[chef] Re: Automatic Node Configuration - "Failed to authenticate"

[Daniel DeLeo < >]

On Monday, November 24, 2014 at 12:45 PM, Douglas Garstang wrote:
>  
> Authentication Error:
> ---------------------
> Failed to authenticate to the chef server (http 401).
>  
> Server Response:
> ----------------
> Invalid signature for user or client 'chef-validator'
>  
> What am I missing here? I've confirmed the validator key is correct. I'm 
> making sure to remove both the node and the client from the chef server 
> before running (as I know that having an existing client cert on the server 
> will break it). Is this something to do with the trusted_certs thing? How 
> is that supposed to work?
>  
> Doug.

Either the key is wrong, the validator username is wrong, or your clock is 
skewed by more than 15 minutes from the server (though the error message 
should normally indicate the last one).

trusted_certs has nothing to do with Chef’s application level authentication. 
The only thing it does is add certificates to the root CA bundle OpenSSL uses 
to check certificate validity for SSL/TLS connections. The point of this is 
to make it simpler to use chef-client with SSL peer verification (cert 
checking) enabled if you use self-signed certs (which is many/most people 
running their own servers).

I don’t know if it works anymore but I wrote this knife plugin a while ago to 
check client keys: 
https://github.com/danielsdeleo/knife-plugins/blob/master/key_check.rb You ;
run it from a working admin account and it compares the private key you have 
(which contains the public key) to the public key you can download from the 
server. You can accomplish the same with various openssl commands.


--  
Daniel DeLeo