kaiprt

Reputation: 73

Chef on AWS: How do you update the certificate on the server?

I am trying to use knife from my laptop to connect to a newly configured Chef server hosted on AWS. I know what is listed below is the right direction for me but I'm not sure how to go about this exactly.

If you are not able to connect to the server using the hostname ip-xx-x-x-xx.ec2.internal 
you will have to update the certificate on the server to use the correct hostname.

Upvotes: 3

Views: 2052

Answers (3)

funny_head

Reputation: 101

  • Update public IP on Chef Server
  • run chef-server-ctl reconfigure on Server (No reboot needed)
  • Update the knife.rb on Workstation with new IP address
  • run 'knife ssl fetch' on the Chef Workstation

This should resolve the issue; to confirm, run 'knife client list'.

Upvotes: 1

WhyAyala

Reputation: 675

I had this same problem. The problem is that EC2 instances place their private IP into their hostname file, which causes Chef to self-assign certs to the internal IP. When you do knife ssl check you'll probably get an error message that looks like this:

ERROR: The SSL cert is signed by a trusted authority but is not valid for the given hostname
ERROR: You are attempting to connect to:   'ec2-x-x-x-x.us-west-2.compute.amazonaws.com'
ERROR: The server's certificate belongs to 'ip-y-y-y-y.us-west-2.compute.internal'

Connecting to the public IP is correct; however, you'll continue to get this error if you don't configure your Chef server to use your public DNS when signing the cert.

EDIT: Chef's documentation used to have steps to correct this issue, but since the time I initially answered this question they have removed those steps from their tutorial. The following steps worked for me with Chef 12, Ubuntu 16 on an ec2 instance.

  1. ssh onto your chef server
  2. open your hostname file with the following command: sudo vim /etc/hostname
  3. remove the line containing your internal IP and replace it with your public IP and save the file.
  4. reboot the server with sudo reboot
  5. run sudo chef-server-ctl reconfigure (this signs a new certificate, among other things)
  6. Go back to your workstation and use knife ssl fetch followed by knife ssl check and you should be good to go.

What you could ALSO do, is just complete steps 1 - 4 before you even install chef onto the server.

Upvotes: 4
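The check that fails in the answer above (and that funny_head's 'knife ssl fetch' step is meant to satisfy) is plain TLS hostname verification: the name in chef_server_url must appear in the server certificate's subjectAltName (or, failing that, its CN). The following is an added example, not code from the question, the answers or Chef itself. It builds a throwaway self-signed certificate the way a fresh Chef server on EC2 ends up with one (internal hostname in CN and SAN), then runs the same identity check that Ruby's OpenSSL performs for knife against both the internal and the public name. The hostnames, URL and organisation path are made up for illustration.

```ruby
require 'openssl'
require 'uri'

# Build a self-signed certificate whose CN and subjectAltName carry the given
# hostname. This mirrors what chef-server-ctl reconfigure produces from
# /etc/hostname; the key and certificate are generated on the fly and are
# throwaway (constructed example, not a real Chef server cert).
def build_self_signed_cert(hostname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}", false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The hostname knife compares against is whatever is in chef_server_url
# (e.g. https://<host>/organizations/<org> in knife.rb).
def server_host(chef_server_url)
  URI.parse(chef_server_url).host
end

# DNS names the certificate is valid for: the SAN entries, or the CN when the
# certificate carries no SAN (the legacy fallback TLS clients apply).
def cert_names(cert)
  san = cert.extensions.find { |ext| ext.oid == 'subjectAltName' }
  names = san ? san.value.split(',').map(&:strip).grep(/\ADNS:/).map { |n| n.sub('DNS:', '') } : []
  return names unless names.empty?
  cn_entry = cert.subject.to_a.find { |oid, _value, _type| oid == 'CN' }
  cn_entry ? [cn_entry[1]] : []
end

# Same identity check knife ssl check relies on: Ruby's OpenSSL matches the
# hostname against the SAN (falling back to CN), wildcards included.
def cert_valid_for?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Reproduce the verdict knife ssl check prints, as a string a reader can compare
# with the error output quoted in the answer.
def ssl_check_message(cert, chef_server_url)
  host = server_host(chef_server_url)
  if cert_valid_for?(cert, host)
    "Successfully verified certificate for '#{host}'"
  else
    "The server's certificate belongs to #{cert_names(cert).join(', ')}, " \
      "not to '#{host}'; fix /etc/hostname and run chef-server-ctl reconfigure"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Before the fix: cert issued for the EC2-internal name.
  broken, _key = build_self_signed_cert('ip-10-0-0-5.us-west-2.compute.internal')
  puts ssl_check_message(broken, 'https://ec2-54-0-0-5.us-west-2.compute.amazonaws.com/organizations/myorg')

  # After the fix: /etc/hostname holds the public DNS name before reconfigure.
  fixed, _key = build_self_signed_cert('ec2-54-0-0-5.us-west-2.compute.amazonaws.com')
  puts ssl_check_message(fixed, 'https://ec2-54-0-0-5.us-west-2.compute.amazonaws.com/organizations/myorg')
end
```

Running knife ssl fetch only copies the server's certificate into ~/.chef/trusted_certs; it does not change which names the certificate is valid for, so it cannot make the check pass until the certificate itself is reissued for the name you actually connect to.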

300D7309EF17

Reputation: 24643

You can't connect to an internal IP (or DNS that points to an internal IP) from outside AWS. Those are nonroutable IP addresses.

Instead, connect to the public IP of the instance, if you have one.

Upvotes: 0
