Git clone fails with extra SSH deploy key


#1

Since Friday, we can’t clone a specific private repository from GitHub with SSH inside a job step. The strange thing is, it’s still working on one other CircleCI 2.0 build (with the same deploy key and Git & SSH versions). Cloning other GitHub repositories works.

The error message is:

Cloning into ‘REPOSITORY’…
Warning: Permanently added the RSA host key for IP address ‘192.30.253.112’ to the list of known hosts.

ERROR: Repository not found.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Exited with code 128

Things I’ve tested:

  • It works locally with the same private SSH key.
  • Adding a second deploy key on GitHub, as this message often means that the private key is not correct. Same error. On GitHub, it displays “Never used — Read-only” for this key.
  • git clone with HTTPS credentials works in the build container.
  • git clone works in the same job step with a different GitHub repo (with another deploy key, for sure).
  • I reproduced the error with different base images:
    • golang:1.8-alpine (sha256:e653d2c77c9225d336bcc8d209100ef1b078047f4d6651f87e69c68f5d443513)
    • alpine:3.5 (sha256:58e1a1bb75db1b5a24a462dd5e2915277ea06438c3f105138f97eb53149673c4)
  • The working build’s base image: docker:17.03-git (sha256:0bf85ff24e546cdd532b73f7f818d734cb000dbd048883db9477286f4f551ee6)
  • All images above have the same Git & SSH versions:
    • openssh-client (7.4_p1-r0)
    • git (2.11.1-r0)

What could be the reason?


#2

I think you can add another step before the checkout with the connection test: this will show you both what keys the agent offers to GitHub and how it sees you:

ssh -T git@github.com

If all is good, it should say "Hi, <username>! You've successfully authenticated, but GitHub does not provide shell access." If not, you’ll see, at least, what keys it tried to offer.


#3

Hi @alexander,

running ssh -Tv git@github.com returns:

Hi USERNAME/REPO! You’ve successfully authenticated, but GitHub does not provide shell access.

Tried it without and with the deploy key, adding -i ~/.ssh/id_rsa_github to the command.

The full commands used:

echo ${GITHUB__DEPLOY_KEY} | base64 -d - > ${HOME}/.ssh/id_rsa_github && chmod 400 ${HOME}/.ssh/id_rsa_github
cd ~ && GIT_SSH_COMMAND="ssh -i ${HOME}/.ssh/id_rsa_github" git clone -b 'feature/circleci2.0' git@github.com:USERNAME/REPO.git

#4

Can you try regenerating your deploy key from the CircleCI side:

  • Go to Project settings
  • Checkout SSH Keys
  • Delete the old key
  • Add a deploy key

We’ve seen this happen with some customers where an old deploy key doesn’t seem to work anymore. Regenerating the deploy key this way seems to fix it.


#5

There’s no problem with the checkout step. We “import” another, general scripts repository via git clone in a run step. The reason why we’re using an SSH key, not a machine-user, is because it’s just one repository we use in other builds and don’t want our user keys (with full rights) available in the builds.

But your hint helped me: Adding the “user key” worked out. That’s even more strange then, as the private SSH key to use is set via the GIT_SSH_COMMAND.

Can it be that CircleCI 2.0 interprets the git command every time* in the build config and runs the same Git as used in the checkout step? *Not only if there’s no git executable installed in the primary container’s image, according to the warning shown in the checkout step.

I also tried GIT_SSH_COMMAND="ssh -i ${HOME}/.ssh/id_rsa_github -F /dev/null" to be sure that a config file could overwrite these SSH settings.
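
Added example, not part of any post in this thread: post #2 suggests looking at which keys the agent offers, and post #5 selects the key only with -i in GIT_SSH_COMMAND. Because -i does not stop ssh from also offering keys held by ssh-agent, this sketch reads ssh -v output to report which key the server accepted and builds a command with IdentitiesOnly=yes. The function names, paths and sample debug lines are constructed, modelled on OpenSSH 7.x output; whether this is the cause here is not confirmed in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Names and paths are hypothetical.

# ssh command that offers only the given key file: IdentitiesOnly=yes keeps
# ssh from also offering ssh-agent keys; -F /dev/null skips any config file.
deploy_ssh_command() {
  printf 'ssh -i %s -o IdentitiesOnly=yes -F /dev/null' "$1"
}

# Read `ssh -v` debug output on stdin and print the key that was offered
# immediately before the server accepted one.
accepted_key() {
  awk '
    /^debug1: Offering .*public key: / {
      sub(/^debug1: Offering .*public key: /, ""); last = $1
    }
    /^debug1: Server accepts key/ { print last; exit }
  '
}

# Succeed only if the accepted key is the expected deploy key file.
key_matches() {
  [ "$(accepted_key)" = "$1" ]
}

# Constructed sample: an agent key is offered first and accepted, so the
# key passed with -i is never tried.
sample_log() {
  cat <<'EOF'
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
EOF
}

if sample_log | key_matches /root/.ssh/id_rsa_github; then
  echo "deploy key was used"
else
  echo "a different key was accepted: $(sample_log | accepted_key)"
fi

# Real run inside the job (debug output goes to stderr):
#   ssh -Tv -i ~/.ssh/id_rsa_github git@github.com 2>&1 | accepted_key
#   GIT_SSH_COMMAND="$(deploy_ssh_command "$HOME/.ssh/id_rsa_github")" git clone ...
```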

