So today I wanted to switch our chef-server certificates from an old internal PKI with issues (SHA-1 …) to another solution, and since we are avid users of Let's Encrypt this was my first idea.
However I quickly stumbled onto an issue: the chef-server private cookbooks aren't 'compatible' with this (i.e. there is no way to insert custom nginx rules at the right location to allow serving /.well-known/acme-challenge/) …
So I had to be creative, and the first idea was: put an nginx in front of chef's nginx on port 80. Here is how I did it:
Setting up the webproxy
So, first things first, we have to tell chef to free our beloved port 80 for our own use; we start by editing '/etc/opscode/chef-server.rb' to add/modify the non_ssl_port attribute:
And then we can trigger the chef-server reconfiguration:
After that's done, we can install and set up nginx on the Linux host. Here is the Ubuntu/Debian way, but I'm sure you can adapt it to your liking:
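As an added example (not the post's own snippet, nor anything from chef or dehydrated), here is a small script that renders the port-80 front-proxy server block for nginx from the non_ssl_port actually set in chef-server.rb, so the proxy target and chef's listener cannot drift apart. The host name chef.example.com, the webroot /var/www/dehydrated (the directory WELLKNOWN will point at) and the output path in the usage comment are assumptions; chef's non-SSL listener only answers with a redirect to HTTPS, so proxying it keeps the post's design.

```shell
#!/usr/bin/env bash
# Added example (not from the post): build the port-80 front proxy config
# for chef-server from the non_ssl_port configured in chef-server.rb.
# Host name, webroot and file paths below are assumptions.
set -eu

# Extract nginx['non_ssl_port'] from a chef-server.rb; prints nothing if unset.
chef_non_ssl_port() {
    sed -n "s/^[[:space:]]*nginx\[['\"]non_ssl_port['\"]][[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1"
}

# Render an nginx server block: ACME challenges are served from the webroot
# that dehydrated writes to, everything else is proxied to chef's own nginx
# on its (moved) non-SSL port, which redirects clients to https.
render_nginx_site() {
    local server_name="$1" webroot="$2" backend_port="$3"
    cat <<EOF
server {
    listen 80;
    server_name ${server_name};

    # http-01 challenge files written by dehydrated (WELLKNOWN=${webroot})
    location ^~ /.well-known/acme-challenge/ {
        alias ${webroot}/;
        default_type "text/plain";
    }

    # everything else still belongs to chef-server's nginx, now on ${backend_port}
    location / {
        proxy_pass http://127.0.0.1:${backend_port};
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
    }
}
EOF
}

# Refuse to render if chef still owns port 80: the proxy would loop onto itself.
main() {
    local server_name="$1" webroot="$2" chef_rb="${3:-/etc/opscode/chef-server.rb}"
    local port
    port="$(chef_non_ssl_port "$chef_rb")"
    if [ -z "$port" ] || [ "$port" = 80 ]; then
        echo "non_ssl_port in $chef_rb must be set to something other than 80 first" >&2
        return 1
    fi
    render_nginx_site "$server_name" "$webroot" "$port"
}

# usage (assumed paths):
#   ./render-proxy.sh chef.example.com /var/www/dehydrated > /etc/nginx/sites-available/chef-acme-proxy
#   ln -s ../sites-available/chef-acme-proxy /etc/nginx/sites-enabled/ && nginx -t && systemctl reload nginx
if [ $# -ge 2 ]; then
    main "$@"
fi
```

The check in main is the one that saves the most time in practice: if reconfigure did not actually move chef's listener, nginx will fail to bind port 80 or proxy to itself, and both look like "Let's Encrypt can't reach the challenge".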
Setting up the acme client
I am pretty fond of Lukas Schauer's (@lukas2511) bash solution, dehydrated, so here is how I set it up; it shouldn't be difficult to adapt this to any other ACME client:
Installing dehydrated (my way)
And there you go !
… Well, almost ^^ we still have a bit of setup to do.
So we have three files to create: the global configuration, the domain list and the hook script that will take care of restarting chef-server when needed.
For the global configuration (default path /usr/local/etc/dehydrated/config), I mostly set up the bare minimum: CONTACT_EMAIL for the account creation / mail notifications from LE, WELLKNOWN, which is the path the challenges are published from, and HOOK to point at our custom-made script. Example:
For the SSL domain, if like me you only need the host name, there is an easy way:
If not, you'll need to fire up your favorite EDITOR (echo or cat, as you wish ^^) and create '/usr/local/etc/dehydrated/domains.txt'.
And as for the hook script, here is a base for you to extend if you want:
Easy enough: you only need to register the account (once) and trigger a first run of dehydrated using "-c":
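Here is an added example of such a hook script, covering the hook file and the "restart when needed" step described above; it is not the post's script and not part of dehydrated. dehydrated invokes the hook with the phase name as first argument and only calls deploy_cert after a certificate was actually issued, so a restart only happens on renewal. Assumptions not in the post: the fullchain and key are copied under CHEF_SSL_DIR (default /etc/opscode/ssl) with fixed names, which is where chef-server.rb's ssl_certificate/ssl_certificate_key are pointed, and RECONFIGURE_CMD (default "chef-server-ctl restart nginx") is what makes chef's nginx pick them up.

```shell
#!/usr/bin/env bash
# Added example of a dehydrated hook for chef-server; not the post's script.
# Assumptions (not from the post): cert material is copied to CHEF_SSL_DIR
# under fixed names, and RECONFIGURE_CMD restarts chef-server's nginx.
set -eu

CHEF_SSL_DIR="${CHEF_SSL_DIR:-/etc/opscode/ssl}"
RECONFIGURE_CMD="${RECONFIGURE_CMD:-chef-server-ctl restart nginx}"

# dehydrated calls: deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# and only does so after a new certificate was issued.
deploy_cert() {
    local domain="$1" keyfile="$2" fullchainfile="$4"
    if [ ! -s "$keyfile" ] || [ ! -s "$fullchainfile" ]; then
        echo "missing cert material for $domain, not restarting" >&2
        return 1
    fi
    mkdir -p "$CHEF_SSL_DIR"
    chmod 0750 "$CHEF_SSL_DIR"
    # copy with a restrictive umask, then rename into place so nginx never
    # reads a half-written file
    ( umask 077
      cp "$fullchainfile" "$CHEF_SSL_DIR/$domain.crt.tmp"
      cp "$keyfile"       "$CHEF_SSL_DIR/$domain.key.tmp" )
    chmod 0644 "$CHEF_SSL_DIR/$domain.crt.tmp"   # the chain is public
    chmod 0600 "$CHEF_SSL_DIR/$domain.key.tmp"   # the private key is not
    mv "$CHEF_SSL_DIR/$domain.crt.tmp" "$CHEF_SSL_DIR/$domain.crt"
    mv "$CHEF_SSL_DIR/$domain.key.tmp" "$CHEF_SSL_DIR/$domain.key"
    echo "deployed certificate for $domain, restarting chef-server nginx" >&2
    $RECONFIGURE_CMD
}

# Certificate still valid: dehydrated calls this instead, and nothing restarts.
unchanged_cert() {
    :
}

# Dispatch on the phase name; phases we do not care about (deploy_challenge,
# clean_challenge, exit_hook, ...) are handled by dehydrated itself because
# WELLKNOWN is set, so they are silently accepted here.
run_hook() {
    local handler="${1:-}"
    if [ $# -gt 0 ]; then shift; fi
    case "$handler" in
        deploy_cert|unchanged_cert) "$handler" "$@" ;;
        *) : ;;
    esac
}

run_hook "$@"
```

With this hook in place, the two chef-server.rb attributes point at /etc/opscode/ssl/<hostname>.crt and .key (assumed paths), and a failed copy returns non-zero so dehydrated reports the failure instead of leaving chef on the old certificate silently.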
Setting up the new certificate for chef-server
Easy enough: fire up this good old $EDITOR on '/etc/opscode/chef-server.rb' and modify the two ssl_certificate/ssl_certificate_key attributes. Example: