis (2), san (2), best (2), practices (2), feature (2), flags (2), cli (2), architecture (2), administrator (2), incident (2), servicenow (2), marketplace (2), runs (2), scan (2), reports (2), eas (2), event (2), feed (2), teams (2), policies (2), actions (2), projects (2), lifecycle (2), feeds (2), notifications (2), cleanup (2), monitoring (2), centralize (2), large (2), report (2), ingestion (2), invalid (2), login (2), attempts (2), telemetry (2), timeout (2), disclosure (2), panel (2), banner (2), collection (2), topics (2), manager (2), bastion (2), rds (2), vpc (2), cidr (2), balancer (2), faqs (2), performance (2), benchmarks (2), view (2), bootstrapping (2), generation (2), remove (2), existing (2), efs (2), object (2), storage (2), filesystem (2), customer (2), airgapped (2), tutorial (2), shortcodes (2), front (2), matter (2), reuse (2), hugo (2), procedures (2), tables (2), headings (2), notices (2), markdown (2), linking (2), formatting (2), tools (2), house (2), contribute (2), guidelines (2), contributions (2), commercial (2), script (2), accept (2), training (2), blog (2), main (2), certain, registered, countries, appropriate, markings, contained, inclusion, imply, endorsement, affiliation, sponsorship, copyright, last, february, cookie, privacy, trademark, site, map, thank, submit, fill, field, ask, contact, stuck, help, yes, helpful, 16119, 16102, 16101, 16100, 16099, 16098, 16097, 16096, 16095, 16094, 16093, 16092, 16091, 16090, 16089, 16088, 16087, 16086, 16085, 16084, 16083, pid, bits, compression, clientdn, return, true, row, opscode_chef, way, examine, sql, queries, sslmode, line, typically, 192, 168, 100, nonlocal, 128, ipv6, 127, ipv4, peer, socket, sample, different, accepting, change, relevant, ssl_key_file, ssl_cert_file, cert, enable, editing, directories, they, filenames, ownerships, applies, whether, compiling, 
own, source, pre, binary, installed, gain, typical, scenario, enabling, networked, together, accessible, encrypt, traffic, instructions, encompassing, assume, some, familiarity, consult, documentation, while, plaintext, safe, untrusted, format, deployments, conform, regulations, forbid, appearance, sensitive, plain, text, however, meaningfully, read, contains, underlying, stores, thus, restricted, newer, also, minimum, restrictive, greater, via, provide, multiple, inside, designed, maintain, option, further, restrict, latest, location, limits, disk, created, defined, referenced, two, please, found, hostname, located, named, determine, stop, regenerated, periodically, important, protecting, vulnerabilities, helps, stored, being, compromised, fix, generate, produce, along, away, tell, sure, doesn, emerg, ssl_ctx_use_privatekey_file, failed, 0b080074, routines, x509_check_private_key, your_hostname, certificatesigningrequest, question, always, output, don, random, newly, symptoms, issue, look, 3rd, party, providers, verisign, usual, treatment, but, mimics, behaves, followed, fetch, verbose, purpose, sslserver, cafile, check, combined, validity, well, appear, ships, operating, web, browsers, currently, deployed, able, issued, manner, trust, follow, chain, enough, globally, known, cacerts, design, until, verifiable, added, request, sent, sslerror, ssl_connect, sslv3, errno, returned, validation, connecting, com, responds, similar, downloading, enables, verification, means, recognized, downloaded, run_action, days, 3650, run_context, block, ruby_block, crtfile, emailaddress, ssl_email_address, ssl_organizational_unit_name, ssl_company_name, ssl_locality_name, ssl_state_name, ssl_country_name, prompt, distinguished_name, genrsa, 2048, unless, shows, sets, configures, suite, configurable, starting, defaults, enhanced, defaulted, allowed, less, linux, life, protocol, suites, establish, connection, favor, forward, drop, prefix, sha, copying, reflect, desired, level, 
hardness, www, org, ciphers, html, note, often, effort, resolvable, lowercase, fewer, suffix, requires, longer, warning, replace, been, updated, manually, placing, obtained, save, define, description, adding, section, details, updating, covers, features, menu, search, skip,
Text of the page (random words):
