Troubleshooting AWS OpsWorks for Chef Automate
This topic contains some common AWS OpsWorks for Chef Automate issues, and suggested solutions for those issues.
General Troubleshooting Tips
If you are unable to create or work with a Chef server, you can view error messages or logs to help you troubleshoot the issue. The following tasks describe general places to start when you are troubleshooting a Chef server issue. For information about specific errors and solutions, see the Troubleshooting Specific Errors section of this topic.
Use the AWS OpsWorks for Chef Automate console to view error messages if a Chef server fails to start. On the Chef server detail page, error messages related to launching and running the server are shown at the top of the page. Errors can come from AWS OpsWorks for Chef Automate, AWS CloudFormation, or Amazon EC2, services that are used to create a Chef server. On the detail page, you can also view events that occur on a running server, which can contain failure event messages.
To help resolve EC2 issues, connect to your server's instance by using SSH, and view logs. EC2 instance logs are stored in the /var/log/aws/opsworks-cm directory. These logs capture command outputs while AWS OpsWorks for Chef Automate launches a Chef server.
Troubleshooting Specific Errors
Chef server doesn't recognize organization names added in the Chef Automate dashboard
Problem: You've added new Workflow organization names in the Chef Automate dashboard, or specified a value other than "default" in the unattended node association script, but node association fails. Your AWS OpsWorks for Chef Automate server does not recognize the new organization names.
Cause: Workflow organization names and Chef server organization names are not the same. You can create new Workflow organizations in the web-based Chef Automate dashboard, but not Chef server organization names. You can use the Chef Automate dashboard only to view existing Chef server organizations. A new organization that you create in the Chef Automate dashboard is a Workflow organization, and is not recognized by the Chef server. You cannot create new organization names by specifying them in the node association script. Referring to an organization name in a node association script when the organization has not first been added to the Chef server will cause node association to fail.
Unable to create the server's Amazon EC2 instance
Problem: Server creation failed with an error message similar to the following: "The following resource(s) failed to create: [EC2Instance]. Failed to receive 1 resource signal(s) within the specified duration."
Cause: This is most likely because the EC2 instance doesn’t have network access.
Solution: Ensure the instance has outbound Internet access, and the AWS service agent is able to issue commands. Be sure that your VPC (a VPC with a single public subnet) has DNS resolution enabled, and that your subnet has the Auto-assign Public IP setting enabled.
Service role error prevents server creation
Problem: Server creation fails with an error message that states, "Not authorized to perform sts:AssumeRole."
Cause: This can occur when the service role you are using lacks adequate permissions to create a new server.
Solution: Open the AWS OpsWorks for Chef Automate console; use the console to generate a new service role and an instance profile role. If you would prefer to use your own service role, attach the AWSOpsWorksCMServiceRole policy to the role. Verify that opsworks-cm.amazonaws.com is listed among services in the role's Trust Relationships. Verify that the service role that is associated with the Chef server has the AWSOpsWorksCMServerRole managed policy attached.
Elastic IP address limit exceeded
Problem: Server creation fails with an error message that states, "The following resource(s) failed to create: [EIP, EC2Instance]. Resource creation cancelled, the maximum number of addresses has been reached."
Cause: This occurs when your account has used the maximum number of Elastic IP (EIP) addresses. The default EIP address limit is five.
Solution: You can either release existing EIP addresses or delete ones that your account is not actively using, or you can contact AWS Customer Support to increase the limit of EIP addresses that is associated with your account.
Cannot sign into the Chef Automate dashboard
Problem: The Chef Automate dashboard shows an error similar to the following: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://myserver-name.region.opsworks-cm.io/api/v0/e/default/verify-token. (Reason: CORS header 'Access-Control-Allow-Origin' missing)". The error can also be similar to "The User Id / Password combination entered is incorrect."
Cause: The Chef Automate dashboard explicitly sets the FQDN, and does not accept relative URLs. At this time, you cannot sign in by using the Chef server's IP address; you can only sign in by using the DNS name of the server.
Solution: Sign in to the Chef Automate dashboard only by using the Chef server's DNS name entry, not its IP address. You can also try resetting the Chef Automate dashboard credentials by running an AWS CLI command, as described in Reset Chef Automate Dashboard Credentials.
Unattended node association fails
Problem: Unattended, or automatic, association of new Amazon EC2 nodes is failing. Nodes that should have been added to the Chef server are not showing up in the Chef Automate dashboard, and are not listed in results of the knife client show or knife node show commands.
Cause: This can occur when you do not have an IAM role set up as an instance profile that permits calls to communicate with new EC2 instances.
Solution: Attach a policy to your EC2 instance profile that allows the DescribeNodeAssociationStatus API calls to work with EC2, as described in Adding Nodes Automatically in AWS OpsWorks for Chef Automate.
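The two IAM checks this topic calls for (the service role's trust relationship under "Service role error prevents server creation", and the instance profile permission above) can be run offline against exported policy JSON. The following is an added example, not AWS code or part of the original topic. Assumptions: the function names and sample documents are constructed for illustration, the opsworks-cm: action prefix is not stated on this page, and Resource, Condition and NotAction elements are not evaluated.

```python
import fnmatch

SERVICE = "opsworks-cm.amazonaws.com"  # service principal named in this topic
NODE_ACTION = "opsworks-cm:DescribeNodeAssociationStatus"  # prefix is an assumption

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Action and Service.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(patterns, name):
    # Action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in _as_list(patterns))

def trusts_service(trust_policy, service=SERVICE):
    """True if an Allow statement explicitly lists `service` for sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and service in services
                and _matches(stmt.get("Action"), "sts:AssumeRole")):
            return True
    return False

def allows_action(policy, action=NODE_ACTION):
    """True if `action` is allowed and no statement denies it (explicit Deny wins)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(stmt.get("Action"), action):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # conservative: any matching Deny counts as a block
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

# Constructed sample documents, not taken from a real account.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com", SERVICE]},
    "Action": "sts:AssumeRole"}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}}
NODE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["opsworks-cm:Describe*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(trusts_service(GOOD_TRUST), trusts_service(BAD_TRUST), allows_action(NODE_POLICY))
```

BAD_TRUST reproduces the condition behind "Not authorized to perform sts:AssumeRole": the role exists, but opsworks-cm.amazonaws.com is not among its trusted services.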
Additional help and support
If you do not see your specific problem described in this topic, or you have tried the suggestions in this topic and are still having problems, visit the AWS OpsWorks forums.
You can also visit the AWS Support Center. The AWS Support Center is the hub for creating and managing AWS Support cases. The AWS Support Center also includes links to other helpful resources, such as forums, technical FAQs, service health status, and AWS Trusted Advisor.