By default, Chef Server uses the server's current fully qualified domain name (FQDN) during the install process to generate SSL certificates and configure services. Essentially, it uses the output of:

$ hostname
bob.dfw.example.com

While detailed instructions for installing your own SSL certificates are readily available, I had trouble finding solid directions for changing the hostname Chef Server uses (for example, chef.example.com) and installing SSL certificates for that new hostname. The documentation I was able to find focused on updating the Chef Server URL, but not the API configuration. In that case, I was able to access https://chef.example.com, but wasn’t able to successfully use knife. Here’s hoping this example configuration helps you.

WARNING: I’m not a Chef expert, so please use this at your own risk.

To update, edit /etc/chef-server/chef-server.rb with something similar to the following (you really only have to change the value of the first line):

server_name = "chef.example.com"
api_fqdn = server_name
bookshelf['vip'] = server_name
nginx['url'] = "https://#{server_name}"
nginx['server_name'] = server_name
nginx['ssl_certificate'] = "/var/opt/chef-server/nginx/ca/#{server_name}.crt"
nginx['ssl_certificate_key'] = "/var/opt/chef-server/nginx/ca/#{server_name}.key"
lb['fqdn'] = server_name

Then, make the change live:

$ sudo chef-server-ctl reconfigure

You can test that SSL is working properly and that the certificate being served is the one for the new hostname:

$ openssl s_client -connect chef.example.com:443
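The configuration above only helps if the files named in nginx['ssl_certificate'] and nginx['ssl_certificate_key'] belong together and the certificate actually names the new hostname. The following Ruby check is an added example, not part of the original post; the function names cert_problems and sample_pair are hypothetical, and the self-signed pairs it builds are constructed sample input.

```ruby
require 'openssl'

# Return a list of problems with a certificate/key pair meant for `hostname`.
# An empty list means the pair is consistent and names the host.
def cert_problems(cert_pem, key_pem, hostname, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey.read(key_pem)
  problems = []
  # The private key must correspond to the public key in the certificate.
  problems << "key does not match certificate" unless cert.check_private_key(key)
  # Same hostname matching a TLS client performs (subjectAltName, then CN).
  unless OpenSSL::SSL.verify_certificate_identity(cert, hostname)
    problems << "certificate is not valid for #{hostname}"
  end
  unless (cert.not_before..cert.not_after).cover?(now)
    problems << "certificate is outside its validity period"
  end
  problems
end

# Constructed sample input: a throwaway self-signed pair for `name`.
def sample_pair(name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{name}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end

# Usage: ruby check_cert.rb <cert.crt> <cert.key> <hostname>
if __FILE__ == $PROGRAM_NAME && ARGV.size == 3
  crt, key, host = ARGV
  issues = cert_problems(File.read(crt), File.read(key), host)
  puts issues.empty? ? "OK: pair is consistent for #{host}" : issues
end
```

Run it against the two paths from chef-server.rb and the new server_name before reconfiguring; a certificate still issued for the old FQDN is reported as not valid for the new hostname.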

Hope this helps! Don’t forget to test!
