[chef] RE: Re: location of client.pem when using knife bootstrap

["Jeff Storey" < >]

Thank you for the explanation.

-----Original Message-----
From: Daniel Condomitti 
[mailto:
 
Sent: Fri 10/19/2012 7:51 PM
To: 

 
Subject: [chef] Re: location of client.pem when using knife bootstrap
 
client.pem gets generated the first time the client connects to the server. 
The node you're running knife bootstrap on needs to have a copy of your 
organization's validator (private key) on disk and defined correctly in 
knife.rb. When it connects to the node, it'll install chef (and anything else 
in your bootstrap template) and then use the validator private key to obtain 
a client.pem.

See http://wiki.opscode.com/display/chef/Nodes:

When a node runs chef-client for the first time, it generally does not yet 
have an API client identity, and so cannot make authenticated requests to the 
server. This is where the validation client-named "chef-validator" by default 
comes in. When the chef-client runs, it checks if it has a client key. If the 
client key does not exist, it then attempts to "borrow" the validation 
client's identity to register itself with the server. In order to do that, 
the validation client's private key needs to be copied to the host and placed 
in /etc/chef/validation.pem. Once the client machine has registered itself 
with the chef server, it no longer uses the validation client for anything. 
It is recommended that you delete the validation client's private key from 
the host after the host has registered.

Look at the bootstrap file you're using if you're interested in how it works: 
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap  ;

On Friday, October 19, 2012 at 4:24 PM, 

 
 wrote:

> When using the knife bootstrap command, does the client.pem file get copied 
> to
> /etc/chef on the chef client node? Is there a way to copy it there so the
> client can properly connect to the server?
>  
>

<<winmail.dat>>