Problems retaining the chef-validator public RSA key


#1

hiya,

i’m having problems retaining the chef-validator public RSA key
across chef server builds. i want to retain this key, along with its
counterpart validation.pem which all my clients have registered
themselves with.

i’m building a server which can take the place of my primary chef
server in the event the primary dies. if the primary dies, i would
load the latest configs and couchdb dump onto the new one. but after
i load the couchdb dump, the resulting chef-validator public RSA key
on the new server does not match what i know to be the correct one.
(as seen with “knife client show chef-validator”).

i show my steps below. am i doing something wrong?

also, i’ll note that i’ve repeated these steps below multiple times.
usually the resulting chef-validator key is wrong, but sometimes after
it bakes, the key is right. so i’m seeing inconsistent behavior.

dump couchdb on primary chef server:
/usr/bin/couchdb-dump http://127.0.0.1:5984/chef | gzip -9c > $BACKUPDIR/chef_couchdb.$STAMP.gz

new, pristine chef server installed with opscode debs:

/etc/init.d/chef-server stop

this removes /var/lib/couchdb/1.0.1/chef.couch:
curl -XDELETE http://127.0.0.1:5984/chef

at this point, if i try to load the couchdb dump, it won’t load, throwing
errors like “Error: (‘not_found’, ‘no_db_file’)”. i guess it needs
some kind of baseline /var/lib/couchdb/1.0.1/chef.couch. to provide
that, i start chef-server again. a new /var/lib/couchdb/1.0.1/chef.couch
is created, and with that, new RSA keypairs generated, which i ultimately
want to replace with my current established set from the primary
chef-server.

/etc/init.d/chef-server start
/etc/init.d/chef-server stop

now there’s a /var/lib/couchdb/1.0.1/chef.couch. but this also
provided a new chef-validator RSA keypair, which i don’t want. but
maybe the couchdb-load will overwrite it? let’s see…

couchdb-load --input=chef_couchdb.latest http://127.0.0.1:5984/chef --ignore-errors 1>couchdb-load.stdout 2>couchdb-load.stderr

copy into place the pems from the primary chef server:

cp /etc/chef/webui.pem.backup /etc/chef/webui.pem
cp /etc/chef/validation.pem.backup /etc/chef/validation.pem

fire it up:

/etc/init.d/chef-server start

knife client show chef-validator
… usually the key is wrong, sometimes right

tia,
kallen


#2

On 22 February 2012 13:04, kallen@groknaut.net wrote:

at this point, if i try to load the couchdb dump, it won’t load, throwing
errors like “Error: (‘not_found’, ‘no_db_file’)”. i guess it needs
some kind of baseline /var/lib/couchdb/1.0.1/chef.couch. to provide

the problem is here where you start the Chef Server

Instead of doing that, do a

curl -XPUT http://127.0.0.1:5984/chef/

Then load the couchdb dump. This will prevent the chef server from
initializing an empty database with a new validator and webui client.

HTH

–AJ

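The thread's symptom is that the server's chef-validator key "usually" differs from the validation.pem the clients hold. The following check is an added example, not code from the thread or from Chef: it reads validation.pem and the saved output of `knife client show chef-validator` and compares the RSA moduli, so it works whether the server prints a PKCS#1 "RSA PUBLIC KEY" block or an SPKI "PUBLIC KEY" block (which is why a plain text diff against `openssl rsa -pubout` output is not reliable). It is stdlib-only; `toy_pem` exists only to build constructed sample keys for exercising the check offline.

```python
import base64
import re

def _der_read(buf):
    """Decode one DER TLV: returns (tag, value, remaining_bytes)."""
    tag, ln, i = buf[0], buf[1], 2
    if ln & 0x80:  # long-form length, as real RSA keys use
        k = ln & 0x7F
        ln, i = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[i:i + ln], buf[i + ln:]

def _seq_items(buf):
    """Return the (tag, value) elements of a DER SEQUENCE."""
    tag, body, _ = _der_read(buf)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    items = []
    while body:
        t, v, body = _der_read(body)
        items.append((t, v))
    return items

def pem_blocks(text):
    """Yield (label, der_bytes) for each PEM block in text, e.g. knife output."""
    for m in re.finditer(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text, re.S):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))

def rsa_modulus(label, der):
    """Extract the modulus n from a PKCS#1 private key, PKCS#1 public key or SPKI block."""
    items = _seq_items(der)
    if label == "RSA PRIVATE KEY":  # PKCS#1 RSAPrivateKey: version, n, e, d, p, q, ...
        return int.from_bytes(items[1][1], "big")
    if label == "RSA PUBLIC KEY":  # PKCS#1 RSAPublicKey: n, e
        return int.from_bytes(items[0][1], "big")
    if label == "PUBLIC KEY":  # SPKI: AlgorithmIdentifier, BIT STRING wrapping RSAPublicKey
        return int.from_bytes(_seq_items(items[1][1][1:])[0][1], "big")  # [1:] skips unused-bits byte
    raise ValueError("unsupported PEM block: " + label)

def keys_match(validation_pem, knife_output):
    """True iff the private key in validation.pem and the key the server shows share a modulus."""
    priv = [rsa_modulus(l, d) for l, d in pem_blocks(validation_pem)]
    pub = [rsa_modulus(l, d) for l, d in pem_blocks(knife_output)]
    return bool(priv) and bool(pub) and priv[0] == pub[0]

def toy_pem(label, *ints):
    """CONSTRUCTED sample only: DER-encode small INTEGERs into a PEM block so the check can run offline."""
    enc = lambda v: b"\x02" + bytes([(v.bit_length() + 8) // 8]) + v.to_bytes((v.bit_length() + 8) // 8, "big")
    body = b"".join(enc(v) for v in ints)
    der = b"\x30" + bytes([len(body)]) + body  # short-form length is enough for toy sizes
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der).decode(), label)
```

Run `keys_match(open("/etc/chef/validation.pem").read(), open("knife-validator.txt").read())` after the restore; the same check against webui.pem and `knife client show chef-webui` covers the other key the empty-database initialisation regenerates.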


#3

::happy rawr!:: that works. thanks!!

On Wed, 22 Feb 2012, AJ Christensen wrote:

the problem is here where you start the Chef Server

Instead of doing that, do a

curl -XPUT http://127.0.0.1:5984/chef/

Then load the couchdb dump. This will prevent the chef server from
initializing an empty database with a new validator and webui client

HTH

–AJ

that, i start chef-server again. a new /var/lib/couchdb/1.0.1/chef.couch
is created, and with that, new RSA keypairs generated, which i ultimately
want to replace with my current established set from the priamry
chef-server.

/etc/init.d/chef-server start
/etc/init.d/chef-server stop

now there’s have /var/lib/couchdb/1.0.1/chef.couch. but this also
provided a new chef-validator RSA keypair, which i don’t want. but
maybe the couchdb-load will overwrite it? let’s see…

couchdb-load --input=chef_couchdb.latest http://127.0.0.1:5984/chef --ignore-errors 1>couchdb-load.stdout 2>couchdb-load.stderr

copy into place the pems from the primary chef server:

cp /etc/chef/webui.pem.backup /etc/chef/webui.pem
cp /etc/chef/validation.pem.backup /etc/chef/validation.pem

fire it up:

/etc/init.d/chef-server start

knife client show chef-validator
… usually the key is wrong, sometimes right

tia,
kallen


#4

it would be great if you get this process working well to have it
documented on the wiki!

Cheers,

AJ

On 22 February 2012 13:48, kallen@groknaut.net wrote:

::happy rawr!:: that works. thanks!!



#5

On Wed, 22 Feb 2012, AJ Christensen wrote:

it would be great if you get this process working well to have it
documented on the wiki!

are there any “how to contribute” rules for contributing to the wiki?
and, is there a way i can create scratch space in the wiki for creating
a draft of the document when i get to it? i like making drafts, asking
for feedback.



#6

Yo,

On 22 February 2012 13:53, kallen@groknaut.net wrote:

are there any “how to contribute” rules for contributing to the wiki?
and, is there a way i can create scratch space in the wiki for creating
a draft of the document when i get to it? i like making drafts, asking
for feedback.

Not that I’m aware of, it’s a wiki, so go to town! If you edit shit
and people don’t like it, I’m sure they’ll tell you.

You can create a personal space, like mine:
http://wiki.opscode.com/display/~aj/Home

Just push your name at the top right hand corner, ‘create personal
space’. Have fun!

p.s. confluence-mode for emacs is great

–AJ
