- From: Douglas Garstang
- To:
- Subject: [chef] Client Validation Errors - Argh!
- Date: Fri, 23 Jan 2015 12:16:00 -0800
I swear that every time I install a new chef server it's like getting a root canal. I spend hours mucking around with validation keys, and somehow get it to work in the end, but I don't know how.
Running chef-client is returning:
Authentication Error:
---------------------
Failed to authenticate to the chef server (http 401).
Server Response:
----------------
Failed to authenticate as 'chef-validator'. Ensure that your node_name and client key are correct.
I copied the validation key generated from running this on the server to the client:
chef-server-ctl org-create slice "Slice Technologies" --association_user doug --filename validator
My client.rb contains:
client.rb:
ssl_verify_mode :verify_peer
log_level :info
log_location STDOUT
chef_server_url 'https://chef-003.dev.slicetest.com:443/organizations/slice'
validation_client_name 'chef-validator'
validation_key "/etc/chef/chef-validator.pem"
client_key '/etc/chef/client.pem'
The file layout is:
:/etc/chef# ls -l
total 24
lrwxrwxrwx 1 root root 66 Jan 23 19:56 chef-validator.pem -> /etc/chef/validation_keys/validator-chef-003.dev.slicetest.com.pem
-rw-r--r-- 1 root root 326 Jan 23 20:10 client.rb
drwxr-xr-x 2 root root 4096 Jan 23 19:48 keys
-rw-r--r-- 1 root root 368 Jan 23 20:00 knife-opstool.rb
lrwxrwxrwx 1 root root 53 Jan 23 19:56 opstool.pem -> /etc/chef/keys/opstool-chef-003.dev.slicetest.com.pem
drwxr-xr-x 2 root root 4096 Jan 23 19:48 trusted_certs
drwxr-xr-x 2 root root 4096 Jan 23 20:06 validation_keys
/etc/chef
/etc/chef/keys
/etc/chef/keys/opstool-chef01.prod.slicetest.com.pem
/etc/chef/keys/opstool-chef-003.dev.slicetest.com.pem
/etc/chef/opstool.pem
/etc/chef/chef-validator.pem
/etc/chef/knife-opstool.rb
/etc/chef/client.rb
/etc/chef/trusted_certs
/etc/chef/trusted_certs/chef01.prod.slicetest.com.crt
/etc/chef/trusted_certs/chef-003.dev.slicetest.com.crt
/etc/chef/validation_keys
/etc/chef/validation_keys/validator-chef01.prod.slicetest.com.pem
/etc/chef/validation_keys/validator-chef-003.dev.slicetest.com.pem
I have eyeballed the validation key and it matches what the server generated. The trusted cert I obtained from running knife ssl on a different client.
Help. :(
Doug.