Git clone fails with extra SSH deploy key



Since Friday, we can’t clone inside a job step a specific private repository from Github with SSH. The strange thing is, it’s still working on one other CircleCI 2.0 build (with the same deploy key and Git & SSH versions). Cloning other Github repositories works.

The error message is:

Cloning into ‘REPOSITORY’…
Warning: Permanently added the RSA host key for IP address ‘’ to the list of known hosts.

ERROR: Repository not found.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Exited with code 128

Things I’ve tested:

  • It works locally with the same private SSH key.
  • Adding a second deploy key on Github, as this message often means that the private key is not correct. Same error. On Github, it displays “Never used — Read-only” for this key.
  • git clone with HTTPS credentials works in the build container.
  • git clone works in the same job step with different Github repo (with another deploy key, for sure).
  • I reproduced the error with different base images:
    • golang:1.8-alpine (sha256:e653d2c77c9225d336bcc8d209100ef1b078047f4d6651f87e69c68f5d443513)
    • alpine:3.5 (sha256:58e1a1bb75db1b5a24a462dd5e2915277ea06438c3f105138f97eb53149673c4)
  • The working build’s base image: docker:17.03-git (sha256:0bf85ff24e546cdd532b73f7f818d734cb000dbd048883db9477286f4f551ee6)
  • All images above have the same Git & SSH versions:
    • openssh-client (7.4_p1-r0)
    • git (2.11.1-r0)

What could be the reason?

Deployment script can't clone github repo

I think you can add another step before the checkout with the connection test: this will show you both what keys agent offers to github and how it sees you:

ssh -T

If all is good it should say Hi, <username>! You've successfully authenticated, but GitHub does not provide shell access.. If not you’ll see, at least, what keys it tried to offer.


Hi @alexander,

running ssh -Tv returns:

Hi USERNAME/REPO! You’ve successfully authenticated, but GitHub does not provide shell access.

Tried it without and with the deploy key, adding -i ~/.ssh/id_rsa_github to the command.

The full commands used:

echo ${GITHUB__DEPLOY_KEY} | base64 -d - > ${HOME}/.ssh/id_rsa_github && chmod 400 ${HOME}/.ssh/id_rsa_github
cd ~ && GIT_SSH_COMMAND="ssh -i ${HOME}/.ssh/id_rsa_github" git clone -b 'feature/circleci2.0'


Can you try regenerating your deploy key from the CircleCI side:

  • Go to Project settings
  • Checkout SSH Keys
  • Delete the old key
  • Add a deploy key

We’ve seen this happen with some customers where an old deploy key doesn’t seem to work anymore. Regenerating the deploy key this way seems to fix it.


There’s no problem with the checkout step. We “import” another, general scripts repository via git clone in a run step. The reason why we’re using a SSH key, not a machine-user, is because it’s just one repository we use in other builds and don’t want our user keys (with full rights) available in the builds.

But your hint helped me: Adding the “user key” worked out. That’s even more strange then, as the private SSH key to use is set via the GIT_SSH_COMMAND.

Can it be that CircleCI 2.0 interprets the git command everytime* in the build config and runs the same Git as used in the checkout step? *Not only if there’s no git executable installed in the primary container’s image, according to the warning shown in the checkout step.

I also tried GIT_SSH_COMMAND="ssh -i ${HOME}/.ssh/id_rsa_github -F /dev/null" to be sure that a config file could overwrite this SSH settings.


This topic was automatically closed 41 days after the last reply. New replies are no longer allowed.