Chef bootstrap custom template


Hello guys,

I have been looking for documentation on custom bootstrap templates for a while now.
In an environment where the machines have no internet access, I have a chef server where I can store an rpm and an msi chef client. I have to build a script to bootstrap 2 CentOS machines and 2 Windows 2k12 machines, which are on a csv list.

The thing I don’t get is how to build up the bootstrap template for the CentOS machines, telling them to get the chef-client rpm from chef-server (in which I’ve created a VS on nginx provided with chef).

All I could find is a chef-full.erb which gets the from
One other thing I found was:

And this is exactly what I need, but I couldn’t make it work.

The template looks like this:

bash -c '
<%= "export https_proxy=\"#{knife_config[:bootstrap_proxy]}\"" if knife_config[:bootstrap_proxy] -%>

distro=`uname -s`

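if test "x$distro" = "xSunOS"; then
  if test -d "/usr/sfw/bin"; then
    PATH=/usr/sfw/bin:$PATH
    export PATH
  fi
fi

# Return 0 if the named command is on PATH, 1 otherwise
exists() {
  if command -v $1 &>/dev/null
  then
    return 0
  else
    return 1
  fi
}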

# Fill in appropriately
yum install -y http://chef01:8081/kit/packages/centos/chef-12.16.42-1.el6.x86_64.rpm

mkdir -p /etc/chef

cat > /etc/chef/validation.pem <<'EOP'
<%= validation_key %>
EOP
chmod 0600 /etc/chef/validation.pem

<% if encrypted_data_bag_secret -%>
cat > /etc/chef/encrypted_data_bag_secret <<'EOP'
<%= encrypted_data_bag_secret %>
EOP
chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>

<%# Generate Ohai Hints -%>
<% unless @chef_config[:knife][:hints].nil? || @chef_config[:knife][:hints].empty? -%>
mkdir -p /etc/chef/ohai/hints

<% @chef_config[:knife][:hints].each do |name, hash| -%>
cat > /etc/chef/ohai/hints/<%= name %>.json <<'EOP'
<%= hash.to_json %>
EOP
<% end -%>
<% end -%>

cat > /etc/chef/client.rb <<'EOP'
<%= config_content %>
EOP

cat > /etc/chef/first-boot.json <<'EOP'
<%= first_boot.to_json %>
EOP

echo "Starting first Chef Client run..."

<%= start_chef %>'

And the output I get is this:

PS C:\project> .\scripts\script.ps1 -user admin -pass pass123
Creating new client for centos01
Creating new node for centos01
Connecting to centos01
centos01 knife sudo password:
centos01 Loaded plugins: fastestmirror
centos01 Setting up Install Process
chef-12.16.42-1.el6.x86_64.rpm                           |  35 MB     00:00
centos01 Examining /var/tmp/yum-root-QQjRa7/chef-12.16.42-1.el6.x86_64.rpm: chef-12.16.42-1.el6.x86_64
centos01 /var/tmp/yum-root-QQjRa7/chef-12.16.42-1.el6.x86_64.rpm: does not update installed package.
centos01 Error: Nothing to do
centos01 Starting first Chef Client run...
centos01 Starting Chef Client, version 12.16.42
centos01 Creating a new client identity for centos01 using the validator key.
centos01 ================================================================================
centos01 Chef encountered an error attempting to create the client "centos01"
centos01 ================================================================================
centos01 Platform:
centos01 ---------
centos01 x86_64-linux
centos01 Running handlers:
centos01 [2016-11-28T23:53:04+02:00] ERROR: Running exception handlers
centos01 Running handlers complete
centos01 [2016-11-28T23:53:04+02:00] ERROR: Exception handlers complete
centos01 Chef Client failed. 0 resources updated in 03 seconds
centos01 [2016-11-28T23:53:04+02:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
centos01 [2016-11-28T23:53:04+02:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
centos01 [2016-11-28T23:53:04+02:00] ERROR: The file /etc/chef/validation.pem or :raw_key option does not contain a correctly formatted private key.
centos01 The key file should begin with '-----BEGIN RSA PRIVATE KEY-----' and end with '-----END RSA PRIVATE KEY-----'
centos01 [2016-11-28T23:53:04+02:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

What I get in the /etc/chef/validation.pem is this:

[root@centos01 ~]# cat /etc/chef/validation.pem

Could anyone enlighten me on this topic, please?

Thank you,


This probably means that the “validation_key” directive in your knife
config is incorrect (assuming you are using the validator bootstrap



Hello. Thank you for your answer.

I thought that I don’t have to do anything on the node that needs to be bootstrapped. I thought that all I have to do is to use the bootstrap template which will tell the node where to get the chef-client rpm from and to tell chef-server which node needs to be bootstrapped and chef-server will take it from there.

Now from what you’re saying I understand that I would need to copy the user.pem file which was generated on the chef-server when I created the user and the organization and to copy it on the node that needs to be bootstrapped in a folder that needs to be created by hand /etc/chef, under the name of validation.pem? Isn’t that supposed to be created by the following code in the bootstrap template:

cat > /etc/chef/validation.pem <<'EOP'
<%= validation_key %>
EOP
chmod 0600 /etc/chef/validation.pem

I was wondering where the <%= validation_key %> comes from, as I cannot see it defined anywhere.

Thank you again,


Verify you have validation_key in your knife config (typically
~/.chef/knife.rb or the rb file you use the -c option with bootstrap)
Search validation_key on
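
One way to run the check suggested in the replies before bootstrapping, as an added example that is not part of the original thread or of Chef itself: it confirms that the file named by `validation_key` exists, is non-empty, parses as an RSA private key and is not readable by other users. The helper names `validation_key_path` and `validation_key_problems` are hypothetical, and the key files in the demo are constructed in a temporary directory.

```ruby
require "openssl"
require "tmpdir"

# Hypothetical helper (not part of Chef or knife): extract a literal
# validation_key path from knife.rb text. Interpolated paths such as
# "#{current_dir}/x.pem" are not resolved and yield nil.
def validation_key_path(knife_rb_text)
  m = knife_rb_text.match(/^\s*validation_key\s+["']([^"'#]+)["']/)
  m && File.expand_path(m[1])
end

# Hypothetical pre-flight check: returns a list of problems, empty when the
# file is usable as a validator key.
def validation_key_problems(path)
  return ["no validation_key setting found"] if path.nil?
  return ["#{path}: file does not exist"] unless File.file?(path)
  problems = []
  pem = File.read(path)
  if pem.strip.empty?
    problems << "#{path}: file is empty"
  else
    begin
      key = OpenSSL::PKey::RSA.new(pem)
      problems << "#{path}: holds a public key only" unless key.private?
    rescue OpenSSL::PKey::PKeyError
      problems << "#{path}: not a PEM-encoded RSA private key"
    end
  end
  mode = File.stat(path).mode & 0o777
  if !Gem.win_platform? && (mode & 0o077) != 0
    problems << format("%s: mode %04o is readable by group or other", path, mode)
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    # Constructed sample input: an empty key file (the symptom in this thread)
    # and a throwaway key generated on the spot.
    empty = File.join(dir, "empty.pem")
    good = File.join(dir, "good.pem")
    File.write(empty, "", perm: 0o600)
    File.write(good, OpenSSL::PKey::RSA.new(2048).to_pem, perm: 0o600)
    knife_rb = %(validation_key "#{empty}"\n)
    [validation_key_path(knife_rb), good, File.join(dir, "missing.pem")].each do |p|
      probs = validation_key_problems(p)
      puts(probs.empty? ? "#{p}: OK" : probs.join("\n"))
    end
  end
end
```

The same `validation_key_problems` check can be pointed at `/etc/chef/validation.pem` on the node after a failed bootstrap to tell an empty file from a malformed one.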