Knife EC2 Server Create Error: Authentication failed

Sometimes with all of the rush and trying to keep track of a 1000 moving parts you might get stumped by a fairly simple issue. Here are a few things to check if you get hung up with an “Authentication failedĀ for user” error when running a “Knife ec2 server create” command.

Waiting for sshd access to become availabledone
Connecting to 52.5.159.42
Failed to authenticate ec2-user - trying password auth
Enter your password:
ERROR: Net::SSH::AuthenticationFailed: Authentication failed for user ec2-user@52.5.159.42@52.5.159.42

Do you have your .pem file downloaded and installed with the correct permissions on your workstation you are running the command from?

It should be in the EC2-USER’s .ssh dir -> /home/ec2-user/.ssh

Make sure its chmodded 400

Make sure you have the knife.rb file set correctly to reference the .pem file for you…otherwise you will have a lot of typing for your command.

knife[:identity_file] = "/home/ec2-user/.ssh/aws-seth.pem"

Make sure you are using the correct user. Unless you have specifically changed something in your configurations by default you will be connecting as the “ec2-user”. So make sure thats what is trying to connect in your error output.

Hopefully these tips will help you narrow down the issue. You have to think about whats really happening and from where with Chef some sometimes these simple issues can really drive you nuts.

Setting up a Chef workstation with ChefDK

*This is assuming you are running on CentOS or some other RHEL platform

Download the Chef-DK package…
Go to: http://downloads.getchef.com/chef-dk/
Install the package…

sudo rpm -Uvh ChefDK.....rpm

Once its installed check it and make sure the install was successful…
Do:

sudo chef verify

 


Set System Ruby

Do:

which ruby

You might see something like this: ~/.rvm/rubies/ruby-2.1.1/bin/ruby
If you want to use the version of ruby that came with ChefDK do the following…assuming you are using BASH…
Do:

echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile

Do:

source ~/.bash_profile

Do:

which ruby

Install Git if you dont already have it…

sudo yum git install

 


Setting up the chef-repo

You can do this two ways….download the starter kit from your Chef server OR manually. In this case we will do this manually because I already happen to have a hosted Chef account and am also using my keys on other instances and dont want to have to set them all up again. So…go to your home directory and do:

git clone git://github.com/opscode/chef-repo.git

Then go to ~/chef-repo/ and do:

mkdir .chef

Three files will need to be placed in this directory:
– knife.rb
– ORGANIZATION-validator.pem
– USER.pem

In order to not upload your .chef directory which will house your certs do this:

echo '.chef' >> ~/chef-repo/.gitignore

Now you need to get the 3 files that go into your .chef directory.
Log onto your Chef server. For me this is located at: https://manage.opscode.com

Once logged in click ADMINISTRATION at the top then the name of your organization.

Knife.rb – Click “Generate Knife Config” and download the file. Place it in your .chef directory
ORGANIZATION-validator.pem – can be downloaded by clicking “Reset Validation Key” in the Administration page.
USER.pem – can be downloaded by clicking Users on the left hand side and then choosing your username, and finally clicking “Reset Key

 



Add Ruby to your Path

DO:

echo 'export PATH="/opt/chefdk/embedded/bin:$PATH"' >> ~/.configuration_file && source ~/.configuration_file

Now lets verify that we are all set…
DO:

cd ~/chef-repo

DO:

knife client list

You should see a list of your clients which will only be the one you are on for right now.

That’s it. Let me know if you have questions or run into issues or see mistakes.

Chef Error: Knife configure

When doing your initial “knife configure -i” command while setting up a chef workstation, if you encounter this error:

ERROR: Errno::EHOSTUNREACH: No route to host - connect(2)

Make sure you check your firewall settings.

On CentOS you can do:

sudo iptables -S

This will show you what is enabled currently. If you don not have port 443 open you will run into issues. To open it you can do this:

-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Make sure you save your changes…

sudo service iptables save

…and restart the firewall…

sudo service iptables restart

Chef Error while bootstrapping

Ive run into this error a few times while getting my VMs setup and Chef installed on them:

192.168.1.153 Starting Chef Client, version 11.6.0
192.168.1.153 Creating a new client identity for target3 using the validator key.
192.168.1.153 ================================================================================
192.168.1.153 Chef encountered an error attempting to create the client "target3"
192.168.1.153 ================================================================================
192.168.1.153 Authorization Error:
192.168.1.153 Your validation client is not authorized to create the client for this node (HTTP 403).
192.168.1.153 Possible Causes:
192.168.1.153 * There may already be a client named "target3"
192.168.1.153 * Your validation client (sethlearningchef-validator) may have misconfigured authorization permissions.
192.168.1.153 [2013-11-18T14:07:52-05:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
192.168.1.153 Chef Client failed. 0 resources updated
192.168.1.153 [2013-11-18T14:07:52-05:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Im not sure what causes it but here is the fix that works for me:

On management station:

knife client delete NODENAME
knife node delete NODENAME

On affected node:

sudo rm /etc/chef/client.pem
sudo chef-client

Then on your managment server so your bootstrap command again:

sudo knife bootstrap 192.168.1.153 --sudo -p USERNAME -N "NODENAME"