i’m having problems retaining the chef-validator public RSA key
across chef server builds. i want to retain this key, along with its
counterpart validation.pem which all my clients have registered
i’m building a server which can take the place of my primary chef
server in the event the primary dies. if the primary dies, i would
load the latest configs and couchdb dump onto the new one. but after
i load the couchdb dump, the resulting chef-validator public RSA key
on the new server does not match what i know to be the correct one.
(as seen with “knife client show chef-validator”).
i show my steps below. am i doing something wrong?
also, i’ll note that i’ve repeated these steps below multiple times.
usually the resulting chef-validator key is wrong, but sometimes after
it bakes, the key is right. so i’m seeing inconsistent behavior.
dump couchdb on primary chef server:
/usr/bin/couchdb-dump http://127.0.0.1:5984/chef | gzip -9c > $BACKUPDIR/chef_couchdb.$STAMP.gz
new, pristine chef server installed with opscode debs:
this removes /var/lib/couchdb/1.0.1/chef.couch:
curl -XDELETE http://127.0.0.1:5984/chef
at this point, if i try to load the couchdb dump, it won’t load, throwing
errors like “Error: (‘not_found’, ‘no_db_file’)”. i guess it needs
some kind of baseline /var/lib/couchdb/1.0.1/chef.couch. to provide
that, i start chef-server again. a new /var/lib/couchdb/1.0.1/chef.couch
is created, and with that, new RSA keypairs generated, which i ultimately
want to replace with my current established set from the priamry
now there’s have /var/lib/couchdb/1.0.1/chef.couch. but this also
provided a new chef-validator RSA keypair, which i don’t want. but
maybe the couchdb-load will overwrite it? let’s see…
couchdb-load --input=chef_couchdb.latest http://127.0.0.1:5984/chef --ignore-errors 1>couchdb-load.stdout 2>couchdb-load.stderr
copy into place the pems from the primary chef server:
cp /etc/chef/webui.pem.backup /etc/chef/webui.pem
cp /etc/chef/validation.pem.backup /etc/chef/validation.pem
fire it up:
knife client show chef-validator
… usually the key is wrong, sometimes right