Install Chef Server and Chef Client on CentOS 6

There are three configuration scenarios for the Chef server:

  • Standalone (everything on a single machine)
  • High availability (machines configured for front-end and back-end, allowing for failover on the back-end and load-balancing on the front-end, as required)
  • Tiered (machines configured for front-end and back-end, with a single back-end and load-balancing on the front-end, as required)


  • An x86_64 compatible system architecture; Red Hat Enterprise Linux and CentOS may require updates prior to installation
  • A resolvable hostname that is specified using a FQDN or an IP address
  • A connection to NTP to prevent clock drift
  • A local mail transfer agent that allows the Chef server to send email notifications
  • Using cron and the /etc/cron.d directory for periodic maintenance tasks
  • Disabling the Apache Qpid daemon on CentOS and Red Hat systems
  • A local user account under which services will run
  • A local user account for PostgreSQL
  • A group account under which services will run


We have tested Chef server and Chef client with CentOS 6 as well.

Chef server :
chef client :

Before proceeding with the Chef server installation, verify and complete the following steps.

  • Disable SELinux
  • Set the FQDN before running reconfigure.

vi /etc/hosts

Download chef server

I have used version 11.1.6-1 of Chef server.

Log in to your Chef server.

#chef-server-ctl reconfigure

It will take a few minutes to complete this process.

Run these commands on your Chef server to install the management console.
#chef-server-ctl install chef-manage
#chef-server-ctl reconfigure
#chef-manage-ctl reconfigure

Run these commands to install the reporting feature.

#chef-server-ctl install opscode-reporting
#chef-server-ctl reconfigure
#opscode-reporting-ctl reconfigure

Once installation completed.
Installation Path

Enable Chef Server Knife access ports in your firewall.

TCP Port 4000
Chef Server WebUI
TCP Port 80
TCP Port 443
TCP Port 9462

Run Test Suite

#chef-server-ctl test

Open Chef Server WebUI
The default login information should be over on the right side of the screen:

username: admin
password : [email protected]

Set a new admin password.
That's all.

Log in to your Chef client server.

Install chef client

Check the various steps of the chef-client installation.


Once the installation has completed, verify your version.

# chef-client -v
Chef: 12.2.1

Next, we set up communication with the Chef server. Follow the steps below.

Create a directory named chef inside the /etc directory.

#mkdir /etc/chef

We need to copy the chef-validator.pem file from our chef server. You can find this file in /etc/chef directory of the server. Issue the below command to copy it to our client machine.

#scp [email protected]:/etc/chef/chef-validator.pem /etc/chef/

Now we need a client.rb file on the client machine that points to our Chef server.

#vi /etc/chef/client.rb

Append the below code to the file

log_level :info
log_location STDOUT
chef_server_url ''
validation_key "/etc/chef/chef-validator.pem"
validation_client_name 'chef-validator'

Or you can configure knife settings using the knife command:

#knife configure

Example:

# cat /root/.chef/knife.rb
log_level :info
log_location STDOUT
node_name 'admin'
client_key '/root/.chef/admin.pem'
validation_client_name 'chef-validator'
validation_key '/etc/chef-server/chef-validator.pem'
chef_server_url ''
syntax_check_cache_path '/root/.chef/syntax_check_cache'

client_key: I have copied the admin.pem file from the Chef server (/etc/chef-server/admin.pem) to /root/.chef/admin.pem on the Chef client.
validation_key: I have copied /etc/chef/chef-validator.pem from the Chef server to /etc/chef-server/chef-validator.pem.

Finally, we need to register the client with the Chef server. Issue the command below to register the client with the Chef server.


You are done!!

#knife client list

Check your Chef server node list.

Errors:

[2015-04-01T08:17:12-04:00] INFO: Forking chef instance to converge…
Starting Chef Client, version 12.2.1
[2015-04-01T08:17:12-04:00] INFO: *** Chef 12.2.1 ***
[2015-04-01T08:17:12-04:00] INFO: Chef-client pid: 29241
Creating a new client identity for using the validator key.
[2015-04-01T08:17:13-04:00] INFO: Client key /etc/chef/client.pem is not present – registering
[2015-04-01T08:17:13-04:00] ERROR: SSL Validation failure connecting to host: – SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Chef encountered an error attempting to create the client “”

[2015-04-01T08:17:13-04:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 0 resources updated in 1.226835116 seconds
[2015-04-01T08:17:13-04:00] ERROR: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
[2015-04-01T08:17:13-04:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

If the server you are connecting to uses a self-signed certificate, you must
configure chef to trust that server’s certificate.

By default, the certificate is stored in the following location on the host
where your chef-server runs:


Copy that file to your trusted_certs_dir (currently: /root/.chef/trusted_certs/)
using SSH/SCP or some other secure method, then re-run this command to confirm
that the server’s certificate is now trusted.

#knife ssl fetch

WARNING: Certificates from will be fetched and placed in your trusted_cert
directory ( /root/.chef/trusted_certs/).

Knife has no means to verify these are the correct certificates. You should
verify the authenticity of these certificates after downloading.

Adding certificate for in /var/opt/chef-server/nginx/ca/
Verify that the certificate that was downloaded is in fact the same as the certificate on the Chef server. For example, I compared SHA256 checksums:

#ssh [email protected] sha256sum /root/.chef/trusted_certs/chef_example_com.crt
#sha256sum /root/.chef/trusted_certs/chef_example_com.crt
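
As an added example (not part of the original post or of Chef's own tooling), the checksum comparison above can be scripted so that every certificate in the trusted_certs directory is checked against a copy obtained from the server over SSH/SCP. The function names and the reference directory are assumptions, and the demo files are constructed placeholders rather than real certificates.

```shell
#!/bin/sh
# Added example (not from the original post): fail closed unless every
# certificate fetched by `knife ssl fetch` matches a reference copy.

# Print only the SHA-256 hex digest of a file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# check_fetched_certs TRUSTED_DIR REFERENCE_DIR
# REFERENCE_DIR (hypothetical) holds certificates copied from the Chef
# server over SSH/SCP. Returns 0 only if every *.crt in TRUSTED_DIR has a
# same-named, byte-identical reference file.
check_fetched_certs() {
    trusted_dir=$1; reference_dir=$2
    result=0; seen=0
    for crt in "$trusted_dir"/*.crt; do
        [ -f "$crt" ] || continue          # glob matched nothing
        seen=1
        name=$(basename "$crt")
        ref="$reference_dir/$name"
        if [ ! -f "$ref" ]; then
            echo "NOREF    $name"; result=1
        elif [ "$(sha256_of "$crt")" = "$(sha256_of "$ref")" ]; then
            echo "MATCH    $name"
        else
            echo "MISMATCH $name"; result=1
        fi
    done
    [ "$seen" -eq 1 ] || result=1          # nothing verified: do not trust
    return "$result"
}

# Constructed demo: placeholder bytes stand in for real PEM certificates.
demo() {
    d=$(mktemp -d)
    mkdir "$d/trusted" "$d/ref"
    echo "constructed-cert-A" > "$d/trusted/chef_example_com.crt"
    echo "constructed-cert-A" > "$d/ref/chef_example_com.crt"
    echo "constructed-cert-B" > "$d/trusted/unexpected_host.crt"
    check_fetched_certs "$d/trusted" "$d/ref"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "At least one fetched certificate is unverified; do not trust it."
```

A certificate with no reference copy is treated the same as a mismatch, so a host that was fetched unintentionally does not end up trusted by default.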

Now check knife client list again.

# knife client list