Skip to main content

Authorization error with API user knife initialization `knife configure -i`

Notice these errors. First error shows the API user of knife (root) failed to authenticate:

# knife client list
WARN: HTTP Request Returned 401 Unauthorized: Failed to authenticate!
/usr/lib/ruby/1.8/net/http.rb:2101:in `error!': 401 "Unauthorized" (Net::HTTPServerException)
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:217:in `api_request'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:268:in `retriable_rest_request'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:198:in `api_request'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:101:in `get_rest'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/api_client.rb:185:in `list'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/knife/client_list.rb:35:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/application/knife.rb:115:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/bin/knife:25
from /usr/bin/knife:19:in `load'
from /usr/bin/knife:19

so I tried to re-initialize API user (root). And encountered another authentication failure (this time with webui client user (see chef-server log that follows).

# knife configure -i
Overwrite /root/.chef/knife.rb? (Y/N) Y
Please enter the chef server URL: [http://localhost:4000]
Please enter a clientname for the new client: [root]
Please enter the existing admin clientname: [chef-webui]
Please enter the location of the existing admin client's private key: [/etc/chef/webui.pem]
Please enter the validation clientname: [chef-validator]
Please enter the location of the validation key: [/etc/chef/validation.pem]
Please enter the path to a chef repository (or leave blank):
WARN: Creating initial API user...
FATAL: Failed to read the private key /etc/chef/webui.pem: #, /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest/auth_credentials.rb:59:in `read'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest/auth_credentials.rb:59:in `load_signing_key'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest/auth_credentials.rb:33:in `initialize'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:41:in `new'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:41:in `initialize'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/api_client.rb:232:in `new'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/api_client.rb:232:in `save'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/knife/client_create.rb:55:in `run'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/knife/configure.rb:86:in `run'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/application/knife.rb:115:in `run'/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/bin/knife:25/usr/bin/knife:19:in `load'/usr/bin/knife:19
/usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest/auth_credentials.rb:62:in `load_signing_key': I cannot read /etc/chef/webui.pem, which you told me to use to sign requests! (Chef::Exceptions::PrivateKeyMissing)
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest/auth_credentials.rb:33:in `initialize'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:41:in `new'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/rest.rb:41:in `initialize'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/api_client.rb:232:in `new'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/api_client.rb:232:in `save'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/knife/client_create.rb:55:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/knife/configure.rb:86:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/lib/chef/application/knife.rb:115:in `run'
from /usr/lib/ruby/gems/1.8/gems/chef-0.9.6/bin/knife:25
from /usr/bin/knife:19:in `load'
from /usr/bin/knife:19

This is the chef-server log that gives hint it is webui that is failing to authenticate:

2010-09-13_15:13:48.61008 INFO: Authenticating client chef-webui
2010-09-13_15:13:48.63105 merb : worker (port 4000) ~ Started request handling: Mon Sep 13 08:13:48 -0700 2010
2010-09-13_15:13:48.63110 merb : worker (port 4000) ~ Params: {"name"=>"root", "action"=>"create", "admin"=>true, "controller"=>"clients"}
2010-09-13_15:13:48.63112 merb : worker (port 4000) ~ Failed to authenticate! - (Merb::ControllerExceptions::Unauthorized)
2010-09-13_15:13:48.63165 /usr/lib/ruby/gems/1.8/gems/chef-server-api-0.9.6/app/controllers/application.rb:50:in `authenticate_every'
2010-09-13_15:13:48.63166 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:352:in `send'
2010-09-13_15:13:48.63167 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:352:in `_call_filters'
2010-09-13_15:13:48.63169 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:344:in `each'
2010-09-13_15:13:48.63170 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:344:in `_call_filters'
2010-09-13_15:13:48.63171 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:286:in `_dispatch'
2010-09-13_15:13:48.63172 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:284:in `catch'
2010-09-13_15:13:48.63175 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/abstract_controller.rb:284:in `_dispatch'
2010-09-13_15:13:48.63176 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/merb_controller.rb:285:in `_dispatch'
2010-09-13_15:13:48.63177 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/merb_controller.rb:262:in `_call'
2010-09-13_15:13:48.63178 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/controller/merb_controller.rb:252:in `call'
2010-09-13_15:13:48.63179 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/dispatch/dispatcher.rb:91:in `dispatch_action'
2010-09-13_15:13:48.63180 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/dispatch/dispatcher.rb:69:in `handle'
2010-09-13_15:13:48.63181 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/dispatch/dispatcher.rb:29:in `handle'
2010-09-13_15:13:48.63183 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/rack/application.rb:17:in `call'
2010-09-13_15:13:48.63184 /usr/lib/ruby/gems/1.8/gems/rack-1.0.0/lib/rack/content_length.rb:13:in `call'
2010-09-13_15:13:48.63185 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/connection.rb:76:in `pre_process'
2010-09-13_15:13:48.63186 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/connection.rb:74:in `catch'
2010-09-13_15:13:48.63188 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/connection.rb:74:in `pre_process'
2010-09-13_15:13:48.64712 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/connection.rb:57:in `process'
2010-09-13_15:13:48.64713 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/connection.rb:42:in `receive_data'
2010-09-13_15:13:48.64715 /usr/lib/ruby/gems/1.8/gems/eventmachine-0.12.8/lib/eventmachine.rb:242:in `run_machine'
2010-09-13_15:13:48.64716 /usr/lib/ruby/gems/1.8/gems/eventmachine-0.12.8/lib/eventmachine.rb:242:in `run'
2010-09-13_15:13:48.64717 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/backends/base.rb:57:in `start'
2010-09-13_15:13:48.64718 /usr/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/server.rb:156:in `start'
2010-09-13_15:13:48.64719 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/rack/adapter/thin.rb:30:in `start_server'
2010-09-13_15:13:48.64720 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/rack/adapter/abstract.rb:305:in `start_at_port'
2010-09-13_15:13:48.64721 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/rack/adapter/abstract.rb:138:in `start'
2010-09-13_15:13:48.64727 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/server.rb:174:in `bootup'
2010-09-13_15:13:48.64729 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core/server.rb:42:in `start'
2010-09-13_15:13:48.64732 /usr/lib/ruby/gems/1.8/gems/merb-core-1.1.3/lib/merb-core.rb:165:in `start'
2010-09-13_15:13:48.64733 /usr/lib/ruby/gems/1.8/gems/chef-server-api-0.9.6/bin/chef-server:75
2010-09-13_15:13:48.64734 /usr/bin/chef-server:19:in `load'
2010-09-13_15:13:48.64735 /usr/bin/chef-server:19
2010-09-13_15:13:48.64736 merb : worker (port 4000) ~ Params: {"name"=>"root", "action"=>"create", "admin"=>true, "controller"=>"clients"}
2010-09-13_15:13:48.64738 merb : worker (port 4000) ~ {:dispatch_time=>0.041183, :action_time=>0.008142, :after_filters_time=>3.2e-05, :before_filters_time=>0.002237}
2010-09-13_15:13:48.64739 merb : worker (port 4000) ~
2010-09-13_15:13:48.64740


