The authenticity of host 'app.example.com (xxx.xxx.xx.xxx)' can't be established

rails
2.0

#1

My config.yml looks like:

version: 2.0
jobs:
  build:
    environment:
      BUNDLE_PATH: vendor/bundle
    docker:
      - image: circleci/ruby:2.3-node-browsers
        environment:
          DATABASE_HOST: 127.0.0.1
          DATABASE_USER: ubuntu
          DATABASE_PASSWORD: ""
          RAILS_ENV: test
          RACK_ENV: test
      - image: circleci/postgres:9.6-alpine-postgis
        environment:
          POSTGRES_USER: ubuntu

    working_directory: ~/code

    steps:
      - checkout
      # Download and cache dependencies
      - restore_cache:
          keys:
          - v1-dependencies-{{ checksum "Gemfile.lock" }}
          # fallback to using the latest cache if no exact match is found
          - v1-dependencies-
      - run:
          name: install dependencies
          environment:
            BUNDLE_JOBS: 4
            BUNDLE_RETRY: 3
          command: |
            bundle check || bundle install
      - save_cache:
          paths:
            - ./vendor/bundle
          key: v1-dependencies-{{ checksum "Gemfile.lock" }}
      - run:
          name: Copy config
          command: |
            cp config/database.yml.example config/database.yml
      - run:
          name: Run unit tests
          command: |
            bundle exec rake db:create
            bundle exec rake db:test:prepare
            bundle exec rake test
      - add_ssh_keys:
          fingerprints:
            - "31:6b:xx:6d:xx:bf:1c:xx:ad"
      - deploy:
          name: Deploying
          command: |
            echo $CIRCLE_BRANCH
            if [ "${CIRCLE_BRANCH}" == "master" ]; then
              bundle exec mina deploy TO=production
            fi
            if [ "${CIRCLE_BRANCH}" == "staging" ]; then
              bundle exec mina deploy TO=staging
            fi

But while the deploy command runs, I get stuck as shown below:

The authenticity of host ‘app.example.com (xxx.xxx.xx.xxx)’ can’t be established.
ED25519 key fingerprint is SHA256:iXXXXXXXlK90OfsYmk.
Are you sure you want to continue connecting (yes/no)? mina aborted!

I did what is said in Adding an SSH Key to CircleCI, still no luck. Any help on what I am missing?


#2

Search the forum, that error has come up a few times 🙂


#3

I did before I posted. I found several tips, and I am looking to see if there is any documentation on this. The documentation I followed didn’t solve my problem.


#4

I doubt there’d be official CircleCI documentation; general usage problems tend not to appear in docs, which are much more about things going right! I suppose it is conceivable that it could go in a FAQ though.

However, as I say, I think it has been covered here. Further tips to try:

  • Log in via SSH and try running the command on the console to debug the issue
  • Use verbose flags in your SSH command to get some log output to debug why SSH keys are not working
  • Let us know what key algo you are using - it looks like you are using ED25519. I seem to recall one of the posts here saying that something worked (RSA?), and something else (ED25519?) did not. See this search.

#5

I was reading this Permissions and access during deployment. I have added the private key of my host to the settings page, with the name app.example.com, so cat ~/.ssh/config should have an entry like IdentityFile /home/circleci/.ssh/id_rsa_app.example.com as per the documentation, but what I see is:

circleci@fbe0ad158caf:~$ cat ~/.ssh/config
Host app.example.com
  IdentitiesOnly yes
  IdentityFile /home/circleci/.ssh/id_rsa_316b7b5a6d0dd0f207fc739dbf1c07ad
circleci@fbe0ad158caf:~$

Do you think it might be the issue? When I try to SSH from the circle container I get this log.


#6

Possibly. That looks like something that CircleCI would have set up. I’m assuming that you’re doing a checkout from one place (e.g. GitHub) and deploying to another (e.g. Digital Ocean). Thus, there should not be a name clash, since it should be differentiated by the Host.

However, yes, if you are deploying to app.example.com and the config points to a key you did not intend, then work out how the config got like that, and see if you can append to it or replace it (depending on whether CircleCI needs it again for another step).


#7

I found a thread discussing the same. But it was not completed, so not sure how the OP solved it.


#8

Try this command before connecting to the host:

ssh-keyscan -H app.example.com >> ~/.ssh/known_hosts
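
Added example, not part of the thread: appending raw `ssh-keyscan` output to `known_hosts` on every build trusts whichever server answers at that moment, so the host-key prompt is silenced rather than satisfied. The sketch below accepts a scan result only when it equals a key pinned out-of-band; the function name, the `PINNED_BLOB` value (a constructed placeholder, not a real key) and the file arguments are assumptions for illustration.

```shell
# Constructed placeholder. In practice, copy the blob from the server's own
# /etc/ssh/ssh_host_ed25519_key.pub over a trusted channel and store it in
# the repository or a CI environment variable.
PINNED_BLOB="AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyNotARealHostKey000"

# verify_scanned_key HOST KEYTYPE PINNED_BLOB SCAN_FILE KNOWN_HOSTS_FILE
# SCAN_FILE holds the stdout of: ssh-keyscan -t ed25519 HOST   (no -H, so the
# first field is the plain host name and can be matched).
# Returns 0 and appends the line on a match, 1 on a mismatch, 2 if no key of
# that type was offered. Nothing is written unless the key matches the pin.
verify_scanned_key() {
  vsk_host=$1; vsk_type=$2; vsk_blob=$3; vsk_scan=$4; vsk_known=$5

  # ssh-keyscan prints one "host keytype base64blob" line per key found.
  vsk_line=$(awk -v h="$vsk_host" -v t="$vsk_type" \
    '$1 == h && $2 == t { print; exit }' "$vsk_scan")

  if [ -z "$vsk_line" ]; then
    echo "no $vsk_type key offered for $vsk_host" >&2
    return 2
  fi

  vsk_seen=$(printf '%s\n' "$vsk_line" | awk '{ print $3 }')
  if [ "$vsk_seen" != "$vsk_blob" ]; then
    echo "host key for $vsk_host differs from the pinned key; refusing" >&2
    return 1
  fi

  # Append only once, so repeated builds do not grow the file.
  grep -qxF "$vsk_line" "$vsk_known" 2>/dev/null \
    || printf '%s\n' "$vsk_line" >> "$vsk_known"
}

# Typical use in a deploy step (not executed here):
#   ssh-keyscan -t ed25519 app.example.com > /tmp/scan.txt
#   verify_scanned_key app.example.com ssh-ed25519 "$PINNED_BLOB" \
#     /tmp/scan.txt ~/.ssh/known_hosts || exit 1
```

With a pinned key available, the scan can also be skipped entirely by writing the pinned `host keytype blob` line straight into `known_hosts`.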


#9

I tried what you said, but I am not sure why I am getting a public key denied error.

#!/bin/bash -eo pipefail
ssh-keyscan -H app.example.com >> ~/.ssh/known_hosts
echo $CIRCLE_BRANCH
if [ "${CIRCLE_BRANCH}" == "master" ]; then
  bundle exec mina deploy TO=production
fi
if [ "${CIRCLE_BRANCH}" == "staging" ]; then
  bundle exec mina deploy TO=staging
fi
# app.example.com:22 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
# app.example.com:22 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
# app.example.com:22 SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
master
       Warning: Permanently added the ED25519 host key for IP address '139.200.66.160' to the list of known hosts.


       Permission denied (publickey).


 !     Run Error
Exited with code 1

#10

I would suggest authorizing a different key, removing the current key, and adding the newly authorized key back through the CircleCI interface. I’m not entirely sure why this happens, but in my own personal use I’ve found this resolved the problem.