Question about new client registration for VM


#1

Hi!

I’m trying to register a Virtual Machine as new node. As we know -
chef-client sends up the validation.pem to download a new client.pem
file and register itself as a new node…

An error occurs at the point where the client is expecting to receive
its new client.pem file from the server:

“/var/lib/gems/1.8/gems/chef-0.9.12/bin/…/lib/chef/rest.rb:80:in
`register’: The response from the server did not include a private
key! (Chef::Exceptions::CannotWritePrivateKey)”

Full log:

Could this be because the chef server thinks the node is already
registered (because the host node shares the same IP address as the
Virtual Machine)?

Regards

dreamcat4
dreamcat4@gmail.com


#2

On Thu, Nov 11, 2010 at 12:14 PM, Dreamcat4 dreamcat4@gmail.com wrote:

Hi!

I’m trying to register a Virtual Machine as new node. As we know -
chef-client sends up the validation.pem to download a new client.pem
file and register itself as a new node…

An error occurs at the point where the client is expecting to receive
its new client.pem file from the server:

“/var/lib/gems/1.8/gems/chef-0.9.12/bin/…/lib/chef/rest.rb:80:in
`register’: The response from the server did not include a private
key! (Chef::Exceptions::CannotWritePrivateKey)”

Full log:
https://gist.github.com/669039

Could this be because the chef server thinks the node is already
registered (because the host node shares the same IP address as the
Virtual Machine)?

Another thing…

In the mean time (as a work-around) I can create new VM nodes manually
with “knife create client && knife create node”.

Then copy over the client.pem file into the Virtual Machine. However
creating a node in that manner seems not to be ideal. All the Ohai
attributes are missing. They are never uploaded / synced to the
chef-server. Only the original attributes get updated (the run_list,
node_name).

However I think thats an entirely different issue to the original
problem. They’re missing probably just as only existing json
attributes are being synced / updated. For my manually created nodes -
by default do not start life with the ohai attributes. So no FQDN,
uptime, ohai_time or anything else… :frowning:

Anyway. It would be great to better understand the initial problem
regarding downloading the client.pem. I.e - Whats happening during the
client validation / handshake. However its proving rather tough-going
for me with all that encryption / security stuff going on in there! -
Any help appreciated :slight_smile:

Regards

dreamcat4
dreamcat4@gmail.com


#3

Perhaps this happens:

chef-server-api/app/controllers/clients.rb:

POST /clients

def create
params[:name] ||= params[:inflated_object].name

begin
  Chef::ApiClient.cdb_load(params[:name])
rescue Chef::Exceptions::CouchDBNotFound
  exists = false
end
raise Conflict, "Client already exists" if exists

Although not 100% sure, i’m guessing that params[:name] comes from
node_name in chef-client’s POST request:

#
# === Returns
# rest<Chef::REST>:: returns Chef::REST connection object
def register
  if File.exists?(Chef::Config[:client_key])
    Chef::Log.debug("Client key #{Chef::Config[:client_key]} is

present - skipping registration")
else
Chef::Log.info(“Client key #{Chef::Config[:client_key]} is not
present - registering”)
Chef::REST.new(Chef::Config[:client_url],
Chef::Config[:validation_client_name],
Chef::Config[:validation_key]).register(node_name,
Chef::Config[:client_key])
end
# We now have the client key, and should use it from now on.
self.rest = Chef::REST.new(Chef::Config[:chef_server_url],
node_name, Chef::Config[:client_key])
end

So… it would seem that perhaps my initial assumption about the ip
address was unfounded. Node_name might not be getting set correctly,
or is an empty string “”, etc, some other problem. Some of extra
logging won’t hurt, should help to figure it out.

On Thu, Nov 11, 2010 at 12:16 PM, Dreamcat4 dreamcat4@gmail.com wrote:

On Thu, Nov 11, 2010 at 12:14 PM, Dreamcat4 dreamcat4@gmail.com wrote:

Hi!

I’m trying to register a Virtual Machine as new node. As we know -
chef-client sends up the validation.pem to download a new client.pem
file and register itself as a new node…

An error occurs at the point where the client is expecting to receive
its new client.pem file from the server:

“/var/lib/gems/1.8/gems/chef-0.9.12/bin/…/lib/chef/rest.rb:80:in
`register’: The response from the server did not include a private
key! (Chef::Exceptions::CannotWritePrivateKey)”

Full log:
https://gist.github.com/669039

Could this be because the chef server thinks the node is already
registered (because the host node shares the same IP address as the
Virtual Machine)?

Another thing…

In the mean time (as a work-around) I can create new VM nodes manually
with “knife create client && knife create node”.

Then copy over the client.pem file into the Virtual Machine. However
creating a node in that manner seems not to be ideal. All the Ohai
attributes are missing. They are never uploaded / synced to the
chef-server. Only the original attributes get updated (the run_list,
node_name).

However I think thats an entirely different issue to the original
problem. They’re missing probably just as only existing json
attributes are being synced / updated. For my manually created nodes -
by default do not start life with the ohai attributes. So no FQDN,
uptime, ohai_time or anything else… :frowning:

Anyway. It would be great to better understand the initial problem
regarding downloading the client.pem. I.e - Whats happening during the
client validation / handshake. However its proving rather tough-going
for me with all that encryption / security stuff going on in there! -
Any help appreciated :slight_smile:

Regards

dreamcat4
dreamcat4@gmail.com


#4

On Thu, Nov 11, 2010 at 12:14 PM, Dreamcat4 dreamcat4@gmail.com wrote:

Hi!

