Skip to content

Latest commit

 

History

History
156 lines (108 loc) · 6.41 KB

chef_client_security.md

File metadata and controls

156 lines (108 loc) · 6.41 KB

+++ title = "Chef Infra Client Security" draft = false

gh_repo = "chef-web-docs"

aliases = ["/chef_client_security.html", "/auth.html"]

[menu] [menu.infra] title = "Chef Infra Client Security" identifier = "chef_infra/security/chef_client_security.md Security" parent = "chef_infra/security" weight = 10 +++

{{< readfile file="content/server/reusable/md/chef_auth.md" >}}

Authentication

{{< readfile file="content/server/reusable/md/chef_auth_authentication.md" >}}

chef-validator

{{< readfile file="content/reusable/md/security_chef_validator.md" >}}

{{< readfile file="content/reusable/md/security_chef_validator_context.md" >}}

SSL Certificates

{{< warning >}}

The following information applies to on-premises Chef Infra Server and does not apply to Hosted Chef.

{{< /warning >}}

{{< readfile file="content/server/reusable/md/server_security_ssl_cert_client.md" >}}

trusted_certs Directory

Your organization may use a private Certificate Authority (CA) to generate SSL Certificates or they may create self-signed SSL certificates to use on internal networks or during software development and testing.

The trusted_certs directory on Chef Workstation and in Chef Infra Client works as a trusted certificate store for all communication in the Chef Infra system. Chef Infra trusts all SSL certificates stored in this directory--including certificates that are not issued by a trusted Certificate Authority (CA).

Place private and self-signed certificates in the trusted_certs directory to use them within Chef Infra Client and Workstation tools.

Use the the [chef_client_trusted_certificate]({{< relref "/resources/chef_client_trusted_certificate" >}}) Chef Infra Client resource to manage these certificates continuously.

trusted_certs Locations

Chef Workstation

When you install Chef Workstation, it creates a trusted_certs directory located at:.

  • Windows: C:\.chef\trusted_certs
  • All other systems: ~/.chef/trusted_certs
Chef Infra Client Nodes

When you bootstrap a node, the Chef Infra Client copies the SSL certificates for the Chef Infra Server onto the node. The trusted_certs directory on the node is located at:

  • Windows: C:\chef\trusted_certs
  • All other systems: /etc/chef/trusted_certs

SSL_CERT_FILE

Use the SSL_CERT_FILE environment variable to specify the location for the SSL certificate authority (CA) bundle for Chef Infra Client.

A value for SSL_CERT_FILE is not set by default. Unless updated, the locations in which Chef Infra will look for SSL certificates are:

  • Chef Infra Client: /opt/chef/embedded/ssl/certs/cacert.pem
  • Chef Workstation: /opt/chef-workstation/embedded/ssl/certs/cacert.pem

To use a custom CA bundle, update the environment variable to specify the path to the custom CA bundle. The first step to troubleshoot a failing SSL certificate is to verify the location of the SSL_CERT_FILE.

client.rb Settings

Use following client.rb settings to manage SSL certificate preferences:

Setting Description
local_key_generation Whether the Chef Infra Server or Chef Infra Client generates the private/public key pair. When true, Chef Infra Client generates the key pair, and then sends the public key to the Chef Infra Server. Default value: true.
ssl_ca_file The file for the OpenSSL key. Chef Infra Client generates this setting automatically.
ssl_ca_path The location of the OpenSSL key file. Chef Infra Client generates this setting automatically.
ssl_client_cert The OpenSSL X.509 certificate for mutual certificate validation. Required for mutual certificate validation on the Chef Infra Server. Default value: nil.
ssl_client_key The OpenSSL X.509 key used for mutual certificate validation. Required for mutual certificate validation on the Chef Infra Server. Default value: nil.

ssl_verify_mode

Set the verification mode for HTTPS requests. The recommended setting is:verify_peer. Depending on your OpenSSL configuration, you may need to set the ssl_ca_path. Default value: :verify_peer.

  • Use :verify_none to run without validating any SSL certificates.
  • Use :verify_peer to validate all SSL certificates, including the Chef Infra Server connections, S3 connections, and any HTTPS remote_file resource URLs used in a Chef Infra Client run.
verify_api_cert Verify the SSL certificate on the Chef Infra Server. Set to true, Chef Infra Client always verifies the SSL certificate. Set to false, Chef Infra Client uses ssl_verify_mode to determine if the SSL certificate requires verification. Default value: false.

Knife Subcommands

The Chef Infra Client includes two knife commands for managing SSL certificates:

  • Use knife ssl check to troubleshoot SSL certificate issues
  • Use knife ssl fetch to pull down a certificate from the Chef Infra Server to the /.chef/trusted_certs directory on the workstation.

After the workstation has the correct SSL certificate, bootstrap operations from that workstation will use the certificate in the /.chef/trusted_certs directory during the bootstrap operation.

knife ssl check

Run the knife ssl check subcommand to verify the state of the SSL certificate, and then use the response to help troubleshoot issues that may be present.

Verified

{{< readfile file="content/workstation/reusable/md/knife_ssl_check_verify_server_config.md" >}}

Unverified

{{< readfile file="content/workstation/reusable/md/knife_ssl_check_bad_ssl_certificate.md" >}}

knife ssl fetch

Run the knife ssl fetch to download the self-signed certificate from the Chef Infra Server to the /.chef/trusted_certs directory on a workstation.

Verify Checksums

{{< readfile file="content/workstation/reusable/md/knife_ssl_fetch_verify_certificate.md" >}}