knife ssl check

Use the knife ssl check subcommand to verify the SSL configuration for the Chef Infra Server or a location specified by a URL or URI. Invalid certificates will not be used by OpenSSL.

When this command is run, the certificate files (*.crt and/or *.pem) that are located in the /.chef/trusted_certs directory are checked to see if they have valid X.509 certificate properties. A warning is returned when certificates do not have valid X.509 certificate properties or if the /.chef/trusted_certs directory does not contain any certificates.


When verification of a remote server’s SSL certificate is disabled, Chef Infra Client will issue a warning similar to “SSL validation of HTTPS requests is disabled. HTTPS connections are still encrypted, but Chef Infra Client is not able to detect forged replies or man-in-the-middle attacks.” To configure SSL for Chef Infra Client, set ssl_verify_mode to :verify_peer (recommended) or verify_api_cert to true in the client.rb file.


This subcommand has the following syntax:

knife ssl check (options)


This subcommand has the following options:


The URL or URI for the location at which the SSL certificate is located. Default value: the URL of the Chef Infra Server, as defined in the config.rb file.


The following examples show how to use this knife subcommand:

SSL certificate has valid X.509 properties

If the SSL certificate can be verified, the response to

knife ssl check

is similar to:

Connecting to host
Successfully verified certificates from ''

SSL certificate has invalid X.509 properties

If the SSL certificate cannot be verified, the response to

knife ssl check

is similar to:

Connecting to host
ERROR: The SSL certificate of could not be verified
Certificate issuer data:

Configuration Info:

OpenSSL Configuration:
* Version: OpenSSL 1.0.2u  20 Dec 2019
* Certificate file: /opt/chef-workstation/embedded/ssl/cert.pem
* Certificate directory: /opt/chef-workstation/embedded/ssl/certs
Chef SSL Configuration:
* ssl_ca_path: nil
* ssl_ca_file: nil
* trusted_certs_dir: "/Users/grantmc/Downloads/chef-repo/.chef/trusted_certs"


If the server you are connecting to uses a self-signed certificate,
you must configure chef to trust that certificate.

By default, the certificate is stored in the following location on the
host where your Chef Infra Server runs:


Copy that file to your trusted_certs_dir (currently:


using SSH/SCP or some other secure method, then re-run this command to
confirm that the certificate is now trusted.

Verify the SSL configuration for Chef Infra Client

The SSL certificates that are used by Chef Infra Client may be verified by specifying the path to the client.rb file. Use the --config option (which is available to any knife command) to specify this path:

knife ssl check --config /etc/chef/client.rb

Verify an external server’s SSL certificate

knife ssl check URL_or_URI

for example:

knife ssl check
