@sean-horn
Last active December 17, 2015 02:06
Create SHA256-Signed Testing Cert for Tiered Chef Server with CA

Used this guy to generate a new cert, then concatenated its root ca.crt with the server cert and put it in place. https://github.com/xenolinguist/pseudo_ca

cd /etc/ssl

git clone https://github.com/xenolinguist/pseudo_ca.git

rake generate_server[hr.puffin.stuff.lxc]

Concatenate the certs: https://docs.chef.io/server_security.html#intermediate-certificates

Place the concatenated cert and the server key in the location pointed to in chef-server.rb

Run a reconfigure on the frontend and on the backend. Don’t forget opscode-manage-ctl reconfigure, and it doesn’t hurt to restart nginx as well, just in case.

cat /etc/opscode/chef-server.rb

api_fqdn "hr.puffin.stuff.lxc"

nginx['ssl_certificate'] = "/var/opt/opscode/nginx/ca/hr.puffin.stuff.lxc.crt"
nginx['ssl_certificate_key'] = "/var/opt/opscode/nginx/ca/hr.puffin.stuff.lxc.key"

root@default-ubuntu-1404:~/cluster/tier/chef-repo ()# knife ssl fetch

....

Adding certificate for hr.puffin.stuff.lxc in /root/cluster/tier/chef-repo/.chef/trusted_certs/hr_puffin_stuff_lxc.crt
Adding certificate for Root CA in /root/cluster/tier/chef-repo/.chef/trusted_certs/Root_CA.crt

root@default-ubuntu-1404:~/cluster/tier/chef-repo ()# knife ssl check

...

Connecting to host hr.puffin.stuff.lxc:443
Successfully verified certificates from `hr.puffin.stuff.lxc'

root@default-ubuntu-1404:~/cluster/tier/chef-repo ()# knife client list
heyoclient
ponyville-validator