nginx ssl_certificate_key the certificate key used for ssl communication and then setting their values to define the paths to the certificate and key for example nginx ssl_certificate etc pki tls certs your host crt nginx ssl_certificate_key etc pki tls private your host key save the file and then run the following command sudo chef server ctl reconfigure for more information about the server configuration file see chef server rb manual installation ssl certificates can be updated manually by placing the certificate and private key file obtained from the certifying authority in the correct files after the initial configuration of chef infra server the locations of the certificate and private key files are var opt opscode nginx ca fqdn crt var opt opscode nginx ca fqdn key because the fqdn has already been configured do the following replace the contents of var opt opscode nginx ca fqdn crt and var opt opscode nginx ca fqdn key with the certifying authority s files reconfigure the chef infra server chef server ctl reconfigure restart the nginx service to load the new key and certificate chef server ctl restart nginx warning the fqdn for the chef infra server should be resolvable lowercase and have fewer than 64 characters including the domain suffix when using openssl as openssl requires the cn in a certificate to be no longer than 64 characters ssl protocols the following settings are often modified from the default as part of the tuning effort for the nginx service and to configure the chef infra server to use ssl certificates note see https www openssl org docs man1 0 2 man1 ciphers html for more information about the values used with the nginx ssl_ciphers and nginx ssl_protocols settings after copying ssl certificate files to the chef infra server update the nginx ssl_certificate and nginx ssl_certificate_key settings to specify the paths to those files and then optionally update the nginx ssl_ciphers and nginx ssl_protocols settings to reflect the desired level 
of hardness for the chef infra server for example nginx ssl_certificate etc pki tls private name of pem nginx ssl_certificate_key etc pki tls private name of key nginx ssl_ciphers high medium low kedh anull adh enull exp sslv2 seed camellia psk nginx ssl_protocols tlsv1 2 nginx ssl_certificate the ssl certificate used to verify communication over https default value nil nginx ssl_certificate_key the certificate key used for ssl communication default value nil nginx ssl_ciphers the list of supported cipher suites that are used to establish a secure connection to favor aes256 with ecdhe forward security drop the rc4 sha rc4 md5 rc4 rsa prefix for example nginx ssl_ciphers high medium low kedh anull adh enull exp sslv2 seed camellia psk nginx ssl_protocols the ssl protocol versions that are enabled for the chef infra server api starting with chef infra server 14 3 this value defaults to tlsv1 2 for enhanced security previous releases defaulted to tlsv1 tlsv1 1 tlsv1 2 which allowed for less secure ssl connections tls 1 2 is supported on chef infra client 10 16 4 and later on linux unix and macos and on chef infra client 12 8 and later on windows if it is necessary to support these older end of life chef infra client releases set this value to tlsv1 1 tlsv1 2 example configure ssl keys for nginx the following example shows how the chef infra server sets up and configures ssl certificates for nginx the cipher suite used by nginx is configurable using the ssl_protocols and ssl_ciphers settings ssl_keyfile file join nginx_ca_dir node private_chef nginx server_name key ssl_crtfile file join nginx_ca_dir node private_chef nginx server_name crt ssl_signing_conf file join nginx_ca_dir node private_chef nginx server_name ssl conf unless file exist ssl_keyfile file exist ssl_crtfile file exist ssl_signing_conf file ssl_keyfile do owner root group root mode 0755 content opt opscode embedded bin openssl genrsa 2048 not_if file exist ssl_keyfile end file ssl_signing_conf do owner 
root group root mode 0755 not_if file exist ssl_signing_conf content eoh req distinguished_name req_distinguished_name prompt no req_distinguished_name c node private_chef nginx ssl_country_name st node private_chef nginx ssl_state_name l node private_chef nginx ssl_locality_name o node private_chef nginx ssl_company_name ou node private_chef nginx ssl_organizational_unit_name cn node private_chef nginx server_name emailaddress node private_chef nginx ssl_email_address eoh end ruby_block create crtfile do block do r chef resource file new ssl_crtfile run_context r owner root r group root r mode 0755 r content opt opscode embedded bin openssl req config ssl_signing_conf new x509 nodes sha1 days 3650 key ssl_keyfile r not_if file exist ssl_crtfile r run_action create end end end knife chef infra client chef infra server 12 and later enables ssl verification by default for all requests made to the server such as those made by knife and chef infra client the certificate that is generated during the installation of the chef infra server is self signed which means the certificate is not signed by a trusted certificate authority ca recognized by chef infra client the certificate generated by the chef infra server must be downloaded to any machine from which knife and or chef infra client will make requests to the chef infra server for example without downloading the ssl certificate the following knife command knife client list responds with an error similar to error ssl validation failure connecting to host chef server example com error openssl ssl sslerror ssl_connect returned 1 errno 0 state sslv3 this is by design and will occur until a verifiable certificate is added to the machine from which the request is sent see chef infra client ssl certificates for more information on how knife and chef infra client use ssl certificates generated by the chef infra server private certificate authority if an organization is using an internal certificate authority then the root 
