Client Validation Errors - Argh!


#1

I swear that every time I install a new chef server it’s like getting a
root canal. I spend hours mucking around with validation keys, and somehow
get it to work in the end, but I don’t know how.

Running chef-client is returning:

Authentication Error:

Failed to authenticate to the chef server (http 401).

Server Response:

Failed to authenticate as 'chef-validator'. Ensure that your node_name and client key are correct.

I copied the validation key generated from running this on the server to
the client:

chef-server-ctl org-create slice "Slice Technologies" --association_user doug --filename validator

My client.rb contains:

client.rb:
ssl_verify_mode :verify_peer
log_level :info
log_location STDOUT
chef_server_url 'https://chef-003.dev.slicetest.com:443/organizations/slice'
validation_client_name 'chef-validator'
validation_key "/etc/chef/chef-validator.pem"
client_key '/etc/chef/client.pem'

The file layout is:

root@sessioncache-012:/etc/chef# ls -l
total 24
lrwxrwxrwx 1 root root 66 Jan 23 19:56 chef-validator.pem -> /etc/chef/validation_keys/validator-chef-003.dev.slicetest.com.pem
-rw-r--r-- 1 root root 326 Jan 23 20:10 client.rb
drwxr-xr-x 2 root root 4096 Jan 23 19:48 keys
-rw-r--r-- 1 root root 368 Jan 23 20:00 knife-opstool.rb
lrwxrwxrwx 1 root root 53 Jan 23 19:56 opstool.pem -> /etc/chef/keys/opstool-chef-003.dev.slicetest.com.pem
drwxr-xr-x 2 root root 4096 Jan 23 19:48 trusted_certs
drwxr-xr-x 2 root root 4096 Jan 23 20:06 validation_keys

/etc/chef
/etc/chef/keys
/etc/chef/keys/opstool-chef01.prod.slicetest.com.pem
/etc/chef/keys/opstool-chef-003.dev.slicetest.com.pem
/etc/chef/opstool.pem
/etc/chef/chef-validator.pem
/etc/chef/knife-opstool.rb
/etc/chef/client.rb
/etc/chef/trusted_certs
/etc/chef/trusted_certs/chef01.prod.slicetest.com.crt
/etc/chef/trusted_certs/chef-003.dev.slicetest.com.crt
/etc/chef/validation_keys
/etc/chef/validation_keys/validator-chef01.prod.slicetest.com.pem
/etc/chef/validation_keys/validator-chef-003.dev.slicetest.com.pem

I have eyeballed the validation key and it matches what the server
generated. The trusted cert I obtained from running knife ssl on a
different client.

Help. :frowning:

Doug.


#2

Also,

root@sessioncache-012:/etc/chef/trusted_certs# knife ssl check -c /etc/chef/knife-opstool.rb
Connecting to host chef-003.dev.slicetest.com:443
Successfully verified certificates from `chef-003.dev.slicetest.com

Doug


Regards,

Douglas Garstang
http://www.linkedin.com/in/garstang
Email: doug.garstang@gmail.com
Cell: +1-805-340-5627


#3

Apparently, the validation key is supposed to be called $org-validator.
Sigh.

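The mismatch this thread ends on can be checked mechanically: the validator client created by `chef-server-ctl org-create` is named after the organization in `chef_server_url`, so `validation_client_name` has to be `ORG-validator`. The Ruby below is an added example, not part of the original posts or of Chef itself; the function names and the sample configuration are constructed for illustration.

```ruby
require 'uri'

# Matches simple `setting 'value'` / `setting "value"` lines in client.rb.
SETTING = /\A\s*(\w+)\s+(["'])(.*?)\2/

# Read quoted string settings from client.rb text without evaluating it as Ruby.
def parse_client_rb(text)
  text.each_line.with_object({}) do |line, settings|
    next if line.lstrip.start_with?('#')
    m = SETTING.match(line)
    settings[m[1]] = m[3] if m
  end
end

# Organization short name from a .../organizations/ORG URL, or nil if absent.
def org_from_url(url)
  URI.parse(url.to_s).path.to_s[%r{/organizations/([^/]+)}, 1]
rescue URI::InvalidURIError
  nil
end

# Return a list of problems; empty means the validator name fits the org.
def validator_name_problems(text)
  cfg = parse_client_rb(text)
  org = org_from_url(cfg['chef_server_url'])
  return ['chef_server_url has no /organizations/ORG path'] unless org

  expected = "#{org}-validator"
  # chef-client falls back to 'chef-validator' when the setting is absent.
  actual = cfg.fetch('validation_client_name', 'chef-validator')
  return [] if actual == expected

  ["validation_client_name is '#{actual}', expected '#{expected}'"]
end

# Constructed sample based on the client.rb in the first post (quotes repaired).
BROKEN = <<~CONF
  chef_server_url 'https://chef-003.dev.slicetest.com:443/organizations/slice'
  validation_client_name 'chef-validator'
  validation_key "/etc/chef/chef-validator.pem"
CONF
FIXED = BROKEN.sub("'chef-validator'", "'slice-validator'")

puts validator_name_problems(BROKEN)
puts "fixed: #{validator_name_problems(FIXED).inspect}"
```
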