This post deliberately does not explain what Chef or Let's Encrypt is. It is a short step-by-step guide to installing Chef server with a Let's Encrypt certificate for the server's SSL, then setting up a workstation and bootstrapping a first node.
Setting Up Let's Encrypt
- First, install the Let's Encrypt client and generate a certificate in standalone mode. Do this before installing Chef server: standalone validation binds ports 80 and 443 itself, and once Chef server is installed its bundled nginx holds those ports:
[bash]git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto
./letsencrypt-auto certonly --standalone --email [email protected] -d chefserver.YOURDOMAIN.com
[/bash]. The certificate chain is now at /etc/letsencrypt/live/chefserver.YOURDOMAIN.com/fullchain.pem and the private key at /etc/letsencrypt/live/chefserver.YOURDOMAIN.com/privkey.pem. The files under live/ are symlinks to the newest files in archive/, so these paths stay valid across renewals. Keep in mind that Let's Encrypt certificates are valid for only 90 days: renewal has to be scheduled, and after every renewal the Chef server's nginx must be restarted (chef-server-ctl restart nginx) so it loads the new files.
Chef Server with Let's Encrypt
- Install Chef server (the package below is for Ubuntu 14.04; for another OS, substitute the download link from Chef's website):
[bash]wget https://packages.chef.io/stable/ubuntu/14.04/chef-server-core_12.6.0-1_amd64.deb
dpkg -i chef-server-core_*.deb
[/bash]. Do not run the reconfigure command yet: edit the configuration first, so that the initial reconfigure already uses the Let's Encrypt certificate instead of generating a self-signed one.
- Edit /etc/opscode/chef-server.rb so that the bundled nginx serves the Let's Encrypt certificate and key. Use fullchain.pem rather than cert.pem: it includes the intermediate certificate, without which knife and chef-client cannot build a trust path to the root:
[ruby]server_name = "chefserver.YOURDOMAIN.com"
api_fqdn server_name
bookshelf['vip'] = server_name
nginx['url'] = "https://#{server_name}"
nginx['server_name'] = server_name
nginx['ssl_certificate'] = "/etc/letsencrypt/live/chefserver.YOURDOMAIN.com/fullchain.pem"
nginx['ssl_certificate_key'] = "/etc/letsencrypt/live/chefserver.YOURDOMAIN.com/privkey.pem"[/ruby]
- Reconfigure the Chef server so the settings take effect:
[bash]chef-server-ctl reconfigure[/bash]
- Install the Chef management console (web UI):
[bash]chef-server-ctl install opscode-manage
chef-server-ctl reconfigure
opscode-manage-ctl reconfigure[/bash]
- Install the Chef reporting feature:
[bash]chef-server-ctl install opscode-reporting
chef-server-ctl reconfigure
opscode-reporting-ctl reconfigure[/bash]
- Create an admin user:
[bash]mkdir ~/.chef
chef-server-ctl user-create YOUR_USERNAME YOUR_FIRST_NAME YOUR_LAST_NAME YOUR_EMAIL YOUR_PASSWORD --filename ~/.chef/YOUR_USERNAME.pem
[/bash]. The file written by --filename is the user's private key; the server keeps only the public half, so this is the only copy.
- Create a new organization:
[bash]chef-server-ctl org-create YOUR_ORGNAME YOUR_FULL_ORGANIZATION_NAME --association_user YOUR_USERNAME --filename ~/.chef/YOUR_ORGNAME.pem[/bash]. The file written here is the organization's validator key (the YOUR_ORGNAME-validator client). Any machine holding it can register itself as a node of the organization, so treat it like a password.
- Browse to https://chefserver.YOURDOMAIN.com: the management console should load over the Let's Encrypt certificate with no browser warning. :-)
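Since a Let's Encrypt certificate expires after 90 days and the standalone client needs the ports that Chef's nginx occupies, renewal on this host cannot simply be left to a plain `certbot renew` cron job. The script below is an added example for this tutorial, not code from Chef or from the Let's Encrypt project. It assumes (none of this is in the original post) that the ACME client is on the PATH as certbot (the tutorial's git clone gives you ./letsencrypt-auto instead; point LE_BIN at that path), that the certificate was issued in --standalone mode as above, and that chef-server-ctl is on the PATH as it is on a Chef server host. It only stops nginx when renewal is actually due, always starts it again even if the ACME exchange fails, and finally checks that the certificate served on port 443 is the one on disk.

```shell
#!/bin/bash
# renew-chef-cert.sh: renew the Let's Encrypt certificate served by the Chef
# server's bundled nginx, then restart that nginx so it loads the new files.
# Added example for this tutorial; not code shipped by Chef or Let's Encrypt.
# Assumptions (not from the original post): certbot on $PATH (or LE_BIN set to
# the tutorial's ./letsencrypt-auto), --standalone issuance, chef-server-ctl
# available.
set -eu

SERVER_NAME="${SERVER_NAME:-chefserver.YOURDOMAIN.com}"   # tutorial placeholder
LE_BIN="${LE_BIN:-certbot}"
CERT="/etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem"  # same path as in chef-server.rb
RENEW_WITHIN_DAYS=30   # LE certs last 90 days; certbot's own "due" window is also 30 days

# notAfter of a PEM certificate as a Unix epoch (GNU date, as on Ubuntu).
cert_not_after_epoch() {
    local not_after
    not_after=$(openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//')
    date -d "$not_after" +%s
}

# Pure decision rule, kept separate so it can be tested without a certificate:
# a cert expiring at epoch $1 needs renewal at epoch $2 when fewer than $3 days
# remain (an already expired cert has negative days left and also qualifies).
# Exit status 0 means "renew now".
needs_renewal() {
    local not_after=$1 now=$2 days=$3
    [ $(( not_after - now )) -lt $(( days * 86400 )) ]
}

# SHA-256 fingerprint of a PEM certificate file.
file_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# SHA-256 fingerprint of the certificate actually presented on port 443.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

# Standalone validation must bind ports 80/443 itself and Chef's nginx holds
# them, so nginx is stopped around the renewal. The trap guarantees nginx comes
# back even if the ACME client fails, so a failed renewal cannot leave the Chef
# API offline; it is cleared once the normal start has run.
renew_and_reload() {
    chef-server-ctl stop nginx
    trap 'chef-server-ctl start nginx' EXIT
    "$LE_BIN" renew --non-interactive
    trap - EXIT
    chef-server-ctl start nginx
}

main() {
    local now not_after
    now=$(date +%s)
    not_after=$(cert_not_after_epoch "$CERT")
    if ! needs_renewal "$not_after" "$now" "$RENEW_WITHIN_DAYS"; then
        echo "$SERVER_NAME: more than $RENEW_WITHIN_DAYS days left, nothing to do"
        return 0
    fi
    renew_and_reload
    # Post-check: nginx must now present the renewed certificate from disk.
    if [ "$(served_fingerprint "$SERVER_NAME")" = "$(file_fingerprint "$CERT")" ]; then
        echo "$SERVER_NAME: renewed; nginx serves $(file_fingerprint "$CERT")"
    else
        echo "$SERVER_NAME: renewed, but nginx still presents the old certificate" >&2
        return 1
    fi
}

# Run daily from root's crontab as: renew-chef-cert.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Keep RENEW_WITHIN_DAYS at 30 or less: certbot renew only reissues when its own 30-day window is reached, so a larger value would stop nginx for nothing. The stop/start takes the Chef API down for the duration of one ACME exchange, which is why the script checks the expiry itself before touching nginx.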
Setting Up a Workstation
I have an existing CentOS 6 VM on my machine, so I use that; the workstation instructions below are therefore for CentOS 6 rather than the Ubuntu used on the server.
- Install Chef DK (Chef Development Kit):
[bash]rpm -Uvh https://packages.chef.io/stable/el/6/chefdk-0.14.25-1.el6.x86_64.rpm[/bash]
- Verify its components:
[bash]chef verify[/bash]
- Generate the chef-repo in your home folder:
[bash]cd ~
chef generate repo chef-repo
cd chef-repo[/bash]
- Copy the RSA private keys from the Chef server:
[bash]mkdir .chef
scp root@YOUR_SERVER_IP_ADDRESS:~/.chef/*.pem ~/chef-repo/.chef/
ls ~/chef-repo/.chef[/bash]. These are the user's private key and the organization's validator key: make them readable only by your own user (mode 0600), and keep the .chef directory out of version control, which the .gitignore in the next step does.
- Add git for versioning:
[bash]git init
git config --global user.name "YOUR NAME"
git config --global user.email [email protected]
echo ".chef" > .gitignore
git add .
git commit -m "Initial commit"
git status[/bash]. The .gitignore entry excludes .chef, so the private keys copied above are never committed.
- Generate knife.rb with your Chef server's details:
[bash]cd ~/chef-repo/.chef
nano knife.rb[/bash][ruby]
log_level :info
log_location STDOUT
node_name 'YOUR_USERNAME'
client_key '~/chef-repo/.chef/YOUR_USERNAME.pem'
validation_client_name 'YOUR_ORGNAME-validator'
validation_key '~/chef-repo/.chef/YOUR_ORGNAME.pem'
chef_server_url 'https://chefserver.YOURDOMAIN.com/organizations/YOUR_ORGNAME'
syntax_check_cache_path '~/chef-repo/.chef/syntax_check_cache'
cookbook_path [ '~/chef-repo/cookbooks' ][/ruby]
After saving it, run knife ssl check from the chef-repo directory: it connects to chef_server_url and reports whether the workstation trusts the server's certificate chain. With the Let's Encrypt fullchain.pem configured on the server this should pass without adding any certificate to the trusted_certs directory.
Bootstrapping a Node
- We can add a node to the client list by calling knife bootstrap as follows:
[bash]knife bootstrap YOUR_CLIENT_SERVER_IP -x root -P YOURPASSWORD --ssh-port SSH_PORT --node-name yournodename[/bash]
Note that -P puts the password into your shell history and into the process list on the workstation. If the node accepts SSH keys, use -i PATH_TO_KEY instead, and prefer an unprivileged user with --sudo over logging in as root. Bootstrapping copies the validator key to the node as /etc/chef/validation.pem so that the node can register its own client; the cookbook installed later removes that file again.
- If you see an error about a missing private key, such as "ERROR: Your private key could not be loaded from /etc/chef/client.pem", you need to cd into the chef-repo folder on your workstation, where the .chef directory with knife.rb lives.
- If you see an error about clock skew, such as "The request failed because your clock has drifted by more than 15 minutes." (the Chef API rejects signed requests whose timestamp is too far off), log in to the client node and synchronize its time with an NTP server:
[bash]yum install ntp
ntpdate pool.ntp.org[/bash]
- Confirm that the node is in your client list:
[bash]knife node list[/bash]
Downloading a Cookbook and Pushing It to the Chef Server
There is a pre-built cookbook that runs chef-client hourly from cron and deletes validation.pem on the client node, which is desirable for security: once the node has its own client key, the validator key left behind by the bootstrap would only let an attacker who reads it register new clients with the organization. We will use the workstation to download the cookbook, push it to the server and apply it to the client node.
- First, install the cron-delvalidate cookbook:
[bash]knife cookbook site install cron-delvalidate[/bash]
. The default recipe can be inspected at cookbooks/cron-delvalidate/recipes/default.rb.
- Next, add the recipe to the run list of the bootstrapped node:
[bash]knife node run_list add yournodename 'recipe[cron-delvalidate::default]'[/bash]
- Then, upload the cookbook to the Chef server (the node's next run can only converge the recipe once the cookbook is on the server):
[bash]knife cookbook upload cron-delvalidate[/bash]
- Finally, switch to the yournodename server and run the initial chef-client command:
[bash]chef-client[/bash]
- Afterwards, check the crontab (the hourly chef-client entry should be there) and confirm that /etc/chef/validation.pem is gone:
[bash]crontab -l[/bash]
With both the server and a workstation configured, you can bootstrap your first node and download or create cookbooks to apply to your client nodes. I'll try to write another tutorial on more advanced cookbooks and recipes in the future (not now :lol:).