How to import self-signed certificate generated by chef-manage?

0
votes

TL:DR; How does one import the chef-manage ssl certificate into chromium/firefox? Is /var/opt/opscode/nginx/ca/[fqdn].crt the appropriate file?

I'm generating a chef-server machine using vagrant, vagrant-berkshelf, and the chef-server supermarket cookbook. Once complete, I'm running chef-server-ctl install chef-manage chef-server-ctl reconfigure chef-manage-ctl reconfigure ...in order to install and setup the chef-manage addon. With the addon installed, I attempt to import the generated certificate at /var/opt/opscode/nginx/ca/[fqdn].crt into the browser (chromium/firefox) through the browser's certificate management interface, but I receive the following error(s):

Chromium:

Certificate Import Error Invalid or corrupt file.

Firefox:

This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.

The file looks like a ssh public key but with "BEGIN / END CERTIFICATE" instead of "BEGIN / END RSA PUBLIC KEY". The format and content of the cert seems correct.

Any tips, hints, or suggestions would be greatly appreciated!

  • K.E.
1
chef-infra

1 Answers

0
votes

You're looking in the "TLS Key" sections of each config path, what you want to find is the root CA options. For Firefox under macOS you can find it under Preferences -> Advanced -> Certificates -> View Certificates -> Servers -> Add Excetion. Granted you can also just navigate to the page and on the TLS warning it will ask if you want to add an exception, which seems easier. You could also just set up a real TLS certificate from LetsEncrypt or similar (use the DNS validation method).