Replacing Chef’s self-signed certificates

Having gotten my home network and logging to a point where I wanted it, my next project was going to be Chef. Life intervened before I got too much involved with Chef, but now that things are approaching a sense of normalcy, I’m trying to pick up where I left off. My ultimate goal is to set up my CentOS server as a Chef server, and control my virtual machines via Chef automation. One minor speed bump along the way was the web interface for Chef, which uses self-signed certificates and so gave me the annoying warning when accessing it. I fixed that problem by replacing the certs with my own, below the fold.

Chef server is itself configured by Chef, which makes it not too difficult to make changes. However, I still had some problems with figuring out where to put the certificates so that nginx, the web server that Chef uses, could find them. After messing around for a bit, I came across this excellent tutorial. Using the PKI hierarchy I set up earlier, I created a new key, signed it, installed it, and pointed Chef at that location.

Before everything worked, I had to make one minor tweak: Chef uses the fully-qualified domain name (FQDN) as the server name. Ohai grabs this from the hosts file, and I had “localhost” set as the first hostname, which is the one it grabs. That’s not the name on the certificate, so I had to move my server name first in the hosts file, before localhost. Easy enough.

With all that in place and a “chef-server-ctl reconfigure” command executed, I have a proper certificate path in place. Next time, I hope to start making some recipes to create my VMs.
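The whole procedure above, as an added example that is not from the original post or from the Chef project: a throwaway CA stands in for my earlier PKI hierarchy, a server key and CSR are issued for the Chef server's FQDN, the result is signed and verified, the hosts-file ordering that Ohai relies on is checked, and a `chef-server.rb` fragment points the bundled nginx at the new pair. The FQDN `chef.example.lan`, the `/etc/opscode/ssl` directory, the hosts-file contents and the `WORK` directory are all constructed; the `nginx['ssl_certificate']` and `nginx['ssl_certificate_key']` keys are the documented Chef server settings, and `chef-server-ctl reconfigure` is the command from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Everything under $WORK is
# constructed for the demonstration; the FQDN and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-chef.example.lan}"   # constructed FQDN standing in for the real server name

# Create a throwaway CA (standing in for an existing PKI hierarchy) and issue
# a server certificate whose SAN carries the FQDN Chef will advertise.
issue_server_cert() {
    fqdn="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Home CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    # Server key + CSR. Browsers match the SAN, not the CN, so set both.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$WORK/$fqdn.key" -out "$WORK/$fqdn.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/$fqdn.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -extfile "$WORK/san.ext" \
        -out "$WORK/$fqdn.crt" >/dev/null 2>&1
}

# Succeed only if the cert chains to the CA and actually names the FQDN;
# a mismatch here is exactly what produces the browser warning.
cert_matches_fqdn() {
    fqdn="$1"
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$fqdn.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/$fqdn.crt" -noout -text | grep -q "DNS:$fqdn"
}

# Print the first hostname listed for an address in a hosts file. Ohai takes
# the node's fqdn from this ordering, so the server name must precede localhost.
first_hostname_for() {
    awk -v ip="$2" '$1 == ip { print $2; exit }' "$1"
}

# Write the chef-server.rb fragment that points nginx at the signed pair.
# The keys are Chef's documented settings; the install path is an assumption.
write_chef_ssl_config() {
    fqdn="$1"; out="$2"
    cat > "$out" <<EOF
nginx['ssl_certificate']     = "/etc/opscode/ssl/$fqdn.crt"
nginx['ssl_certificate_key'] = "/etc/opscode/ssl/$fqdn.key"
EOF
}

# Demonstration with constructed hosts files: the "bad" one reproduces the
# localhost-first ordering from the post, the "good" one fixes it.
issue_server_cert "$FQDN"
cert_matches_fqdn "$FQDN" && echo "certificate verifies and names $FQDN"

printf '127.0.0.1 localhost %s\n' "$FQDN" > "$WORK/hosts.bad"
printf '127.0.0.1 %s localhost\n' "$FQDN" > "$WORK/hosts.good"
echo "bad ordering  -> Ohai sees: $(first_hostname_for "$WORK/hosts.bad" 127.0.0.1)"
echo "good ordering -> Ohai sees: $(first_hostname_for "$WORK/hosts.good" 127.0.0.1)"

write_chef_ssl_config "$FQDN" "$WORK/chef-server.rb"
cat "$WORK/chef-server.rb"
# After copying the pair to /etc/opscode/ssl and merging the fragment into
# /etc/opscode/chef-server.rb, apply it with: chef-server-ctl reconfigure
```

Run it as-is to see the mismatch and the fix side by side; set `FQDN` to your real server name and point `WORK` at a scratch directory when issuing a certificate for an actual Chef server with your own CA.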