Chef Server – ERROR: The SSL cert is signed by a trusted authority but is not valid for the given hostname

So you’ve rolled up an Ubuntu 16.04 Amazon EC2 t2.medium instance and you’ve installed the Chef Server software package (https://learn.chef.io/modules/manage-a-node-chef-server/rhel/bring-your-own-system/set-up-your-chef-server)

Next you’ve generated certificates and downloaded the private key to your Chef client. Firing up knife you see the following:

MacBookAir:learn-chef <username>$ knife ssl fetch
WARNING: Certificates from chefsrv.<domain_name>.com will be fetched and placed in your trusted_cert
directory (/Users/<username>/learn-chef/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for ip-172-XX-XX-XXX_eu-west-1_compute_internal in /Users/<username>/learn-chef/.chef/trusted_certs/ip-172-XX-XX-XXX_eu-west-1_compute_internal.crt

Hmmm… it’s only a warning… so let’s do our ssl check and be done (the warning is worth remembering, though: knife ssl fetch is trust-on-first-use, it stores whatever certificate the network hands back, so that certificate has to be verified out of band):

MacBookAir:learn-chef <username>$ knife ssl check
Connecting to host chefsrv.<domain_name>.com:443
ERROR: The SSL cert is signed by a trusted authority but is not valid for the given hostname
ERROR: You are attempting to connect to:   'chefsrv.<domain_name>.com'
ERROR: The server's certificate belongs to 'ip-172-XX-XX-XXX.eu-west-1.compute.internal'

TO FIX THIS ERROR:
The solution for this issue depends on your networking configuration. If you
are able to connect to this server using the hostname ip-172-XX-XX-XXX.eu-west-1.compute.internal
instead of chefsrv.<domain_name>.com, then you can resolve this issue by updating chef_server_url
in your configuration file.

If you are not able to connect to the server using the hostname ip-172-XX-XX-XXX.eu-west-1.compute.internal
you will have to update the certificate on the server to use the correct hostname.

Aarrgggh!!!

Don’t despair, it’s a pretty simple fix. The cause: chef-server-ctl reconfigure generates a self-signed certificate whose CN is the FQDN the system reports (what hostname -f returns), and on a fresh EC2 instance that is the ip-172-XX-XX-XXX.eu-west-1.compute.internal name, not the public name your clients use. So the fix is to make the server report your public FQDN and then reconfigure:

For this example I’ll use chefsrv.mydomain.com as my FQDN – replace with whatever fully resolvable FQDN you’re using to connect to your EC2 instance:

First we’ll update hosts:

sudo vi /etc/hosts

keep the localhost line (other services resolve it) and add your FQDN on its own loopback line, as the first name on that line. hostname -f returns the canonical, i.e. first, name of the hosts line that resolves the hostname, so if you only tack the FQDN onto the end of the localhost line, hostname -f returns localhost and that is what ends up in the certificate. Our hosts file now looks like:

127.0.0.1 localhost
127.0.1.1 chefsrv.mydomain.com chefsrv

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Next we’ll update the hostname:

sudo vi /etc/hostname

replace with your FQDN. It should now look like:

chefsrv.mydomain.com

Next let’s reboot so the new hostname takes effect (on 16.04, sudo hostnamectl set-hostname chefsrv.mydomain.com does the same without a reboot). Before going on, check that hostname -f prints chefsrv.mydomain.com, because that is the name reconfigure will put in the certificate:

sudo reboot

Finally we need to reconfigure our chef server, which regenerates the self-signed certificate with the new name:

sudo chef-server-ctl reconfigure
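The server-side steps above as one idempotent script, added here as an example (not from the original post). It assumes Ubuntu with systemd’s hostnamectl, chef-server-ctl on the PATH, and root; the FQDN argument is the name clients put in chef_server_url. The part worth getting right is the hosts-file edit: the name must be the first entry on its own loopback line, otherwise hostname -f, and with it the certificate CN, comes back as localhost, so the script strips the name from anywhere it is only an alias and checks hostname -f before reconfiguring.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes Ubuntu with systemd
# (hostnamectl), chef-server-ctl on PATH, and root for the real run.
set -eu

# Make FQDN the canonical (first) name of its own loopback line in a hosts file,
# keeping localhost intact. hostname -f, and therefore Ohai's node['fqdn'] which
# becomes the certificate CN, returns the first name on the line that resolves
# the hostname, so the FQDN must not be left as a trailing alias of localhost.
ensure_hosts_entry() {  # ensure_hosts_entry HOSTS_FILE FQDN
  local hosts="$1" fqdn="$2" short="${2%%.*}" fqdn_re
  fqdn_re=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
  # 1. Strip the name wherever it is only an alias (not the first name on a line).
  sed -i -E "s/^([^#[:space:]]+[[:space:]]+[^[:space:]]+.*)[[:space:]]+$fqdn_re([[:space:]]|\$)/\1\2/" "$hosts"
  # 2. Already canonical on some line: nothing to do (a second run is a no-op).
  grep -qE "^[^#[:space:]]+[[:space:]]+$fqdn_re([[:space:]]|\$)" "$hosts" && return 0
  # 3. Otherwise add the Debian/Ubuntu-style 127.0.1.1 line with a short alias.
  printf '127.0.1.1 %s %s\n' "$fqdn" "$short" >> "$hosts"
}

# The name chef-server-ctl reconfigure will put in the certificate.
reported_fqdn() {
  hostname -f
}

# Full server-side procedure; run as root once DNS for FQDN points at the instance.
fix_chef_server_hostname() {  # fix_chef_server_hostname FQDN
  local fqdn="$1"
  hostnamectl set-hostname "$fqdn"   # writes /etc/hostname and applies it, no reboot
  ensure_hosts_entry /etc/hosts "$fqdn"
  if [ "$(reported_fqdn)" != "$fqdn" ]; then
    echo "hostname -f reports '$(reported_fqdn)', not '$fqdn'; fix /etc/hosts before reconfiguring" >&2
    return 1
  fi
  chef-server-ctl reconfigure        # regenerates the self-signed certificate with CN=$fqdn
}

# Invoked as a script: sudo ./fix-chef-hostname.sh chefsrv.mydomain.com
if [ "$#" -eq 1 ]; then
  fix_chef_server_hostname "$1"
fi
```

ensure_hosts_entry works on any file path, so it can be tried on a copy of /etc/hosts first; the hostname -f check is the one that matters, because reconfigure will happily mint a certificate for whatever name comes back.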

And that’s it. Rerun knife ssl fetch and knife ssl check and it’s all good. Two loose ends: fetch only ever adds files to trusted_certs, so delete the earlier ip-172-XX-XX-XXX_eu-west-1_compute_internal.crt by hand, and since fetch trusts whatever came over the wire, compare the SHA-256 fingerprint of the downloaded chefsrv_mydomain_com.crt with the certificate on the server (over ssh, not over the same HTTPS connection) before relying on it:

MacBookAir:learn-chef <username>$ knife ssl fetch
WARNING: Certificates from chefsrv.mydomain.com will be fetched and placed in your trusted_cert
directory (/Users/<username>/learn-chef/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for chefsrv_mydomain_com in /Users/<username>/learn-chef/.chef/trusted_certs/chefsrv_mydomain_com.crt
MacBookAir:learn-chef <username>$ knife ssl check
Connecting to host chefsrv.mydomain.com:443
Successfully verified certificates from `chefsrv.mydomain.com'
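The checks behind that last step, scripted, as an added example that is not part of the original post: cert_valid_for_host is the same test knife ssl check performs (chain to a trusted certificate plus hostname match, here done with openssl verify, the self-signed certificate being its own trust anchor), certs_match is the out-of-band fingerprint comparison knife cannot do for you, and list_certs_not_for_host flags leftovers such as the ip-172-… file in trusted_certs. It assumes openssl is installed and that the server keeps its certificate at /var/opt/opscode/nginx/ca/<fqdn>.crt (the usual location for the Chef Server package, treated as an assumption here); make_selfsigned only produces constructed test certificates.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Requires openssl. The server-side
# path in the usage comment is an assumption about where the Chef Server package
# writes its self-signed certificate.
set -eu

# SHA-256 fingerprint in the form openssl prints it (AB:CD:...).
cert_fingerprint() {  # cert_fingerprint CERT_FILE
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Same test knife ssl check performs: chain to a trusted certificate and match the
# hostname (SAN, or CN when the cert has no SAN). The Chef Server certificate is
# self-signed, so it is passed as its own CA.
cert_valid_for_host() {  # cert_valid_for_host CERT_FILE HOSTNAME
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# TOFU check: the certificate knife fetched must be identical to the one on the
# server, otherwise something between the client and the server substituted it.
certs_match() {  # certs_match FETCHED_CERT SERVER_CERT
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# List .crt files in a trusted_certs directory that are not valid for HOST, e.g.
# the ip-172-... file left behind by the first knife ssl fetch. Reports only:
# other entries may legitimately belong to other servers.
list_certs_not_for_host() {  # list_certs_not_for_host TRUSTED_CERTS_DIR HOSTNAME
  local f
  for f in "$1"/*.crt; do
    [ -e "$f" ] || continue
    cert_valid_for_host "$f" "$2" || printf '%s\n' "$f"
  done
}

# Constructed test data: a self-signed certificate with the given CN, the shape
# chef-server-ctl reconfigure generates for node['fqdn'].
make_selfsigned() {  # make_selfsigned CN OUT_FILE
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Usage on the client after knife ssl fetch (server path is an assumption):
#   scp chefsrv.mydomain.com:/var/opt/opscode/nginx/ca/chefsrv.mydomain.com.crt /tmp/server.crt
#   certs_match ~/learn-chef/.chef/trusted_certs/chefsrv_mydomain_com.crt /tmp/server.crt && echo match
#   list_certs_not_for_host ~/learn-chef/.chef/trusted_certs chefsrv.mydomain.com
```

The fingerprint is pulled over ssh precisely because it must not come from the HTTPS connection being verified; if certs_match fails, do not keep the fetched file.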