Used this guy to generate a new cert, then concatenated its root ca.crt with the server cert and put it in place. https://github.com/xenolinguist/pseudo_ca
cd /etc/ssl
git clone https://github.com/xenolinguist/pseudo_ca.git
cd pseudo_ca
rake generate_server[hr.puffin.stuff.lxc]
Concatenate the certs https://docs.chef.io/server_security.html#intermediate-certificates
Place the concatenated cert and the server key in the location pointed to in chef-server.rb
Do reconfigures on the frontend and backend. Don’t forget the opscode-manage-ctl reconfigure and it doesn’t hurt to restart nginx just in case either.
cat /etc/opscode/chef-server.rb
api_fqdn "hr.puffin.stuff.lxc"
nginx['ssl_certificate'] = "/var/opt/opscode/nginx/ca/hr.puffin.stuff.lxc.crt"
nginx['ssl_certificate_key'] = "/var/opt/opscode/nginx/ca/hr.puffin.stuff.lxc.key"
root@default-ubuntu-1404:~/cluster/tier/chef-repo ()# knife ssl fetch
....
Adding certificate for hr.puffin.stuff.lxc in /root/cluster/tier/chef-repo/.chef/trusted_certs/hr_puffin_stuff_lxc.crt
Adding certificate for Root CA in /root/cluster/tier/chef-repo/.chef/trusted_certs/Root_CA.crt
root@default-ubuntu-1404:~/cluster/tier/chef-repo ()# knife ssl check
...
Connecting to host hr.puffin.stuff.lxc:443
Successfully verified certificates from `hr.puffin.stuff.lxc'
root@default-ubuntu-1404:~/cluster/tier/chef-repo ()# knife client list
heyoclient
ponyville-validator
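
A pre-deployment check for the concatenation step above, added here as an example and not part of the original notes or of pseudo_ca. It builds a throwaway CA and server cert with openssl (constructed sample material; the file names and the check_bundle helper are assumptions), then confirms the bundle has the server cert first, matches the key, and chains to the root.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a concatenated
# bundle before pointing nginx['ssl_certificate'] at it.
set -eu
FQDN="hr.puffin.stuff.lxc"   # api_fqdn from the chef-server.rb shown above

# Constructed sample material: a throwaway root CA and a server cert signed
# by it. File names under $1 are assumptions made for this example.
make_sample_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
  cat "$1/server.crt" "$1/ca.crt" > "$1/good.crt"   # server cert, then root
  cat "$1/ca.crt" "$1/server.crt" > "$1/bad.crt"    # reversed order
}

# check_bundle BUNDLE KEY CA_CERT: returns 0 only if BUNDLE is deployable.
# openssl x509/verify read just the FIRST cert in a file, and that is the
# cert nginx pairs with the private key, so the leaf has to come first.
check_bundle() {
  # 1. The first cert's subject must name the server.
  openssl x509 -in "$1" -noout -subject | grep -qF "$FQDN" \
    || { echo "FAIL: first cert in $1 is not $FQDN" >&2; return 1; }
  # 2. The private key must belong to that first cert.
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ] \
    || { echo "FAIL: key does not match first cert" >&2; return 2; }
  # 3. The leaf must chain to the root that knife will be told to trust.
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 \
    || { echo "FAIL: leaf does not verify against $3" >&2; return 3; }
  # 4. The CA cert must actually be appended (leaf + root = 2 certs).
  [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -ge 2 ] \
    || { echo "FAIL: no CA cert appended to $1" >&2; return 4; }
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_sample_pki "$WORK"
check_bundle "$WORK/good.crt" "$WORK/server.key" "$WORK/ca.crt" && echo "good.crt: OK"
check_bundle "$WORK/bad.crt" "$WORK/server.key" "$WORK/ca.crt" || echo "bad.crt: rejected ($?)"
```

Against real files, call check_bundle with the paths from chef-server.rb and the ca.crt that pseudo_ca produced.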