Node chef first run unauthorized


#1

Hi,
I have installed chef-server v12.2.0.
When I run chef-client for the first time on a new node to bootstrap it, I
get the following output:

Creating a new client identity for node01.something using the validator key.
[2015-09-16T12:01:15+02:00] INFO: Client key /etc/chef/client.pem is not present - registering
[2015-09-16T12:01:15+02:00] INFO: HTTP Request Returned 401 Unauthorized: error
================================================================================
Chef encountered an error attempting to create the client "node01.something"
================================================================================
Authentication Error:
---------------------
Failed to authenticate to the chef server (http 401).
Server Response:
----------------
Invalid signature for user or client 'ORG-validator'
Relevant Config Settings:
-------------------------
chef_server_url "https://chef.something/organizations/ORG"
validation_client_name "ORG-validator"
validation_key "/etc/chef/validation.pem"
If these settings are correct, your validation_key may be invalid.

The validation client name is the name I got when I created organization
ORG.
The validation key is the one from ORG-validator.

the client.rb looks like this:

log_level :info
log_location STDOUT
ssl_verify_mode :verify_none
chef_server_url "https://chef.something/organizations/ORG"
validation_client_name "ORG-validator"
file_backup_path "/var/lib/chef/backup"
file_cache_path "/var/cache/chef"
pid_file "/var/run/chef/client.pid"
Mixlib::Log::Formatter.show_time = true

So how do I verify that my validator key is correct or incorrect?
How do I know if something else is broken?

openssl rsa -in ORG-validator.pem -pubout
does not match:
knife client key show ORG-validator default


#2

Hi,

Did you already try resetting the validator key? If not, could you please do
that and copy the new key to the location mentioned in the knife.rb?

Vishnu.
On Sep 16, 2015 3:56 PM, “Elias Abacioglu” elias.rabi@gmail.com wrote:



#3

It worked, thanks for the suggestion.
It is kind of strange that the documented method below didn’t work
when setting up the chef server:

chef-server-ctl org-create short_name "full_organization_name" --association_user user_name --filename ORGANIZATION-validator.pem

I’ll write it off as a glitch in the matrix.

2015-09-16 12:28 GMT+02:00 vishnu g.vishnuvardhansharma@gmail.com:



#4

Hi,

I have a similar issue and even tried creating a new organization and validator file, but no luck. Can someone please help as to what else could be the issue? Knife is working fine and it's only while trying to connect a client/node that we are facing this issue.


#5

Can you paste the error log here?


#6

One key thing I noticed is that the org-validator.pem which is on the server and the one I have on the node have different MD5 checksums. I am using the following command to find that:
openssl rsa -noout -modulus -in org-validator.pem | openssl md5
Although I am copying the same .pem file from the server, when I check the checksum on the client it shows a different one.
The logs anyways are:
PS H:\.chef> chef-client -c .\client.rb
Starting Chef Client, version 12.16.42
[2017-06-19T19:13:07+10:00] INFO: *** Chef 12.16.42 ***
[2017-06-19T19:13:07+10:00] INFO: Platform: i386-mingw32
[2017-06-19T19:13:07+10:00] INFO: Chef-client pid: 118952
[2017-06-19T19:16:24+10:00] INFO: HTTP Request Returned 401 Unauthorized: error

================================================================================
Chef encountered an error attempting to load the node data for “chefpilottest”

Authentication Error:

Failed to authenticate to the chef server (http 401).

Server Response:

Failed to authenticate as ‘chefpilottest’. Ensure that your node_name and client key are correct.

Relevant Config Settings:

chef_server_url "https://chefpilot.srv.westpac.com.au/organizations/testgroup"
node_name "chefpilottest"
client_key "H:/.chef/chefpilottest.pem"

If these settings are correct, your client_key may be invalid, or
you may have a chef user with the same client name as this node.

Platform:

i386-mingw32

Running handlers:
[2017-06-19T19:16:24+10:00] ERROR: Running exception handlers
Running handlers complete
[2017-06-19T19:16:24+10:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 03 minutes 22 seconds
[2017-06-19T19:16:24+10:00] FATAL: Stacktrace dumped to C:/chef/cache/chef-stacktrace.out
[2017-06-19T19:16:24+10:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2017-06-19T19:16:24+10:00] FATAL: Net::HTTPServerException: 401 “Unauthorized”
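
Added example, not part of any post in this thread: one way to run the comparison asked about in post #1 (private key versus the public key the server holds) without depending on text output, which also applies to the checksum comparison in post #6. It hashes the DER-encoded public key instead of command text, so line endings and formatting do not affect the result. The function names are illustrative, and it assumes the output of `knife client key show` was saved to a file containing one PEM public key block.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.
# Keys are compared by SHA-256 over their DER-encoded public key, so PEM
# line endings (LF vs CRLF), indentation and text labels cannot change the result.

# Print the SHA-256 of file $1 (the hash is the last field of openssl's output).
der_sha256() {
    openssl dgst -sha256 < "$1" | awk '{print $NF}'
}

# Fingerprint of the public half of the RSA private key PEM in $1.
private_key_fp() {
    tmp=$(mktemp) || return 2
    if tr -d '\r' < "$1" | openssl rsa -pubout -outform DER > "$tmp" 2>/dev/null
    then der_sha256 "$tmp"; rc=0
    else rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Fingerprint of the public key saved in $1, e.g. the output of
# `knife client key show ORG-validator default` redirected to a file.
# Assumption: the file holds one PEM public key block; text around it is ignored.
public_key_fp() {
    tmp=$(mktemp) || return 2
    if tr -d '\r' < "$1" \
        | sed -n -e 's/^.*\(-----BEGIN \)/\1/' -e 's/^[[:space:]]*//' \
              -e '/^-----BEGIN /,/^-----END /p' \
        | openssl rsa -pubin -outform DER > "$tmp" 2>/dev/null
    then der_sha256 "$tmp"; rc=0
    else rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Exit status: 0 = private key $1 matches public key $2, 1 = mismatch,
# 2 = one of the files could not be parsed as an RSA key.
validator_key_matches() {
    priv=$(private_key_fp "$1") || return 2
    pub=$(public_key_fp "$2") || return 2
    [ "$priv" = "$pub" ]
}
```

After sourcing the file, `validator_key_matches /etc/chef/validation.pem saved-key.txt` returns 0 only when the node's validation key corresponds to the public key saved from the server; `saved-key.txt` is a placeholder name.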


#7

Did you copy the correct pem file? Also try to ping the chef server URL from the node. If it is not pinging, add an entry in /etc/hosts with the chef server IP and hostname.


#8

Yes the pem file is the correct one. I am able to run workstation using knife on the same machine but not able to register as client.


#9

Did you install chef-server and workstation on the same machine?


#10

Nope. My chef server is a Linux machine. I am rather trying to use a Windows box both as client and workstation.