ERROR: You're using an RSA key with SHA-1, which is no longer allowed

Hello everybody. Today I started receiving this error:

Using SSH Config Dir '/home/circleci/.ssh'
git version 2.14.2
Cloning git repository
Cloning into '.'...
Warning: Permanently added the ECDSA host key for IP address '140.82.113.3' to the list of known hosts.
ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.

fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists

Nothing has changed in my CircleCI configuration, but today it just stopped working. I tried to reconnect CircleCI with my GitHub and update keys, but without success. Also, from the link mentioned inside the error, I can see that today GitHub did a final update:

Final brownout.

This is the full brownout period where we’ll temporarily stop accepting the deprecated key and signature types, ciphers, and MACs, and the unencrypted Git protocol. This will help clients discover any lingering use of older keys or old URLs.

and it seems like it deprecated old keys. So my question is: will this situation be solved by CircleCI, and should all keys soon not be in RSA format? Or how can I solve it?

I'm in the same boat. I went to my project and used CircleCI’s project settings UI to delete and remake both deploy and user keys, but both the new user and deploy keys still warrant the same message:

ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.

Do we need to generate our own custom keys to get around this?

Edit: I went to Improving Git protocol security on GitHub | The GitHub Blog and looked for advice. Apparently, OpenSSH > 7.2 is needed in the execution context. I went and tested and saw I'm running v6.7, so I’ll try to use a newer build image and see if that helps.

Hi Y’all!

We started to see an increase in this error, and @RoryKiefer, as you mentioned, upgrading the image you are using should usually work, as long as the newer version has the proper OpenSSH installed. I created a topic with some other resolutions as well, you can find it here:

If you encounter any issues implementing the fixes feel free to reply in the above thread and we will continue to assist.

Thanks!
-Nick

@nbialostosky thank you! It works now that I've started using a specific machine image.
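
The error is about the signature algorithm the SSH client uses, not the key itself, which is why regenerating keys did not help in the thread while a newer image did. As an added example (not code from the thread or from CircleCI), the shell functions below classify an `ssh -V` banner against a cutoff; the function names are hypothetical, the sample banners in the comments are constructed, and the 7.2 cutoff (the OpenSSH release that introduced RSA/SHA-2 signatures) is an assumption kept in `MIN_MAJOR`/`MIN_MINOR`.

```shell
#!/bin/sh
# Added example: decide from an `ssh -V` banner whether the client is new
# enough to sign with RSA/SHA-2 instead of the rejected RSA/SHA-1.
# Assumption: 7.2 is the cutoff (the version named in the thread).
MIN_MAJOR=7
MIN_MINOR=2

# Extract "major.minor" from a banner such as
# "OpenSSH_6.7p1 Debian-5+deb8u8, OpenSSL 1.0.1t  3 May 2016" (constructed sample).
# Prints nothing when the banner does not start with "OpenSSH_<n>.<n>".
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 if the version is at or above the cutoff, 1 if older,
# 2 if the banner could not be parsed.
openssh_new_enough() {
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -gt "$MIN_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; then
        return 0
    fi
    return 1
}

# One-line verdict suitable for a CI job log.
check_banner() {
    if openssh_new_enough "$1"; then
        echo "ok: $(openssh_version "$1")"
    else
        # Inside the else branch, $? still holds the status of the test above.
        case $? in
            1) echo "too old: $(openssh_version "$1")" ;;
            *) echo "unknown" ;;
        esac
    fi
}
```

In a build step, call it as `check_banner "$(ssh -V 2>&1)"` before the checkout; `ssh -V` writes its banner to stderr, hence the redirect.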