knife ssl check

[edit on GitHub]

Use the knife ssl check subcommand to verify the SSL configuration for the Chef server or a location specified by a URL or URI. Invalid certificates will not be used by OpenSSL.

When this command is run, the certificate files (*.crt and/or *.pem) that are located in the /.chef/trusted_certs directory are checked to see if they have valid X.509 certificate properties. A warning is returned when certificates do not have valid X.509 certificate properties or if the /.chef/trusted_certs directory does not contain any certificates.


When verification of a remote server’s SSL certificate is disabled, the chef-client will issue a warning similar to “SSL validation of HTTPS requests is disabled. HTTPS connections are still encrypted, but the chef-client is not able to detect forged replies or man-in-the-middle attacks.” To configure SSL for the chef-client, set ssl_verify_mode to :verify_peer (recommended) or verify_api_cert to true in the client.rb file.


This subcommand has the following syntax:

$ knife ssl check (options)


This subcommand has the following options:

The URL or URI for the location at which the SSL certificate is located. Default value: the URL for the Chef server, as defined in the knife.rb file.


The following examples show how to use this knife subcommand:

SSL certificate has valid X.509 properties

If the SSL certificate can be verified, the response to

$ knife ssl check

is similar to:

Connecting to host
Successfully verified certificates from ''

SSL certificate has invalid X.509 properties

If the SSL certificate cannot be verified, the response to

$ knife ssl check

is similar to:

Connecting to host
ERROR: The SSL certificate of could not be verified
Certificate issuer data:

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.1j 15 Oct 2014
* Certificate file: /opt/chefdk/embedded/ssl/cert.pem
* Certificate directory: /opt/chefdk/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/Users/grantmc/Downloads/chef-repo/.chef/trusted_certs"


If the server you are connecting to uses a self-signed certificate,
you must configure chef to trust that certificate.

By default, the certificate is stored in the following location on the
host where your chef-server runs:


Copy that file to your trusted_certs_dir (currently:


using SSH/SCP or some other secure method, then re-run this command to
confirm that the certificate is now trusted.

Verify the SSL configuration for the chef-client

The SSL certificates that are used by the chef-client may be verified by specifying the path to the client.rb file. Use the --config option (that is available to any knife command) to specify this path:

$ knife ssl check --config /etc/chef/client.rb

Verify an external server’s SSL certificate

$ knife ssl check URL_or_URI

for example:

$ knife ssl check