- From: Daniel DeLeo
- To:
- Subject: [chef] Re: Re: Re: Automatic Node Configuration - "Failed to authenticate"
- Date: Mon, 24 Nov 2014 14:43:10 -0800
On Monday, November 24, 2014 at 1:08 PM, Douglas Garstang wrote:
> I'm horribly confused. I just got it to work, and the validation key I used
> is _NOT_ what's on the server at /etc/chef-server/chef-validator.pem.
>
> Doug.
If you run `knife client reregister VALIDATOR_NAME` (or the equivalent HTTP
API calls via some other means) then a new key is generated for the validator
and the old one becomes invalid. I don’t think there’s a way that this can be
fixed automatically, since the server doesn’t keep a copy of the private key.
My personal opinion is that the validator mechanism for creating new
clients/nodes is overly error-prone and should only be used when you
absolutely must have “self bootstrapping” behavior, for example when PXE
booting or using AWS autoscaling and you’ve baked the credentials into your
OS image. From your previous email, it looks like you’re creating node data
from a script/program you’re writing yourself. If it’s an option for you, you
might want to do something like the following:
    knife client create -u ADMIN_USER -k ADMIN_KEY -f NEW_NODE_KEY.pem NEW_NODE_NAME
    knife node create NEW_NODE_NAME -u NEW_NODE_NAME -k NEW_NODE_KEY.pem   # or other knife command/API tool
Then you need to copy the NEW_NODE_KEY.pem to the new machine and configure
it with the correct NEW_NODE_NAME. The downside to this approach is that you
need to protect NEW_NODE_KEY.pem from being disclosed to anyone/anything that
shouldn’t have it. I _think_ you can achieve this for s3 via IAM but I’m not
100% sure.
HTH,
--
Daniel DeLeo
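The per-node alternative described above, written out as an added shell example that is not part of the thread: it pre-creates a client with an admin key (the knife flags used here exist, but the wrapper is hypothetical), then stages the private key and a client.rb that carries no validator settings. It assumes knife is on PATH, ADMIN_USER and ADMIN_KEY are set by the caller, and the hostname and paths are constructed.

```shell
#!/bin/sh
# Added example, not the thread's code. Assumes: knife on PATH, ADMIN_USER and
# ADMIN_KEY exported by the caller, $dest is the node's config dir (e.g. /etc/chef).
set -eu

# Create the client and node on the server with an admin key; -f writes the new
# client's private key locally, -d skips the editor. umask 077 so the key is
# never world-readable, not even for an instant.
create_node_client() {
  node="$1"; keyfile="$2"
  umask 077
  knife client create "$node" -f "$keyfile" -u "$ADMIN_USER" -k "$ADMIN_KEY" -d
  knife node create "$node" -u "$ADMIN_USER" -k "$ADMIN_KEY" -d
}

# Write a minimal client.rb: node_name + client_key only. Deliberately no
# validation_client_name / validation_key, so an image built from this host
# cannot register further clients if it leaks.
write_client_rb() {
  node="$1"; dest="$2"; server_url="$3"
  cat > "$dest/client.rb" <<EOF
node_name        "$node"
client_key       "$dest/client.pem"
chef_server_url  "$server_url"
EOF
  chmod 0644 "$dest/client.rb"
}

# Install the per-node key at its final path, owner-only, and verify the mode
# (GNU stat first, BSD stat as fallback). Returns non-zero if the check fails.
install_node_key() {
  src="$1"; dest="$2"
  umask 077
  cp "$src" "$dest/client.pem"
  chmod 0600 "$dest/client.pem"
  perms=$(stat -c '%a' "$dest/client.pem" 2>/dev/null || stat -f '%Lp' "$dest/client.pem")
  [ "$perms" = "600" ]
}
```

Run create_node_client on the provisioning host, then ship only that node's key and client.rb to the new machine; the validator key never leaves the admin workstation.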