Meta tags:
description= This guide covers the security features available in Chef Infra Server.
# Security

This guide covers the security features available in Chef Infra Server.

## SSL Certificates

Initial configuration of the Chef Infra Server is done automatically using a self-signed certificate to create the certificate and private key files for Nginx. This section details the process for updating a Chef Infra Server's SSL certificate.

### Automatic Installation (Recommended)

The Chef Infra Server can be configured to use SSL certificates by adding the following settings to the server configuration file:

| Setting | Description |
|---|---|
| `nginx['ssl_certificate']` | The SSL certificate used to verify communication over HTTPS. |
| `nginx['ssl_certificate_key']` | The private key that belongs to that certificate. |

and then setting their values to define the paths to the certificate and key. For example:

```ruby
nginx['ssl_certificate'] = "/etc/pki/tls/certs/your-host.crt"
nginx['ssl_certificate_key'] = "/etc/pki/tls/private/your-host.key"
```

Save the file, and then run the following command:

```bash
sudo chef-server-ctl reconfigure
```

For more information about the server configuration file, see chef-server.rb.

### Manual Installation

SSL certificates can be updated manually by placing the certificate and private key file obtained from the certifying authority in the correct files after the initial configuration of Chef Infra Server.

The locations of the certificate and private key files are:

- `/var/opt/opscode/nginx/ca/FQDN.crt`
- `/var/opt/opscode/nginx/ca/FQDN.key`

Because the FQDN has already been configured, do the following:

1. Replace the contents of `/var/opt/opscode/nginx/ca/FQDN.crt` and `/var/opt/opscode/nginx/ca/FQDN.key` with the certifying authority's files.
2. Reconfigure the Chef Infra Server:

   ```bash
   chef-server-ctl reconfigure
   ```

3. Restart the Nginx service to load the new key and certificate:

   ```bash
   chef-server-ctl restart nginx
   ```
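Before step 1 overwrites the live files it is worth checking the CA-issued pair offline: nginx refuses to start when the key does not belong to the certificate, a CN that differs from the FQDN clients connect to causes verification failures, and OpenSSL enforces a 64-character upper bound on the CN. The POSIX shell script below is an added example, not part of the Chef Infra Server documentation, that runs those checks with openssl(1) and also refuses a world-readable key file. It assumes `openssl` is on the PATH; the file paths and the host name `chef-server.example.com` are placeholders.

```shell
#!/bin/sh
# Added example; not part of the Chef Infra Server documentation.
# Pre-flight checks for a CA-issued certificate/key pair before it is copied
# over /var/opt/opscode/nginx/ca/<FQDN>.crt and <FQDN>.key (or pointed to by
# nginx['ssl_certificate'] / nginx['ssl_certificate_key'] in chef-server.rb).
# Assumes openssl(1) on PATH. File paths and the FQDN are placeholders.

# 0 if the certificate's public key is the private key's public key, else 1.
# Comparing public keys works for RSA and EC keys alike (comparing moduli,
# as often shown, covers RSA only). This is the check nginx performs at
# startup; a mismatch there aborts the nginx service.
cert_matches_key() {
  crt_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Prints the certificate's commonName (empty if it has none).
cert_cn() {
  openssl x509 -noout -subject -nameopt sep_multiline,utf8 -in "$1" 2>/dev/null |
    sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# 0 if the CN is exactly the configured FQDN, is lowercase and is within
# OpenSSL's 64-character upper bound for commonName, else 1.
cert_cn_ok() {
  cn=$(cert_cn "$1")
  [ -n "$cn" ] || return 1
  [ "${#cn}" -le 64 ] || return 1
  [ "$cn" = "$(printf '%s' "$cn" | tr 'A-Z' 'a-z')" ] || return 1
  [ "$cn" = "$2" ]
}

# 0 if the certificate does not expire within the next 30 days.
cert_not_expiring() {
  openssl x509 -noout -checkend 2592000 -in "$1" >/dev/null 2>&1
}

# 0 if the private key file exists and is not world-readable.
key_not_world_readable() {
  [ -f "$1" ] || return 1
  [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Runs every check; reports the first failure and returns 1, else prints OK.
preflight() {
  crt=$1; key=$2; fqdn=$3
  cert_matches_key "$crt" "$key" ||
    { echo "FAIL: $key is not the private key for $crt"; return 1; }
  cert_cn_ok "$crt" "$fqdn" ||
    { echo "FAIL: CN '$(cert_cn "$crt")' is not the lowercase FQDN '$fqdn' (max 64 chars)"; return 1; }
  cert_not_expiring "$crt" ||
    { echo "FAIL: $crt has expired or expires within 30 days"; return 1; }
  key_not_world_readable "$key" ||
    { echo "FAIL: $key is world-readable; chmod 600 it before installing"; return 1; }
  echo "OK: $crt / $key are ready to install for $fqdn"
}

# On the server, before replacing the files and running 'chef-server-ctl reconfigure':
#   preflight /path/to/ca-issued.crt /path/to/ca-issued.key chef-server.example.com
```

Run `preflight` with the CA-issued files and the FQDN that clients use; only copy the files into place and reconfigure once it prints `OK`.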
Warning: The FQDN for the Chef Infra Server should be resolvable, lowercase, and no longer than 64 characters including the domain suffix when using OpenSSL, because OpenSSL enforces a 64-character upper bound on the CN in a certificate.

### SSL Protocols

The following settings are often modified from the default as part of the tuning effort for the nginx service and to configure the Chef Infra Server to use SSL certificates.

Note: See https://www.openssl.org/docs/man1.0.2/man1/ciphers.html for more information about the values used with the `nginx['ssl_ciphers']` and `nginx['ssl_protocols']` settings.

After copying SSL certificate files to the Chef Infra Server, update the `nginx['ssl_certificate']` and `nginx['ssl_certificate_key']` settings to specify the paths to those files, and then (optionally) update the `nginx['ssl_ciphers']` and `nginx['ssl_protocols']` settings to reflect the desired level of hardness for the Chef Infra Server. For example:

```ruby
nginx['ssl_certificate'] = "/etc/pki/tls/private/name.of.pem"
nginx['ssl_certificate_key'] = "/etc/pki/tls/private/name.of.key"
nginx['ssl_ciphers'] = "HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK"
nginx['ssl_protocols'] = "TLSv1.2"
```

- `nginx['ssl_certificate']`: The SSL certificate used to verify communication over HTTPS. Default value: `nil`.
- `nginx['ssl_certificate_key']`: The private key that belongs to the SSL certificate. Default value: `nil`.
- `nginx['ssl_ciphers']`: The list of supported cipher suites that are used to establish a secure connection. To favor AES256 with ECDHE forward security, drop the `RC4-SHA:RC4-MD5:RC4:RSA` prefix. For example: `HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK`.
- `nginx['ssl_protocols']`: The SSL protocol versions that are enabled for the Chef Infra Server API. Starting with Chef Infra Server 14.3, this value defaults to `TLSv1.2` for enhanced security. Previous releases defaulted to `TLSv1 TLSv1.1 TLSv1.2`, which allowed less secure SSL connections. TLS 1.2 is supported on Chef Infra Client 10.16.4 and later on Linux, Unix, and macOS, and on Chef Infra Client 12.8 and later on Windows. If it is necessary to support these older end-of-life Chef Infra Client releases, set this value to `TLSv1.1 TLSv1.2`.

### Example: Configure SSL Keys for Nginx

The following example shows how the Chef Infra Server sets up and configures SSL certificates for Nginx. The cipher suite used by Nginx is configurable using the `ssl_protocols` and `ssl_ciphers` settings.

```ruby
ssl_keyfile = File.join(nginx_ca_dir, "#{node['private_chef']['nginx']['server_name']}.key")
ssl_crtfile = File.join(nginx_ca_dir, "#{node['private_chef']['nginx']['server_name']}.crt")
ssl_signing_conf = File.join(nginx_ca_dir, "#{node['private_chef']['nginx']['server_name']}-ssl.conf")

# Only generate a self-signed pair when none of the three files exists yet.
unless File.exist?(ssl_keyfile) && File.exist?(ssl_crtfile) && File.exist?(ssl_signing_conf)
  # Private key: output of 'openssl genrsa 2048' written to the key file.
  file ssl_keyfile do
    owner 'root'
    group 'root'
    mode '0755'
    content `/opt/opscode/embedded/bin/openssl genrsa 2048`
    not_if { File.exist?(ssl_keyfile) }
  end

  # OpenSSL request config; the subject fields come from node attributes.
  file ssl_signing_conf do
    owner 'root'
    group 'root'
    mode '0755'
    not_if { File.exist?(ssl_signing_conf) }
    content <<-EOH
  [ req ]
  distinguished_name = req_distinguished_name
  prompt = no
  [ req_distinguished_name ]
  C                      = #{node['private_chef']['nginx']['ssl_country_name']}
  ST                     = #{node['private_chef']['nginx']['ssl_state_name']}
  L                      = #{node['private_chef']['nginx']['ssl_locality_name']}
  O                      = #{node['private_chef']['nginx']['ssl_company_name']}
  OU                     = #{node['private_chef']['nginx']['ssl_organizational_unit_name']}
  CN                     = #{node['private_chef']['nginx']['server_name']}
  emailAddress           = #{node['private_chef']['nginx']['ssl_email_address']}
  EOH
  end

  # Self-signed certificate valid for ten years, created from the key and
  # config above at converge time.
  ruby_block 'create crtfile' do
    block do
      r = Chef::Resource::File.new(ssl_crtfile, run_context)
      r.owner 'root'
      r.group 'root'
      r.mode '0755'
      r.content `/opt/opscode/embedded/bin/openssl req -config '#{ssl_signing_conf}' -new -x509 -nodes -sha1 -days 3650 -key #{ssl_keyfile}`
      r.not_if { File.exist?(ssl_crtfile) }
      r.run_action(:create)
    end
  end
end
```

Note that this example writes the private key with mode `0755`, which makes it world-readable; when you install your own key, keep it readable only by root.

### Knife and Chef Infra Client

Chef Infra Server 12 and later enables SSL verification by default for all requests made to the server, such as those made by knife and Chef Infra Client. The certificate that is generated during the installation of the Chef Infra Server is self-signed, which means the certificate is not signed by a trusted
certificate authority (CA) recognized by Chef Infra Client. The certificate generated by the Chef Infra Server must be downloaded to any machine from which knife and/or Chef Infra Client will make requests to the Chef Infra Server.

For example, without downloading the SSL certificate, the following knife command:

```bash
knife client list
```

responds with an error similar to:

```
ERROR: SSL Validation failure connecting to host: chef-server.example.com
ERROR: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3
```

This is by design and will occur until a verifiable certificate is added to the machine from which the request is sent. See Chef Infra Client SSL Certificates for more information on how knife and Chef Infra Client use SSL certificates generated by the Chef Infra Server.

### Private Certificate Authority

If an organization is using an internal certificate authority, then the root certificate will not appear in any `cacerts.pem` file that ships by default with operating systems and web browsers. Because of this, no currently deployed system will be able to verify certificates ...
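Downloading the server certificate, as the Knife and Chef Infra Client section above describes, is usually done with `knife ssl fetch`, which saves whatever certificate the host presents into `~/.chef/trusted_certs/`; it is trust on first use, so a machine in the middle at fetch time would be trusted from then on. The POSIX shell script below is an added example, not part of the Chef documentation or of knife, that compares the saved certificate's SHA-256 fingerprint with one obtained out of band from the server operator and confirms the certificate is valid for the host name knife will connect to. It assumes `openssl` is on the PATH; the trusted_certs file name (the certificate's CN with anything other than letters, digits and hyphens replaced by `_`) mirrors current knife behaviour but is an assumption here, and `chef-server.example.com` is a placeholder.

```shell
#!/bin/sh
# Added example; not part of the Chef docs or of knife.
# Verifies a certificate saved by 'knife ssl fetch' against a SHA-256
# fingerprint obtained out of band (for example from
# 'openssl x509 -noout -fingerprint -sha256 -in /var/opt/opscode/nginx/ca/<FQDN>.crt'
# run on the server), then checks the certificate is valid for the host name.
# Assumes openssl(1) on PATH; the trusted_certs path is an assumption.

# Prints the SHA-256 fingerprint of a PEM certificate as uppercase hex without colons.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null |
    sed -n 's/^[^=]*=//p' | tr -d ':' | tr 'a-f' 'A-F'
}

# Normalises an operator-supplied fingerprint (any case, with or without
# colons or spaces) to the same form.
normalize_fp() {
  printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# 0 if the saved certificate's fingerprint equals the expected one.
fingerprint_matches() {
  have=$(cert_fingerprint "$1")
  [ -n "$have" ] && [ "$have" = "$(normalize_fp "$2")" ]
}

# 0 if the saved (self-signed) certificate is valid for host $2. The file is
# used as its own trust anchor, so only the name and validity period are tested.
cert_valid_for_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Prints where knife ssl fetch stores a certificate whose CN is $1 (assumed naming).
trusted_cert_path() {
  printf '%s/.chef/trusted_certs/%s.crt\n' "$HOME" "$(printf '%s' "$1" | tr -c 'A-Za-z0-9-' '_')"
}

# 0 when both checks pass; explains the failure otherwise.
verify_trusted_cert() {
  crt=$1; host=$2; expected=$3
  fingerprint_matches "$crt" "$expected" ||
    { echo "FAIL: $crt has fingerprint $(cert_fingerprint "$crt"), expected $(normalize_fp "$expected")"; return 1; }
  cert_valid_for_host "$crt" "$host" ||
    { echo "FAIL: $crt is not valid for $host (name mismatch or outside validity period)"; return 1; }
  echo "OK: $crt matches the expected fingerprint and is valid for $host"
}

# Workstation use, after 'knife ssl fetch' has saved the server certificate:
#   verify_trusted_cert "$(trusted_cert_path chef-server.example.com)" \
#       chef-server.example.com "$EXPECTED_SHA256" && knife ssl check
```

If the fingerprint check fails, delete the saved file and investigate before running `knife ssl check`; a passing `knife ssl check` only proves that knife trusts the file it saved, not that the file came from your server.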