403 errors when bootstrapping

Ohai, Chefs!

On a fresh open-source Chef 11 server install on CentOS 5.8, I’m receiving
403 errors when bootstrapping a new client, at the step when the bootstrap
process attempts to create the client. The issue appears to be when the
client makes a “GET /clients” call.

I have attempted to create a new validator client/key/cert, and an admin
client/key/cert (to be used as a validator) with no luck. The
bootstrapping does indeed install the proper validator certificate and a
valid client.rb.

Server logs:

==> /var/log/chef-server/nginx/access.log <==
192.168.100.3 - - [06/Feb/2013:18:34:59 +0000] "GET /clients HTTP/1.1" 403 "0.010" 54 "-" "Chef Client/11.0.0 (ruby-1.9.3-p286; ohai-6.16.0; x86_64-linux; +http://opscode.com)" "127.0.0.1:8000" "403" "0.006" "11.0.0" "algorithm=sha1;version=1.0;" "chef-validator" "2013-02-06T18:34:56Z" "2jmj7l5rSw0yVb/vlWAYkK/YBwk=" 931

==> /var/log/chef-server/erchef/erchef.log.1 <==
2013-02-06T18:34:59Z erchef@127.0.0.1 INFO req_id=Uz6MB8/WWFUMIPUdWD3TqQ==; status=403; method=GET; path=/clients; user=chef-validator; msg={forbidden}; req_time=3; rdbms_time=0; rdbms_count=1

Client logs:

192.168.100.3 Authorization Error:
192.168.100.3 --------------------
192.168.100.3 Your validation client is not authorized to create the client for this node (HTTP 403).
192.168.100.3
192.168.100.3 Possible Causes:
192.168.100.3 ----------------
192.168.100.3 * There may already be a client named "chef-client-11"
192.168.100.3 * Your validation client (chef-validator) may have misconfigured authorization permissions.

192.168.100.3 [2013-02-06T18:34:56+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
192.168.100.3 [2013-02-06T18:34:56+00:00] FATAL: Net::HTTPServerException: 403 "Forbidden"

I have confirmed that no client named “chef-client-11” exists, but I’m
stuck on the authorization permissions that may need to be addressed.

Any help would be GREATLY appreciated - many thanks. :)

~Adam

Are you trying to bootstrap to an environment that doesn't exist? I'm less
familiar with Chef 11, but I know you will get a puzzling 403 if the
environment does not exist on Chef 10.

On Wed, Feb 6, 2013 at 1:22 PM, Adam Leff adam@leff.co wrote:

Ohai, Chefs!

On a fresh open-source Chef 11 server install on CentOS 5.8, I'm receiving
403 errors when bootstrapping a new client, at the step when the bootstrap
process attempts to create the client. The issue appears to be when the
client makes a "GET /clients" call.

I wish it was that easy, but thank you for the response. :)

I narrowed this down to nginx ssl. When I hacked up the nginx.conf to not
listen on 443, not rewrite :80 traffic and simply pass it directly to
erchef without any SSL, happiness ensued shortly thereafter. This also
included any knife operations of creating environments (knife reported
successful creation, but "knife environment list" did not agree), uploading
cookbooks returned "method not supported" (or something similar), etc.

I'll hopefully get some time on a long flight tomorrow to dig into why.

~Adam

On Thu, Feb 7, 2013 at 3:28 AM, Josiah Kiehl bluepojo@gmail.com wrote:

Are you trying to bootstrap to an environment that doesn't exist? I'm less
familiar with Chef 11, but I know you will get a puzzling 403 if the
environment does not exist on Chef 10.

I seemingly worked my way around this by updating the chef_server_url from http to https in client.rb/knife.rb… When it avoids the redirect, it’s happy.

-s
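
As an added illustration (not part of the original thread, and not Chef's own code), the Ruby below parses the access-log line from the first post and checks it for the pattern the thread converges on: the validator's client-creation request showing up as a refused, body-less GET /clients when the http-to-https redirect is in play. The log field order, the `chef.example.com` host and all function names are assumptions made for this example.

```ruby
require 'digest'

# Base64(SHA1("")): the content hash a signed request carries when it has no body.
EMPTY_BODY_HASH = [Digest::SHA1.digest('')].pack('m0')

# Access-log line copied from the first post, re-joined onto one line.
SAMPLE_LOG = '192.168.100.3 - - [06/Feb/2013:18:34:59 +0000] "GET /clients HTTP/1.1" 403 ' \
  '"0.010" 54 "-" "Chef Client/11.0.0 (ruby-1.9.3-p286; ohai-6.16.0; x86_64-linux; ' \
  '+http://opscode.com)" "127.0.0.1:8000" "403" "0.006" "11.0.0" ' \
  '"algorithm=sha1;version=1.0;" "chef-validator" "2013-02-06T18:34:56Z" ' \
  '"2jmj7l5rSw0yVb/vlWAYkK/YBwk=" 931'

# Constructed client.rb content (hypothetical host name).
SAMPLE_CLIENT_RB = <<~CONF
  log_level        :info
  chef_server_url  "http://chef.example.com"
  validation_client_name "chef-validator"
CONF

# Assumed field order, read off the sample line: the last three quoted fields
# are the signing user id, the request timestamp and the body content hash.
def parse_access_line(line)
  status = line[/" (\d{3}) "/, 1]
  quoted = line.scan(/"([^"]*)"/).flatten
  method, path = quoted.first.split(' ')
  { method: method, path: path, status: status.to_i,
    user: quoted[-3], content_hash: quoted[-1] }
end

# Client registration is a POST with a body; a refused, body-less GET on
# /clients by the validator matches what the thread saw behind the redirect.
def redirect_downgrade?(req, validator = 'chef-validator')
  req[:user] == validator && req[:method] == 'GET' && req[:path] == '/clients' &&
    req[:status] == 403 && req[:content_hash] == EMPTY_BODY_HASH
end

# Return chef_server_url values that use plain http and so hit the redirect.
def http_server_urls(config_text)
  config_text.scan(/^\s*chef_server_url\s+["']([^"']+)["']/).flatten
             .select { |u| u.downcase.start_with?('http://') }
end
```

The last quoted field of the logged request equals the hash of an empty body, which is what makes the GET stand out at a step that is supposed to create a client.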

-----Original Message-----
From: Adam Leff adam@leff.co
To: chef chef@lists.opscode.com
Sent: Wed, Feb 20, 2013 1:24 pm
Subject: [chef] Re: Re: 403 errors when bootstrapping

I wish it was that easy, but thank you for the response. :)

I narrowed this down to nginx ssl. When I hacked up the nginx.conf to not listen on 443, not rewrite :80 traffic and simply pass it directly to erchef without any SSL, happiness ensued shortly thereafter. This also included any knife operations of creating environments (knife reported successful creation, but “knife environment list” did not agree), uploading cookbooks returned “method not supported” (or something similar), etc.

I’ll hopefully get some time on a long flight tomorrow to dig into why.

~Adam

List error E_TOOMANY_AOLERS

What is this, the web-ops mailing list? :D

carry on.
<3

On Wed, Feb 20, 2013 at 1:30 PM, stolfi chrisstolfi@aol.com wrote:

I seemingly worked my way around this by updating the chef_server_url from
http to https in client.rb/knife.rb... When it avoids the redirect, it's
happy.

-s
