How To Install Chef Infra Server on Debian 11/Debian 10

Posted on 52 views

The CHEF automation company has been in existence since 2008, bringing together developers and system administrators. CHET Infa is an open-source IaC(Infrastructure as Code) tool that eases administration, configuration, and allocation of resources across a network. Ever since its first release, the CHEF fan base has immensely grown, with companies like Cheezburger, Facebook, Indiegogo, Etsy adopting it.

CHEF infra, written in Ruby and Erlang languages has a simple architecture consisting of the following:

  • Workstation – This is a computer where you write the Chef cookbooks and administer to your nodes. All configurations are developed here.
  • Chef server – acts as the hub for all nodes and cookbooks. All configurations are uploaded here for post development
  • Nodes – These are client machines managed by the Chef server. Normally they have Chef client installed on them.
  • Cookbooks – These are have values and data about the desired state of a node. They contain resources, recipes, attributes, templates, libraries, metadata and everything that supports in conceiving a functioning system.

Below is a diagram to aid understand the CHEF Architecture.


The CHEF Infa is preferred in automation because:

  • High availability – the Chef Infa server is highly available with fault tolerance, immediate and consistent search results, and accurate real-time data about your infrastructure.
  • Graphical management console for the Chef Infra Server which eases administration.
  • Compliance – Chef Automate creates customizable reports that identify compliance issues, security risks, and outdated software.
  • Inbuilt taxonomy for all the basic resources required on a system as well as a defined mechanism to extend this taxonomy using the Ruby language

By following this guide to the end, you will gain the required knowledge on how to install Chef Infra Server, Workstation, and client on Debian 11 / Debian 10.

Getting Started

For this guide, ensure you have the following:

  • Sudo access to your server.
  • A hostname configured on your system
  • 3 Debian 11 / Debian 10 servers

The 3 servers will serve the below tasks:

Server IP Address Hostname
Chef Server
Chef Workstation
Chef Client chef-client.

Configure the hostname on your Server as below.

##On Chef Server
sudo hostnamectl set-hostname --static

If you do not have a valid domain name, add it to the list of known hosts as below.

  • On all the 3 servers
$ sudo vi /etc/hosts chefserver

Now install the required dependencies.

sudo apt -y install git vim wget curl bash-completion
sudo apt update && sudo apt upgrade
sudo reboot

Step 1 – Configure NTP Time synchronization

Chef Infa server is sensitive to clock drifts and requires us to connect our Debian system to Network Time Protocol (NTP)

Begin by installing the Chrony package.

sudo apt -y install chrony

Set your local TimeZone.

sudo timedatectl set-timezone Africa/Nairobi

Now configure the pool list. For example for Kenya, use:

$ sudo vim /etc/chrony/chrony.conf
# pool iburst  //Comment out this line

# Allow NTP client access from local network.

Get more pools from the NTP Pool project page

Set NTP synchronization.

sudo timedatectl set-ntp true

Apply the changes made.

sudo systemctl restart chrony

You will be required to allow NTP through the firewall.

sudo ufw allow ntp

Restart the chronyd service.

sudo systemctl restart chronyd

Step 2 – Install Chef Infra Server on Debian 11 / Debian 10

Download the latest Chef Infra Server package from the Chef Infra Server downloads page. Also using the download link, you can pull the package as below.


Install the downloaded package.

sudo apt install ./chef-server-core_$VERSION-1_amd64.deb

Sample output:

Selecting previously unselected package chef-server-core.
(Reading database ... 142930 files and directories currently installed.)
Preparing to unpack chef-server-core_14.11.36-1_amd64.deb ...
Unpacking chef-server-core (14.11.36-1) ...
Setting up chef-server-core (14.11.36-1) ...
Thank you for installing Chef Infra Server!

Run 'chef-server-ctl reconfigure' to configure your Chef Infra Server

For more information on getting started see

Once the installation is complete, reconfigure your Chef server.

sudo chef-server-ctl reconfigure

Proceed as below.


            Chef License Acceptance

Before you can continue, 3 product licenses
must be accepted. View the license at

Licenses that need accepting:
  * Chef Infra Server
  * Chef Infra Client
  * Chef InSpec

Do you accept the 3 product licenses (yes/no)?

> yes
Running handlers:
Running handlers complete
Chef Infra Client finished, 409/858 resources updated in 04 minutes 00 seconds
Chef Infra Server Reconfigured!

Now check the status of the Chef Server components.

