cannot validate certificate for 10.90.239.223 because it doesn't contain any IP SANs
Answered in https://devops.stackexchange.com/questions/3168/terraform-chef-provisioning-cannot-validate-certificate-for-10-90-239-223-beca/3170#3170. Short version: don't use openssl to make certs anymore, it's too complex to get right.
scott
Updated on September 18, 2022
scott over 1 year
While configuring the chef provisioner I am running into the following error after running 'terraform apply'
* chef_environment.terraform_01: Post https://10.90.239.223/organizations/mykitchen/environments: x509: cannot validate certificate for 10.90.239.223 because it doesn't contain any IP SANs
I have read that the certs may need a different 'CN' field, but I don't remember manually setting up certs as part of the chef server install process.
I have these certs that I found after the install
    $ ls /var/opt/opscode/nginx/ca
    dhparams.pem  localhost.crt  localhost.key
which I think are the ones being used but I'm not sure.
I also have set
ssl_verify_mode = ":verify_none"
in my chef provisioner configs, but I don't know if that's relevant or working.
Do I need to (re)generate certs, if so how would I do that for chef? I already have certs generated for my matchbox service on the same machine using this script, would I use those?
UPDATE:
I tried this
    openssl req -x509 -newkey rsa:4096 -keyout chef.key -out chef.pem -nodes -days 365 -config req.conf
    sudo chown opscode:opscode chef.*
    sudo mv chef.* /var/opt/opscode/nginx/ca/.
    sudo chef-server-ctl stop
    sudo chef-server-ctl reconfigure
    sudo chef-server-ctl start
my req.conf
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn

    [ dn ]
    C=US
    ST=mystate
    L=mycity
    O=DevOps
    OU=myname
    [email protected]
    CN = 10.90.239.223

    [ req_ext ]
    subjectAltName = @alt_names

    [alt_names]
    IP = 10.90.239.223
    DNS.1 = 10.0.90.45
    DNS.2 = 10.90.50.8
    email = [email protected]
    URI = https://10.90.239.223/
but I am still getting
chef_environment.terraform_01: Post https://10.90.239.223/organizations/mykitchen/environments: x509: cannot validate certificate for 10.90.239.223 because it doesn't contain any IP SANs
Admin over 6 years
From what you are saying, that does sound like the problem. Maybe someone else can help me with the chef provisioning part? I am very new to chef and terraform provisioning. I'm guessing I need to regenerate the certs unless I can add the SANs to an existing cert?
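The error text in the question is produced by Go's crypto/x509 hostname check, which for an IP address target consults only the certificate's iPAddress SAN entries. The Go program below is an added example, not code from the original post or from Chef or Terraform: it issues throwaway self-signed certificates and shows that a hostname-only certificate, and one with the address typed as a DNS entry, both fail with that message, while an IP SAN passes. The helper verifyHost and the hostname chef.example.internal are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// verifyHost (hypothetical helper) issues a throwaway self-signed certificate with the
// given DNS and IP SANs and returns "ok" or the error text of Go's hostname check.
func verifyHost(dnsSANs, ipSANs []string, host string) string {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "setup: " + err.Error()
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "chef-server (constructed)"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsSANs, // dNSName entries (DNS.n in an OpenSSL config)
	}
	for _, s := range ipSANs {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(s)) // iPAddress entries (IP.n)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "setup: " + err.Error()
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "setup: " + err.Error()
	}
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return "ok"
}

func main() {
	const ip = "10.90.239.223" // server address from the question
	fmt.Println(verifyHost([]string{"chef.example.internal"}, nil, ip)) // hostname-only cert
	fmt.Println(verifyHost([]string{ip}, nil, ip))                      // IP typed as a DNS SAN
	fmt.Println(verifyHost(nil, []string{ip}, ip))                      // IP SAN present
}
```

Running the same check against the certificate a server actually presents shows whether a regenerated certificate is the one being served.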