| field | value | date |
|---|---|---|
| author | danielsdeleo <dan@opscode.com> | 2013-10-29 16:02:38 -0700 |
| committer | danielsdeleo <dan@getchef.com> | 2014-03-19 22:32:30 -0700 |
| commit | cc2307a9b7774c1b8a70066c84961ecbfd05d5d5 | |
| tree | aeb4778ef163c00f04d071618d0c7c40941a5a9e /DOC_CHANGES.md | |
| parent | 09f22372674b88e6e3ee7bb9aff406862ae0f27c | |
| download | chef-cc2307a9b7774c1b8a70066c84961ecbfd05d5d5.tar.gz | |
Add SSL check and certificate fetching commands to knife
Fixes CHEF-4711
Diffstat (limited to 'DOC_CHANGES.md')
-rw-r--r-- | DOC_CHANGES.md | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/DOC_CHANGES.md b/DOC_CHANGES.md index 688d11e1d5..f54ebdffbf 100644 --- a/DOC_CHANGES.md +++ b/DOC_CHANGES.md 
@@ -28,3 +28,39 @@ Option similar to `-o` which sets or changes the run_list of a node permanently. ### OHAI 7 Upgrade Unless there are major issues, 11.12.0 will include OHAI 7. We already have ohai 7 docs in place. We probably need to add some notes to ohai 6 notes that one should now use the newer version when possible. + +### New knife command: `knife ssl check [URI]` + +The `knife ssl check` command is used to check or troubleshoot SSL +configuration. When run without arguments, it tests whether chef/knife +can verify the Chef server's SSL certificate. Otherwise it connects to +the server specified by the given URL. + +Examples: + +* Check knife's configuration against the chef-server: `knife ssl check` +* Check chef-client's configuration: `knife ssl check -c /etc/chef/client.rb` +* Check whether an external server's SSL certificate can be verified: + `knife ssl check https://www.getchef.com` + +### New knife command: `knife ssl fetch [URI]` + +The `knife ssl fetch` command is used to copy certificates from an HTTPS +server to the `trusted_certs_dir` of knife or `chef-client`. If the +certificates match the hostname of the remote server, this command is +all that is required for knife or chef-client to verify the remote +server in the future. WARNING: `knife` has no way to determine whether +the certificates were tampered with in transit. If that happens, +knife/chef-client will trust potentially forged/malicious certificates +until they are deleted from the `trusted_certs_dir`. Users are *VERY STRONGLY* +encouraged to verify the authenticity of the certificates downloaded +with `knife fetch` by some trustworthy means. + +Examples: + +* Fetch the chef server's certificates for use with knife: + `knife ssl fetch` +* Fetch the chef server's certificates for use with chef-client: + `knife ssl fetch -c /etc/chef/client.rb` +* Fetch the certificates from an arbitrary server: + `knife ssl fetch https://www.getchef.com` |
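Review bot: the warning in the `knife ssl fetch` section tells users to verify "the certificates downloaded with `knife fetch`", but the command documented by the heading and all three examples is `knife ssl fetch`; the short form does not exist as written, so change it to `knife ssl fetch`. In the same paragraph, "by some trustworthy means" leaves the one step that actually closes the trust-on-first-use gap undefined: the text itself says a certificate substituted in transit will be trusted until it is deleted from `trusted_certs_dir`, so the doc should name a concrete check, for example comparing the fetched certificate's fingerprint with one obtained from the server operator out of band, and should state that `knife ssl check` run afterwards only confirms that the server certificate verifies against the trusted set, not that the trusted set itself is authentic.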