cannot validate certificate for 10.90.239.223 because it doesn't contain any IP SANs


Answered in https://devops.stackexchange.com/questions/3168/terraform-chef-provisioning-cannot-validate-certificate-for-10-90-239-223-beca/3170#3170. Short version: don't use openssl to make certs anymore, it's too complex to get right.


Author: scott

Updated on September 18, 2022

Comments

  • scott over 1 year

    While configuring the chef provisioner I am running into the following error after running 'terraform apply':

    * chef_environment.terraform_01: Post https://10.90.239.223/organizations/mykitchen/environments: x509: cannot validate certificate for 10.90.239.223 because it doesn't contain any IP SANs

    I have read that the certs may need a different 'CN' field, but I don't remember manually setting up certs as part of the chef server install process.

    I have these certs that I found after the install

    $ ls /var/opt/opscode/nginx/ca
    dhparams.pem  localhost.crt  localhost.key
    

    which I think are the ones being used but I'm not sure.

    I also have set

    ssl_verify_mode = ":verify_none" 
    

    in my chef provisioner configs, but I don't know if that's relevant or working.

    Do I need to (re)generate certs? If so, how would I do that for Chef? I already have certs generated for my matchbox service on the same machine using this script, would I use those?

    UPDATE:

    I tried this

    openssl req -x509 -newkey rsa:4096 -keyout chef.key -out chef.pem -nodes -days 365 -config req.conf
    
    sudo chown opscode:opscode chef.*
    sudo mv chef.* /var/opt/opscode/nginx/ca/.
    
    sudo chef-server-ctl stop
    sudo chef-server-ctl reconfigure
    sudo chef-server-ctl start
    

    my req.conf

    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
    
    [ dn ]
    C=US
    ST=mystate
    L=mycity
    O=DevOps
    OU=myname
    [email protected]
    CN = 10.90.239.223
    
    [ req_ext ]
    subjectAltName = @alt_names
    
    [alt_names]
    IP = 10.90.239.223
    DNS.1 = 10.0.90.45
    DNS.2 = 10.90.50.8
    email = [email protected]
    URI = https://10.90.239.223/
    

    but I am still getting

    chef_environment.terraform_01: Post https://10.90.239.223/organizations/mykitchen/environments: x509: cannot validate certificate for 10.90.239.223 because it doesn't contain any IP SANs
    • Admin
      Admin over 6 years
      From what you are saying, that does sound like the problem. Maybe someone else can help me with the chef provisioning part? I am very new to chef and terraform provisioning. I'm guessing I need to re-generate the certs unless I can add the SANs to an existing cert?
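Added example, not code from the question or the answer: a POSIX shell script that builds a self-signed certificate whose subjectAltName actually carries the IP address, and checks the resulting file before anything is copied into /var/opt/opscode/nginx/ca. It assumes the openssl command-line tool is installed; the address 10.90.239.223 and the nginx path are taken from the question, while the DN fields, file names and temp directory are illustrative. Two points worth knowing about the posted req.conf: `openssl req -x509` reads its extensions from the section named by `x509_extensions` (or the `-extensions` option), while `req_extensions` only applies to certificate requests, which is the likely reason chef.pem ended up without a SAN; and the `x509:` prefix in the error shows the check is done by Go's crypto/x509 inside the Terraform provider, so the Chef-side `ssl_verify_mode` setting has no effect on it.

```shell
#!/bin/sh
# Added example (not from the original post): create a self-signed certificate
# with an IP SAN and verify the SAN is really present before installing it.
# Assumes the openssl CLI; 10.90.239.223 comes from the question, the rest is
# illustrative.
set -eu

# write_req_conf DIR IP: write an openssl config whose SAN section is picked up
# by `req -x509`. Note x509_extensions (not req_extensions) points at req_ext.
# DNS.n entries are for hostnames; IP addresses belong in IP.n entries.
write_req_conf() {
  cat > "$1/req.conf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = req_ext

[dn]
C = US
O = DevOps
CN = $2

[req_ext]
subjectAltName = @alt_names

[alt_names]
IP.1 = $2
EOF
}

# make_cert DIR IP: produce DIR/chef.key and DIR/chef.pem (self-signed, 1 year).
make_cert() {
  write_req_conf "$1" "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1/chef.key" -out "$1/chef.pem" -config "$1/req.conf" 2>/dev/null
}

# has_ip_san CERT IP: exit 0 only if CERT lists IP under Subject Alternative Name.
# This is the same property Go's crypto/x509 requires when the URL host is an IP.
has_ip_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -q "IP Address:$2"
}

# Demo: generate into a scratch directory and check before any install step.
demo_dir=$(mktemp -d)
make_cert "$demo_dir" 10.90.239.223
if has_ip_san "$demo_dir/chef.pem" 10.90.239.223; then
  echo "ok: $demo_dir/chef.pem carries IP SAN 10.90.239.223"
else
  echo "error: generated certificate has no IP SAN" >&2
  exit 1
fi
```

The `has_ip_san` check is also the quickest way to see what the existing Chef Server certificate contains, e.g. `has_ip_san /var/opt/opscode/nginx/ca/localhost.crt 10.90.239.223`, and `openssl s_client -connect 10.90.239.223:443 -showcerts` shows which certificate nginx is actually serving after `chef-server-ctl reconfigure`, which may differ from the file you copied in.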