By default, the connections between chef-client and chef-server are not properly secured. This is a short post on how to encrypt and verify those connections.
As of chef-11 (unlike chef-10), SSL is enabled by default. But the certificates are not verified (naturally, as Opscode cannot create trusted certificates for your domain). Without verification, anyone who can intercept the traffic can present their own certificate, and the client will happily talk to them, so the encryption buys you nothing against an active attacker: the connection is essentially not secure at all.
Unless you only use chef in a trusted network, you should invest some time in securing your clients' connections.
# Installing a certificate on your server
First, grab yourself a certificate for your chef server. This post uses a certificate from CAcert.org.
Installing the certificate into the chef-server's nginx is a little annoying. chef-11 (at least when installed from the official opscode packages) uses a bundled nginx instead of the system-wide one. Therefore you need to change the configuration under /var/opt/chef-server/nginx/etc, which feels a little unsafe, as it might get overwritten by upgrades.
First, set up a resource that reconfigures chef-server (runs chef-server-ctl reconfigure) whenever something it depends on changes:
Deploy your certificate using the certificate cookbook. Have it notify the reconfigure resource, so the server is reconfigured whenever the certificate is renewed later.
Next, manage /etc/chef-server/chef-server.rb with a template that points the bundled nginx at the deployed certificate and key (in chef-server 11 these are the nginx['ssl_certificate'] and nginx['ssl_certificate_key'] settings). Feel free to add further settings; I chose to disable the webui.
Again, the template notifies the reconfigure resource, so chef is reconfigured automatically whenever the configuration changes.
# Tell your chef-clients to verify peers
If you use the chef-client cookbook, you can tell your clients to verify the server certificate by overriding the following attributes in your wrapper cookbook (support for verify_mode was added in chef-client-0.3.0). Note that you need to specify ssl_ca_path manually, as it is not set by default; without a CA path or file, peer verification has nothing to verify against and every connection fails.
Or set ssl_verify_mode to :verify_peer together with ssl_ca_path (or ssl_ca_file) manually in your client.rb:
# Be careful with the remote_file resource!
What I also stumbled across is that the remote_file resource doesn’t check certificates for https addresses either. So you should be very cautious if you use it for sensitive data, or to download scripts from the internet that will be executed later. I’m sure you do not want a script run by root modified on the way.
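To make the difference between the two verify modes concrete (for the client.rb setting above as well as for the remote_file caveat), here is an added example in plain Ruby with the openssl standard library; it is not code from this post and does not use Chef itself. It constructs a throwaway self-signed certificate in memory, serves it from a tiny TLS server on the loopback interface, and then connects three times: with VERIFY_NONE (what chef-11's default ssl_verify_mode :verify_none does), with VERIFY_PEER but no trust store (what :verify_peer without ssl_ca_path or ssl_ca_file does), and with VERIFY_PEER plus the certificate in the trust store and a hostname check. The hostname "localhost", the port chosen by the OS and the response line are all assumptions of this example.

```ruby
require 'openssl'
require 'socket'

# Throwaway self-signed certificate for "localhost", constructed in memory.
# It plays the part of whatever certificate an unverifying client would accept.
def make_self_signed_cert(hostname = 'localhost')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Minimal TLS server on an ephemeral loopback port that answers one line per
# connection. Stands in for the chef-server's nginx (assumed test fixture).
def start_tls_server(key, cert)
  tcp = TCPServer.new('127.0.0.1', 0)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = server.accept          # TLS handshake happens here
        conn.gets                     # request line from the client
        conn.puts 'HTTP/1.0 200 OK'
        conn.close
      rescue StandardError
        # a client that rejects our certificate aborts the handshake; keep serving
      end
    end
  end
  [tcp.addr[1], thread, server]
end

# Connect like a client with the given verify mode. ca_cert stands in for
# ssl_ca_file / ssl_ca_path; hostname enables the name check on top of the chain
# check. Returns the server's response line or raises OpenSSL::SSL::SSLError.
def tls_get(port, verify_mode, ca_cert: nil, hostname: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode
  if ca_cert
    store = OpenSSL::X509::Store.new
    store.add_cert(ca_cert)
    ctx.cert_store = store
  end
  tcp = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  begin
    ssl.connect
    ssl.post_connection_check(hostname) if hostname
    ssl.puts 'GET / HTTP/1.0'
    ssl.gets.to_s.strip
  ensure
    ssl.close
  end
end

# Run the three client configurations against the self-signed server and
# report whether each one got a connection.
def demo
  key, cert = make_self_signed_cert
  port, thread, server = start_tls_server(key, cert)
  attempts = {
    verify_none:         -> { tls_get(port, OpenSSL::SSL::VERIFY_NONE) },
    verify_peer_no_ca:   -> { tls_get(port, OpenSSL::SSL::VERIFY_PEER) },
    verify_peer_with_ca: -> { tls_get(port, OpenSSL::SSL::VERIFY_PEER,
                                      ca_cert: cert, hostname: 'localhost') }
  }
  attempts.transform_values do |attempt|
    begin
      attempt.call
      :connected
    rescue OpenSSL::SSL::SSLError
      :rejected
    end
  end
ensure
  thread&.kill
  server&.close
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |mode, outcome| puts "#{mode}: #{outcome}" }
end
```

The VERIFY_NONE client connects although nobody vouches for the certificate, which is exactly what an interposed attacker needs; VERIFY_PEER without a trust store rejects everything, which is why ssl_ca_path must be set; VERIFY_PEER with the right CA and a hostname check is the configuration you want. For remote_file downloads over https, the practical mitigation while the resource does not verify certificates is to pin the expected file with its checksum attribute (a SHA-256), so a modified script fails the checksum instead of being executed.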