- From: "Jeff Storey"
- Subject: [chef] RE: Re: location of client.pem when using knife bootstrap
- Date: Fri, 19 Oct 2012 20:14:03 -0400
Thank you for the explanation.
-----Original Message-----
From: Daniel Condomitti
Sent: Fri 10/19/2012 7:51 PM
Subject: [chef] Re: location of client.pem when using knife bootstrap
client.pem gets generated the first time the client connects to the server.
The node you're running knife bootstrap on needs to have a copy of your
organization's validator (private key) on disk and defined correctly in
knife.rb. When it connects to the node, it'll install chef (and anything else
in your bootstrap template) and then use the validator private key to obtain
a client.pem.
See
http://wiki.opscode.com/display/chef/Nodes:
When a node runs chef-client for the first time, it generally does not yet
have an API client identity, and so cannot make authenticated requests to the
server. This is where the validation client, named "chef-validator" by default,
comes in. When the chef-client runs, it checks if it has a client key. If the
client key does not exist, it then attempts to "borrow" the validation
client's identity to register itself with the server. In order to do that,
the validation client's private key needs to be copied to the host and placed
in /etc/chef/validation.pem. Once the client machine has registered itself
with the chef server, it no longer uses the validation client for anything.
It is recommended that you delete the validation client's private key from
the host after the host has registered.
Look at the bootstrap file you're using if you're interested in how it works:
https://github.com/opscode/chef/blob/master/chef/lib/chef/knife/bootstrap
On Friday, October 19, 2012 at 4:24 PM, wrote:
> When using the knife bootstrap command, does the client.pem file get copied to
> /etc/chef on the chef client node? Is there a way to copy it there so the
> client can properly connect to the server?
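The registration flow Daniel describes above (no client.pem, borrow validation.pem to register, then drop the validator key), written out as an added shell example; this is not Chef's bootstrap template or code from the thread, and CHEF_DIR and CHEF_CLIENT_CMD are hypothetical knobs so the flow can be exercised outside a real node.

```shell
#!/bin/sh
# Added example, not Chef's own bootstrap code. Mirrors the described flow:
# if client.pem is absent, chef-client borrows validation.pem to register
# itself, after which the shared validator key should leave the host.
# CHEF_DIR and CHEF_CLIENT_CMD are assumptions made for this example.

CHEF_DIR="${CHEF_DIR:-/etc/chef}"
CHEF_CLIENT_CMD="${CHEF_CLIENT_CMD:-chef-client}"

# Returns 0 when the node already holds its own identity (client.pem).
has_client_identity() {
    [ -s "$1/client.pem" ]
}

# Register the node whose config lives in "$1".
# Exit codes: 0 registered (or already registered), 2 no usable validator
# key, 3 chef-client failed or produced no client.pem.
register_node() {
    dir="$1"
    if has_client_identity "$dir"; then
        echo "client.pem already present; validator not needed" >&2
        return 0
    fi
    if [ ! -s "$dir/validation.pem" ]; then
        echo "no validation.pem in $dir; cannot register" >&2
        return 2
    fi
    # The validator is a shared private key: keep it owner-only while it exists.
    chmod 0600 "$dir/validation.pem"
    "$CHEF_CLIENT_CMD" -c "$dir/client.rb" || return 3
    if ! has_client_identity "$dir"; then
        echo "chef-client finished but no client.pem was written" >&2
        return 3
    fi
    # Registered: the node now authenticates with its own key, so the
    # borrowed validator key has no further use here and is removed.
    rm -f "$dir/validation.pem"
    chmod 0600 "$dir/client.pem"
    return 0
}
```

Run as `register_node "$CHEF_DIR"` on a node that already has validation.pem and client.rb in place; a second run is a no-op because client.pem now exists.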