Client registration 401 if I don't pass in a validation_client_name?


#1

Hi …

I’m testing our chef 11 clients (11.18.6) against our new chef 12 server. I was surprised to find that I needed to provide a value for validation_client_name when bootstrapping a client. Can anyone tell me what I should expect regarding how validation_client_name is handled, and if there are plans to provide a cli arg to pass one in?

Here’s what I mean:

We bootstrap clients in the following manner, and note that because of our in flight move to chef 12 server, we’re starting to use Orgs for the very first time.

/opt/chef/bin/chef-client -E myenv -S https://chef12.merrysamhaim.com/organizations/myorg -N $(uname -n) -l debug -L /var/log/chef/client.log -j /etc/chef/first-boot.json

By default, chef-client knows to use /etc/chef/validation.pem as the validation key file. And chef-client will take an argument to point to a different file if necessary. Our validation key file is in place in the default location, and it represents the private key for the Org name you see in the above chef_server_url: “myorg”. Said another way, the validation.pem is for validation client name “myorg-validator”.

When I run the above command, I thought maybe the client would “know” which Org it was to be associated with by way of “myorg” appearing in the chef_server_url arg. But when this node tried to register with the chef server, it failed with 401. In the error message, I could see that it was trying to use validation_client_name “chef-validator”. Hmm.

I then looked at the cli options for chef-client to see if there was a way to pass in validation_client_name, but I don’t see one. Next, I created a one-line /etc/chef/client.rb file that contained

validation_client_name "myorg"

Then ran the command again, and this time it registered successfully.

So, it appears I must render out a client.rb specifying the validation_client_name … Unless there’s some other way to do this when bootstrapping a new client.

Thanks!
kallen


#2

bump?


#3

I believe this is correct.

Can anyone tell me what I should expect regarding how validation_client_name is handled, and if there are plans to provide a cli arg to pass one in?

This would be a pretty simple patch, I think, but there are no plans to add it that I know of.
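
Since chef-client has no command-line option for the validator name, the client.rb described in post #1 can be rendered from the server URL before the first run. The script below is an added example, not code from this thread or from Chef: the function names are hypothetical, and it assumes the validator client is named `<org>-validator`, as post #1 states for "myorg".

```shell
#!/bin/sh
# Added example: render a minimal client.rb before the first chef-client run.
# Assumption: the org's validator client is "<org>-validator" (see post #1).

# Print the org short name found in a Chef 12 style server URL.
# Returns non-zero if the URL has no /organizations/<org> part.
org_from_url() {
    # Only allow characters that are safe to embed in a double-quoted
    # Ruby string, since the URL is written into client.rb verbatim.
    case "$1" in
        *[!A-Za-z0-9:/._-]*) echo "unexpected character in URL" >&2; return 1 ;;
    esac
    case "$1" in
        https://*/organizations/?*) ;;
        *) echo "no /organizations/<org> in URL: $1" >&2; return 1 ;;
    esac
    org=${1##*/organizations/}   # drop everything up to the org name
    org=${org%%/*}               # drop any trailing path
    # Conservative check on the org name itself (constructed rule).
    case "$org" in
        ''|*[!a-z0-9_-]*) echo "unexpected org name: $org" >&2; return 1 ;;
    esac
    printf '%s\n' "$org"
}

# Write a client.rb for server URL $1 to path $2.
render_client_rb() {
    url=$1
    out=$2
    org=$(org_from_url "$url") || return 1
    cat > "$out" <<EOF
chef_server_url        "$url"
validation_client_name "${org}-validator"
validation_key         "/etc/chef/validation.pem"
EOF
}

# Example call (path as used in post #1):
#   render_client_rb https://chef12.merrysamhaim.com/organizations/myorg /etc/chef/client.rb
```

A URL without an `/organizations/<org>` component is rejected rather than falling back to the default "chef-validator" name, which is the name that produced the 401 in post #1.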