chef-client fails with ERROR: The used Encrypted Data Bags version requires an OpenSSL version with “aes-256-gcm” algorithm support

TL;DR:

Your path is probably wrong for the root user that is running chef-client. We had a long screwed up path that eventually included the right path, but had an old ChefDK preceeding it. Basically, you’re using a broken chef-client (too  new, too old, broken encryption, whatever)

Works:

PATH=/usr/bin:/bin:/etc:.:/usr/local/bin:/usr/sbin:/opt/OV/bin/OpC:/home/rundeck/:/opt/middleware/Tools

Does not: 

PATH=/usr/local/rvm/gems/ruby-2.3.1/bin:/usr/local/rvm/gems/ruby-2.3.1@global/bin:/usr/local/rvm/rubies/ruby-2.3.1/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/root:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/rvm/bin:/root/bin

Fix:

export PATH=/usr/bin:/bin:/etc:.:/usr/local/bin:/usr/sbin:/opt/OV/bin/OpC:/home/rundeck/:/opt/middleware/Tools

Permanent fix:

vi /etc/bash.bashrc

Change to:

type rvm >/dev/null 2>/dev/null || echo ${PATH} | __rvm_grep “/usr/local/rvm/bin” > /dev/null || export PATH=”${PATH}:/usr/local/rvm/bin”

vi /root/.bashrc

export PATH=/usr/bin:$PATH:/root/bin

But this hoses up ruby, better to get the right version of chef-client:

mv /usr/local/rvm/gems/ruby-2.3.1/bin/chef-client /usr/local/rvm/gems/ruby-2.3.1/bin/chef-client-12.21.1

mv /usr/local/rvm/gems/ruby-2.3.1@global/bin/chef-client /usr/local/rvm/gems/ruby-2.3.1@global/bin/chef-client-12.21.1

mv /usr/local/rvm/rubies/ruby-2.3.1/bin/chef-client /usr/local/rvm/rubies/ruby-2.3.1/bin/chef-client-12.21.1

/usr/bin/chef-client –version

cd /usr/local/rvm/gems/ruby-2.3.1/bin/

ln /usr/bin/chef-client chef-client

chef-client –version

590  [2018-10-10 15:27:33] echo ${PATH}

  591  [2018-10-10 15:29:27] chef-client

  592  [2018-10-10 15:30:07] which chef-client

  593  [2018-10-10 15:30:28] /usr/local/rvm/gems/ruby-2.3.1/bin/chef-client –version

  594  [2018-10-10 15:30:40] mv /usr/local/rvm/gems/ruby-2.3.1/bin/chef-client /usr/local/rvm/gems/ruby-2.3.1/bin/chef-client-12.21.1

  595  [2018-10-10 15:30:43] which chef-client

  596  [2018-10-10 15:30:55] /usr/local/rvm/gems/ruby-2.3.1@global/bin/chef-client –version

  597  [2018-10-10 15:31:08] mv /usr/local/rvm/gems/ruby-2.3.1@global/bin/chef-client /usr/local/rvm/gems/ruby-2.3.1@global/bin/chef-client-12.21.1

  598  [2018-10-10 15:31:10] which chef-client

  599  [2018-10-10 15:31:20] /usr/local/rvm/rubies/ruby-2.3.1/bin/chef-client –version

  600  [2018-10-10 15:31:55] mv /usr/local/rvm/rubies/ruby-2.3.1/bin/chef-client /usr/local/rvm/rubies/ruby-2.3.1/bin/chef-client-12.21.1

  601  [2018-10-10 15:31:57] which chef-client

  602  [2018-10-10 15:32:05] /usr/bin/chef-client –version

  603  [2018-10-10 15:32:15] chef-client

  604  [2018-10-10 15:32:24] which chef-client

  605  [2018-10-10 15:32:30] chef-client

  606  [2018-10-10 15:32:38] cd /usr/local/rvm/gems/ruby-2.3.1/bin/

  607  [2018-10-10 15:32:39] ll

  608  [2018-10-10 15:33:28] ln chef-client /usr/bin/chef-client

  609  [2018-10-10 15:33:38] ln /usr/bin/chef-client chef-client

  610  [2018-10-10 15:33:42] chef-client

  611  [2018-10-10 15:35:00] history

[rundeck][nl-fldi-02119][~]

$ chef-client –version

Chef: 12.19.36

Encrypted Data Bags version requires an OpenSSL version with “aes-256-gcm” algorithm support

openssl enc -help 2>&1 | grep gcm

[bwilliam@nl-fldi-02119 ~]$ openssl enc -help 2>&1 | grep gcm

-aes-128-ctr               -aes-128-ecb               -aes-128-gcm

-aes-192-gcm               -aes-192-ofb               -aes-256-cbc

-aes-256-ecb               -aes-256-gcm               -aes-256-ofb

The used Encrypted Data Bags version requires an OpenSSL version with “aes-256-gcm” algorithm support

knife data bag show −−secret-file=./rev_secret_key rev_secret revpass

knife data bag show −−secret-file=/etc/chef/encrypted_data_bag_secret users rundeck

[2018-10-10T09:38:11-04:00] ERROR: The used Encrypted Data Bags version requires an OpenSSL version with “aes-256-gcm” algorithm support

Recipe Compile Error in /var/chef/cache/cookbooks/wdprt_rundeck_client/recipes/default.rb

  ================================================================================

  Chef::EncryptedDataBagItem::EncryptedDataBagRequirementsFailure

  —————————————————————

  The used Encrypted Data Bags version requires an OpenSSL version with “aes-256-gcm” algorithm support

[root@nl-fldi-02119 chef]# chef-client –version

Chef: 12.21.1

knife data bag show users rundeck

  cipher:         aes-256-gcm

which knife

which chef-client

[rundeck][nl-fldi-02119][~]

$ chef-client –version

Chef: 12.19.36

knife data bag show users rundeck

Leave a Reply

Your email address will not be published. Required fields are marked *