
knife ssl_fetch

Use the knife ssl fetch subcommand to copy SSL certificates from an HTTPS server to the trusted_certs_dir directory that is used by knife and the chef-client to store trusted SSL certificates. When these certificates match the hostname of the remote server, running knife ssl fetch is the only step required to verify a remote server that is accessed by either knife or the chef-client.


It is the user’s responsibility to verify the authenticity of every SSL certificate before downloading it to the /.chef/trusted_certs directory. knife will use any certificate in that directory as if it is a 100% trusted and authentic SSL certificate. knife will not be able to determine if any certificate in this directory has been tampered with, is forged, malicious, or otherwise harmful. Therefore it is essential that users take the proper steps before downloading certificates into this directory.


This subcommand has the following syntax:

$ knife ssl fetch (options)


This subcommand has the following options:

URL_or_URI
    The URL or URI for the location at which the SSL certificate is located. Default value: the URL for the Chef server, as defined in the knife.rb file.


The following examples show how to use this knife subcommand:

Fetch the SSL certificates used by Knife from the Chef server

$ knife ssl fetch

The response is similar to:

WARNING: Certificates from <chef_server_url> will be fetched and placed in your trusted_cert
directory (/Users/grantmc/chef-repo/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for <chef_server_url> in /Users/grantmc/chef-repo/.chef/trusted_certs/grantmc.crt
Adding certificate for DigiCert Secure Server CA in /Users/grantmc/chef-repo/.chef/trusted_certs/DigiCert_Secure_Server_CA.crt

Fetch SSL certificates from a URL or URI

$ knife ssl fetch https://www.example.com

Verify Checksums

The SSL certificate that is downloaded to the /.chef/trusted_certs directory should be verified to ensure that it is, in fact, the same certificate as the one located on the Chef server. This can be done by comparing the SHA-256 checksums.

  1. View the checksum on the Chef server:

    $ ssh ubuntu@chef-server.example.com sudo sha256sum /var/opt/opscode/nginx/ca/chef-server.example.com.crt

    The response is similar to:

    <ABC123checksum>  /var/opt/opscode/nginx/ca/chef-server.example.com.crt
  2. View the checksum on the workstation:

    $ gsha256sum .chef/trusted_certs/chef-server.example.com.crt

    The response is similar to:

    <ABC123checksum>  .chef/trusted_certs/chef-server.example.com.crt
  3. Verify that the checksum values are identical.
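The following Python is an added example (not knife's own code or part of the Chef documentation) that performs step 3 programmatically: it parses the sha256sum line reported by the server and compares it with the workstation file. It also shows a caveat of file checksums: sha256sum hashes the PEM file bytes, so a saved copy with CRLF line endings fails the comparison even though the certificate inside is identical, whereas hashing the decoded DER compares the certificate itself. The PEM body and the server output are constructed placeholders, not a real certificate.

```python
"""Added example (not knife's own code): check a certificate in .chef/trusted_certs
against the checksum reported by the Chef server. Note that sha256sum hashes the
PEM *file* bytes, so a CRLF/LF difference alone causes a mismatch; hashing the
decoded DER compares the certificate itself and avoids that false alarm."""
import base64
import hashlib
import re
import ssl


def parse_sha256sum_line(line: str) -> tuple:
    """Split a sha256sum/gsha256sum output line into (hex_digest, path).
    The digest is followed by two spaces (space + '*' in binary mode)."""
    m = re.fullmatch(r"([0-9a-fA-F]{64}) [ *](.+)", line.strip())
    if not m:
        raise ValueError(f"not a sha256sum line: {line!r}")
    return m.group(1).lower(), m.group(2)


def file_sha256(data: bytes) -> str:
    """Checksum of the raw file bytes, exactly what sha256sum prints."""
    return hashlib.sha256(data).hexdigest()


def der_sha256(pem_text: str) -> str:
    """Fingerprint of the certificate's DER encoding, independent of PEM
    line endings or trailing whitespace."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()


def checksums_match(workstation_pem: bytes, server_line: str) -> bool:
    """Step 3 of the procedure: workstation file checksum == server's value?"""
    expected, _path = parse_sha256sum_line(server_line)
    return file_sha256(workstation_pem) == expected


# Constructed placeholder PEM: base64 of arbitrary bytes, NOT a real certificate.
_BODY = base64.b64encode(b"constructed placeholder, not a real X.509 cert").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----\n"
# The same certificate after being saved with CRLF line endings.
SAMPLE_PEM_CRLF = SAMPLE_PEM.replace("\n", "\r\n")
# Constructed stand-in for the server's sha256sum output (step 1 on the page).
SERVER_LINE = (file_sha256(SAMPLE_PEM.encode())
               + "  /var/opt/opscode/nginx/ca/chef-server.example.com.crt")

if __name__ == "__main__":
    print("LF file matches server:  ", checksums_match(SAMPLE_PEM.encode(), SERVER_LINE))
    print("CRLF file matches server:", checksums_match(SAMPLE_PEM_CRLF.encode(), SERVER_LINE))
    print("DER fingerprints equal:  ", der_sha256(SAMPLE_PEM) == der_sha256(SAMPLE_PEM_CRLF))
```

If the file checksums differ but the DER fingerprints agree, the file was re-encoded rather than replaced; if the DER fingerprints differ, the workstation holds a different certificate and should not be trusted.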

© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/servicemarks of Chef, in the United States and other countries and are used with Chef Inc's permission.
We are not affiliated with, endorsed or sponsored by Chef Inc.