RE: Re: location of client.pem when using knife bootstrap


Thank you for the explanation.

-----Original Message-----
From: Daniel Condomitti []
Sent: Fri 10/19/2012 7:51 PM
Subject: [chef] Re: location of client.pem when using knife bootstrap

client.pem gets generated the first time the client connects to the server. The node you’re running knife bootstrap on needs to have a copy of your organization’s validator (private key) on disk and defined correctly in knife.rb. When it connects to the node, it’ll install chef (and anything else in your bootstrap template) and then use the validator private key to obtain a client.pem.


When a node runs chef-client for the first time, it generally does not yet have an API client identity, and so cannot make authenticated requests to the server. This is where the validation client, named “chef-validator” by default, comes in. When the chef-client runs, it checks whether it has a client key. If the client key does not exist, it then attempts to “borrow” the validation client’s identity to register itself with the server. In order to do that, the validation client’s private key needs to be copied to the host and placed in /etc/chef/validation.pem. Once the client machine has registered itself with the chef server, it no longer uses the validation client for anything. It is recommended that you delete the validation client’s private key from the host after the host has registered.

Look at the bootstrap file you’re using if you’re interested in how it works:

On Friday, October 19, 2012 at 4:24 PM, wrote:

When using the knife bootstrap command, does the client.pem file get copied to
/etc/chef on the chef client node? Is there a way to copy it there so the
client can properly connect to the server?
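The first-run registration sequence described in Daniel's reply, written out as an added example; this is not code from the thread and not Chef's own bootstrap template (which is an ERB file that knife renders into a shell script). It is a POSIX shell script with hypothetical function names; the demo at the bottom substitutes a constructed fake chef-client that "registers" by writing client.pem, so it runs offline. The only real Chef detail relied on is that chef-client accepts -c to point at its config file and reads validation.pem from the same directory. The security-relevant step is the cleanup: validation.pem is removed only after client.pem exists, so the organization-wide validator key does not linger on every node, and a failed registration keeps the key in place for a retry instead of silently discarding it.

```shell
#!/bin/sh
# Added example (not from the original thread, not Chef's bootstrap template):
# the node-side registration dance, reduced to its security-relevant steps.
# Assumption: the chef dir is passed in (normally /etc/chef) and the chef-client
# command is passed in (the demo uses a constructed fake, not the real binary).

# Return 0 if the node already holds its own API identity (client.pem).
has_client_key() {
  [ -s "$1/client.pem" ]
}

# Copy the validator key into place with restrictive permissions.
# Fail rather than leave a half-configured node if the source is unreadable.
install_validator() {
  src="$1"; chef_dir="$2"
  [ -r "$src" ] || { echo "validator key $src not readable" >&2; return 1; }
  mkdir -p "$chef_dir"
  cp "$src" "$chef_dir/validation.pem"
  chmod 0600 "$chef_dir/validation.pem"
}

# Run the first chef-client, which uses validation.pem to register and obtain
# client.pem. Remove validation.pem only if registration actually produced
# client.pem; otherwise keep it for a retry and report failure (exit 2).
first_run_and_cleanup() {
  chef_dir="$1"; chef_client="$2"
  if has_client_key "$chef_dir"; then
    # Already registered: a validator key here is a pure liability.
    rm -f "$chef_dir/validation.pem"
    return 0
  fi
  [ -s "$chef_dir/validation.pem" ] || { echo "no validation.pem and no client.pem" >&2; return 1; }
  "$chef_client" -c "$chef_dir/client.rb" || true
  if has_client_key "$chef_dir"; then
    rm -f "$chef_dir/validation.pem"
    return 0
  fi
  echo "registration failed; validation.pem kept for retry" >&2
  return 2
}

# Post-bootstrap check: the node must hold client.pem and no validator key.
audit_chef_dir() {
  chef_dir="$1"
  has_client_key "$chef_dir" || { echo "missing client.pem" >&2; return 1; }
  [ ! -e "$chef_dir/validation.pem" ] || { echo "validator still present" >&2; return 1; }
  return 0
}

# Constructed stand-in for chef-client: given -c <dir>/client.rb, it "registers"
# by writing client.pem, but only if validation.pem is present, mirroring the
# borrow-the-validator behaviour. Not the real chef-client.
make_fake_chef_client() {
  out="$1"
  cat >"$out" <<'EOF'
#!/bin/sh
dir=$(dirname "$2")
[ -s "$dir/validation.pem" ] || exit 1
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'FAKE-CLIENT-KEY' '-----END RSA PRIVATE KEY-----' >"$dir/client.pem"
EOF
  chmod +x "$out"
}

# Demo run in a scratch directory with a constructed validator key.
demo() {
  work=$(mktemp -d)
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'FAKE-VALIDATOR' '-----END RSA PRIVATE KEY-----' >"$work/chef-validator.pem"
  make_fake_chef_client "$work/chef-client"
  install_validator "$work/chef-validator.pem" "$work/etc-chef"
  first_run_and_cleanup "$work/etc-chef" "$work/chef-client"
  audit_chef_dir "$work/etc-chef" && echo "node registered, validator removed"
  rm -rf "$work"
}
demo
```

On a real node the same sequence is: knife copies the validator to /etc/chef/validation.pem, runs chef-client once, and you then confirm that /etc/chef/client.pem exists and /etc/chef/validation.pem does not. Leaving validation.pem behind means anyone who reads that file can register arbitrary new clients with your organization.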