The authenticity of host 'heroku.com (50.19.85.132)' can't be established

Hi there, I’m trying to deploy my application with CircleCI 2.0 and Heroku.

My deploy phase blocks with this message:

#!/bin/bash -eo pipefail
git push --force git@heroku.com:$HEROKU_APP_NAME.git HEAD:refs/heads/master

The authenticity of host 'heroku.com (50.19.85.132)' can't be established.
RSA key fingerprint is 8b:48:5e:67:0e:c9:16:47:32:f2:87:0c:1f:c8:60:ad.
Are you sure you want to continue connecting (yes/no)? 

How can I run over this?

So far I have followed this guide: https://circleci.com/docs/2.0/deployment_integrations/#heroku

  • I have slightly changed some things, for example my setup-heroku.sh file is:
#!/bin/bash
wget -qO- https://cli-assets.heroku.com/install-ubuntu.sh | sh

  cat > ~/.netrc << EOF
  machine api.heroku.com
    login $HEROKU_LOGIN
    password $HEROKU_API_KEY
  EOF

  cat >> ~/.ssh/config << EOF
  VerifyHostKeyDNS yes
  StrictHostKeyChecking no
  EOF
  • I have created environment variables $HEROKU_LOGIN and $HEROKU_API_KEY

  • I have also set up the Heroku API key in the CircleCI UI

  • I have created private and public keys; uploaded the private key in CircleCI under “ssh permissions” and the public key in Heroku

  • In my .circleci/config.yml, I have a step called add_ssh_keys where I add the key previously added:

    - add_ssh_keys:
        fingerprints:
          - "b6:b2:a0:0a:db:47:a8:1f:eb:51:d4:b6:4f:86:6b:0a"

How can I go over and deploy to Heroku?

I found the problem. It is so silly I spent two days on it.

I copy’n’pasted the setup-heroku.sh file from the documentation.

It has added two spaces ('  ') in front of the cat instructions.

It was this:

  cat > ~/.netrc << EOF
    machine api.heroku.com
    login $HEROKU_LOGIN
    password $HEROKU_API_KEY
  EOF

  cat >> ~/.ssh/config << EOF
    VerifyHostKeyDNS yes
   StrictHostKeyChecking no
  EOF

By setting it to:

#!/bin/bash
wget -qO- https://cli-assets.heroku.com/install-ubuntu.sh | sh

cat > ~/.netrc << EOF
machine api.heroku.com
  login $HEROKU_LOGIN
  password $HEROKU_API_KEY
EOF

cat >> ~/.ssh/config << EOF
  VerifyHostKeyDNS yes
  StrictHostKeyChecking no
EOF

(no spaces on the front of every line!)

Everything works.

4 Likes

I had the same problem, and the answer from @musikele to remove the leading space from the documentation code helped. However, after that it still did not recognize Heroku’s host key, so my deploy stalled.

#!/bin/bash -eo pipefail
git push --force git@heroku.com:$HEROKU_APP_NAME.git HEAD:refs/heads/master

The authenticity of host 'heroku.com (50.19.85.156)' can't be established.
RSA key fingerprint is SHA256:8tF0wX2WquK45aGKs/Bh1dKmBXH08vxUe0VCJJWOA/o.
Are you sure you want to continue connecting (yes/no)?

First I fixed it by adding a step in my deploy job to dynamically put heroku in ~/.ssh/known_hosts:

       - run:
           name: Add Heroku to known_hosts
           command: ssh-keyscan -H heroku.com >> ~/.ssh/known_hosts

This doesn’t seem ideal, because the https://linux.die.net/man/1/ssh-keyscan doc describes a security risk:

If an ssh_known_hosts file is constructed using ssh-keyscan without verifying the keys, users will be vulnerable to man in the middle attacks.

To make it more secure, I changed the step to statically specify Heroku’s public key. This will break if Heroku changes their key, so I’ll have to see if that becomes a problem.

  - run:
      name: Add Heroku to known_hosts
      environment:
        HEROKU_PUBLIC_KEY: "|1|du6yP6VYFOQt2W1/LcEYuaPQhPg=|Db0+enWeW0eh8Fg3R93yFMZ/U/U= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAu8erSx6jh+8ztsfHwkNeFr/SZaSOcvoa8AyMpaerGIPZDB2TKNgNkMSYTLYGDK2ivsqXopo2W7dpQRBIVF80q9mNXy5tbt1WE04gbOBB26Wn2hF4bk3Tu+BNMFbvMjPbkVlC2hcFuQJdH4T2i/dtauyTpJbD/6ExHR9XYVhdhdMs0JsjP/Q5FNoWh2ff9YbZVpDQSTPvusUp4liLjPfa/i0t+2LpNCeWy8Y+V9gUlDWiyYwrfMVI0UwNCZZKHs1Unpc11/4HLitQRtvuk0Ot5qwwBxbmtvCDKZvj1aFBid71/mYdGRPYZMIxq1zgP1acePC1zfTG/lvuQ7d0Pe0kaw=="
      command: echo $HEROKU_PUBLIC_KEY >> ~/.ssh/known_hosts

I’d love some guidance from CircleCI on the best practice to handle this problem.

2 Likes
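The two approaches from the reply above can be combined, shown here as an added example that is not part of the original thread: scan the host, but admit the key to known_hosts only if it equals a pinned value obtained out of band, and fail the job otherwise. The function name, its return codes, the `HEROKU_HOST_KEY` variable in the comment and the sample key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample of plain
# `ssh-keyscan` output; scan without -H so the host column is readable.
SAMPLE_SCAN='# heroku.com:22 SSH-2.0-constructed
heroku.com ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedPinnedKey
other.example ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedOtherKey'
PINNED_BLOB='AAAAB3NzaC1yc2EAAAAconstructedPinnedKey'

# add_pinned_host_key HOST KEYTYPE PINNED_BLOB KNOWN_HOSTS_FILE
# Reads ssh-keyscan output ("host keytype base64-key") on stdin.
# Returns 0 if HOST offered exactly the pinned key (entry is then in the file),
#         1 if HOST offered a different key of that type (MITM or key rotation),
#         2 if HOST offered no key of that type at all.
add_pinned_host_key() {
    want_host=$1; want_type=$2; pinned=$3; kh_file=$4
    result=2
    while read -r s_host s_type s_blob s_rest || [ -n "$s_host" ]; do
        case $s_host in ''|'#'*) continue ;; esac   # blank and banner lines
        [ "$s_host" = "$want_host" ] || continue
        [ "$s_type" = "$want_type" ] || continue
        if [ "$s_blob" = "$pinned" ]; then
            result=0
        else
            # Any non-matching key for this host rejects the whole scan.
            echo "host key mismatch for $want_host ($want_type); not adding" >&2
            return 1
        fi
    done
    [ "$result" -eq 0 ] || return "$result"

    entry="$want_host $want_type $pinned"
    mkdir -p "$(dirname "$kh_file")"
    touch "$kh_file"
    # Append once; re-running the step must not duplicate the entry.
    grep -qxF "$entry" "$kh_file" || printf '%s\n' "$entry" >> "$kh_file"
}

# In a CI step (HEROKU_HOST_KEY is a hypothetical variable holding the pin):
#   ssh-keyscan -t rsa heroku.com 2>/dev/null |
#     add_pinned_host_key heroku.com ssh-rsa "$HEROKU_HOST_KEY" ~/.ssh/known_hosts
```

A non-zero return fails the step, so a changed host key stops the deploy instead of being silently accepted.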