[chef] Re: Re: problems retaining the chef-validator public RSA key

::happy rawr!:: that works. thanks!!


On Wed, 22 Feb 2012, AJ Christensen wrote:

> On 22 February 2012 13:04,  
> <
 >
>  wrote:
> >
> > hiya,
> >
> > i'm having problems retaining the chef-validator public RSA key
> > across chef server builds. i want to retain this key, along with its
> > counterpart validation.pem which all my clients have registered
> > themselves with.
> >
> > i'm building a server which can take the place of my primary chef
> > server in the event the primary dies. if the primary dies, i would
> > load the latest configs and couchdb dump onto the new one. but after
> > i load the couchdb dump, the resulting chef-validator public RSA key
> > on the new server does not match what i know to be the correct one.
> > (as seen with "knife client show chef-validator").
> >
> > i show my steps below. am i doing something wrong?
> >
> > also, i'll note that i've repeated these steps below multiple times.
> > usually the resulting chef-validator key is wrong, but *sometimes* after
> > it bakes, the key is *right*. so i'm seeing inconsistent behavior.
> >
> >
> > dump couchdb on primary chef server:
> >  /usr/bin/couchdb-dump http://127.0.0.1:5984/chef ;| gzip -9c > 
> > $BACKUPDIR/chef_couchdb.$STAMP.gz
> >
> > new, pristine chef server installed with opscode debs:
> >
> >  /etc/init.d/chef-server stop
> >
> > this removes /var/lib/couchdb/1.0.1/chef.couch:
> >  curl -XDELETE http://127.0.0.1:5984/chef
> >
> > at this point, if i try to load the couchdb dump, it won't load, throwing
> > errors like "Error: ('not_found', 'no_db_file')". i guess it needs
> > some kind of baseline /var/lib/couchdb/1.0.1/chef.couch. to provide
> 
> the problem is here where you start the Chef Server
> 
> Instead of doing that, do a
> 
> curl -XPUT http://127.0.0.1:5984/chef/
> 
> Then load the couchdb dump. This will prevent the chef server from
> initializing an empty database with a new validator and webui client
> 
> HTH
> 
> --AJ
> 
> > that, i start chef-server again. a new /var/lib/couchdb/1.0.1/chef.couch
> > is created, and with that, new RSA keypairs generated, which i ultimately
> > want to replace with my current established set from the priamry
> > chef-server.
> >
> >  /etc/init.d/chef-server start
> >  /etc/init.d/chef-server stop
> >
> > now there's have /var/lib/couchdb/1.0.1/chef.couch. but this also
> > provided a *new* chef-validator RSA keypair, which i don't want. but
> > maybe the couchdb-load will overwrite it? let's see..
> >
> >  couchdb-load --input=chef_couchdb.latest http://127.0.0.1:5984/chef ;
> > --ignore-errors 1>couchdb-load.stdout 2>couchdb-load.stderr
> >
> > copy into place the pems from the primary chef server:
> >
> >  cp /etc/chef/webui.pem.backup /etc/chef/webui.pem
> >  cp /etc/chef/validation.pem.backup /etc/chef/validation.pem
> >
> >
> > fire it up:
> >
> >  /etc/init.d/chef-server start
> >
> >  knife client show chef-validator
> > ... usually the key is wrong, sometimes right
> >
> >
> > tia,
> > kallen
> >