Chef Server 12 - Problem deploying certificate from encrypted data bag


Hello all. I’m fairly new to chef, so it’s possible that I’m overlooking something obvious. We have just finished installing and configuring a new chef 12 server version 12.2.1. Initially we were going to upgrade an existing Open Source Chef 11 server, but ran into issues that made upgrade or migration problematic. That’s another story for another time.

We have uploaded the cookbooks from our 11 server to the 12 server and are in the process of testing one of them on a test node. Everything appears to be working as expected except for a problem creating a certificate from an encrypted data bag.

The problem occurs when trying to apply this recipe:

# Deploy the shared secret that the resource below uses to decrypt the data bag item.
cookbook_file '/etc/chef/encrypted_data_bag_secret' do
  owner 'root'
  group 'root'
  mode 00600
end

# Fetch the "wildcard" item from the "certificates" encrypted data bag and write the
# certificate, key and chain under the Postfix ssl directory (skipped on lxc/vbox guests).
certificate_manage 'wildcard' do
  cert_path "#{node['mumail']['sysconf']}/ssl"
  cert_file 'wildcard.pem'
  key_file 'wildcard.key'
  chain_file 'wildcard-bundle.crt'
  action :create
  not_if { node['virtualization']['role'] == 'guest' && (node['virtualization']['system'] == 'lxc' || node['virtualization']['system'] == 'vbox') }
end

On the chef run we get this:

Error executing action `create` on resource 'certificate_manage[wildcard]'

401 "Unauthorized"

Cookbook Trace:
/var/chef/cache/cookbooks/certificate/providers/manage.rb:26:in `block in class_from_file'

Resource Declaration:
# In /var/chef/cache/cookbooks/mu-mail/recipes/certificate.rb

 26: certificate_manage 'wildcard' do
 27:   cert_path "#{node['mumail']['sysconf']}/ssl"
 28:   cert_file 'wildcard.pem'
 29:   key_file 'wildcard.key'
 30:   chain_file 'wildcard-bundle.crt'
 31:   action :create
 32:   not_if { node['virtualization']['role'] == 'guest' && (node['virtualization']['system'] == 'lxc' || node['virtualization']['system'] == 'vbox') }
 33: end

Compiled Resource:
# Declared in /var/chef/cache/cookbooks/mu-mail/recipes/certificate.rb:26:in `from_file'

certificate_manage("wildcard") do
  action [:create]
  retries 0
  retry_delay 2
  default_guard_interpreter :default
  declared_type :certificate_manage
  cookbook_name "mu-mail"
  recipe_name "certificate"
  cert_path "/etc/postfix/ssl"
  cert_file "wildcard.pem"
  key_file "wildcard.key"
  chain_file "wildcard-bundle.crt"
  data_bag_secret "/etc/chef/encrypted_data_bag_secret"
  data_bag "certificates"
  search_id "wildcard"
  not_if { #code block }

Any idea what I’m doing wrong?

Michael McDade
IT Associate Senior
Marshall University Information Technology
Drinko Library 428K, 1 John Marshall Dr., Huntington, WV 25755
Phone: 304.696.6127
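As an added worked example (not part of the original post, and not the certificate cookbook's own code): a plain-Ruby reproduction of what the resource above has to do on the node once it has the data bag item in hand. Chef encrypted data bag format version 1 stores every field except "id" as {encrypted_data, iv, version, cipher}, encrypted with AES-256-CBC under a key of SHA-256(secret), where the plaintext is the JSON of {"json_wrapper": value}. The item field names cert/key/chain, the PEM bodies and the secret value are constructed placeholders. The `secret_matches?` check lets you confirm offline that the secret deployed to /etc/chef/encrypted_data_bag_secret is the one the item was encrypted with, which is a different failure from the 401 in the trace (a 401 is the Chef server rejecting the client's API request, so it happens before decryption is attempted). The deploy step shows the file modes a practitioner would want: the private key readable by root only.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'digest'
require 'fileutils'

# Chef encrypted data bag, format version 1 (reimplemented here for illustration):
# key = SHA-256(secret), AES-256-CBC with a fresh random IV per field, plaintext is
# the JSON of {"json_wrapper": value}. Base64 decoding below is lenient, so items
# written by knife (which wraps base64 at 60 columns) decode the same way.
V1_CIPHER = 'aes-256-cbc'.freeze

# Chef strips surrounding whitespace from the secret file before hashing it.
def load_secret(path)
  File.read(path).strip
end

def v1_key(secret)
  Digest::SHA256.digest(secret)
end

def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new(V1_CIPHER).encrypt
  cipher.key = v1_key(secret)
  iv = cipher.random_iv # generates the IV and sets it on the cipher
  ciphertext = cipher.update(JSON.generate('json_wrapper' => value)) + cipher.final
  { 'encrypted_data' => Base64.strict_encode64(ciphertext),
    'iv' => Base64.strict_encode64(iv),
    'version' => 1,
    'cipher' => V1_CIPHER }
end

def decrypt_field(field, secret)
  raise ArgumentError, "unsupported format version #{field['version']}" unless field['version'] == 1
  cipher = OpenSSL::Cipher.new(field['cipher']).decrypt
  cipher.key = v1_key(secret)
  cipher.iv = Base64.decode64(field['iv'])
  plaintext = cipher.update(Base64.decode64(field['encrypted_data'])) + cipher.final
  wrapped = JSON.parse(plaintext)
  unless wrapped.is_a?(Hash) && wrapped.key?('json_wrapper')
    raise JSON::ParserError, 'decrypted bytes are not a json_wrapper object'
  end
  wrapped['json_wrapper']
end

# Encrypt every field except "id": the shape `knife data bag create ... --secret-file` stores.
def encrypt_item(plain_item, secret)
  plain_item.each_with_object({}) { |(k, v), enc| enc[k] = k == 'id' ? v : encrypt_field(v, secret) }
end

def decrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), plain| plain[k] = k == 'id' ? v : decrypt_field(v, secret) }
end

# True only if the secret decrypts every field. A wrong key almost always fails the
# CBC padding check (CipherError); if the padding happens to pass, the bytes are not
# the json_wrapper object and decrypt_field raises instead. Any failure means "no".
def secret_matches?(item, secret)
  decrypt_item(item, secret)
  true
rescue StandardError
  false
end

# Write the three files the way the recipe's parameters imply: certificate and chain
# world-readable, private key readable by root only (explicit chmod defeats the umask
# and fixes up a pre-existing file with looser permissions).
def deploy_cert_files(plain, cert_path, cert_file:, key_file:, chain_file:)
  FileUtils.mkdir_p(cert_path, mode: 0o755)
  { cert_file => [plain['cert'], 0o644],
    key_file => [plain['key'], 0o600],
    chain_file => [plain['chain'], 0o644] }.map do |name, (body, mode)|
    dest = File.join(cert_path, name)
    File.open(dest, File::WRONLY | File::CREAT | File::TRUNC, mode) { |f| f.write(body) }
    File.chmod(mode, dest)
    dest
  end
end

# Constructed placeholders (not real credentials) standing in for item "wildcard"
# of data bag "certificates"; the field names cert/key/chain are assumed.
PLAIN_ITEM = {
  'id' => 'wildcard',
  'cert' => "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
  'key' => "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n",
  'chain' => "-----BEGIN CERTIFICATE-----\nMIIB...intermediate...\n-----END CERTIFICATE-----\n"
}.freeze
SECRET = "constructed-shared-secret\n".freeze # trailing newline, as a secret file usually has

if __FILE__ == $PROGRAM_NAME
  require 'tmpdir'
  Dir.mktmpdir do |dir|
    secret_file = File.join(dir, 'encrypted_data_bag_secret')
    File.write(secret_file, SECRET)
    item = encrypt_item(PLAIN_ITEM, load_secret(secret_file))
    puts JSON.pretty_generate(item) # what the item looks like without the secret
    puts "secret matches: #{secret_matches?(item, load_secret(secret_file))}"
    puts "wrong secret:   #{secret_matches?(item, 'not-the-secret')}"
    files = deploy_cert_files(decrypt_item(item, load_secret(secret_file)), File.join(dir, 'ssl'),
                              cert_file: 'wildcard.pem', key_file: 'wildcard.key',
                              chain_file: 'wildcard-bundle.crt')
    files.each { |f| puts format('%o %s', File.stat(f).mode & 0o777, f) }
  end
end
```

To run the same check against the real item instead of the constructed one, dump it with `knife data bag show certificates wildcard -F json` (without `--secret-file`, so it stays encrypted), load that JSON as `item`, and call `secret_matches?(item, load_secret('/etc/chef/encrypted_data_bag_secret'))` on the node. Newer Chef versions also write format versions 2 and 3 (HMAC and AES-GCM respectively); this example deliberately handles only version 1 and raises on anything else.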