Chef-validator authentication fails after Chef server upgrade. How to fix this?

ringods · August 30, 2012, 12:25pm

Hello,

This morning, I upgraded (via gems) the Chef installation on my Chef server
and all the managed nodes. This was a completely functioning setup where I
was using vagrant to test my cookbooks before taking them into production.

After the upgrade, all clients connected without any problems except for
one thing: any access via chef-validator fails with “401 Unauthorized:
Failed to authenticate”! I can create clients in the web UI, but the
auto-registration via chef-validator doesn’t work.

After a few such failures, I regenerated the key pair of chef-validator and
saved the private key part in validation.pem. Doesn’t resolve the problem.

Then I noticed the chef-validator client was not an admin user, so I edited
the user and made it admin. Still no luck.

Anyone an idea how to fix this?

Ringo

Bryan_McLellan · August 30, 2012, 2:04pm

On Thu, Aug 30, 2012 at 8:25 AM, Ringo De Smet ringo.desmet@gmail.com wrote:

After a few such failures, I regenerated the key pair of chef-validator and
saved the private key part in validation.pem. Doesn't resolve the problem.

Can you set log_level to debug on the API server and look for a
relevant message there?

Then I noticed the chef-validator client was not an admin user, so I edited
the user and made it admin. Still no luck.

This doesn't matter, and generally the validation client should not be
an admin because then if someone got a hold of the validation key
which is commonly left around on nodes, they could cause a lot of
havoc.

The validation client gets special permissions that are hardcoded. See here:

https://github.com/opscode/chef/blob/master/chef-server-api/app/controllers/application.rb#L72

Bryan

ringods · August 30, 2012, 2:42pm

Bryan,

On 30 August 2012 16:04, Bryan McLellan btm@loftninjas.org wrote:

On Thu, Aug 30, 2012 at 8:25 AM, Ringo De Smet ringo.desmet@gmail.com
wrote:

After a few such failures, I regenerated the key pair of chef-validator
and
saved the private key part in validation.pem. Doesn't resolve the
problem.

Can you set log_level to debug on the API server and look for a
relevant message there?

Here is the relevant output from the server.log at debug level:

gist.github.com

https://gist.github.com/ringods/3529848

server.log

merb : chef-server (api) : worker (port 4000) ~ Started request handling: Thu Aug 30 16:38:43 +0200 2012
merb : chef-server (api) : worker (port 4000) ~ Routed to: {"admin"=>false, "action"=>"create", "controller"=>"clients", "name"=>"builder"}
merb : chef-server (api) : worker (port 4000) ~ Params: {"admin"=>false, "action"=>"create", "controller"=>"clients", "name"=>"builder"}
merb : chef-server (api) : worker (port 4000) ~ Failed to authenticate. Ensure that your client key is valid. - (Merb::ControllerExceptions::Unauthorized)
/usr/lib/ruby/gems/1.8/gems/chef-server-api-10.12.0/app/controllers/application.rb:56:in `authenticate_every'
/usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:352:in `send'
/usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:352:in `_call_filters'
/usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:344:in `each'
/usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:344:in `_call_filters'
/usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:286:in `_dispatch'

This file has been truncated. show original

Ringo

Bryan_McLellan · August 30, 2012, 3:25pm

On Thu, Aug 30, 2012 at 10:42 AM, Ringo De Smet ringo.desmet@gmail.com wrote:

Here is the relevant output from the server.log at debug level:
chef-validator: 401 Unauthorized problem · GitHub

What's builder? Is that the node_name of the client you're trying to
create? Have you tried a different node_name?

This is what shows up in the logs for a new client I just build on a
fresh apt install.

merb : chef-server (api) : worker (port 4000) ~ Params:
{"admin"=>false, "name"=>"domU-12-31-39-0E-AD-32.compute-1.internal",
"controller"=>"clients", "action"=>"create"}

Bryan

ringods · August 30, 2012, 8:21pm

On Thursday, 30 August 2012, Bryan McLellan wrote:

On Thu, Aug 30, 2012 at 10:42 AM, Ringo De Smet <ringo.desmet@gmail.com<javascript:;>>
wrote:

Here is the relevant output from the server.log at debug level:
chef-validator: 401 Unauthorized problem · GitHub

What's builder? Is that the node_name of the client you're trying to
create? Have you tried a different node_name?

Yes, builder is the node name. I used that name multiple times before
without any problems In my Vagrant setup before the Chef Server upgrade. I
can also create that client in the web UI manually.

Any other suggestions?

Ringo

Bryan_McLellan · August 30, 2012, 10:16pm

On Thu, Aug 30, 2012 at 4:21 PM, Ringo De Smet ringo.desmet@gmail.com wrote:

Yes, builder is the node name. I used that name multiple times before
without any problems In my Vagrant setup before the Chef Server upgrade. I
can also create that client in the web UI manually.

I suggested trying a different node_name to see if perhaps there was
some kind of issue with broken objects.

Any other suggestions?

Do you see chef-validator in knife client list?

knife client delete chef-validator # is the client gone now?
/etc/init.d/chef-server restart
knife client list # Does chef-validator come back?

modify your knife.rb to use a node_name of 'chef-validator' and point
it at that key and see if you can list clients using it?

Check your server.rb validation_key setting and the timestamp on
/etc/chef/validation.pem to make sure the key is being saved where you
expect it to be?

Bryan

ringods · August 31, 2012, 6:17am

Bryan,

On 31 August 2012 00:16, Bryan McLellan btm@loftninjas.org wrote:

Do you see chef-validator in knife client list?

knife client delete chef-validator # is the client gone now?
/etc/init.d/chef-server restart
knife client list # Does chef-validator come back?

The process of recreating the chef-validator client seems to have resolved
the problem!

Thank you very much!

Ringo

Topic		Replies	Views
Help to recovery chef-validator user with old keys Chef Infra (archive)	3	269	November 12, 2013
Problems retaining the chef-validator public RSA key Chef Infra (archive)	5	327	February 22, 2012
Upload chef cookbook to the Public Supermarket Chef Infra Server	5	549	October 31, 2023
Problems specifying validation.pem for restored chef server Chef Infra (archive)	2	300	February 8, 2012
Client privileges Chef Infra (archive)	6	301	June 29, 2011

Chef-validator authentication fails after Chef server upgrade. How to fix this?

Related Topics