- From:
- To:
- Subject: [chef] Re: Re: Re: Re: problems retaining the chef-validator public RSA key
- Date: Tue, 21 Feb 2012 16:53:51 -0800
On Wed, 22 Feb 2012, AJ Christensen wrote:

> it would be great if you get this process working well to have it
> documented on the wiki!

are there any "how to contribute" rules for contributing to the wiki?
and, is there a way i can create scratch space in the wiki for creating
a draft of the document when i get to it? i like making drafts, asking
for feedback.

> On 22 February 2012 13:48, <> wrote:
> >
> > ::happy rawr!:: that works. thanks!!
> >
> >
> > On Wed, 22 Feb 2012, AJ Christensen wrote:
> >
> >> On 22 February 2012 13:04, <> wrote:
> >> >
> >> > hiya,
> >> >
> >> > i'm having problems retaining the chef-validator public RSA key
> >> > across chef server builds. i want to retain this key, along with its
> >> > counterpart validation.pem which all my clients have registered
> >> > themselves with.
> >> >
> >> > i'm building a server which can take the place of my primary chef
> >> > server in the event the primary dies. if the primary dies, i would
> >> > load the latest configs and couchdb dump onto the new one. but after
> >> > i load the couchdb dump, the resulting chef-validator public RSA key
> >> > on the new server does not match what i know to be the correct one.
> >> > (as seen with "knife client show chef-validator").
> >> >
> >> > i show my steps below. am i doing something wrong?
> >> >
> >> > also, i'll note that i've repeated these steps below multiple times.
> >> > usually the resulting chef-validator key is wrong, but *sometimes* after
> >> > it bakes, the key is *right*. so i'm seeing inconsistent behavior.
> >> >
> >> >
> >> > dump couchdb on primary chef server:
> >> > /usr/bin/couchdb-dump http://127.0.0.1:5984/chef | gzip -9c >
> >> > $BACKUPDIR/chef_couchdb.$STAMP.gz
> >> >
> >> > new, pristine chef server installed with opscode debs:
> >> >
> >> > /etc/init.d/chef-server stop
> >> >
> >> > this removes /var/lib/couchdb/1.0.1/chef.couch:
> >> > curl -XDELETE http://127.0.0.1:5984/chef
> >> >
> >> > at this point, if i try to load the couchdb dump, it won't load, throwing
> >> > errors like "Error: ('not_found', 'no_db_file')". i guess it needs
> >> > some kind of baseline /var/lib/couchdb/1.0.1/chef.couch. to provide
> >>
> >> the problem is here where you start the Chef Server
> >>
> >> Instead of doing that, do a
> >>
> >> curl -XPUT http://127.0.0.1:5984/chef/
> >>
> >> Then load the couchdb dump. This will prevent the chef server from
> >> initializing an empty database with a new validator and webui client
> >>
> >> HTH
> >>
> >> --AJ
> >>
> >> > that, i start chef-server again. a new /var/lib/couchdb/1.0.1/chef.couch
> >> > is created, and with that, new RSA keypairs generated, which i ultimately
> >> > want to replace with my current established set from the primary
> >> > chef-server.
> >> >
> >> > /etc/init.d/chef-server start
> >> > /etc/init.d/chef-server stop
> >> >
> >> > now there's /var/lib/couchdb/1.0.1/chef.couch. but this also
> >> > provided a *new* chef-validator RSA keypair, which i don't want. but
> >> > maybe the couchdb-load will overwrite it? let's see..
> >> >
> >> > couchdb-load --input=chef_couchdb.latest http://127.0.0.1:5984/chef
> >> > --ignore-errors 1>couchdb-load.stdout 2>couchdb-load.stderr
> >> >
> >> > copy into place the pems from the primary chef server:
> >> >
> >> > cp /etc/chef/webui.pem.backup /etc/chef/webui.pem
> >> > cp /etc/chef/validation.pem.backup /etc/chef/validation.pem
> >> >
> >> >
> >> > fire it up:
> >> >
> >> > /etc/init.d/chef-server start
> >> >
> >> > knife client show chef-validator
> >> > ... usually the key is wrong, sometimes right
> >> >
> >> >
> >> > tia,
> >> > kallen
> >> >
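A restore script that follows AJ's advice (create the empty CouchDB database before loading the dump) and then checks that the validator key the rebuilt server reports still belongs to the validation.pem the clients were registered with. This is an added example, not code from the thread; it assumes the 2012-era paths and commands used above, a backup directory holding webui.pem and validation.pem, and that `knife client show` prints the key as a PEM block after a `public_key:` label.

```shell
#!/bin/sh
# Added example, not from the thread. Restores a CouchDB-backed Chef server
# from a couchdb-dump, creating the empty database first so chef-server does
# not initialise one with fresh validator/webui keys, then checks the key the
# server reports against validation.pem. Paths and knife's layout are assumed.
set -eu

COUCH_URL="${COUCH_URL:-http://127.0.0.1:5984/chef}"

# RSA modulus ("Modulus=HEX") of a private key PEM such as validation.pem.
modulus_of_private() { openssl rsa -in "$1" -noout -modulus; }

# Same for a public key PEM; tries the SPKI "PUBLIC KEY" form first, then the
# PKCS#1 "RSA PUBLIC KEY" form that older Ruby/Chef versions printed.
modulus_of_public() {
  openssl rsa -pubin -in "$1" -noout -modulus 2>/dev/null ||
    openssl rsa -RSAPublicKey_in -in "$1" -noout -modulus
}

# Cut the PEM block out of saved "knife client show chef-validator" output,
# dropping the "public_key:" label and any indentation knife adds.
pubkey_from_knife_output() {
  sed -n '/-----BEGIN/,/-----END/p' "$1" |
    sed -e 's/^.*-----BEGIN/-----BEGIN/' -e 's/^[[:space:]]*//'
}

# Exit 0 iff the public key in knife output $1 belongs to private key $2.
validator_matches() {
  pub_pem=$(mktemp)
  pubkey_from_knife_output "$1" > "$pub_pem"
  pub=$(modulus_of_public "$pub_pem")
  rm -f "$pub_pem"
  [ "$pub" = "$(modulus_of_private "$2")" ]
}

# $1 = couchdb-dump file, $2 = directory holding webui.pem and validation.pem
restore_chef_server() {
  /etc/init.d/chef-server stop
  curl -fsS -XDELETE "$COUCH_URL" || true   # absent on a pristine install
  curl -fsS -XPUT "$COUCH_URL/"             # empty db: the step from the thread
  couchdb-load --input="$1" "$COUCH_URL" --ignore-errors
  cp "$2/webui.pem" /etc/chef/webui.pem
  cp "$2/validation.pem" /etc/chef/validation.pem
  /etc/init.d/chef-server start
  knife client show chef-validator > /tmp/chef-validator.txt
  validator_matches /tmp/chef-validator.txt /etc/chef/validation.pem
}

if [ "${1:-}" = "restore" ]; then restore_chef_server "$2" "$3"; fi
```

Run as `sh restore.sh restore chef_couchdb.latest /root/chef-backup`; a non-zero exit from the final check means the server is handing out a validator key that does not match the pem the clients hold.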