[chef] Re: Re: Re: 403 errors when bootstrapping


  • From: Adam Leff < >
  • To: stolfi < >
  • Cc:
  • Subject: [chef] Re: Re: Re: 403 errors when bootstrapping
  • Date: Wed, 20 Feb 2013 13:37:55 -0500

I tried that and it worked well for a while, but some other things broke - hell if I remember the details though.  I ended up hacking the nginx.conf to make the :80 section like the :443 but with no SSL enabled.  That seems to have made things happy.

Of course, every time I run chef-server-ctl reconfigure, I am unhappy again.  Not unsurprising.. and I don't think I was successful finding the server.rb setting that disabled that redirect.  Perhaps, time for a pull request? :)

Good to see such great support from Ex-AOLer-and-current-OpsCoder Mandi Walls, too.  Thank you, dear.  Always a pleasure. :)

~Adam


On Wed, Feb 20, 2013 at 1:27 PM, stolfi < > wrote:

I seemingly worked my way around this by updating the chef_server_url from http to https in client.rb/knife.rb...  When it avoids the redirect, it's happy.

-s


-----Original Message-----
From: Adam Leff < >
To: chef < >
Sent: Wed, Feb 20, 2013 1:24 pm
Subject: [chef] Re: Re: 403 errors when bootstrapping

I wish it was that easy, but thank you for the response. :)

I narrowed this down to nginx SSL.  When I hacked up the nginx.conf to not listen on 443, not rewrite :80 traffic and simply pass it directly to erchef without any SSL, happiness ensued shortly thereafter.  This also includes any knife operations of creating environments (knife reported successful creation, but "knife environment list" did not agree), uploading cookbooks returned "method not supported" (or something similar), etc.

I'll hopefully get some time on a long flight tomorrow to dig into why.

~Adam



On Thu, Feb 7, 2013 at 3:28 AM, Josiah Kiehl < > wrote:
Are you trying to bootstrap to an environment that doesn't exist? I'm less familiar with Chef 11, but I know you will get a puzzling 403 if the environment does not exist on Chef 10.


On Wed, Feb 6, 2013 at 1:22 PM, Adam Leff < > wrote:
Ohai, Chefs!

On a fresh open-source Chef 11 server install on CentOS 5.8, I'm receiving 403 errors when bootstrapping a new client, at the step when the bootstrap process attempts to create the client.  The issue appears to be when the client makes a "GET /clients" call.

I have attempted to create a new validator client/key/cert, and an admin client/key/cert (to be used as a validator) with no luck.  The bootstrapping does indeed install the proper validator certificate and a valid client.rb.

Server logs:

==> /var/log/chef-server/nginx/access.log <==
192.168.100.3 - - [06/Feb/2013:18:34:59 +0000]  "GET /clients HTTP/1.1" 403 "0.010" 54 "-" "Chef Client/11.0.0 (ruby-1.9.3-p286; ohai-6.16.0; x86_64-linux; +http://opscode.com)" "127.0.0.1:8000" "403" "0.006" "11.0.0" "algorithm=sha1;version=1.0;" "chef-validator" "2013-02-06T18:34:56Z" "2jmj7l5rSw0yVb/vlWAYkK/YBwk=" 931

==> /var/log/chef-server/erchef/erchef.log.1 <==
2013-02-06T18:34:59Z INFO req_id=Uz6MB8/WWFUMIPUdWD3TqQ==; status=403; method=GET; path=/clients; user=chef-validator; msg={forbidden}; req_time=3; rdbms_time=0; rdbms_count=1

Client logs:

192.168.100.3 Authorization Error:
192.168.100.3 --------------------
192.168.100.3 Your validation client is not authorized to create the client for this node (HTTP 403).
192.168.100.3 
192.168.100.3 Possible Causes:
192.168.100.3 ----------------
192.168.100.3 * There may already be a client named "chef-client-11"
192.168.100.3 * Your validation client (chef-validator) may have misconfigured authorization permissions.

192.168.100.3 [2013-02-06T18:34:56+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
192.168.100.3 [2013-02-06T18:34:56+00:00] FATAL: Net::HTTPServerException: 403 "Forbidden"

I have confirmed that no client named "chef-client-11" exists, but I'm stuck on the authorization permissions that may need to be addressed.

Any help would be GREATLY appreciated - many thanks. :)

~Adam
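
A triage check built on two observations from this thread: the erchef 403 logged for chef-validator, and stolfi's workaround of switching chef_server_url from http to https. This Ruby script is an added example, not code from any poster or from Chef; the function names and the sample client.rb are assumptions made for illustration.

```ruby
# Added example, not from the thread. SAMPLE_CLIENT_RB is constructed;
# ERCHEF_LINE is the erchef log line quoted in the original report.
SAMPLE_CLIENT_RB = <<~CONF
  log_level :info
  # chef_server_url "http://old.example.test"
  chef_server_url "http://chef.example.test"
  validation_client_name "chef-validator"
CONF

ERCHEF_LINE = '2013-02-06T18:34:59Z INFO req_id=Uz6MB8/WWFUMIPUdWD3TqQ==; ' \
              'status=403; method=GET; path=/clients; user=chef-validator; ' \
              'msg={forbidden}; req_time=3; rdbms_time=0; rdbms_count=1'

# Return [line_number, url] for each active chef_server_url using http://.
# Commented-out settings are ignored because the match is anchored at the
# start of the line.
def plain_http_server_urls(config_text)
  findings = []
  config_text.each_line.with_index(1) do |line, number|
    match = line.match(/^\s*chef_server_url\s*\(?\s*["']([^"']+)["']/)
    next unless match
    findings << [number, match[1]] if match[1].downcase.start_with?("http://")
  end
  findings
end

# Split an erchef log line into its "key=value; " fields.
def parse_erchef_line(line)
  line.scan(/(\w+)=([^;]*)/).map { |key, value| [key, value.strip] }.to_h
end

# True when the validator client was refused, as in the report above.
def validator_forbidden?(fields)
  fields["status"] == "403" && fields["user"] == "chef-validator"
end

if __FILE__ == $PROGRAM_NAME
  fields = parse_erchef_line(ERCHEF_LINE)
  if validator_forbidden?(fields)
    puts "403 for #{fields['user']}: #{fields['method']} #{fields['path']}"
    plain_http_server_urls(SAMPLE_CLIENT_RB).each do |number, url|
      puts "  line #{number}: chef_server_url is #{url} (thread workaround: use https://)"
    end
  end
end
```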






