Skip to main content

knife ssl check

Use the knife ssl check subcommand to verify the SSL configuration for the Chef Infra Server or a location specified by a URL or URI. Invalid certificates will not be used by OpenSSL.

When this command is run, the certificate files (*.crt and/or *.pem) that are located in the /.chef/trusted_certs directory are checked to see if they have valid X.509 certificate properties. A warning is returned when certificates do not have valid X.509 certificate properties or if the /.chef/trusted_certs directory does not contain any certificates.

Warning

When verification of a remote server’s SSL certificate is disabled, Chef Infra Client will issue a warning similar to “SSL validation of HTTPS requests is disabled. HTTPS connections are still encrypted, but Chef Infra Client is not able to detect forged replies or man-in-the-middle attacks.” To configure SSL for Chef Infra Client, set ssl_verify_mode to :verify_peer (recommended) or verify_api_cert to true in the client.rb file.

Syntax

This subcommand has the following syntax:

knife ssl check (options)

Options

This subcommand has the following options:

URL_or_URI

The URL or URI for the location at which the SSL certificate is located. Default value: the URL of the Chef Infra Server, as defined in the config.rb file.

Examples

The following examples show how to use this knife subcommand:

SSL certificate has valid X.509 properties

If the SSL certificate can be verified, the response to

knife ssl check

is similar to:

Connecting to host chef-server.example.com:443
Successfully verified certificates from 'chef-server.example.com'

SSL certificate has invalid X.509 properties

If the SSL certificate cannot be verified, the response to

knife ssl check

is similar to:

Connecting to host chef-server.example.com:443
ERROR: The SSL certificate of chef-server.example.com could not be verified
Certificate issuer data:
  /C=US/ST=WA/L=S/O=Corp/OU=Ops/CN=chef-server.example.com/emailAddress=you@example.com

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.2u  20 Dec 2019
* Certificate file: /opt/chef-workstation/embedded/ssl/cert.pem
* Certificate directory: /opt/chef-workstation/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/Users/grantmc/Downloads/chef-repo/.chef/trusted_certs"

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate,
you must configure chef to trust that certificate.

By default, the certificate is stored in the following location on the
host where your Chef Infra Server runs:

  /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently:

  /Users/grantmc/Downloads/chef-repo/.chef/trusted_certs)

using SSH/SCP or some other secure method, then re-run this command to
confirm that the certificate is now trusted.

Verify the SSL configuration for Chef Infra Client

The SSL certificates that are used by Chef Infra Client may be verified by specifying the path to the client.rb file. Use the --config option (that is available to any knife command) to specify this path:

knife ssl check --config /etc/chef/client.rb

Verify an external server’s SSL certificate

knife ssl check URL_or_URI

for example:

knife ssl check https://www.chef.io
Edit this page on GitHub.

Thank you for your feedback!

×









Search Results