Chef, Ops, Ruby, Linux/Unix. Opinions are mine, not my employer's (CHEF).
Chef 12: Fix Untrusted Self-Signed Certs
Scenario: You’ve started up a brand new Chef Server using version 12, and you have installed Chef 12 on your local system. You log into the Management Console to create a user and organization (or do this with the command-line chef-server-ctl commands), and you’re ready to rock with this knife.rb:
Running knife against that server fails with an SSL verification error. This is because Chef client 12 enables SSL certificate verification by default for every request to the Chef Server. The certificate generated by the Chef Server 12 installation is self-signed: it is not issued by any CA in the client's trust store, so there is nothing to verify it against and the connection fails. Never fear, intrepid user, for you can get the SSL certificate from the server and store it locally as a "trusted" certificate. To find out how, run knife ssl check:
```
Connecting to host chef-server.example.com:443
ERROR: The SSL certificate of chef-server.example.com could not be verified
Certificate issuer data: /C=US/ST=WA/L=Seattle/O=YouCorp/OU=Operations/CN=chef-server.example.com/emailAddress=firstname.lastname@example.org

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.1j 15 Oct 2014
* Certificate file: /opt/chefdk/embedded/ssl/cert.pem
* Certificate directory: /opt/chefdk/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/Users/jtimberman/Downloads/chef-repo/.chef/trusted_certs"

TO FIX THIS ERROR:

If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server's certificate.

By default, the certificate is stored in the following location on the host
where your chef-server runs:

  /var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt

Copy that file to your trusted_certs_dir (currently: /Users/jtimberman/Downloads/chef-repo/.chef/trusted_certs)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server's certificate is now trusted.
```
One caveat on that message: the /var/opt/chef-server/ path it prints is the Chef Server 11 location. On Chef Server 12 the certificate lives under /var/opt/opscode/nginx/ca/SERVER_HOSTNAME.crt.

Now we need to get the certificate out to every node in the infrastructure, into each node's trusted_certs_dir, which is /etc/chef/trusted_certs by default. The simplest way to do this is to use knife ssh to run knife (knife ssl fetch, which downloads the server's certificate into trusted_certs_dir) on the target nodes. Keep in mind that a node which fetches the certificate over the network is trusting whatever it received on first use, so compare the certificate's fingerprint with one taken directly on the Chef Server (for example with openssl x509 -noout -fingerprint -sha256 -in SERVER_HOSTNAME.crt over SSH) before relying on it. The same check applies to the copy in your workstation's trusted_certs_dir.
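As an added example (not code from the original post or from Chef itself), here is a Ruby script using only the openssl standard library that models what Chef does with trusted_certs_dir: it builds a certificate store from the default CA paths plus every .crt/.pem file in that directory, then verifies the server certificate against it, which shows why the check fails before the file is there and passes afterwards. The self-signed certificate is constructed in the script as a stand-in for SERVER_HOSTNAME.crt; the hostname, the temporary directory and the install_trusted_cert helper are placeholders for illustration. The helper refuses a certificate whose SHA-256 fingerprint does not match the one you obtained out of band on the server, which is the check worth doing before trusting a fetched copy on a workstation or a node.

```ruby
require 'openssl'
require 'tmpdir'

# Construct a self-signed certificate shaped like the one chef-server's nginx
# uses. Generated on the fly as a stand-in; not a real Chef Server certificate.
def make_self_signed_cert(hostname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(
    "/C=US/ST=WA/L=Seattle/O=YouCorp/OU=Operations/CN=#{hostname}")
  cert.issuer     = cert.subject          # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 60 * 60
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Model of Chef's trust store: the system CA bundle plus every certificate
# file found in trusted_certs_dir.
def build_store(trusted_certs_dir)
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  Dir.glob(File.join(trusted_certs_dir, '*.{crt,pem}')).each { |f| store.add_file(f) }
  store
end

# Returns [ok, error_string]. A self-signed cert with no trust anchor fails
# here with OpenSSL's "self signed certificate" error, just as knife does.
def verify_against(trusted_certs_dir, cert)
  store = build_store(trusted_certs_dir)
  ok = store.verify(cert)
  [ok, ok ? nil : store.error_string]
end

# Colon-separated SHA-256 fingerprint, the same format that
# `openssl x509 -noout -fingerprint -sha256 -in SERVER_HOSTNAME.crt` prints.
def fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Hypothetical helper: install a fetched certificate into trusted_certs_dir only
# if its fingerprint matches the one obtained out of band on the server.
def install_trusted_cert(trusted_certs_dir, hostname, pem, expected_fingerprint)
  cert = OpenSSL::X509::Certificate.new(pem)
  return false unless fingerprint(cert) == expected_fingerprint
  File.write(File.join(trusted_certs_dir, "#{hostname}.crt"), cert.to_pem)
  true
end

def demo(hostname = 'chef-server.example.com')
  cert     = make_self_signed_cert(hostname)
  expected = fingerprint(cert) # in real life: copied from the server's own openssl output
  Dir.mktmpdir('trusted_certs') do |dir|
    before, err = verify_against(dir, cert)
    # A look-alike cert with the same subject but a different key must be refused.
    impostor = make_self_signed_cert(hostname).to_pem
    rejected = !install_trusted_cert(dir, hostname, impostor, expected)
    installed = install_trusted_cert(dir, hostname, cert.to_pem, expected)
    after, _ = verify_against(dir, cert)
    { before: before, error: err, rejected_mismatch: rejected,
      installed: installed, after: after, fingerprint: expected }
  end
end

demo.each { |k, v| puts "#{k}: #{v}" } if __FILE__ == $PROGRAM_NAME
```

Running it prints the verification result before and after the certificate is placed in the directory, along with the fingerprint to compare against the server's copy. Swap the constructed certificate for the PEM you fetched and the expected fingerprint for the one taken over SSH, and the same install_trusted_cert check works on a workstation or under knife ssh on a node.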