Knife EC2 Server Create Error: Authentication failed

Sometimes, with all of the rush and trying to keep track of a thousand moving parts, you might get stumped by a fairly simple issue. Here are a few things to check if you get hung up with an “Authentication failed for user” error when running a “knife ec2 server create” command.

Waiting for sshd access to become availabledone
Connecting to
Failed to authenticate ec2-user - trying password auth
Enter your password:
ERROR: Net::SSH::AuthenticationFailed: Authentication failed for user ec2-user@

Do you have your .pem file downloaded and installed with the correct permissions on the workstation you are running the command from?

It should be in the ec2-user’s .ssh directory -> /home/ec2-user/.ssh

Make sure it is chmodded 400.

Make sure your knife.rb references the .pem file for you…otherwise you will have a lot of typing for your command.

knife[:identity_file] = "/home/ec2-user/.ssh/aws-seth.pem"

Make sure you are using the correct user. Unless you have specifically changed something in your configuration, by default you will be connecting as “ec2-user”, so make sure that’s the user that is trying to connect in your error output.
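The three checks above (key present with owner-only permissions, knife.rb pointing at that key, and the expected login user) can be scripted. The following is an added example and not code from the original post; the key path, knife.rb path and the ec2-user default are passed in or assumed as shown in the comments.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for the
# "Authentication failed for user" error from `knife ec2 server create`.
# Assumes the key path and knife.rb path are passed in; the defaults below
# are only illustrative.
#
# Usage: sh knife_ssh_preflight.sh /home/ec2-user/.ssh/aws-seth.pem ~/chef-repo/.chef/knife.rb

# 0 when the key exists as a regular file and is owner-only
# (400 as the post says, or 600, which ssh also accepts).
check_identity_file() {
    key="$1"
    if [ ! -f "$key" ]; then
        echo "missing identity file: $key" >&2
        return 1
    fi
    # GNU stat prints the octal mode with -c '%a'; BSD/macOS stat with -f '%Lp'.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "bad permissions on $key: $mode (want 400)" >&2; return 1 ;;
    esac
}

# Prints the path set in knife[:identity_file] (empty when the option is absent).
configured_identity_file() {
    sed -n "s/^[[:space:]]*knife\[:identity_file][[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$1" | head -n 1
}

# Extracts the login knife actually tried from the failing output on stdin
# ("Failed to authenticate <user> - trying password auth").
failed_user_from_log() {
    sed -n 's/.*Failed to authenticate \([^ ]*\) - trying password auth.*/\1/p' | head -n 1
}

# Command-line entry point: only runs when a key path is given, so the
# functions above can also be sourced from another script.
if [ "$#" -gt 0 ]; then
    key="$1"
    knife_rb="${2:-$HOME/chef-repo/.chef/knife.rb}"
    expected_user="${3:-ec2-user}"   # the default login on Amazon Linux AMIs
    rc=0
    check_identity_file "$key" || rc=1
    if [ -f "$knife_rb" ]; then
        configured=$(configured_identity_file "$knife_rb")
        [ "$configured" = "$key" ] || { echo "knife.rb points at '${configured:-nothing}', not $key" >&2; rc=1; }
    else
        echo "no knife.rb at $knife_rb" >&2; rc=1
    fi
    # When the failing knife output is piped in, compare the user it tried against the expected one.
    if [ ! -t 0 ]; then
        tried=$(failed_user_from_log)
        [ -z "$tried" ] || [ "$tried" = "$expected_user" ] || { echo "knife tried user '$tried', expected '$expected_user'" >&2; rc=1; }
    fi
    exit $rc
fi
```

Run it with the key path, and optionally pipe the knife output into it (`knife ec2 server create ... 2>&1 | sh knife_ssh_preflight.sh KEY KNIFE_RB`) so the user it tried gets checked as well; a non-zero exit with the reason on stderr tells you which of the three items is off.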

Hopefully these tips will help you narrow down the issue. You have to think about what’s really happening and from where; with Chef, sometimes these simple issues can really drive you nuts.


Setting up a Chef workstation with ChefDK

*This assumes you are running on CentOS or some other RHEL platform.

Download the Chef-DK package…
Go to:
Install the package…

sudo rpm -Uvh ChefDK.....rpm

Once it’s installed, check it and make sure the install was successful…

sudo chef verify


Set System Ruby


which ruby

You might see something like this: ~/.rvm/rubies/ruby-2.1.1/bin/ruby
If you want to use the version of Ruby that came with ChefDK, do the following…assuming you are using Bash…

echo 'eval "$(chef shell-init bash)"' >> ~/.bash_profile


source ~/.bash_profile


which ruby

Install Git if you don’t already have it…

sudo yum install git


Setting up the chef-repo

You can do this two ways…download the starter kit from your Chef server, OR do it manually. In this case we will do it manually, because I already happen to have a hosted Chef account and am also using my keys on other instances and don’t want to have to set them all up again. So…go to your home directory and do:

git clone git://

Then go to ~/chef-repo/ and do:

mkdir .chef

Three files will need to be placed in this directory:
– knife.rb
– ORGANIZATION-validator.pem
– USER.pem

So that you do not upload your .chef directory, which will house your certs, do this:

echo '.chef' >> ~/chef-repo/.gitignore

Now you need to get the 3 files that go into your .chef directory.
Log onto your Chef server. For me this is located at:

Once logged in click ADMINISTRATION at the top then the name of your organization.

knife.rb – Click “Generate Knife Config” and download the file. Place it in your .chef directory.
ORGANIZATION-validator.pem – can be downloaded by clicking “Reset Validation Key” on the Administration page.
USER.pem – can be downloaded by clicking Users on the left hand side, then choosing your username, and finally clicking “Reset Key”.
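A quick way to confirm that the .chef directory is complete and, more importantly, that it is excluded from git before the first push. This is an added example, not part of the original post; it assumes the ~/chef-repo layout described above and the file names as given (ORGANIZATION-validator.pem and USER.pem are whatever your organization and user are called).

```shell
#!/bin/sh
# Added example, not from the original post: verifies that REPO/.chef holds the
# three files described above and that .chef is excluded from git, so the
# validator and user keys cannot be pushed along with the repo.
# Usage: sh chef_repo_preflight.sh ~/chef-repo

# 0 when knife.rb, one *-validator.pem and one other .pem are present and
# .gitignore lists .chef; prints each missing item to stderr and returns 1 otherwise.
chef_repo_preflight() {
    repo="$1"
    rc=0
    [ -f "$repo/.chef/knife.rb" ] || { echo "missing .chef/knife.rb" >&2; rc=1; }
    validator=$(ls "$repo"/.chef/*-validator.pem 2>/dev/null | head -n 1)
    [ -n "$validator" ] || { echo "missing .chef/ORGANIZATION-validator.pem" >&2; rc=1; }
    # the user key is any .pem that is not the validator key
    user_pem=$(ls "$repo"/.chef/*.pem 2>/dev/null | grep -v -- '-validator\.pem$' | head -n 1)
    [ -n "$user_pem" ] || { echo "missing .chef/USER.pem" >&2; rc=1; }
    # .gitignore must carry a whole-line entry such as ".chef" or ".chef/"
    grep -Eqx '/?\.chef/?' "$repo/.gitignore" 2>/dev/null || { echo ".chef is not listed in $repo/.gitignore" >&2; rc=1; }
    # if this is already a git checkout, nothing under .chef may be tracked
    if [ -d "$repo/.git" ] && command -v git >/dev/null 2>&1; then
        tracked=$(git -C "$repo" ls-files .chef)
        [ -z "$tracked" ] || { echo "key material already tracked by git: $tracked" >&2; rc=1; }
    fi
    return $rc
}

# Command-line entry point; skipped when no repo path is given so the
# function can be sourced elsewhere.
if [ "$#" -gt 0 ]; then
    chef_repo_preflight "$1" && echo "$1: .chef looks complete and is ignored by git"
    exit $?
fi
```

The last check matters when the repo was cloned before .gitignore was edited: an ignore entry does not untrack files that were already added, so a key that slipped into an earlier commit still shows up in `git ls-files` and has to be removed from the index (and rotated).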


Add Ruby to your Path


echo 'export PATH="/opt/chefdk/embedded/bin:$PATH"' >> ~/.configuration_file && source ~/.configuration_file

Now let’s verify that we are all set…

cd ~/chef-repo


knife client list

You should see a list of your clients which will only be the one you are on for right now.

That’s it. Let me know if you have questions or run into issues or see mistakes.

Chef Error: Knife configure

When doing your initial “knife configure -i” command while setting up a chef workstation, if you encounter this error:

ERROR: Errno::EHOSTUNREACH: No route to host - connect(2)

Make sure you check your firewall settings.

On CentOS you can do:

sudo iptables -S

This will show you what is enabled currently. If you do not have port 443 open you will run into issues. To open it you can do this:

# -I inserts the rule at the top of the chain; on a stock CentOS ruleset an appended (-A) rule would land below the final REJECT and never match
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Make sure you save your changes…

sudo service iptables save

…and restart the firewall…

sudo service iptables restart
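Reading `iptables -S` output by eye is error-prone, because an ACCEPT that sits below the chain's catch-all REJECT is never reached. The following added example (not from the original post) checks a rule set for an effective inbound 443 allow; the three rule sets embedded in it are constructed to look like a stock CentOS 6 firewall before and after the fix, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: checks whether an iptables rule set
# (the output of `iptables -S`) actually lets inbound HTTPS reach the Chef server.
# Reads rules on stdin so it can be run as `sudo iptables -S | sh this.sh` or on a saved copy.

# 0 when the INPUT chain accepts TCP 443 before any port-agnostic REJECT/DROP,
# or has no such blocking rule and an ACCEPT policy; 1 otherwise.
https_inbound_open() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }          # only the INPUT chain matters here
        /-p tcp/ && /--dport 443/ && /-j ACCEPT/ { found = 1; exit }
        /-j (REJECT|DROP)/ && !/--dport/ { blocked = 1; exit }   # catch-all: later rules never run
        END {
            if (found) exit 0
            if (blocked) exit 1
            if (policy == "ACCEPT") exit 0
            exit 1
        }'
}

# Constructed sample: the shape of a stock CentOS 6 ruleset (not captured from a real host).
CLOSED_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Same set after `iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT`: the rule lands first.
OPEN_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Same set after `iptables -A INPUT ...` instead: appended below the REJECT, so it never matches.
APPENDED_RULES="$CLOSED_RULES
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT"

for name in CLOSED_RULES OPEN_RULES APPENDED_RULES; do
    eval "rules=\$$name"
    if printf '%s\n' "$rules" | https_inbound_open; then
        echo "$name: 443 reachable"
    else
        echo "$name: 443 blocked"
    fi
done
```

Against a live box, `sudo iptables -S | { . ./this.sh; https_inbound_open; }` gives the same yes/no answer before you touch the rules, and again after `service iptables save` to confirm the saved set still has the allow in the right place.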

Chef Error while bootstrapping

I’ve run into this error a few times while getting my VMs set up and Chef installed on them:

Starting Chef Client, version 11.6.0
Creating a new client identity for target3 using the validator key.
================================================================================
Chef encountered an error attempting to create the client "target3"
================================================================================
Authorization Error:
Your validation client is not authorized to create the client for this node (HTTP 403).

Possible Causes:
* There may already be a client named "target3"
* Your validation client (sethlearningchef-validator) may have misconfigured authorization permissions.

[2013-11-18T14:07:52-05:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated
[2013-11-18T14:07:52-05:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

I’m not sure what causes it, but here is the fix that works for me:

On management station:

knife client delete NODENAME
knife node delete NODENAME

On affected node:

sudo rm /etc/chef/client.pem
sudo chef-client

Then, on your management server, run your bootstrap command again:

sudo knife bootstrap NODE_FQDN --sudo -x USERNAME -N "NODENAME"