Cannot authenticate knife commands on chef-server 0.8.6 on EC2


#1

I’m trying to set up a chef server and I followed these instructions on
a fresh EC2 Ubuntu system
http://gist.github.com/242523

and I cannot get any knife commands to authenticate. For example
sudo /var/lib/gems/1.8/bin/knife data bag show BAG -u chef-webui -k /etc/chef/webui.pem

yields this error
/usr/lib/ruby/1.8/net/http.rb:2097:in `error!': 401 "Unauthorized" (Net::HTTPServerException)

and in the chef server log
DEBUG: Authentication failed: Failed to authenticate user request.
Most likely missing a necessary header: padding check failed,
/var/lib/gems/1.8/gems/mixlib-authentication-1.1.0/lib/mixlib/authentication/signatureverification.rb:106:in `public_decrypt'

My /etc/chef/server.rb has
validation_client_name "validator"
validation_key "/etc/chef/validation.key"
client_key "/etc/chef/client.pem"
web_ui_client_name "chef-webui"
web_ui_key "/etc/chef/webui.pem"

I did check that /etc/chef/webui.pem contains webui.key + webui.crt.
What I don’t know is where chef-server loads the public key.

I did read
http://blog.ibd.com/scalable-deployment/creating-an-amazon-ami-for-chef-0-8/
but I don’t see anything in there that’s radically different than what
I’ve done. I’ve tried this on two different fresh systems and same
problem persists.

Any help would be greatly appreciated.


#2

The padding check failed makes me think the issue is a version
mismatch of Mixlib::Authentication - can you confirm that the client
and your chef server are at the same revision?

Adam

On Tue, Mar 9, 2010 at 12:54 PM, Douglas Hubler douglas@hubler.us wrote:

> I’m trying to set up a chef server and I followed these instructions on
> a fresh EC2 Ubuntu system
> http://gist.github.com/242523
>
> and I cannot get any knife commands to authenticate. For example
> sudo /var/lib/gems/1.8/bin/knife data bag show BAG -u chef-webui -k /etc/chef/webui.pem
>
> yields this error
> /usr/lib/ruby/1.8/net/http.rb:2097:in `error!': 401 "Unauthorized" (Net::HTTPServerException)
>
> and in the chef server log
> DEBUG: Authentication failed: Failed to authenticate user request.
> Most likely missing a necessary header: padding check failed,
> /var/lib/gems/1.8/gems/mixlib-authentication-1.1.0/lib/mixlib/authentication/signatureverification.rb:106:in `public_decrypt'
>
> My /etc/chef/server.rb has
> validation_client_name "validator"
> validation_key "/etc/chef/validation.key"
> client_key "/etc/chef/client.pem"
> web_ui_client_name "chef-webui"
> web_ui_key "/etc/chef/webui.pem"
>
> I did check that /etc/chef/webui.pem contains webui.key + webui.crt.
> What I don’t know is where chef-server loads the public key.
>
> I did read
> http://blog.ibd.com/scalable-deployment/creating-an-amazon-ami-for-chef-0-8/
> but I don’t see anything in there that’s radically different than what
> I’ve done. I’ve tried this on two different fresh systems and same
> problem persists.
>
> Any help would be greatly appreciated.


Opscode, Inc.
Adam Jacob, CTO
T: (206) 508-7449 E: adam@opscode.com


#3

On Tue, Mar 9, 2010 at 5:00 PM, Adam Jacob adam@opscode.com wrote:

> The padding check failed makes me think the issue is a version
> mismatch of Mixlib::Authentication - can you confirm that the client
> and your chef server are at the same revision?
> Adam

I used
git clone git://github.com/opscode/chef.git
so I get server and client from same place. Is there a version string
I should be looking at?

I get the same exact error when I try to use validation key or any old
key. Where is this public key kept? Is there a way to verify it is a
valid pair with webui.key? Is there a way to reset a new key pair for
webui client access?


#4

On Wed, Mar 10, 2010 at 5:49 AM, Douglas Hubler douglas@hubler.us wrote:

> On Tue, Mar 9, 2010 at 5:00 PM, Adam Jacob adam@opscode.com wrote:
>
>> The padding check failed makes me think the issue is a version
>> mismatch of Mixlib::Authentication - can you confirm that the client
>> and your chef server are at the same revision?
>> Adam
>
> I used
> git clone git://github.com/opscode/chef.git
> so I get server and client from same place. Is there a version string
> I should be looking at?

He means the mixlib-authentication gem. Run ‘gem list’ and see what
version is installed on the chef client and the chef server. You may
also need to clean up old versions if you have multiple versions
installed (see ‘gem cleanup’).

Bryan
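
An added example, not part of the thread: post #3 asks whether a public key can be verified against webui.key, and the server log shows the failure inside public_decrypt. The Ruby sketch below compares the two halves of an RSA pair and reproduces a public_decrypt failure with a key from a different pair. The helper names, throwaway keys and request string are constructed for illustration and are not Chef's or mixlib-authentication's own code.

```ruby
require "openssl"
require "base64"

# Load an RSA public key from either a public-key PEM or a certificate PEM
# (the post says webui.pem holds webui.key + webui.crt).
def public_key_from(pem)
  if pem.include?("BEGIN CERTIFICATE")
    OpenSSL::X509::Certificate.new(pem).public_key
  else
    OpenSSL::PKey::RSA.new(pem)
  end
end

# True when both PEMs carry the same RSA modulus and public exponent,
# i.e. they are the two halves of one key pair.
def key_pair_match?(private_pem, public_pem)
  priv = OpenSSL::PKey::RSA.new(private_pem)
  pub  = public_key_from(public_pem)
  priv.n == pub.n && priv.e == pub.e
end

# Client side (hypothetical helper): sign the request string with the private key.
def sign_request(private_pem, canonical_request)
  key = OpenSSL::PKey::RSA.new(private_pem)
  Base64.strict_encode64(key.private_encrypt(canonical_request))
end

# Server side (hypothetical helper): recover the string with the public key on
# file for the client. A key from a different pair fails inside public_decrypt,
# the frame shown in the server log in post #1.
def verify_request(public_pem, signature_b64, canonical_request)
  raw = Base64.strict_decode64(signature_b64)
  recovered = public_key_from(public_pem).public_decrypt(raw)
  recovered == canonical_request ? :ok : :content_mismatch
rescue OpenSSL::PKey::PKeyError
  :wrong_key
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: throwaway keys and a made-up request string.
  client = OpenSSL::PKey::RSA.new(2048)
  stale  = OpenSSL::PKey::RSA.new(2048)
  request = "Method:GET\nPath:/data/BAG\nUserId:chef-webui"
  sig = sign_request(client.to_pem, request)
  puts key_pair_match?(client.to_pem, client.public_key.to_pem)
  puts verify_request(client.public_key.to_pem, sig, request)
  puts verify_request(stale.public_key.to_pem, sig, request)
end
```

To check real files, pass their contents with File.read, for example the private key the client signs with and the public key or certificate the server holds for that client.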