Problems specifying validation.pem for restored chef server


#1

hi

is there anything special i need to do to get my new chef server to use
the validation.pem and webui.pem i “tell” it to use? here’s what i’m doing:

/etc/init.d/chef-server stop

curl -XDELETE http://127.0.0.1:5984/chef

{"ok":true}

cp /tmp/validation.pem.from-backup /etc/chef/validation.pem

cp /tmp/webui.pem.from-backup /etc/chef/webui.pem

/etc/init.d/chef-server start

but… it creates new keys anyway:

[Tue, 07 Feb 2012 22:19:25 +0000] INFO: Creating validation key…
[Tue, 07 Feb 2012 22:19:25 +0000] INFO: Creating new key pair for chef-webui

what to do?

my goal is to be able to bring up a chef server from backups in case of
emergency.

kallen


#2

On 8 February 2012 11:27, kallen@groknaut.net wrote:

> hi
>
> is there anything special i need to do to get my new chef server to use
> the validation.pem and webui.pem i “tell” it to use? here’s what i’m doing:
>
> /etc/init.d/chef-server stop
>
> curl -XDELETE http://127.0.0.1:5984/chef
>
> {"ok":true}
>
> cp /tmp/validation.pem.from-backup /etc/chef/validation.pem
>
> cp /tmp/webui.pem.from-backup /etc/chef/webui.pem
>
> /etc/init.d/chef-server start
>
> but… it creates new keys anyway:
>
> [Tue, 07 Feb 2012 22:19:25 +0000] INFO: Creating validation key…
> [Tue, 07 Feb 2012 22:19:25 +0000] INFO: Creating new key pair for chef-webui
>
> what to do?
>
> my goal is to be able to bring up a chef server from backups in case of
> emergency.

Yo,

Like I mentioned in IRC, if you want to bring your chef-server back
from a backup, you’ll need to have backups of the Chef couchdb
database. Chef stores the public keys in the database as part of the
Authentication system.

Restoring the database before starting the chef-server processes
should cause it to not recreate the webui or validation clients,
allowing you to reuse your old private keys.

It’s been years since I’ve tried to do this, but I’m sure others have
performed the task recently.

–AJ

kallen


#3

On Wed, 08 Feb 2012, AJ Christensen wrote:

> On 8 February 2012 11:27, kallen@groknaut.net wrote:
>
> > is there anything special i need to do to get my new chef server to use
> > the validation.pem and webui.pem i “tell” it to use? here’s what i’m doing:
> >
> > /etc/init.d/chef-server stop
> >
> > curl -XDELETE http://127.0.0.1:5984/chef
> >
> > {"ok":true}
> >
> > cp /tmp/validation.pem.from-backup /etc/chef/validation.pem
> >
> > cp /tmp/webui.pem.from-backup /etc/chef/webui.pem
> >
> > /etc/init.d/chef-server start
> >
> > but… it creates new keys anyway:
> >
> > [Tue, 07 Feb 2012 22:19:25 +0000] INFO: Creating validation key…
> > [Tue, 07 Feb 2012 22:19:25 +0000] INFO: Creating new key pair for chef-webui
> >
> > what to do?
> >
> > my goal is to be able to bring up a chef server from backups in case of
> > emergency.
>
> Yo,
>
> Like I mentioned in IRC, if you want to bring your chef-server back
> from a backup, you’ll need to have backups of the Chef couchdb
> database. Chef stores the public keys in the database as part of the
> Authentication system.
>
> Restoring the database before starting the chef-server processes
> should cause it to not recreate the webui or validation clients,
> allowing you to reuse your old private keys.
>
> It’s been years since I’ve tried to do this, but I’m sure others have
> performed the task recently.

ah. restoring the couchdb from backup is the part i missed. i got it
to work, but i have questions:

  • i was not able to couchdb-load immediately after deleting the fresh
    chef couchdb. i had to start chef-server to cause a fresh one to be
    created. what to do?

  • i wasn’t able to couchdb-load without using --ignore-errors. is that
    expected? safe?

here’s what i did:

btw, my couchdb dumps are created like so:
couchdb-dump http://127.0.0.1:5984/chef | gzip -9c > BACKUPDIR/chef.$(date +%F).couchdb.gz

on brand new chef server:

/etc/init.d/chef-server stop

curl -XDELETE http://127.0.0.1:5984/chef

{"ok":true}

couchdb-load --input=/tmp/chef.2012-02-07.couchdb http://127.0.0.1:5984/chef

Loading document '000657bb-31cb-4d01-bce5-b8da60c7c0fd'
Traceback (most recent call last):
[snip]
couchdb.http.ResourceNotFound: ('not_found', 'no_db_file')

i guess that’s because there’s no /var/lib/couchdb/1.0.1/chef.couch file.
how do i make one without firing up the chef-server?

i fire it up again, knowing it’ll create validation and webui keys:

/etc/init.d/chef-server start

now we have /var/lib/couchdb/1.0.1/chef.couch

/etc/init.d/chef-server stop

couchdb-load --input=/tmp/chef.2012-02-07.couchdb http://127.0.0.1:5984/chef

[snip]Loading document '9ffe08eb-9497-45a7-8a67-7fc2650ed92e'
Loading document '_design/checksums'
Traceback (most recent call last):
  File "/usr/bin/couchdb-load", line 9, in <module>
    load_entry_point('CouchDB==0.8', 'console_scripts', 'couchdb-load')()
  File "/usr/lib/pymodules/python2.7/couchdb/tools/load.py", line 87, in main
    password=options.password, ignore_errors=options.ignore_errors)
  File "/usr/lib/pymodules/python2.7/couchdb/tools/load.py", line 50, in load_db
    db[docid] = doc
  File "/usr/lib/pymodules/python2.7/couchdb/client.py", line 333, in __setitem__
    status, headers, data = self.resource.put_json(id, body=content)
  File "/usr/lib/pymodules/python2.7/couchdb/http.py", line 405, in put_json
    status, headers, data = self.put(*a, **k)
  File "/usr/lib/pymodules/python2.7/couchdb/http.py", line 384, in put
    return self._request('PUT', path, body=body, headers=headers, **params)
  File "/usr/lib/pymodules/python2.7/couchdb/http.py", line 419, in _request
    credentials=self.credentials)
  File "/usr/lib/pymodules/python2.7/couchdb/http.py", line 306, in request
    raise ResourceConflict(error)
couchdb.http.ResourceConflict: ('conflict', 'Document update conflict.')

couchdb-load --input=/tmp/chef.2012-02-07.couchdb http://127.0.0.1:5984/chef --ignore-errors

… loads successfully

cp /tmp/validation.pem.backup /etc/chef/validation.pem

cp /tmp/webui.pem.backup /etc/chef/webui.pem

/etc/init.d/chef-server start

chef server log gives no indication new keys were generated. yay \o/
using the contents of my ~/.chef from the original chef server:

kallen@cheftain03:~$ knife client list
… lovely output

JFWs. yay.
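As an added example (editor's code, not from the thread, Chef or CouchDB), here is the restore AJ describes written as a Ruby script that also answers the two open questions from the last message. CouchDB's plain HTTP API creates an empty database with PUT /chef, so couchdb-load has somewhere to write without chef-server ever being started; and because the dump is loaded into an empty database there is nothing for it to conflict with, so --ignore-errors is not needed. The update conflicts above came from loading over a database the fresh server had already populated, and --ignore-errors only skips the conflicting documents: the load never deletes anything, so the validator and webui clients a prematurely started server generated under their own document IDs stay in the database next to the restored ones. The script therefore checks, before starting chef-server, that each private key on disk matches exactly one client document's public key. Assumed, and not taken from the thread: CouchDB at http://127.0.0.1:5984 with no authentication, the database name chef, couchdb-load on PATH, backups named /tmp/<file>.from-backup as in the thread's cp lines, and client documents shaped as Chef 0.10's Chef::ApiClient serialises them (json_class, clientname, public_key). Run with no arguments it exercises the key check on constructed documents; with a dump path it performs the restore.

```ruby
#!/usr/bin/env ruby
# Added example, not Chef's or CouchDB's own tooling: restore a Chef 0.10
# server's CouchDB database and private keys from backup, then verify the
# keys on disk match the public keys in the restored client documents
# before chef-server is started.
#
# Assumptions (not from the thread): CouchDB at http://127.0.0.1:5984 with
# no authentication, database name "chef", couchdb-load on PATH, backups
# named /tmp/<file>.from-backup, and client documents shaped as Chef 0.10's
# Chef::ApiClient serialises them (json_class, clientname, public_key).
require 'fileutils'
require 'json'
require 'net/http'
require 'openssl'
require 'uri'

COUCH      = 'http://127.0.0.1:5984'
DB         = 'chef'
BACKUP_DIR = '/tmp'
KEYS       = { 'chef-validator' => '/etc/chef/validation.pem',
               'chef-webui'     => '/etc/chef/webui.pem' }.freeze

# Plain CouchDB HTTP API: DELETE drops a database, PUT creates an empty one,
# so there is no need to start chef-server just to get a chef.couch file.
def couch(method, path)
  uri = URI("#{COUCH}#{path}")
  req = Net::HTTP.const_get(method).new(uri)
  req.body = '' if req.request_body_permitted?   # PUT with an empty body
  res = Net::HTTP.start(uri.host, uri.port) { |h| h.request(req) }
  [res.code.to_i, JSON.parse(res.body)]
end

# True when the private key and the stored public key share modulus and
# exponent; parsing both sides avoids false mismatches from PEM wrapping.
def key_matches?(private_pem, stored_public_pem)
  priv = OpenSSL::PKey::RSA.new(private_pem)
  pub  = OpenSSL::PKey::RSA.new(stored_public_pem)
  priv.n == pub.n && priv.e == pub.e
end

# Every client document with this name from _all_docs?include_docs=true rows.
# An Array, not a single doc: a server started before the load keeps the
# client it generated (under its own UUID) next to the restored one.
def client_docs(rows, name)
  rows.map { |r| r['doc'] }.compact.select do |d|
    d['json_class'] == 'Chef::ApiClient' && d['clientname'] == name
  end
end

# Map client name -> :ok | :missing | :duplicate | :mismatch, given the
# private key PEM text for each client.
def check_keys(rows, private_pems)
  private_pems.map do |client, pem|
    docs = client_docs(rows, client)
    status = if docs.empty? then :missing
             elsif docs.size > 1 then :duplicate
             elsif key_matches?(pem, docs.first['public_key']) then :ok
             else :mismatch
             end
    [client, status]
  end.to_h
end

def restore!(dump_path)
  system('/etc/init.d/chef-server', 'stop')
  couch(:Delete, "/#{DB}")                       # a 404 here is fine
  code, body = couch(:Put, "/#{DB}")             # empty database, 201 on success
  abort "could not create #{DB}: #{body}" unless code == 201
  # Loading into an empty database leaves nothing to conflict with, so no
  # --ignore-errors; a failure here is a failure, not something to skip.
  system('couchdb-load', "--input=#{dump_path}", "#{COUCH}/#{DB}") or abort 'couchdb-load failed'
  KEYS.each_value do |path|
    FileUtils.cp(File.join(BACKUP_DIR, "#{File.basename(path)}.from-backup"), path)
    FileUtils.chmod(0o600, path)                 # private keys: owner-only
  end
  _, body = couch(:Get, "/#{DB}/_all_docs?include_docs=true")
  report = check_keys(body['rows'], KEYS.transform_values { |p| File.read(p) })
  report.each { |client, status| puts "#{client}: #{status}" }
  abort 'keys on disk do not match the restored database; not starting' unless report.values.all?(:ok)
  system('/etc/init.d/chef-server', 'start')
end

# Offline demo on constructed documents: a matching validator, a webui client
# duplicated as a premature start leaves it, and a key with no client at all.
def demo
  k = OpenSSL::PKey::RSA.new(2048)
  client = lambda do |id, name, key|
    { 'id' => id, 'doc' => { 'json_class' => 'Chef::ApiClient', 'chef_type' => 'client',
                             'clientname' => name, 'public_key' => key.public_key.to_pem } }
  end
  rows = [client.call('000657bb', 'chef-validator', k),
          client.call('9ffe08eb', 'chef-webui', k),
          client.call('fresh-uuid', 'chef-webui', OpenSSL::PKey::RSA.new(2048)),
          { 'id' => '_design/checksums', 'doc' => { 'views' => {} } }]
  check_keys(rows, 'chef-validator' => k.to_pem, 'chef-webui' => k.to_pem, 'admin' => k.to_pem)
end

if __FILE__ == $0
  ARGV.size == 1 ? restore!(ARGV[0]) : demo.each { |c, s| puts "#{c}: #{s}" }
end
```

A :duplicate result is the signature of the sequence in the message above (start the fresh server, then load with --ignore-errors): the restored validator and the freshly generated one both sit in the database, and which one the server honours depends on its views, so the safe move is to delete the server-generated document rather than start and hope.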