Delete root and webui clients and delete corresponding keys (/root/.chef/root.pem and /etc/chef/webui.pem). Restart chef-server and you should get a new set of keys. Initialize a new API user (root):

# knife configure -i
Overwrite /root/.chef/knife.rb? (Y/N) Y
Please enter the chef server URL: [http://localhost:4000]
Please enter a clientname for the new client: [root]
Please enter the existing admin clientname: [chef-webui]
Please enter the location of the existing admin client's private key: [/etc/chef/webui.pem]
Please enter the validation clientname: [chef-validator]
Please enter the location of the validation key: [/etc/chef/validation.pem]
Please enter the path to a chef repository (or leave blank):
WARN: Creating initial API user...
INFO: Created (or updated) client[root]
WARN: Configuration file written to /root/.chef/knife.rb

Test API with knife

# knife client list

should give you a list of clients.


Comments

Post a Comment

Popular posts from this blog

Zenoss: monitor free VMWare ESXi version

We confirmed that the free ESXi version does not allow SNMP gets, only traps. The original script was taken from here: http://communities.vmware.com/docs/DOC-7170 Modified script: http://mirakulo.com/pub/esxi/check_esx_wbmem.py We added Fan and power supply, hinted from this page: http://www.stephenjc.com/2009/01/whatsup-vmware-esxi-monitor-these.html Use this guide to add the Data source: http://www.zenoss.com/community/docs/howtos/create-modify-nagios-templates Added as template under: /Devices /Server /VMWare /ESXi /Templates /esxi-monitor /check_esx_wbmem Name: check_esx_wbmem Source Type: Command Enable true Use SSH false Component: blank Event class: /VMWare/ESXi Severity: Error Cycle time: 60 Parser: auto Command template: /usr/local/zenoss/python/bin/python /opt/zenoss/libexec/check_esx_wbmem.py https://${dev/manageIp}:5989 root passwd To bind this template to ESXi nodes, go to the device: Example: /Devices /Server /VMWare /ESXi /esxi-01.prod.corp.org then to its temp...
6 comments
Read more

ld: unrecognized option '--hash-style=both'

gcc -Wl,-Map=contiki.map,-export-dynamic testv6.co obj_linux-native/socketdev_listener.o \ contiki-linux-native.a -o testv6.linux-native /usr/local/bin/ld: unrecognized option '--hash-style=both' /usr/local/bin/ld: use the --help option for usage information collect2: ld returned 1 exit status If you look closely, the error is something related to the local gcc not using the host's linker (ld). $ which gcc /usr/bin/gcc $ which ld /usr/local/bin/ld For some reason, I messed my compiler path. To synchronized gcc to use the host's dynamic linker (i.e. /usr/bin/ld ), set the environment variable COMPILER_PATH to /usr/bin . $ export COMPILER_PATH=/usr/bin $ echo $COMPILER_PATH /usr/bin $ gcc -print-prog-name=ld /usr/bin/ld
9 comments
Read more

Resetting admin password in IBM System p5 510 Express ASMI

These are the steps in resetting the admin password: 0. Re-route stored static in your body via an ESD wrist strap to a metallic element. 1. Look for the 2 toggle switches and service processor batt. The batt should be in front of the Power Supply 1 and Power Supply 2 (codes: E1 and E2, see Rear Location Codes on the cover plate). The "very tiny" toggle switches should be in the area of P1-C14 slot. I forgot the exact sequence but it should be a combination of the ff. step (2): 2. Remove the battery, toggle the switches to the opposite direction. Allows some time for the caps to discharge. 3. Move back the toggle switches and put back the batt in its place. 4. Assign your PC to Class C subnet (i.e. masked 255.255.255.0 ): IPaddr: 192.168.2.x for HMC1 or IPaddr: 192.168.3.x for HMC2 5. Ping HMC1 or HMC2. Access the web interface using the default address: http://192.168.2.147 (for HMC1) or http://192.168.3.147 (for HMC2) Note: Sometimes you have to force the https protocol: ...
1 comment
Read more