2

In the annual process of renewing SSL certificates, I have a list of infrastructure that needs updating.

This usually included Chef. This is followed by an arduous and painful process of getting every node to re-fetch the self-signed chef-server certificate regenerated from the renewed certificate. I always assumed Chef would simply break if I didn't renew my certificate.

This time I looked a bit closer and noticed the self-signed certificate that chef-server actively uses (specifically the nginx component) doesn't expire for another ten years.

Which leaves me wondering:

  • Is it unnecessary to update the SSL certificate for chef?
  • Will chef break and halt all deploys, chef-client runs, and bootstraps if I let the annual certificate expire?

What I know:

  • I'm using chef server 13.0.17 on Ubuntu Linux 18.04
  • chef uses a self-signed certificate that is distributed to all nodes that are bootstrapped. This is based off of your cert in /etc/ssl/private and generated to /var/opt/opscode/nginx/ca -- this is done by chef-server-ctl reconfigure
  • cat <the_crt> | openssl x509 -noout -enddate reports the expiration date as ~10 years from now
  • When the chef server's certificate is updated, every node must fetch the certificate through knife ssl fetch. I've never had a good way of automating this
  • configuration is explained here, but I couldn't find any information on expiry: https://docs.chef.io/server/server_security/ and https://docs.chef.io/chef_client_security/

What I don't know

  • Does the functionality of chef actually depend on the expiration date of the cert in /var/opt/opscode/nginx/ca -- making the update to this years certificate unnecessary?
  • Do I simply need to regenerate the certificate when the chef self-signed certificate expires? Seems like this would make it an incredibly rare event.

It logically follows that I shouldn't actually have to update the certificate, but I've never encountered something like this and it feels quite odd.

I'm asking here because I want to avoid having all my systems suddenly become inaccessible and fail all deploys. It would also be a huge time saver if I don't actually need to go through the update process every year.

JoSSte
  • 133
  • 1
  • 10
Muradin007
  • 21
  • 1

2 Answers2

1

You only need to renew this certificate when it expires unless you configured the clients to ignore ssl verification with ssl_verify_mode :verify_none in client.rb.

A chef-server-ctl reconfigure should take care of generating a new self-signed certificate if you don't use a specific certificate signed by an internal or external Authority.

ssl_verify_mode

Set the verify mode for HTTPS requests. Use :verify_none for no validation of SSL certificates. Use :verify_peer for validation of all SSL certificates, including the Chef Infra Server connections, S3 connections, and any HTTPS remote_file resource URLs used in Chef Infra Client runs. This is the recommended setting.

Depending on how OpenSSL is configured, the ssl_ca_path may need to be specified. Default value: :verify_peer.

Related about certificates I've made this Q/A as well: How do I include my internal CA certificate to validate SSL exchanges in Chef?

Tensibai
  • 11,416
  • 2
  • 37
  • 63
0

It turns out you don't have to update the SSL certificate for Chef every year. My certificate expired recently and my chef infrastructure is still working. It appears the expiration date set is based on that self-signed certificate it distributes to all the nodes.

Muradin007
  • 21
  • 1