Hi there, I’m trying to deploy my application with CircleCI 2.0 and Heroku.
My deploy phase blocks with this message:
```
#!/bin/bash -eo pipefail
git push --force git@heroku.com:$HEROKU_APP_NAME.git HEAD:refs/heads/master
The authenticity of host 'heroku.com (50.19.85.132)' can't be established.
RSA key fingerprint is 8b:48:5e:67:0e:c9:16:47:32:f2:87:0c:1f:c8:60:ad.
Are you sure you want to continue connecting (yes/no)?
```
How can I run over this?
So far I have followed this guide: https://circleci.com/docs/2.0/deployment_integrations/#heroku
- I have slightly changed some things, for example my setup-heroku.sh file is:

```bash
#!/bin/bash
wget -qO- https://cli-assets.heroku.com/install-ubuntu.sh | sh
cat > ~/.netrc << EOF
machine api.heroku.com
login $HEROKU_LOGIN
password $HEROKU_API_KEY
EOF
cat >> ~/.ssh/config << EOF
VerifyHostKeyDNS yes
StrictHostKeyChecking no
EOF
```

- I have created environment variables $HEROKU_LOGIN and $HEROKU_API_KEY
- I have also set up Heroku api key in CircleCI UI
- I have created private and public keys; uploaded private key in CircleCI under “ssh permissions” and public key in heroku
- In my .circleci/config.yml, I have a step called add_ssh_keys where I add the key previously added:

```yaml
- add_ssh_keys:
    fingerprints:
      - "b6:b2:a0:0a:db:47:a8:1f:eb:51:d4:b6:4f:86:6b:0a"
```

How can I go over and deploy to heroku?
I found the problem. It is so silly I spent two days on it.
I copy’n’pasted the setup.heroku.sh file from the documentation.
It has added two spaces ('  ') in front of cat instructions.
It was this:

```bash
  cat > ~/.netrc << EOF
  machine api.heroku.com
  login $HEROKU_LOGIN
  password $HEROKU_API_KEY
  EOF
  cat >> ~/.ssh/config << EOF
  VerifyHostKeyDNS yes
  StrictHostKeyChecking no
  EOF
```

By setting it to:

```bash
#!/bin/bash
wget -qO- https://cli-assets.heroku.com/install-ubuntu.sh | sh
cat > ~/.netrc << EOF
machine api.heroku.com
login $HEROKU_LOGIN
password $HEROKU_API_KEY
EOF
cat >> ~/.ssh/config << EOF
VerifyHostKeyDNS yes
StrictHostKeyChecking no
EOF
```

(no spaces on the front of every line!)
Everything works.
I had the same problem, and the answer from @musikele to remove the leading space from the documentation code helped. However, after that it still did not recognize Heroku’s host key, so my deploy stalled.

```
#!/bin/bash -eo pipefail
git push --force git@heroku.com:$HEROKU_APP_NAME.git HEAD:refs/heads/master
The authenticity of host 'heroku.com (50.19.85.156)' can't be established.
RSA key fingerprint is SHA256:8tF0wX2WquK45aGKs/Bh1dKmBXH08vxUe0VCJJWOA/o.
Are you sure you want to continue connecting (yes/no)?
```

First I fixed it by adding a step in my deploy job to dynamically put heroku in ~/.ssh/known_hosts:

```yaml
- run:
    name: Add Heroku to known_hosts
    command: ssh-keyscan -H heroku.com >> ~/.ssh/known_hosts
```

This doesn’t seem ideal, because the https://linux.die.net/man/1/ssh-keyscan doc describes a security risk:
If an ssh_known_hosts file is constructed using ssh-keyscan without verifying the keys, users will be vulnerable to man in the middle attacks.
To make it more secure, I changed the step to statically specify Heroku’s public key. This will break if Heroku changes their key, so I’ll have to see if that becomes a problem.

```yaml
- run:
    name: Add Heroku to known_hosts
    environment:
      HEROKU_PUBLIC_KEY: "|1|du6yP6VYFOQt2W1/LcEYuaPQhPg=|Db0+enWeW0eh8Fg3R93yFMZ/U/U= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAu8erSx6jh+8ztsfHwkNeFr/SZaSOcvoa8AyMpaerGIPZDB2TKNgNkMSYTLYGDK2ivsqXopo2W7dpQRBIVF80q9mNXy5tbt1WE04gbOBB26Wn2hF4bk3Tu+BNMFbvMjPbkVlC2hcFuQJdH4T2i/dtauyTpJbD/6ExHR9XYVhdhdMs0JsjP/Q5FNoWh2ff9YbZVpDQSTPvusUp4liLjPfa/i0t+2LpNCeWy8Y+V9gUlDWiyYwrfMVI0UwNCZZKHs1Unpc11/4HLitQRtvuk0Ot5qwwBxbmtvCDKZvj1aFBid71/mYdGRPYZMIxq1zgP1acePC1zfTG/lvuQ7d0Pe0kaw=="
    command: echo $HEROKU_PUBLIC_KEY >> ~/.ssh/known_hosts
```

I’d love some guidance from CircleCI on the best practice to handle this problem.
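
A middle ground between the two steps above, as an added example that is not part of the original thread or of CircleCI's documentation: it accepts a scanned `known_hosts` line only if its host field (plain, or hashed like the `|1|...` entry above) names the expected host and the key's fingerprint equals one obtained out of band. All function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac

def host_matches(field, hostname):
    """True if a known_hosts host field names `hostname`.
    Handles plain comma lists and the hashed |1|salt|hmac form (ssh-keyscan -H)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in field.split(",")

def fingerprints(key_b64):
    """Return (SHA256 fingerprint, MD5 colon-hex fingerprint) in the forms ssh prints."""
    blob = base64.b64decode(key_b64)
    sha = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    hexd = hashlib.md5(blob).hexdigest()
    return sha, ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def pin_check(line, hostname, pinned):
    """Accept a line only if it is for `hostname` and its key matches the pin."""
    fields = line.split()
    if len(fields) < 3:
        return False
    return host_matches(fields[0], hostname) and pinned in fingerprints(fields[2])

def append_if_pinned(lines, hostname, pinned, path):
    """Append verified lines to `path`; raise if none verifies so the CI step fails closed."""
    good = [l.strip() for l in lines if pin_check(l, hostname, pinned)]
    if not good:
        raise ValueError("no scanned key for %s matches the pinned fingerprint" % hostname)
    with open(path, "a") as fh:
        fh.write("\n".join(good) + "\n")
    return len(good)

def hashed_entry(hostname, salt, key_type, key_b64):
    """Build a hashed known_hosts line (used here only to make sample input)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    host = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    return "%s %s %s" % (host, key_type, key_b64)

# Constructed sample data: arbitrary bytes, not a real host key.
SAMPLE_KEY = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-demo-key").decode()
SAMPLE_LINE = hashed_entry("heroku.com", b"constructed-salt-20b", "ssh-rsa", SAMPLE_KEY)

if __name__ == "__main__":
    pinned, _ = fingerprints(SAMPLE_KEY)  # in CI the pin comes from a trusted source
    print(pin_check(SAMPLE_LINE, "heroku.com", pinned))
```

In a deploy job the `lines` argument would be the output of `ssh-keyscan`, and the pinned fingerprint would be stored alongside the config, so a changed key fails the build instead of being trusted silently.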