
I just finished the install chef-server tutorial at Chef's website, using an ec2 instance for my chef-server (t2.medium Ubuntu 16.04 AMI), and my laptop for my workstation, which also runs Ubuntu 16.04.

It appears that I succeeded in setting up a chef-workstation and chef-server. However, my 'user.pem' key is not being located. This is bizarre because my pem keys were successfully pulled from my chef-server to my chef-workstation using 'scp'. I can see them in my chef-repo directory on my workstation.

Might anyone be kind enough to help figure out why my pem key is not being located?

From my chef-workstation at:

~/chef-repo/

I run:

knife ssl fetch

I get:

WARNING: Certificates from ec2-XX-XX-XXX-XXX.us-west-1.compute.amazonaws.com will be fetched and placed in your trusted_cert
directory (/home/user/chef-repo/.chef/trusted_certs).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for ec2-XX-XX-XXX-XXX_us-west-1_compute_amazonaws_com in /home/user/chef-repo/.chef/trusted_certs/ec2-XX-XX-XXX-XXX_us-west-1_compute_amazonaws_com.crt

So now I have a:

'/chef-repo/.chef/trusted_certs/ec2-52-53-255-252_us-west-1_compute_amazonaws_com.crt'

file as expected.

Next I run:

knife ssl check

I get:

Connecting to host ec2-XX-XX-XXX-XXX.us-west-1.compute.amazonaws.com:443
Successfully verified certificates from `ec2-XX-XX-XXX-XXX.us-west-1.compute.amazonaws.com'

But when I run:

knife client list

I get:

WARN: Failed to read the private key /user.pem: #<Errno::ENOENT: No such file or directory @ rb_sysopen - /user.pem>

Your private key could not be loaded from /user.pem
Check your configuration file and ensure that your private key is readable

My 'knife.rb' settings are:

log_level                :info
log_location             STDOUT
node_name                "user"
client_key               "#{current_dir}/user.pem"
validation_client_name   "myorg_shortname-validator"
validation_key           "#{current_dir}/myorg_shortname-validator.pem"
chef_server_url          "https://ec2-XX-XX-XXX-XXX.us-west-1.compute.amazonaws.com/organizations/myorg_shortname"
syntax_check_cache_path  "#{ENV['HOME']}/.chef/syntaxcache"
cookbook_path            ["#{current_dir}/../cookbooks"]

On my chef-server, my /etc/hosts, and /etc/hostname settings are both:

ip-XXX-XX-XX-XX.us-west-1.compute.internal

Strangely enough, I had to set 'chef_server_url' in 'knife.rb' to:

ec2-XX-XX-XXX-XXX_us-west-1_compute_amazonaws_com

as opposed to:

ip-XXX-XX-XX-XX.us-west-1.compute.internal

or else it wouldn't fetch my keys.

What am I missing?

2 Answers

I hope I did not waste anyone's time. I found the problem at the top of my 'knife.rb' settings. This is what happens when I spend too much time on something, and really need to just take a break.

I was missing the directory path at the top of 'knife.rb':

current_dir = File.dirname(__FILE__)

So my 'knife.rb' now looks like this:

current_dir = File.dirname(__FILE__)
log_level                :info
log_location             STDOUT
node_name                'user'
client_key               "#{current_dir}/user.pem"
validation_client_name   'digitalocean-validator'
validation_key           "#{current_dir}/myorg-validator.pem"
chef_server_url          'https://ec2-XX-XX-XXX-XXX.us-west-1.compute.amazonaws.com/organizations/myorg'
cache_type               'BasicFile'
cache_options( :path => "#{ENV['HOME']}/.chef/checksums" )
cookbook_path            ["#{current_dir}/../cookbooks"]

Hopefully I can at least help someone who may have experienced this. Take care.
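The fix above is easier to trust once you see the mechanism: knife.rb is evaluated as a Ruby config DSL in which an undefined bare name such as current_dir resolves to nil instead of raising, so "#{current_dir}/user.pem" silently collapses to "/user.pem". The following Ruby example is added here and is not from the original post or from Chef itself; KnifeConfigStandIn is an assumed minimal stand-in for that lenient evaluation, used to reproduce the failure and to check that the resolved client_key path is actually readable before running knife.

```ruby
require "tmpdir"
require "fileutils"

# Assumed stand-in (not Chef's code) for the lenient knife.rb DSL: a bare name
# that is neither a local variable nor a known setting resolves to nil rather
# than raising NameError, so a missing `current_dir = ...` line turns
# "#{current_dir}/user.pem" into "/user.pem" without any warning.
class KnifeConfigStandIn
  attr_reader :settings

  def initialize
    @settings = {}
  end

  # Evaluate knife.rb text with __FILE__ bound to its real path, so that
  # File.dirname(__FILE__) resolves to the .chef directory as it does for knife.
  def self.from_string(text, path)
    cfg = new
    cfg.instance_eval(text, path, 1)
    cfg
  end

  def method_missing(name, *args)
    return @settings[name] if args.empty?   # read of an unknown name: nil
    @settings[name] = args.first            # `client_key "..."` style write
  end

  def respond_to_missing?(_name, _include_private = false)
    true
  end
end

# Resolve client_key from knife.rb text and report whether that file is readable.
# Returns [resolved_path, readable?] so the "/user.pem" failure mode is visible.
def check_client_key(knife_rb_text, knife_rb_path)
  cfg = KnifeConfigStandIn.from_string(knife_rb_text, knife_rb_path)
  key = cfg.settings[:client_key]
  [key, File.file?(key) && File.readable?(key)]
end

# Constructed fixture: a .chef directory holding knife.rb and a placeholder user.pem.
# Returns [key resolved inside .chef?, key readable?].
def demo_knife_rb(with_current_dir)
  Dir.mktmpdir do |repo|
    chef_dir = File.join(repo, ".chef")
    FileUtils.mkdir_p(chef_dir)
    File.write(File.join(chef_dir, "user.pem"), "-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n")
    text = with_current_dir ? "current_dir = File.dirname(__FILE__)\n" : ""
    text += 'node_name  "user"' + "\n"
    text += 'client_key "#{current_dir}/user.pem"' + "\n"
    path, ok = check_client_key(text, File.join(chef_dir, "knife.rb"))
    [path == File.join(chef_dir, "user.pem"), ok]
  end
end
```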


Why doesn't chef read the private key from my users.pem?

WARN: Failed to read the private key /root/chef-repo/.chef/xxxx.pem : #<Errno::ENOENT: No such file or directory @ rb_sysopen - /root/chef-repo/.chef/xxxx.pem >
ERROR: Your private key could not be loaded from /root/chef-repo/.chef/admin.pem
Check your configuration file and ensure that your private key is readable

I have cross-checked /etc/hosts and /etc/hostname, the IP address of the server in knife.rb. And I wrote the first line in knife.rb file.
