A remote node running chef to checkin to the chef-server requires the certificate file to be in /etc/chef/trusted_certs/. I initially handle this through a script that I wrote during my node provisioning process.
However, for deployed hosts, I can't do that anymore. I just had to update my SSL certificate for my chef-server, so now I need to update the remote nodes.
So what's the best way to update the needed SSL certificates on deployed chef-clients that I don't have direct access to?
The best way would be to update it using Chef itself, though this would mean you need to be careful to fully roll out the new public/CA certificate before to all hosts before updating the private half on the Chef server. In general this shouldn't come up much. If you expect to be regenerating the server's key a lot, you should probably use a more formal internal CA and just deploy the CA cert (which rarely changes) to the hosts.
The specifics of the update would probably be a cookbook_file resource and cram all the certs to trust in a cookbook somewhere.
Asked in February 2016Viewed 1,796 timesVoted 8Answered 1 times