I swear that every time I install a new chef server it’s like getting a
root canal. I spend hours mucking around with validation keys, and somehow
get it to work in the end, but I don’t know how.
Running chef-client is returning:
    Authentication Error:
    Failed to authenticate to the chef server (http 401).
    Server Response:
    Failed to authenticate as 'chef-validator'. Ensure that your node_name and client key are correct.
I copied the validation key generated from running this on the server to
the client:
    chef-server-ctl org-create slice "Slice Technologies" --association_user doug --filename validator
My client.rb contains:
client.rb:
    ssl_verify_mode :verify_peer
    log_level :info
    log_location STDOUT
    chef_server_url 'https://chef-003.dev.slicetest.com:443/organizations/slice'
    validation_client_name 'chef-validator'
    validation_key "/etc/chef/chef-validator.pem"
    client_key '/etc/chef/client.pem'
The file layout is:
    root@sessioncache-012:/etc/chef# ls -l
    total 24
    lrwxrwxrwx 1 root root 66 Jan 23 19:56 chef-validator.pem -> /etc/chef/validation_keys/validator-chef-003.dev.slicetest.com.pem
    -rw-r--r-- 1 root root 326 Jan 23 20:10 client.rb
    drwxr-xr-x 2 root root 4096 Jan 23 19:48 keys
    -rw-r--r-- 1 root root 368 Jan 23 20:00 knife-opstool.rb
    lrwxrwxrwx 1 root root 53 Jan 23 19:56 opstool.pem -> /etc/chef/keys/opstool-chef-003.dev.slicetest.com.pem
    drwxr-xr-x 2 root root 4096 Jan 23 19:48 trusted_certs
    drwxr-xr-x 2 root root 4096 Jan 23 20:06 validation_keys
    /etc/chef
    /etc/chef/keys
    /etc/chef/keys/opstool-chef01.prod.slicetest.com.pem
    /etc/chef/keys/opstool-chef-003.dev.slicetest.com.pem
    /etc/chef/opstool.pem
    /etc/chef/chef-validator.pem
    /etc/chef/knife-opstool.rb
    /etc/chef/client.rb
    /etc/chef/trusted_certs
    /etc/chef/trusted_certs/chef01.prod.slicetest.com.crt
    /etc/chef/trusted_certs/chef-003.dev.slicetest.com.crt
    /etc/chef/validation_keys
    /etc/chef/validation_keys/validator-chef01.prod.slicetest.com.pem
    /etc/chef/validation_keys/validator-chef-003.dev.slicetest.com.pem
I have eyeballed the validation key and it matches what the server
generated. The trusted cert I obtained from running knife ssl on a
different client.
Help.
Doug.
Also,
    root@sessioncache-012:/etc/chef/trusted_certs# knife ssl check -c /etc/chef/knife-opstool.rb
    Connecting to host chef-003.dev.slicetest.com:443
    Successfully verified certificates from `chef-003.dev.slicetest.com'
Doug
On Fri, Jan 23, 2015 at 12:16 PM, Douglas Garstang doug.garstang@gmail.com
wrote:
--
Regards,
Douglas Garstang
http://www.linkedin.com/in/garstang
Email: doug.garstang@gmail.com
Cell: +1-805-340-5627
Apparently, the validation key is supposed to be called $org-validator.
Sigh.
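The mismatch this thread ends on can be caught before chef-client ever contacts the server. The following is an added example, not code from the thread or from Chef: it reads client.rb as text and compares validation_client_name with the organization in chef_server_url. The helper names (setting, check_validator) are hypothetical, and the `<org>-validator` naming rule is taken from the final message above.

```ruby
# Added example (not from the thread). Assumption: with an organization in
# chef_server_url, the validator client is "<org>-validator".
DEFAULT_VALIDATOR = 'chef-validator' # chef-client default when unset

# Read a quoted `key 'value'` setting from client.rb text without evaluating
# it as Ruby. The last assignment wins, as it would when Chef loads the file.
def setting(config_text, key)
  pattern = /^\s*#{Regexp.escape(key)}\s+["']([^"']*)["']/
  config_text.each_line
             .reject { |l| l.strip.start_with?('#') }
             .map { |l| l[pattern, 1] }
             .compact
             .last
end

# Compare validation_client_name with the org named in chef_server_url.
def check_validator(config_text)
  url = setting(config_text, 'chef_server_url').to_s
  org = url[%r{/organizations/([^/?#\s]+)}, 1]
  configured = setting(config_text, 'validation_client_name') || DEFAULT_VALIDATOR
  expected = org ? "#{org}-validator" : DEFAULT_VALIDATOR
  { org: org, configured: configured, expected: expected,
    ok: configured == expected }
end

# client.rb from the post (URL joined onto one line, quotes normalized).
CLIENT_RB_FROM_POST = <<~'CONF'
  ssl_verify_mode :verify_peer
  log_level :info
  log_location STDOUT
  chef_server_url 'https://chef-003.dev.slicetest.com:443/organizations/slice'
  validation_client_name 'chef-validator'
  validation_key "/etc/chef/chef-validator.pem"
  client_key '/etc/chef/client.pem'
CONF

# Constructed variant with the name the thread arrives at.
CLIENT_RB_FIXED = CLIENT_RB_FROM_POST.sub("'chef-validator'", "'slice-validator'")

if __FILE__ == $PROGRAM_NAME
  [CLIENT_RB_FROM_POST, CLIENT_RB_FIXED].each do |conf|
    r = check_validator(conf)
    status = r[:ok] ? 'OK' : 'MISMATCH'
    puts "#{status}: configured=#{r[:configured]} expected=#{r[:expected]}"
  end
end
```

The check only confirms that the name lines up with the URL; whether the key file itself matches the server's copy still has to be verified separately.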