How to authenticate knife with a fresh Chef 0.9.12 server


#1

Hi,
Starting with a fresh chef server (0.9.12) is it possible to
use/authenticate knife to query the server?
That is I only have the clients chef-validator and chef-webui, and the
keys on the server (via a mount)
With this knife file:
current_dir = File.dirname(__FILE__)
log_level :debug
log_location $stdout
node_name "chef-validator"
client_key "#{File.dirname(current_dir)}/etc/client.pem"
validation_key "#{File.dirname(current_dir)}/etc/validation.pem"
chef_server_url "http://localhost:4000"
cache_type 'Memory'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path ["#{current_dir}/…/cookbooks","#{current_dir}/…/site-cookbooks"]

I’m getting this error:

$ knife client list -c /tmp/chef/.chef/knife.rb
DEBUG: Using configuration from /tmp/chef/.chef/knife.rb
DEBUG: Signing the request as chef-validator
DEBUG: Sending HTTP Request via GET to localhost:4000/clients
WARN: HTTP Request Returned 401 Unauthorized: Failed to authenticate.
Ensure that your client key is valid.
/home/hedge/.rvm/rubies/ruby-1.9.2-p136/lib/ruby/1.9.1/net/http.rb:2295:in `error!': 401 "Unauthorized" (Net::HTTPServerException)

Appreciate any hints or tips.


πόλλ’ οἶδ ἀλώπηξ, ἀλλ’ ἐχῖνος ἓν μέγα
[The fox knows many things, but the hedgehog knows one big thing.]
Archilochus, Greek poet (c. 680 BC – c. 645 BC)
http://wiki.hedgehogshiatus.com


#2

The chef-webui user is the only admin that is created when the server first starts, so you want to authenticate as that user. For example, knife COMMAND -u chef-webui -k /etc/chef/webui.pem should work correctly. This is what the knife configure --initial does internally to create a new administrator for you.


Dan DeLeo


#3

Hmm, this works:
knife client list -c /tmp/chef/.chef/knife.rb

but this

knife client create monkey -f /tmp/chef/monkey.pem -c /tmp/chef/.chef/knife.rb

complains. I’m executing this using Aruba, as most are likely to if
they write feature files, so setting the Environment isn’t possible.
This is a bug right?

I’ve only been able to find this [0], which doesn’t seem related.

The workaround seems to be:

  1. Run this, using Aruba’s interactive run:
    bash -c 'EDITOR=vim knife client create monkey -f /tmp/chef/monkey.pem -c /tmp/chef/.chef/knife.rb'

  2. Using Aruba, type :q

Now you have created the client and saved the key…

Any other suggestions I’ve missed?


πόλλ’ οἶδ ἀλώπηξ, ἀλλ’ ἐχῖνος ἓν μέγα
[The fox knows many things, but the hedgehog knows one big thing.]
Archilochus, Greek poet (c. 680 BC – c. 645 BC)
http://wiki.hedgehogshiatus.com


#4

Sorry, forgot the error message:

`edit_data': Please set EDITOR environment variable (RuntimeError)
from /home/hedge/.rvm/gems/ruby-1.9.2-p136@bbb_vm_monitor/gems/chef-0.9.12/lib/chef/knife/client_create.rb:53:in `run'

πόλλ’ οἶδ ἀλώπηξ, ἀλλ’ ἐχῖνος ἓν μέγα
[The fox knows many things, but the hedgehog knows one big thing.]
Archilochus, Greek poet (c. 680 BC – c. 645 BC)
http://wiki.hedgehogshiatus.com


#5

Use --no-editor (-n for short) to turn off editing. Or you could do something crazy like set editor to a program that edits the file. But -n will suffice for most uses :wink:


Dan DeLeo


#6

Great thanks.


πόλλ’ οἶδ ἀλώπηξ, ἀλλ’ ἐχῖνος ἓν μέγα
[The fox knows many things, but the hedgehog knows one big thing.]
Archilochus, Greek poet (c. 680 BC – c. 645 BC)
http://wiki.hedgehogshiatus.com


#7

On 6 April 2011 03:28, Daniel DeLeo dan@kallistec.com wrote:

Use --no-editor (-n for short) to turn off editing. Or you could do
something crazy like set editor to a program that edits the file. But -n
will suffice for most uses :wink:

Is -n a recent(ish) improvement? I’d been using the horrible cludge of
"-e /bin/true" in some scripts, which always felt dirty …

Jonathan

Jonathan Matthews
London, UK
http://www.jpluscplusm.com/contact.html


#8

Been there forever as far as I can tell:

https://github.com/opscode/chef/blob/0.8.2/chef/lib/chef/application/knife.rb#L60-64

That's 0.8.2, Feb 2010


Dan DeLeo


#9

'--no-editor' is included in the Chef Wiki as an available subcommand -
http://wiki.opscode.com/display/chef/Knife#Knife-ContextualHelp

Thanks,

Tom Thomas | Opscode, Inc.
tom@opscode.com | (c) 206.234.1193 | www.opscode.com

On Wed, Apr 6, 2011 at 8:00 AM, Daniel DeLeo dan@kallistec.com wrote:

Been there forever as far as I can tell:

https://github.com/opscode/chef/blob/0.8.2/chef/lib/chef/application/knife.rb#L60-64

That's 0.8.2, Feb 2010


Dan DeLeo
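
The sequence the replies in this thread describe, as an added example that is not code from any poster or from Chef itself: sign one request as chef-webui to create a personal admin client non-interactively with -n, then use that client's own owner-only key instead of webui.pem. The client name alice, the ~/.chef directory, the function names and the -a (admin) flag are assumptions that do not appear in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: client name "alice",
# the ~/.chef directory, these function names, and the -a (admin) flag.
set -eu

# knife.rb in which node_name and client_key refer to the same client.
write_knife_rb() (
  dir=$1; client=$2; server_url=$3
  umask 077                         # owner-only directory and file
  mkdir -p "$dir"
  cat > "$dir/knife.rb" <<EOF
log_level        :info
log_location     \$stdout
node_name        "$client"
client_key       "$dir/$client.pem"
chef_server_url  "$server_url"
EOF
)

# One-time step: sign as chef-webui to create a personal admin client.
#   -u/-k  user and key for this request only (from the reply in the thread)
#   -n     --no-editor, so no EDITOR is needed under a test harness
#   -f     write the new private key to a file
#   -a     assumed flag: mark the new client as an admin
create_admin_client() (
  dir=$1; client=$2; webui_key=${3:-/etc/chef/webui.pem}
  umask 077
  knife client create "$client" -a -n -f "$dir/$client.pem" \
    -u chef-webui -k "$webui_key" -c "$dir/knife.rb"
)

# True only if the file grants nothing to group or others (e.g. -rw-------).
key_is_private() {
  case $(ls -ld "$1" 2>/dev/null) in
    ????------*) return 0 ;;
    *)           return 1 ;;
  esac
}

# Run as: sh bootstrap.sh bootstrap   (on a host that can read webui.pem)
if [ "${1:-}" = "bootstrap" ]; then
  dir="$HOME/.chef"
  write_knife_rb "$dir" alice http://localhost:4000
  create_admin_client "$dir" alice
  key_is_private "$dir/alice.pem" || { echo "key too permissive" >&2; exit 1; }
  knife client list -c "$dir/knife.rb"   # now signed as alice, not chef-webui
fi
```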