
I have a new VM I just built. It has been bootstrapped with the same cookbooks as all the other nodes. They can load this data bag just fine. The new VM cannot.

Stack trace:

```
/usr/bin/chef-client:57:in `load'
/usr/bin/chef-client:57:in `<main>'
>>>> Caused by ChefVault::Exceptions::SecretDecryption:     DATABAG_NAME/ITEM is not encrypted with your public key.  Contact an administrator of the vault item to encrypt for you!
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-vault-2.9.1/lib/chef-vault/item.rb:152:in `secret'
/opt/chef/embedded/lib/ruby/gems/2.3.0/gems/chef-vault-2.9.1/lib/chef-vault/item.rb:74:in `load_keys'
```

Code snippet causing the issue:

```ruby
databag_contents = ChefVault::Item.load(node['DATABAG_NAME']['ITEM']['databag'], node['DATABAG_NAME']['ITEM']['databag_item'])
```

From the Chef server I have already updated the vault: `knife vault update DATABAG_NAME ITEM -S "name:new_node_name_here"`

I think this is fundamentally a vault error, but the fact that I've already run the single command which the docs say should encrypt the data bag with the public key ... I don't know what else can be done.

thanks.

(actual info has been removed and replaced with "DATABAG_NAME" and "ITEM")

EDIT ::

Some additional things I've tried are in the chat. I also did a `knife vault update DATABAG_NAME ITEM -S "name:new_vm_name_here" --verbose --verbose` to get the keys from the output there. I took those keys and one by one used `knife data bag edit DATABAG ITEM_keys` to add the key manually. None of them worked.

  • Check in `DATABAG_ITEM_keys` to see what encrypted copies have been generated. – coderanger Apr 04 '17 at 19:48
  • Are you talking about in the data bag itself? With a `knife data bag show DATABAG_NAME`? I see the second entry with the `_keys` but there is nothing after it. Is that a problem? Someone else generated this but it's possible it has been tampered with – Carl_Friedrich_Gauss Apr 04 '17 at 20:34
  • So chef-vault makes a second data bag with the `_keys` suffix, with items of the same name as the original. That contains the metadata and asym encrypted keys for chef-vault. – coderanger Apr 04 '17 at 21:21
  • You can look at it manually to see what the state of things is. – coderanger Apr 04 '17 at 21:21
  • @coderanger when I attempt `knife vault show DATABAG_NAME_keys` it just says it cannot be found. – Carl_Friedrich_Gauss Apr 04 '17 at 21:23
  • @coderanger I figured out the command ... `knife data bag show DATABAG DATA_BAG_ITEM_keys` ... I do NOT see the node's key in there. I re-registered the client and placed the new key on the node; I have tried `knife vault refresh` and that didn't help. Is there any way to manually generate that shared secret and then edit the _keys to force it in there? – Carl_Friedrich_Gauss Apr 04 '17 at 21:46

1 Answer


The command to update the vault needed to be:

```
knife vault update DATABAG_NAME ITEM -S "name:new_node_name_here" -M client
```
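To make the `_keys` data bag explanation from the comments and the `-M client` fix in the answer concrete, here is an added Ruby model of how a vault item's shared secret is distributed. It is an illustration written for this page, not chef-vault's own code or the question's cookbook: the principal names (`alice`, `old-node`, `new-vm`), the keypairs and the shared secret are all constructed, and the real `_keys` item carries more metadata than shown. The point it demonstrates is that a node can only decrypt a vault item if the `_keys` item holds a copy of the secret wrapped with that node's public key, that adding a node means an admin unwrapping the secret with their own key and re-wrapping it for the node, and that a missing entry is exactly the "not encrypted with your public key" failure in the question.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Simplified model of how chef-vault shares a vault item's secret with nodes.
# Added illustration, not chef-vault's code. The real vault item is a Chef
# encrypted data bag item sealed with a random shared secret; the companion
# "<ITEM>_keys" item stores, per authorized admin and client, one copy of that
# secret RSA-encrypted with that principal's public key.

class SecretDecryption < StandardError; end

# Constructed stand-in for a Chef client/user keypair (in production the private
# half lives in /etc/chef/client.pem and the server holds the public half).
def make_key
  OpenSSL::PKey::RSA.new(2048)
end

def wrap_secret(secret, public_pem)
  Base64.strict_encode64(OpenSSL::PKey::RSA.new(public_pem).public_encrypt(secret))
end

# Build the "_keys" item for +item_name+, roughly what `knife vault create`
# produces for the principals selected with -A (admins) and -S/-C (clients).
# +admins+ and +clients+ map principal name => public key PEM.
def build_keys_item(item_name, secret, admins:, clients:)
  item = {
    'id'      => "#{item_name}_keys",
    'admins'  => admins.keys.sort,
    'clients' => clients.keys.sort,
  }
  admins.merge(clients).each { |name, pem| item[name] = wrap_secret(secret, pem) }
  item
end

# What a node does at converge time (the question's ChefVault::Item.load):
# look up its own entry and unwrap the shared secret with its private key.
# A missing entry is the "not encrypted with your public key" failure.
def load_secret(keys_item, principal, private_key)
  wrapped = keys_item[principal]
  unless wrapped
    vault_name = keys_item['id'].sub(/_keys\z/, '')
    raise SecretDecryption, "#{vault_name} is not encrypted with your public key."
  end
  private_key.private_decrypt(Base64.strict_decode64(wrapped))
end

# What `knife vault update ... -S "name:NEW" -M client` has to achieve: the
# admin running knife unwraps the secret with their own key, then re-wraps it
# for the new client's public key and records the client in the metadata.
# Returns a new item; in real life knife writes it back to the Chef server.
def grant_client(keys_item, admin, admin_key, client, client_pem)
  secret = load_secret(keys_item, admin, admin_key)
  updated = keys_item.dup
  updated[client] = wrap_secret(secret, client_pem)
  updated['clients'] = (keys_item['clients'] + [client]).uniq.sort
  updated
end

# Check for the state the question describes: principals expected to have
# access but with no wrapped copy of the secret in the _keys item.
def missing_entries(keys_item, expected)
  expected.reject { |name| keys_item.key?(name) }
end

if __FILE__ == $PROGRAM_NAME
  secret = OpenSSL::Random.random_bytes(32)   # constructed shared secret
  admin  = make_key
  old    = make_key
  new_vm = make_key
  item = build_keys_item('ITEM', secret,
                         admins:  { 'alice' => admin.public_key.to_pem },
                         clients: { 'old-node' => old.public_key.to_pem })
  # Metadata only; the wrapped copies are long base64 blobs.
  puts JSON.pretty_generate(item.select { |k, _| %w[id admins clients].include?(k) })
  begin
    load_secret(item, 'new-vm', new_vm)
  rescue SecretDecryption => e
    puts "new-vm before update: #{e.message}"
  end
  item = grant_client(item, 'alice', admin, 'new-vm', new_vm.public_key.to_pem)
  puts "new-vm after update can decrypt: #{load_secret(item, 'new-vm', new_vm) == secret}"
end
```

Running it prints the metadata of the `_keys` item, the decryption failure for the node that has no entry, and `true` once the admin has re-wrapped the secret for it. The practical check this suggests when debugging the question's situation is the one from the comments: look at `knife data bag show DATABAG ITEM_keys` and confirm an entry named after the node is present; if it is absent, no amount of re-registering the client key on the node will help until an admin with access re-runs the update in client mode.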