Re: Newbie needs help creating AWS EC2 Windows instance

Thanks for all the help. Unfortunately, I think I am going to call it a day (or, actually two) and declare defeat much as I don’t want to.

It’s relatively uncomplicated to get knife ec2 to stand up an instance — the devilishly hard thing seems to be able to get it to bootstrap to a Chef server in the same pass. A Google search or two brings up people that don’t even try: they run knife ec2 and then knife windows winrm to bootstrap. I just don’t understand why that should be necessary.

It occurred to me that the most logical response to the “you are using the wrong key” was to create my own AMI and launch it with the key I originally used when launching from AWS’s AMI. Doing this doesn’t produce the OpenSSL padding error. It simply hangs waiting for the password — forever. So, even when I am certain I am using the correct key, it fails. If I use the knife ec2 -x and -P parameters to specify the now known userid and password from my own AMI, I get a different error: “warning: epoll is not supported on this platform.”

I am on ChefDK 0.8.0, freshly installed just to try this.

It seems like Windows is always going to be a second-class citizen in Chef. That’s too bad.

This mailing list is very responsive — I really appreciate all the suggestions.

From: Fabien Delpierre
Reply-To: "chef@lists.opscode.com"
Date: Friday, September 25, 2015 at 11:11
To: chef
Subject: [chef] Re: RE: Re: RE: Re: Newbie needs help creating AWS EC2 Windows instance

The need for a keypair for Windows Server instances in AWS is an AWS limitation. They wanted a secure way to deliver the password for the local Administrator account. So they devised this scheme where you associate a keypair with the instance, even though, as you pointed out, you will not be using SSH to actually interact with the instance. The password is encrypted with the keypair’s public key, and you provide your private key to decrypt it.
Why Knife needs those elements follows from the above: once the instance is up, Knife attempts to download the password from the AWS API by providing the .pem file. Using that password, it can proceed to actually connect to the instance and provision it with Chef.

On Fri, Sep 25, 2015 at 10:56 AM, Alex Neihaus <architect@air11.com> wrote:
Thanks again for your help.

I was thinking the same thing – that the wrong key is being used to connect to the instance – so here’s what I tried:
1). Generated a new AWS keypair
2). Placed that key in chef-repo/.chef
3). Ran knife ec2 with that key name in --ssh-key without the .pem extension. That is, --ssh-key=name_of_key_file_without.pem_extension (knife ec2 blows up if you use the full filename with a “cannot be found” message from AWS.)
4). Logged into the console and successfully decrypted the password with the .pem file specified in the knife ec2 command

Conceptually, I am having a problem understanding what, exactly, is going on that requires an ssh key. I know the doc says it’s needed but I don’t understand why. There’s nothing listening on port 22 in the instance – that’s where

Still no joy getting knife ec2 to bootstrap the running, accessible instance.

Could there be a problem with the version of knife ec2? I am running 12.4.1.

Appreciate the tip about the instance costs – until I get it running, I’ve dialed that back. The AMI is an AWS image with SQL Server, to t2. Instance types are out.

From: Fabien Delpierre [mailto:fabien.delpierre@gmail.com]
Sent: Friday, September 25, 2015 10:09
To: chef <chef@lists.opscode.com>
Subject: [chef] Re: RE: Re: Newbie needs help creating AWS EC2 Windows instance

Usually that error would occur if you weren’t using the correct private key.
Suggestion: create an instance the exact same way you did (or use one that you still have running), go to the AWS web console, and try to download the admin credentials by using the same .pem file you used in your knife ec2 command. That’ll tell you whether you’re at least using the right one. Unless you knowingly put the .pem file corresponding to your AWS keypair in your /chefrepo/.chef directory, my guess is you’re using the wrong file.
Also, I might suggest that you don’t use m4.xlarge instances for initial testing – Windows instances of that size aren’t cheap and it will add up quickly!

On Fri, Sep 25, 2015 at 9:45 AM, Alex Neihaus <architect@air11.com> wrote:
Thanks to everyone who has responded. I am almost there.

I have knife ec2 standing up a Windows Server 2008 R2 instance and, apparently, connecting to it via winrm. However, after accessing winrm and during what I think is the attempt to bootstrap the instance to Chef, I receive an OpenSSL “padding check failed” error.

If anyone has any clues, I’d appreciate your help. Here’s the error and the knife ec2 command I am using (with the sensitive parts removed):

Waiting for EC2 to create the instance…
Subnet ID: subnet-
Tenancy: default
Private IP Address:
Waiting for winrm access to become available…done
Waiting for Windows Admin password to be available…
ERROR: OpenSSL::PKey::RSAError: padding check failed

knife ec2 server create --flavor m4.xlarge --associate-public-ip --bootstrap-protocol winrm -N WinServerTestNodeCanBeDeleted --region us-east-1 --availability-zone us-east-1d --security-group-ids sg-NNNNN -T name=WinServerTestNodeCanBeDeleted -I ami-YYYYY --user-data /path-to-user-text/usertext.txt -A -K --ssh-key --subnet subnet-XXXXXXX --identity-file /pathtochefrepo/.chef/.pem -VV

Alex
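
The key check discussed in this thread, as an added Ruby example that is not code from the posters or from knife-ec2: it simulates password data encrypted to a launch keypair, confirms that a .pem belongs to that pair before decrypting, and separates "password not available yet" from "wrong key". The two keys, the sample password and all function names are constructed for illustration, and RSA PKCS#1 v1.5 padding is assumed for the password data.

```ruby
require "openssl"
require "base64"
require "digest"

# Constructed stand-ins for two .pem files: the pair the instance was
# launched with, and an unrelated pair that happens to sit in .chef.
LAUNCH_PEM = OpenSSL::PKey::RSA.new(2048).to_pem
OTHER_PEM  = OpenSSL::PKey::RSA.new(2048).to_pem

# SHA-256 over the DER form of the public half of a private key.
# A local comparison aid for this example, not the fingerprint format
# that AWS displays for a keypair.
def public_fingerprint(private_pem)
  key = OpenSSL::PKey::RSA.new(private_pem)
  Digest::SHA256.hexdigest(key.public_key.to_der)
end

# Service side, simulated: the password is encrypted with the public key
# of the launch pair and handed out base64-encoded.
def simulate_password_data(launch_private_pem, password)
  pub = OpenSSL::PKey::RSA.new(launch_private_pem).public_key
  cipher = pub.public_encrypt(password, OpenSSL::PKey::RSA::PKCS1_PADDING)
  Base64.strict_encode64(cipher)
end

# Client side: returns [status, value].
#   :not_ready      password data is still empty, nothing to decrypt yet
#   :wrong_key      the .pem is not the pair the data was encrypted to
#   :ok             value is the plaintext password
#   :decrypt_failed OpenSSL rejected the ciphertext; value is its message
def recover_password(identity_pem, launch_fingerprint, password_data)
  return [:not_ready, nil] if password_data.nil? || password_data.strip.empty?

  # Match the key first. A mismatched key does not always fail cleanly:
  # depending on the OpenSSL build it raises OpenSSL::PKey::RSAError
  # (the "padding check failed" in this thread) or yields unusable bytes.
  return [:wrong_key, nil] unless public_fingerprint(identity_pem) == launch_fingerprint

  key = OpenSSL::PKey::RSA.new(identity_pem)
  raw = Base64.decode64(password_data)
  [:ok, key.private_decrypt(raw, OpenSSL::PKey::RSA::PKCS1_PADDING)]
rescue OpenSSL::PKey::RSAError => e
  [:decrypt_failed, e.message]
end

if __FILE__ == $0
  fingerprint = public_fingerprint(LAUNCH_PEM)
  data = simulate_password_data(LAUNCH_PEM, "Constructed-Passw0rd!")

  puts recover_password(LAUNCH_PEM, fingerprint, data).inspect
  puts recover_password(OTHER_PEM, fingerprint, data).inspect
  puts recover_password(LAUNCH_PEM, fingerprint, "").inspect
end
```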

Yeah, sorry, I can't be much help with Knife EC2 and Windows. I know both
well, just separately from one another, as I've never had to implement Chef
in Windows (I'm thankful for it). I would test what you're doing myself but
I don't have access to an AWS environment. Maybe someone else will chime
in. You can also try IRC (irc.freenode.net Chef Infra (archive)).

On Fri, Sep 25, 2015 at 3:04 PM, Alex Neihaus architect@air11.com wrote:

Thanks for all the help. Unfortunately, I think I am going to call it a
day (or, actually two) and declare defeat much as I don’t want to.

It’s relatively uncomplicated to get knife ec2 to stand up an instance —
the devilishly hard thing seems to be able to get it to bootstrap to a Chef
server in the same pass. A Google search or two brings up people that don’t
even try: they run knife ec2 and then knife windows winrm to bootstrap. I
just don’t understand why that should be necessary.

It occurred to me that the most logical response to the “you are using the
wrong key” was to create my own AMI and launch it with the key I originally
used when launching from AWS’s AMI. Doing this doesn’t produce the OpenSSL
padding error. It simply hangs waiting for the password — forever. So, even
when I am certain I am using the correct key, it fails. If I use the knife
ec2 -x and -P parameters to specify the now known userid and password from
my own AMI, I get a different error: “warning: epoll is not supported on
this platform.”

I am on ChefDK 0.8.0, freshly installed just to try this.

It seems like Windows is always going to be a second-class citizen in
Chef. That’s too bad.

This mailing list is very responsive — I really appreciate all the
suggestions.


Hi Alex,
we’d like to get this sorted. I believe one of the problems is that knife ec2 server create doesn’t pass the correct user data to get winrm stood up. So you’re trying to connect and hanging. The solution here is https://github.com/chef/knife-ec2/pull/188 , which we need to get merged and released.
Windows definitely isn’t a second class citizen here; there are some rough edges but those will get fixed, and people pointing them out just helps us to get them fixed faster! :)
Cheers,
-Thom

Thom May


Hi, Thom.

Thank you very much for this response. It’s great to hear that this is being worked on and a solution is close.

Best,
Alex

From: Thom May [mailto:thom@chef.io]
Sent: Monday, September 28, 2015 17:57
To: chef@lists.opscode.com; Alex Neihaus architect@air11.com
Subject: Re: [chef] Re: Newbie needs help creating AWS EC2 Windows instance

Hi Alex,
we’d like to get this sorted. I believe one of the problems is that knife ec2 server create doesn’t pass the correct user data to get winrm stood up. So you’re trying to connect and hanging. The solution here is https://github.com/chef/knife-ec2/pull/188 , which we need to get merged and released.
Windows definitely isn’t a second class citizen here; there are some rough edges but those will get fixed, and people pointing them out just helps us to get them fixed faster! :)
Cheers,
-Thom

Thom May