certificate will not appear in any cacerts pem file that ships by default with operating systems and web browsers because of this no currently deployed system will be able to verify certificates that are issued in this manner to allow other systems to trust certificates from an internal certificate authority this root certificate will need to be configured so that other systems can follow the chain of authority back to the root certificate an intermediate certificate is not enough because the root certificate is not already globally known to use an internal certificate authority append the server optionally any intermediate certificate as well and root certificates into a single crt file for example cat server crt intermediate crt root crt var opt opscode nginx ca fqdn crt check your combined certificate s validity on the chef infra server openssl verify verbose purpose sslserver cafile cacert pem var opt opscode nginx ca fqdn crt the cacert pem should contain only your root ca s certificate file this is not the usual treatment but mimics how chef workstation behaves after a knife ssl fetch followed by a knife ssl verify intermediate certificates for use with 3rd party certificate providers for example verisign to use an intermediate certificate append both the server and intermediate certificates into a single crt file for example cat server crt intermediate crt var opt opscode nginx ca fqdn crt verify certificate was signed by proper key it s possible that a certificate key mismatch can occur during the certificatesigningrequest csr process during a csr the original key for the server in question should always be used if the output of the following commands don t match then it s possible the csr for a new key for this host was generated using a random key or a newly generated key the symptoms of this issue will look like the following in the nginx log files nginx emerg ssl_ctx_use_privatekey_file var opt opscode nginx ca your_hostname key failed ssl error 
0b080074 x509 certificate routines x509_check_private_key key values mismatch here s how to tell for sure when the configured certificate doesn t match the key openssl x509 in var opt opscode nginx ca chef 432 lxc crt noout modulus openssl sha1 stdin 05b4f62e52fe7ce2351ff81d3e1060c0cdf1fa24 openssl rsa in var opt opscode nginx ca chef 432 lxc key noout modulus openssl sha1 stdin 05b4f62e52fe7ce2351ff81d3e1060c0cdf1fa24 to fix this you will need to generate a new csr using the original key for the server the same key that was used to produce the csr for the previous certificates install that new certificates along with the original key and the mismatch error should go away regenerate certificates ssl certificates should be regenerated periodically this is an important part of protecting the chef infra server from vulnerabilities and helps to prevent the information stored on the chef infra server from being compromised to regenerate ssl certificates run the following command chef server ctl stop the chef infra server can regenerate them these certificates will be located in var opt opscode nginx ca and will be named after the fqdn for the chef infra server to determine the fqdn for the server run the following command hostname f please delete the files found in the ca directory with names like this fqdn crt and fqdn key if your organization has provided custom ssl certificates to the chef infra server the locations of that custom certificate and private key are defined in etc opscode chef server rb as values for the nginx ssl_certificate and nginx ssl_certificate_key settings delete the files referenced in those two settings and regenerate new keys using the same authority run the following command chef server generated ssl certificates will automatically be created if necessary chef server ctl reconfigure run the following command chef server ctl start chef infra server credentials management chef infra server limits where it writes service passwords and keys to 
