Details
Type: Bug
Status: Open
Priority: Unknown
Resolution: Unresolved
Affects Version/s: 0.10.8
Fix Version/s: None
Component/s: Chef Server
Labels:
Environment:
- /usr/bin/lsb_release -a
LSB Version: :core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 5.7 (Final)
Release: 5.7
Codename: Final
- ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
Description
(All these keys have been invalidated, so these private key pastes are not a security problem, but you would need the private key to replicate the problem.)
I generated a new chef-validator key pair, which can be seen in the attached screenshot and which I have pasted below. I copied the private key part to /etc/chef/validator.pem on the client and ran the chef-client. It failed with the following message:
chef-client
[Sun, 08 Jan 2012 20:22:49 -0800] INFO: *** Chef 0.10.8 ***
[Sun, 08 Jan 2012 20:22:50 -0800] INFO: Client key /etc/chef/client.pem is not present - registering
[Sun, 08 Jan 2012 20:22:50 -0800] INFO: HTTP Request Returned 401 Unauthorized: Failed to authenticate. Ensure that your client key is valid.
[Sun, 08 Jan 2012 20:22:50 -0800] FATAL: Stacktrace dumped to /var/cache/chef/chef-stacktrace.out
[Sun, 08 Jan 2012 20:22:50 -0800] FATAL: Net::HTTPServerException: 401 "Unauthorized"
I've pasted the server message in at the bottom. To troubleshoot I generated a public key off the private key cut and pasted from chef-server;
- openssl rsa -in /etc/chef/validation.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7odmF3OsavoSepho4cY9
GPA1nJFSIM7/CdgM1ywiyLtEYCs9QVH5pMIp7Jjcau58waxdyXeBS38/xesF5Vqe
LeAgzsVK9HFkXuSvSho+g5f6tEyY2Sq8rxVqDjq99+2BuVYwZN+p3+cd/V+uV5Fn
oUkXPqC5MToe65hHzPiDdfCTMDTsFZ9QgC1yJ4bc/2qS8thoyeDLtP6TpkShKi06
4GBd1zMtmDfrCqbNGceTyyBjLPtNBXoyBDv8JPzh24axHZ2ceSriaGeONTPtqzsY
9eC/WMs54ihEj7/pJsENSJai4zTstfPwTLnDHYb04XzHPGu1BlZTq6muckUTAy8Y
pwIDAQAB
-----END PUBLIC KEY-----
These are the ones from the chef-server-webui... you can see that the copied key is missing the first 32 characters compared to the generated key. Here is a diff: http://diffchecker.com/NYAnAmT
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA7odmF3OsavoSepho4cY9GPA1nJFSIM7/CdgM1ywiyLtEYCs9QVH5
pMIp7Jjcau58waxdyXeBS38/xesF5VqeLeAgzsVK9HFkXuSvSho+g5f6tEyY2Sq8
rxVqDjq99+2BuVYwZN+p3+cd/V+uV5FnoUkXPqC5MToe65hHzPiDdfCTMDTsFZ9Q
gC1yJ4bc/2qS8thoyeDLtP6TpkShKi064GBd1zMtmDfrCqbNGceTyyBjLPtNBXoy
BDv8JPzh24axHZ2ceSriaGeONTPtqzsY9eC/WMs54ihEj7/pJsENSJai4zTstfPw
TLnDHYb04XzHPGu1BlZTq6muckUTAy8YpwIDAQAB
-----END RSA PUBLIC KEY-----
Private Key (Will not show again, Please copy!)
Please copy and save as the client's validation key (e.g. client.pem)
==> server.log <==
merb : chef-server (api) : worker (port 4000) ~ Started request handling: Sun Jan 08 20:24:23 -0800 2012
merb : chef-server (api) : worker (port 4000) ~ Params: {"name"=>"i-0000679b.novalocal", "action"=>"create", "admin"=>false, "controller"=>"clients"}
merb : chef-server (api) : worker (port 4000) ~ Failed to authenticate. Ensure that your client key is valid. - (Merb::ControllerExceptions::Unauthorized)
/usr/lib64/ruby/gems/1.8/gems/chef-server-api-0.10.8/app/controllers/application.rb:56:in `authenticate_every'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:352:in `send'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:352:in `_call_filters'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:344:in `each'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:344:in `_call_filters'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:286:in `_dispatch'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:284:in `catch'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:284:in `_dispatch'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/merb_controller.rb:285:in `_dispatch'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/merb_controller.rb:262:in `_call'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/merb_controller.rb:252:in `call'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/dispatch/dispatcher.rb:91:in `dispatch_action'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/dispatch/dispatcher.rb:69:in `handle'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/dispatch/dispatcher.rb:29:in `handle'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/rack/application.rb:17:in `call'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/rack/middleware/static.rb:28:in `call'
/usr/lib64/ruby/gems/1.8/gems/rack-1.4.0/lib/rack/content_length.rb:14:in `call'
/usr/lib64/ruby/gems/1.8/gems/thin-1.3.1/lib/thin/connection.rb:80:in `pre_process'
/usr/lib64/ruby/gems/1.8/gems/thin-1.3.1/lib/thin/connection.rb:78:in `catch'
/usr/lib64/ruby/gems/1.8/gems/thin-1.3.1/lib/thin/connection.rb:78:in `pre_process'
/usr/lib64/ruby/gems/1.8/gems/thin-1.3.1/lib/thin/connection.rb:53:in `process'
/usr/lib64/ruby/gems/1.8/gems/thin-1.3.1/lib/thin/connection.rb:38:in `receive_data'
/usr/lib64/ruby/gems/1.8/gems/eventmachine-0.12.10/lib/eventmachine.rb:256:in `run_machine'
/usr/lib64/ruby/gems/1.8/gems/eventmachine-0.12.10/lib/eventmachine.rb:256:in `run'
/usr/lib64/ruby/gems/1.8/gems/thin-1.3.1/lib/thin/backends/base.rb:61:in `start'
/usr/lib64/ruby/gems/1.8/gems/thin-1.3.1/lib/thin/server.rb:159:in `start'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/rack/adapter/thin.rb:30:in `start_server'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/rack/adapter/abstract.rb:305:in `start_at_port'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/rack/adapter/abstract.rb:138:in `start'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/server.rb:174:in `bootup'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/server.rb:159:in `daemonize'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/server.rb:143:in `fork'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/server.rb:143:in `daemonize'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/server.rb:35:in `start'
/usr/lib64/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core.rb:165:in `start'
/usr/lib64/ruby/gems/1.8/gems/chef-server-api-0.10.8/bin/chef-server:84
/usr/bin/chef-server:19:in `load'
/usr/bin/chef-server:19
merb : chef-server (api) : worker (port 4000) ~ Params: {"name"=>"i-0000679b.novalocal", "action"=>"create", "admin"=>false, "controller"=>"clients"}
merb : chef-server (api) : worker (port 4000) ~ {:action_time=>0.000506, :after_filters_time=>1.5e-05, :before_filters_time=>4.1e-05, :dispatch_time=>0.008439}
merb : chef-server (api) : worker (port 4000) ~
OK.
So I didn't notice the header differences:
-----BEGIN RSA PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
There must be some other reason that my clients stopped authenticating.
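
The two headers compared in this report name two encodings of an RSA public key: "RSA PUBLIC KEY" is the bare PKCS#1 structure, while "PUBLIC KEY" wraps that structure in a SubjectPublicKeyInfo header, which for a 2048-bit key is 24 DER bytes, or 32 base64 characters. The Ruby sketch below is an added example, not part of the original report or of Chef's code; it checks whether two PEM blocks carry the same key, using a throwaway key generated on the spot and helper names chosen here.

```ruby
require 'openssl'

# Strip the PEM armor; return [label, DER bytes].
def pem_decode(pem)
  m = pem.match(/-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----/m)
  raise ArgumentError, 'no PEM block found' unless m
  [m[1], m[2].unpack1('m')]
end

# Wrap DER bytes in PEM armor with 64-column base64 lines.
def pem_encode(label, der)
  body = [der].pack('m0').scan(/.{1,64}/).join("\n")
  "-----BEGIN #{label}-----\n#{body}\n-----END #{label}-----\n"
end

# Reduce either encoding to the bare PKCS#1 RSAPublicKey DER.
def pkcs1_der(pem)
  label, der = pem_decode(pem)
  case label
  when 'RSA PUBLIC KEY' then der
  when 'PUBLIC KEY'
    algorithm, bits = OpenSSL::ASN1.decode(der).value
    oid = algorithm.value.first.oid
    raise ArgumentError, "not an RSA key: #{oid}" unless oid == '1.2.840.113549.1.1.1'
    bits.value # the BIT STRING payload is the PKCS#1 structure
  else raise ArgumentError, "unsupported PEM label: #{label}"
  end
end

def same_rsa_public_key?(pem_a, pem_b)
  pkcs1_der(pem_a) == pkcs1_der(pem_b)
end

# Constructed sample: throwaway 2048-bit key, written out in both encodings.
KEY = OpenSSL::PKey::RSA.new(2048)
SPKI_PEM = pem_encode('PUBLIC KEY', KEY.public_key.to_der)
PKCS1_DER = OpenSSL::ASN1::Sequence.new(
  [OpenSSL::ASN1::Integer.new(KEY.n), OpenSSL::ASN1::Integer.new(KEY.e)]
).to_der
PKCS1_PEM = pem_encode('RSA PUBLIC KEY', PKCS1_DER)

# Base64 characters the SubjectPublicKeyInfo wrapper adds in front of the key.
def wrapper_base64_chars
  spki_der = pem_decode(SPKI_PEM).last
  prefix_len = spki_der.bytesize - PKCS1_DER.bytesize
  raise 'unexpected DER layout' unless spki_der[prefix_len..] == PKCS1_DER
  [spki_der[0, prefix_len]].pack('m0').length
end
puts same_rsa_public_key?(SPKI_PEM, PKCS1_PEM), wrapper_base64_chars
```

Comparing the decoded PKCS#1 bytes rather than the PEM text avoids false mismatches caused by the wrapper or by different base64 line wrapping.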