knife ssl check

[edit on GitHub]

Use the knife ssl check subcommand to verify the SSL configuration for the Chef server or a location specified by a URL or URI. Invalid certificates will not be used by OpenSSL.

When this command is run, the certificate files (*.crt and/or *.pem) that are located in the /.chef/trusted_certs directory are checked to see if they have valid X.509 certificate properties. A warning is returned when certificates do not have valid X.509 certificate properties or if the /.chef/trusted_certs directory does not contain any certificates.

Warning

When verification of a remote server’s SSL certificate is disabled, the chef-client will issue a warning similar to “SSL validation of HTTPS requests is disabled. HTTPS connections are still encrypted, but the chef-client is not able to detect forged replies or man-in-the-middle attacks.” To configure SSL for the chef-client, set ssl_verify_mode to :verify_peer (recommended) or verify_api_cert to true in the client.rb file.

Changed in Chef Client 12.5 to support Server Name Indication (SNI).

Syntax

This subcommand has the following syntax:

$ knife ssl check (options)

Options

This subcommand has the following options:

URL_or_URI
The URL or URI for the location at which the SSL certificate is located. Default value: the URL for the Chef server, as defined in the config.rb file.

Examples

The following examples show how to use this knife subcommand:

SSL certificate has valid X.509 properties

If the SSL certificate can be verified, the response to

$ knife ssl check

is similar to:

Connecting to host chef-server.example.com:443
Successfully verified certificates from 'chef-server.example.com'

SSL certificate has invalid X.509 properties

If the SSL certificate cannot be verified, the response to

$ knife ssl check

is similar to:

Connecting to host chef-server.example.com:443
ERROR: The SSL certificate of chef-server.example.com could not be verified
Certificate issuer data:
  /C=US/ST=WA/L=S/O=Corp/OU=Ops/CN=chef-server.example.com/emailAddress=you@example.com

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.1j 15 Oct 2014
* Certificate file: /opt/chefdk/embedded/ssl/cert.pem
* Certificate directory: /opt/chefdk/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/Users/grantmc/Downloads/chef-repo/.chef/trusted_certs"

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate,
you must configure chef to trust that certificate.

By default, the certificate is stored in the following location on the
host where your chef-server runs:

  /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently:

  /Users/grantmc/Downloads/chef-repo/.chef/trusted_certs)

using SSH/SCP or some other secure method, then re-run this command to
confirm that the certificate is now trusted.

Verify the SSL configuration for the chef-client

The SSL certificates that are used by the chef-client may be verified by specifying the path to the client.rb file. Use the --config option (that is available to any knife command) to specify this path:

$ knife ssl check --config /etc/chef/client.rb

Verify an external server’s SSL certificate

$ knife ssl check URL_or_URI

for example:

$ knife ssl check https://www.chef.io