disk in the default configuration credentials are only written to files in etc opscode by default chef infra server still writes service credentials to multiple locations inside etc opscode this is designed to maintain compatibility with add ons the insecure_addon_compat configuration option in etc opscode chef server rb allows you to further restrict where credentials are written insecure_addon_compat can be used if you are not using add ons or if you are using the latest add on versions setting insecure_addon_compat to false writes credentials to only one location etc opscode private chef secrets json user provided secrets such as the password for an external postgresql instance can still be set in etc opscode chef server rb or via the secrets management commands these commands allow you to provide external passwords without including them in your configuration file add on compatibility the following table lists which add on versions support the more restrictive insecure_addon_compat false setting these versions require chef server 12 14 0 or greater add on name minimum version chef backend all chef manage 2 5 0 these newer add ons will also write all of their secrets to etc opscode private chef secrets json older versions of the add ons will still write their configuration to locations in etc and var opt etc opscode private chef secrets json etc opscode private chef secrets json s default permissions allow only the root user to read or write the file this file contains all of the secrets for access to the chef server s underlying data stores and thus access to it should be restricted to trusted users while the file does not contain passwords in plaintext it is not safe to share with untrusted users the format of the secrets file allows chef infra server deployments to conform to regulations that forbid the appearance of sensitive data in plain text in configuration files however it does not make the file meaningfully more secure ssl encryption between chef infra 
server and external postgresql chef infra server can encrypt traffic between chef infra server and an external postgresql server over ssl these instructions are not all encompassing and assume some familiarity with postgresql administration configuration and troubleshooting consult the postgresql documentation for more information the following is a typical scenario for enabling encryption between a machine running chef infra server and an external machine running postgresql both machines must be networked together and accessible to the user run the following command on both machines to gain root access sudo i ensure that openssl is installed on the postgresql machine ensure that ssl support is compiled in on postgresql this applies whether you are compiling your own source or using a pre compiled binary place ssl certificates in the proper directories on the postgresql machine and ensure they have correct filenames ownerships and permissions enable ssl on postgresql by editing the postgresql conf file set ssl on and specify the paths to the ssl certificates ssl on ssl_cert_file path to cert file ssl_key_file path to key file to prevent postgresql from accepting non ssl connections edit pg_hba conf on the postgresql machine and change the relevant chef infra server connections to hostssl here is a sample pg_hba conf file with hostssl connections for chef infra server the contents of your pg_hba conf will be different local is for unix domain socket connections only local all all peer ipv4 local connections hostssl all all 127 0 0 1 32 md5 ipv6 local connections hostssl all all 1 128 md5 nonlocal connections hostssl all all 192 168 33 100 32 md5 restart postgresql this can typically be done with the following command on the postgresql machine path to postgresql postgresql restart edit etc opscode chef server rb on the chef infra server and ad the following line postgresql sslmode require run reconfigure on the chef infra server chef server ctl reconfigure verify 
that ssl is enabled and that ssl connections are up between chef infra server and your running postgresql instance one way to do this is to log into the postgresql database from the chef infra server by running chef server ctl psql and then examine the ssl state using sql queries start a psql session chef server ctl psql opscode_chef from the psql session enter postgres show ssl which will show if ssl is enabled postgres show ssl ssl on 1 row then enter postgres select from pg_stat_ssl which will return true t in rows with ssl connections postgres select from pg_stat_ssl pid ssl version cipher bits compression clientdn 16083 t tlsv1 2 ecdhe rsa aes256 gcm sha384 256 f 16084 t tlsv1 2 ecdhe rsa aes256 gcm sha384 256 f 16085 t tlsv1 2 ecdhe rsa aes256 gcm sha384 256 f 16086 t tlsv1 2 ecdhe rsa aes256 gcm sha384 256 f 16087 t tlsv1 2 ecdhe rsa aes256 gcm sha384 256 f 16088 t tlsv1 2 ecdhe rsa aes256 gcm sha384 256 f 16089 t tlsv1 2 ecdhe rsa aes256 gcm sha384 256 f 16090 t tlsv1 2 ecdhe rsa aes256 gcm sha38...