knife ssl check
Use the knife ssl check subcommand to verify the SSL configuration for the Chef Infra Server or for a location specified by a URL or URI. Invalid certificates will not be used by OpenSSL.
When this command is run, the certificate files (*.crt and/or *.pem) that are located in the /.chef/trusted_certs directory are checked to see if they have valid X.509 certificate properties. A warning is returned when certificates do not have valid X.509 certificate properties or if the /.chef/trusted_certs directory does not contain any certificates.
Warning
When verification of a remote server's SSL certificate is disabled, Chef Infra Client will issue a warning similar to "SSL validation of HTTPS requests is disabled. HTTPS connections are still encrypted, but Chef Infra Client is not able to detect forged replies or man-in-the-middle attacks." To configure SSL for Chef Infra Client, set ssl_verify_mode to :verify_peer (recommended; :verify_none is the setting that disables verification) or verify_api_cert to true in the client.rb file.
Syntax
This subcommand has the following syntax:
knife ssl check (options)
Options
This subcommand has the following options:
URL_or_URI
The URL or URI for the location at which the SSL certificate is located. Default value: the URL of the Chef Infra Server, as defined in the config.rb file.
Examples
The following examples show how to use this knife subcommand:
SSL certificate has valid X.509 properties
If the SSL certificate can be verified, the response to knife ssl check is similar to:
Connecting to host chef-server.example.com:443
Successfully verified certificates from 'chef-server.example.com'
SSL certificate has invalid X.509 properties
If the SSL certificate cannot be verified, the response to knife ssl check is similar to:
Connecting to host chef-server.example.com:443
ERROR: The SSL certificate of chef-server.example.com could not be verified
Certificate issuer data:
/C=US/ST=WA/L=S/O=Corp/OU=Ops/CN=chef-server.example.com/emailAddress=you@example.com
Configuration Info:
OpenSSL Configuration:
* Version: OpenSSL 1.0.2u 20 Dec 2019
* Certificate file: /opt/chef-workstation/embedded/ssl/cert.pem
* Certificate directory: /opt/chef-workstation/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/Users/grantmc/Downloads/chef-repo/.chef/trusted_certs"
TO FIX THIS ERROR:
If the server you are connecting to uses a self-signed certificate,
you must configure chef to trust that certificate.
By default, the certificate is stored in the following location on the
host where your Chef Infra Server runs:
/var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt
Copy that file to your trusted_certs_dir (currently:
/Users/grantmc/Downloads/chef-repo/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to
confirm that the certificate is now trusted.
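As an added example (not part of the Chef documentation or of knife's own code), the following Ruby script reproduces offline the two checks described above: it parses the *.crt and *.pem files in a trusted_certs directory and reports which ones are not valid X.509 certificates, and it verifies a server certificate against that directory the way ssl_verify_mode :verify_peer does. The self-signed certificate it builds, the hostnames chef-server.example.com and rogue.example.com, the temporary directory standing in for .chef/trusted_certs, and the validity-period check are all constructed for this example.

```ruby
require "openssl"
require "tmpdir"

# Look at the same file types knife ssl check looks at (*.crt and *.pem)
# and report, per file, whether it parses as an X.509 certificate and
# whether its validity period covers `now` (the validity-period check is
# an assumption of this example, not a documented detail of knife). An
# empty directory yields a :warning entry, mirroring the warning knife
# prints when trusted_certs contains no certificates.
def check_trusted_certs(dir, now: Time.now)
  files = Dir.glob(File.join(dir, "*.{crt,pem}")).sort
  return { warning: "no certificates found in #{dir}" } if files.empty?

  files.each_with_object({}) do |path, results|
    begin
      cert = OpenSSL::X509::Certificate.new(File.read(path))
      in_period = now >= cert.not_before && now <= cert.not_after
      results[path] = [in_period ? :ok : :expired, cert.subject.to_s]
    rescue OpenSSL::X509::CertificateError => e
      # This is the file the "invalid X.509 properties" warning refers to.
      results[path] = [:invalid, e.message]
    end
  end
end

# Build a trust store from the parseable certificates in dir and verify
# server_cert against it, which is what :verify_peer does with the Chef
# Infra Server's certificate. Returns true when the chain is trusted.
def verify_against_trusted(server_cert, dir)
  store = OpenSSL::X509::Store.new
  Dir.glob(File.join(dir, "*.{crt,pem}")).each do |path|
    begin
      store.add_cert(OpenSSL::X509::Certificate.new(File.read(path)))
    rescue OpenSSL::X509::CertificateError
      next # unparseable files are already reported by check_trusted_certs
    end
  end
  store.verify(server_cert)
end

# Constructed fixture: a self-signed certificate of the kind the Chef
# Infra Server generates under /var/opt/opscode/nginx/ca/. The hostname
# and lifetime are whatever the caller passes in.
def make_self_signed(hostname, days: 365)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = rand(1..2**62)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Stand-alone demo: populate a temporary trusted_certs directory with one
# good certificate and one junk file, then run both checks against it.
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir("trusted_certs") do |dir|
    good = make_self_signed("chef-server.example.com")
    File.write(File.join(dir, "chef-server.example.com.crt"), good.to_pem)
    File.write(File.join(dir, "broken.pem"), "not a certificate\n")
    check_trusted_certs(dir).each do |path, (status, info)|
      puts "#{status}\t#{path}\t#{info}"
    end
    puts "verify trusted server cert: #{verify_against_trusted(good, dir)}"
    rogue = make_self_signed("rogue.example.com")
    puts "verify untrusted server cert: #{verify_against_trusted(rogue, dir)}"
  end
end
```

To apply this to a real workstation, point check_trusted_certs at the trusted_certs_dir printed in the knife ssl check error output; a file that reports :invalid is the one the warning is about, and a server certificate that fails verify_against_trusted is the one that has to be copied into that directory over a secure channel before knife will trust it.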
Verify the SSL configuration for Chef Infra Client
The SSL certificates that are used by Chef Infra Client may be verified by specifying the path to the client.rb file. Use the --config option (which is available to any knife command) to specify this path:
knife ssl check --config /etc/chef/client.rb
Verify an external server's SSL certificate
knife ssl check URL_or_URI
For example:
knife ssl check https://www.chef.io