[chef] Re: Re: Automatic Node Configuration - "Failed to authenticate"


  • From: Douglas Garstang
  • Subject: [chef] Re: Re: Automatic Node Configuration - "Failed to authenticate"
  • Date: Mon, 24 Nov 2014 13:03:02 -0800

Thanks Daniel.

Can you confirm that the private key on the chef server at /etc/chef-server/chef-validator.pem is what I should be using as a validation key on the client side?

Douglas.

On Mon, Nov 24, 2014 at 12:56 PM, Daniel DeLeo wrote:
On Monday, November 24, 2014 at 12:45 PM, Douglas Garstang wrote:
>
> Authentication Error:
> ---------------------
> Failed to authenticate to the chef server (http 401).
>
> Server Response:
> ----------------
> Invalid signature for user or client 'chef-validator'
>
> What am I missing here? I've confirmed the validator key is correct. I'm making sure to remove both the node and the client from the chef server before running (as I know that having an existing client cert on the server will break it). Is this something to do with the trusted_certs thing? How is that supposed to work?
>
> Doug.

Either the key is wrong, the validator username is wrong, or your clock is skewed by more than 15 minutes from the server (though the error message should normally indicate the last one).

trusted_certs has nothing to do with Chef’s application level authentication. The only thing it does is add certificates to the root CA bundle OpenSSL uses to check certificate validity for SSL/TLS connections. The point of this is to make it simpler to use chef-client with SSL peer verification (cert checking) enabled if you use self-signed certs (which is many/most people running their own servers).

I don’t know if it works anymore, but I wrote this knife plugin a while ago to check client keys (https://github.com/danielsdeleo/knife-plugins/blob/master/key_check.rb). You run it from a working admin account and it compares the private key you have (which contains the public key) to the public key you can download from the server. You can accomplish the same with various openssl commands.


--
Daniel DeLeo
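As an added example (not from this thread and not the knife plugin linked above), a Ruby script doing the same comparison with the OpenSSL standard library: it checks that the public components embedded in a local private key match the public key the server holds for that client name, and shows why a mismatched pair fails the signature check that produces the "Invalid signature" response. The keys here are constructed in the script; a real check would read chef-validator.pem and the public key fetched from the server, and the sign/verify step is a simplified stand-in for Chef's request signing, not its exact header format.

```ruby
require 'openssl'

# Does the private key on the client belong to the public key the server has on
# file for that client name? An RSA private key carries the public components
# (modulus n and exponent e), so those are all we need to compare.
def key_pair_matches?(private_pem, server_public_pem)
  priv = OpenSSL::PKey::RSA.new(private_pem)
  pub  = OpenSSL::PKey::RSA.new(server_public_pem)
  priv.n == pub.n && priv.e == pub.e
end

# Simplified stand-in for the server-side check (not Chef's exact request
# signing format): a request signed with one private key only verifies
# against the public key of the same pair. A wrong or re-created validator
# key therefore fails here, which is what the 401 in the thread reports.
def signature_valid?(private_pem, server_public_pem, request = 'GET /clients')
  priv = OpenSSL::PKey::RSA.new(private_pem)
  pub  = OpenSSL::PKey::RSA.new(server_public_pem)
  sig  = priv.sign(OpenSSL::Digest.new('SHA256'), request)
  pub.verify(OpenSSL::Digest.new('SHA256'), sig, request)
end

# Constructed sample keys standing in for chef-validator.pem on the client and
# for the key registered on the server. In a real check these come from the
# .pem file and from the server API respectively.
CLIENT_KEY = OpenSSL::PKey::RSA.new(2048)
STALE_KEY  = OpenSSL::PKey::RSA.new(2048)   # e.g. a validator re-created server-side

CLIENT_PEM       = CLIENT_KEY.to_pem
SERVER_PUB_OK    = CLIENT_KEY.public_key.to_pem
SERVER_PUB_STALE = STALE_KEY.public_key.to_pem

if __FILE__ == $PROGRAM_NAME
  puts "matching key:  #{key_pair_matches?(CLIENT_PEM, SERVER_PUB_OK)}"    # true
  puts "stale key:     #{key_pair_matches?(CLIENT_PEM, SERVER_PUB_STALE)}" # false
  puts "signature ok:  #{signature_valid?(CLIENT_PEM, SERVER_PUB_OK)}"     # true
  puts "signature bad: #{signature_valid?(CLIENT_PEM, SERVER_PUB_STALE)}"  # false
end
```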