I’m trying to register a Virtual Machine as new node. As we know -
chef-client sends up the validation.pem to download a new client.pem
file and register itself as a new node…

An error occurs at the point where the client is expecting to receive
its new client.pem file from the server:

“/var/lib/gems/1.8/gems/chef-0.9.12/bin/…/lib/chef/rest.rb:80:in
`register’: The response from the server did not include a private
key! (Chef::Exceptions::CannotWritePrivateKey)”

Full log:
https://gist.github.com/669039

Well…
It turns out this message was the outcome after opscode servers had
returned back to chef-client a 301 redirect error.

janitors-Mac-mini:vagrant-node id$ curl --data-ascii “” --post301
api.opscode.com:80/organizations/dreamcat4/clients

301 Moved Permanently

301 Moved Permanently


nginx/0.8.33

Initially it was difficult to find any reason for this. But just
looked in the client.rb file…

It says:
chef_server_url “http://api.opscode.com/organizations/dreamcat4

But it should have been:
chef_server_url “https://api.opscode.com/organizations/dreamcat4

So that was the reason for getting back a 301 redirect from nginx. Phew!

Very pleased to say new node registration is all working fine now.

Regards

dreamcat4
dreamcat4@gmail.com


#5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

I have submitted a pull request with a minor documentation fix to Vagrant for this issue. Others have run into it as well.

Thanks!

On Nov 14, 2010, at 8:25 AM, Dreamcat4 wrote:

On Thu, Nov 11, 2010 at 12:14 PM, Dreamcat4 dreamcat4@gmail.com wrote:

Hi!

I’m trying to register a Virtual Machine as new node. As we know -
chef-client sends up the validation.pem to download a new client.pem
file and register itself as a new node…

An error occurs at the point where the client is expecting to receive
its new client.pem file from the server:

“/var/lib/gems/1.8/gems/chef-0.9.12/bin/…/lib/chef/rest.rb:80:in
`register’: The response from the server did not include a private
key! (Chef::Exceptions::CannotWritePrivateKey)”

Full log:
https://gist.github.com/669039

Well…
It turns out this message was the outcome after opscode servers had
returned back to chef-client a 301 redirect error.

janitors-Mac-mini:vagrant-node id$ curl --data-ascii “” --post301
api.opscode.com:80/organizations/dreamcat4/clients

301 Moved Permanently

301 Moved Permanently


nginx/0.8.33

Initially it was difficult to find any reason for this. But just
looked in the client.rb file…

It says:
chef_server_url “http://api.opscode.com/organizations/dreamcat4

But it should have been:
chef_server_url “https://api.opscode.com/organizations/dreamcat4

So that was the reason for getting back a 301 redirect from nginx. Phew!

Very pleased to say new node registration is all working fine now.

Regards

dreamcat4
dreamcat4@gmail.com


Opscode, Inc
Joshua Timberman, Technical Evangelist
IRC, Skype, Twitter, Github: jtimberman

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAkzgGAIACgkQO97WSdVpzT2jzgCeMPoK850O8Ti932E4yYd6HrPq
G8UAn034oYAur4MC1D8eW1XcUQIUXZmc
=8+0y
-----END PGP SIGNATURE-----


#6

On Sun, Nov 14, 2010 at 5:10 PM, Joshua Timberman joshua@opscode.com wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

I have submitted a pull request with a minor documentation fix to Vagrant for this issue. Others have run into it as well.

Thanks JT!

Thanks!

On Nov 14, 2010, at 8:25 AM, Dreamcat4 wrote:

On Thu, Nov 11, 2010 at 12:14 PM, Dreamcat4 dreamcat4@gmail.com wrote:

Hi!

I’m trying to register a Virtual Machine as new node. As we know -
chef-client sends up the validation.pem to download a new client.pem
file and register itself as a new node…

An error occurs at the point where the client is expecting to receive
its new client.pem file from the server:

“/var/lib/gems/1.8/gems/chef-0.9.12/bin/…/lib/chef/rest.rb:80:in
`register’: The response from the server did not include a private
key! (Chef::Exceptions::CannotWritePrivateKey)”

Full log:
https://gist.github.com/669039

Well…
It turns out this message was the outcome after opscode servers had
returned back to chef-client a 301 redirect error.

janitors-Mac-mini:vagrant-node id$ curl --data-ascii “” --post301
api.opscode.com:80/organizations/dreamcat4/clients

301 Moved Permanently

301 Moved Permanently


nginx/0.8.33

Initially it was difficult to find any reason for this. But just
looked in the client.rb file…

It says:
chef_server_url “http://api.opscode.com/organizations/dreamcat4

But it should have been:
chef_server_url “https://api.opscode.com/organizations/dreamcat4

So that was the reason for getting back a 301 redirect from nginx. Phew!

Very pleased to say new node registration is all working fine now.

Regards

dreamcat4
dreamcat4@gmail.com


Opscode, Inc
Joshua Timberman, Technical Evangelist
IRC, Skype, Twitter, Github: jtimberman

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAkzgGAIACgkQO97WSdVpzT2jzgCeMPoK850O8Ti932E4yYd6HrPq
G8UAn034oYAur4MC1D8eW1XcUQIUXZmc
=8+0y
-----END PGP SIGNATURE-----