$ sudo chef-server-ctl status
run: bookshelf: (pid 19850) 32s; run: log: (pid 19358) 184s
run: elasticsearch: (pid 19817) 33s; run: log: (pid 19169) 220s
run: nginx: (pid 19803) 33s; run: log: (pid 19626) 41s
run: oc_bifrost: (pid 19707) 34s; run: log: (pid 19059) 237s
run: oc_id: (pid 19800) 33s; run: log: (pid 19097) 226s
run: opscode-erchef: (pid 19934) 32s; run: log: (pid 19502) 179s
run: postgresql: (pid 19696) 34s; run: log: (pid 18554) 253s
run: redis_lb: (pid 19649) 35s; run: log: (pid 20085) 31s

If you have UFW enabled, allow HTTP and HTTPS through the firewall.

sudo ufw allow http
sudo ufw allow https

Step 3 – Create an Administrator account and Organization

The admin account ensures communication between the server, workstations, and nodes. The syntax used is as below:


WE will export the variables first.

EMAIL="[email protected]"

Now run the below command to create an admin user.

sudo chef-server-ctl user-create $USERNAME $FIRST_NAME $LAST_NAME $EMAIL $PASSWORD -f $KEY_PATH

Verify the user creation.

$ sudo chef-server-ctl user-list

Proceed and create an organization to add the above user.

Normally the syntax below is used to create an organization.

chef-server-ctl org-create ORG_NAME "ORG_FULL_NAME" --association_user USERNAME --filename ORGANIZATION-validator.pem (options)

In the command above remember:

  1. The name must begin with a lower-case letter or digit
  2. The full name must begin with a non-white space character
  3. The –association_user option will associate the user with the admins security group on the Chef server.
  4. The –filename option saves the RSA private key to the specified path.
  5. An RSA private key will be generated automatically. This is the chef-validator key and should be saved in a safe location.

For this case, my command will be as below.

sudo chef-server-ctl org-create computingpost 'computingpost, Inc.' \
--association_user chefadmin \
--filename /root/computingpost-validator.pem

View the organization list.

$ sudo chef-server-ctl org-list

You can as well verify if the RSA keys for the user and organization are available.

$ sudo find /root -name "*.pem"

Step 4 – Install and Configure the Chef Workstation.

The Chef Workstation is used to develop configurations and then push them to the Chef server.

It is installed by first downloading the latest package from the Chef Workstation downloads page.

Alternatively, identify the latest version and download it with Wget.

#On Debian 11

#On Debian 10

Install the package using the command:

sudo dpkg -i chef-workstation_$VERSION-1_amd64.deb

Sample Output:

Selecting previously unselected package chef-workstation.
(Reading database ... 141880 files and directories currently installed.)
Preparing to unpack chef-workstation_22.1.745-1_amd64.deb ...
Unpacking chef-workstation (22.1.745-1) ...
Setting up chef-workstation (22.1.745-1) ...

The Chef Workstation App is available.

Launch the App by running 'chef-workstation-app'.
The App will then be available in the system tray.

Thank you for installing Chef Workstation!
You can find some tips on getting started at

Verify the installation.

$ chef --version
Chef Workstation version: 22.1.745
Chef InSpec version: 4.52.9
Chef CLI version: 5.5.0
Chef Habitat version: 1.6.420
Test Kitchen version: 3.2.2
Cookstyle version: 7.26.1
Chef Infra Client version: 17.9.26

The knife is also installed.

$ knife --version
Chef Infra Client: 17.9.26

Now generate a Chef repo as below.

$ chef generate repo chef-repo
            Chef License Acceptance

Before you can continue, 3 product licenses
must be accepted. View the license at

Licenses that need accepting:
  * Chef Workstation
  * Chef Infra Client
  * Chef InSpec

Do you accept the 3 product licenses (yes/no)?

> yes

Persisting 3 product licenses...
 3 product licenses persisted.

Generating Chef Infra repo chef-repo
Loading Chef InSpec profile files:
Loading Chef InSpec input files:
Loading Chef InSpec waiver files:
- Ensuring correct Chef Infra repo file content

Your new Chef Infra repo is ready! Type `cd chef-repo` to enter it.

Proceed and create a directory to store Knife configurations:

mkdir ~/chef-repo/.chef
cd chef-repo

Create a pair of RSA keys.

$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/thor/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/thor/.ssh/id_rsa
Your public key has been saved in /home/thor/.ssh/
The key fingerprint is:
SHA256:wv055J+g9F6BTODc53tS9P+OBvC4KGCDJa9pNla0PVQ [email protected]
The key's randomart image is:
+---[RSA 4096]----+
|        .        |
|       oEo       |
|       .o o . .  |
|  . o... o.+ . . |
|   * +o S ++o . .|
|  . B o. +..o+  .|
|   = o ...*.+.. .|
|  B   ...o.= +...|
| + .   ...o o...o|

Send the keys to your Chef server. Ensure root login is allowed.

$ ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/thor/.ssh/"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

Copy the .pem files from the Chef Server

scp [email protected]:/root/*.pem ~/chef-repo/.chef/

View the copied keys.

$ ls ~/chef-repo/.chef
chefadmin.pem  computingpost-validator.pem

Generated a Chef Cookbook.

$ chef generate cookbook chef-first-cookbook
Hyphens are discouraged in cookbook names as they may cause problems with custom resources. See for more information.
Generating cookbook chef-first-cookbook
Loading Chef InSpec profile files:
Loading Chef InSpec input files:
Loading Chef InSpec waiver files:
- Ensuring correct cookbook content

Why not start by writing an InSpec test? Tests for the default recipe are stored at:


If you'd prefer to dive right in, the default recipe can be found at:


Step 5 – Configure Knife and Bootstrap a Client Node.

Bootstrapping a client node entails installing the Chef Infra Client on the client system so that communication between it and the Chef server can happen.

There are two ways one can use to bootstrap a client Node.

  1. Unattended install – bootstrap from the node without SSH or WinRM connectivity required
  2. knife bootstrap – from the Chef workstation

This guide demonstrates how to bootstrap a client node using the Knife bootstrap method.

Now on the Workstation node, create a config.rb file as below.

vim ~/chef-repo/.chef/config.rb

Add the below content replacing appropriately.

current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                'chefadmin'
client_key               "chefadmin.pem"
validation_client_name   'computingpost-validator'
validation_key           "computingpost-validator.pem"
chef_server_url          ''
cache_type               'BasicFile'
cache_options( :path => "#ENV['HOME']/.chef/checksums" )
cookbook_path            ["#current_dir/../cookbooks"]

Remember to replace your Chef server and organization details appropriately. Save the file, then proceed to copy the SSL certificates.

$ cd ~/chef-repo
$ knife ssl fetch
WARNING: Certificates from will be fetched and placed in your trusted_cert
       directory (/home/thor/chef-repo/.chef/trusted_certs).
       Knife has no means to verify these are the correct certificates. You should
       verify the authenticity of these certificates after downloading.
Adding certificate for chef-server_computingpost_com in /home/thor/chef-repo/.chef/trusted_certs/chef-server_computingpost_com.crt

Verify if the config.rb is set up.

$ knife client list

Now bootstrap your Chef Client node, for this case, the IP address is, so proceed as below.

cd ~/chef-repo/.chef
knife bootstrap -x root -P ***** --node-name chef-client-node1

Remember, the root user is used for elevated privileges required. Ensure root login is allowed on your Chef Client Node.

Proceed as shown.

$ knife bootstrap -x root -P ***** --node-name chef-client-node1
-x/--winrm-user: This flag is deprecated. Use -U/--connection-user instead.
Connecting to using ssh
The authenticity of host ' ()' can't be established.
fingerprint is SHA256:5iGXeB0Fr2zfznkmmGv8ZDIL5SdHk6nXGKt7vSf1Ufg.

Are you sure you want to continue connecting
? (Y/N) y

The bootstrap process happens as below:


Once complete, verify if the node has been added.

$ knife node list

You can also view more information about the node as below.

knife node show chef-client-node1

Sample Output:


Step 6 – (Optional) Install Chef Manage.

Chef manage offers a Web interface where you can manage Chef server tasks. It is installed as below.

On the Chef server, download the Chef manage package from the Chef manage downloads page


Install the package as below:

$ sudo dpkg -i chef-manage_$VER-1_amd64.deb
Selecting previously unselected package chef-manage.
(Reading database ... 199475 files and directories currently installed.)
Preparing to unpack chef-manage_3.2.35-1_amd64.deb ...
Unpacking chef-manage (3.2.35-1) ...
Setting up chef-manage (3.2.35-1) ...

Thank you for installing the Chef Management Console add-on!

The next step in the process is to run:

chef-manage-ctl reconfigure

Reconfigure the Chef server and addons as below

sudo chef-server-ctl reconfigure 
sudo chef-manage-ctl reconfigure

Once complete, access the Web UI using the URL https://serverip/login. On the login page, provide the credentials for the Admin user created in step 3.


You should be able to see the Chef dashboard with the client node added as below.



This guide has provided you with the basic knowledge to get started with Chef Infa. I hope you found this guide on how to install Chef Infra Server on Debian 11 / Debian 10 thrilling.


Gravatar Image
A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.