The authenticity of host sub.domain.com (0.0.0.0) can't be established. Are you sure you want to continue connecting (yes/no)?

ssh

#1

I’m working on deploying a static web application to an existing nginx web server and I can’t get past the Copy to Server step of my build.

Here’s my current config.yml

defaults: &defaults
  working_directory: ~/repo
  docker:
    - image: circleci/node:8.9

version: 2
jobs:
  build:
    <<: *defaults
    steps:
      # intentionally skipped, since this all works.
  deploy_storybook:
    <<: *defaults
    steps:
      - checkout
      - add_ssh_keys
      - run:
          name: NPM Install
          command: npm install
      - run:
          name: Output Files
          command: npm run storybook-build
      - run:
          name: Copy to Server
          command: |
            echo 'sub.domain.com ecdsa-sha2-nistp256 ~/.ssh/id_ecdsa.pub' >> ~/.ssh/known_hosts
            echo 'sub.domain.com ssh-rsa ~/.ssh/id_rsa.pub' >> ~/.ssh/known_hosts
            sudo scp -r ~/repo/.storybook-dist/. deploy@sub.domain.com:/home/deploy/sub.domain.com/public_html

workflows:
  version: 2
  build-and-deploy:
    jobs:
      - build
      - deploy_storybook:
          filters:
            branches:
              only:
                - development
          requires:
            - build

As you can see, I’ve at least attempted everything mentioned here and here.

Note: I’ve tried many others, but since I’m new here I’m only allowed to link to two.

I’ve SSH’d from my machine to the web server to verify I could connect. From the server I ran the commands ssh-keygen -t ecdsa and ssh-keygen -t rsa. I’ve taken the raw files and added both to my CircleCI settings. I’ve then taken the .pub output from both and used those in the echo 'sub.domain.com ecdsa-sha2-nistp256 ' >> ~/.ssh/known_hosts.

I also added the command ssh-keyscan sub.domain.com into my config and used the output from that in the command.

Regardless of what I’ve done, I’m constantly receiving the error:

The authenticity of host 'sub.domain.com (0.0.0.0)' can't be established.
ECDSA key fingerprint is SO:ME:FI:NG:ER:PR:IN:T.
Are you sure you want to continue connecting (yes/no)? 

I feel like this should be a pretty straightforward process, but I can’t seem to make it work. I’ve noticed that all of the documentation seems to point back to the same thing and I can’t seem to crack it.

Any ideas are greatly appreciated. I’m sure I’m just overlooking something simple somewhere.

Update:

Using links off this post, I’ve also tried modifying my scp command to include:

-o StrictHostKeyChecking=no 

I’ve also updated the SSH keys in my settings to use no hostname.

Neither of those worked.

Another Update:

Just to be sure I wasn’t doing anything wrong, I generated ANOTHER set of keys. This time, I made sure to use ECDSA (since that’s what the prompt is looking for) and I made sure to use my username (deploy@sub.domain.com). I added the private key to my CircleCI config both with and without a hostname and then added the public key onto my web server.

Still no dice.

I’ve now invested a lot of time into just trying to make scp work; maybe I should just throw this in a container and do it that way. It just seems like a really heavy-handed way to run a simple website with a couple of pages.


#2

That might be your problem. Stick with RSA - it used to be the case that the CircleCI UI would only accept RSA keys, even when the newer algo became the SSH default.

I would suggest this approach:

  1. Generate an RSA key pair
  2. Add the private key to the CircleCI interface
  3. Run your build with the SSH option from the build screen and wait for failure
  4. SSH into the build server using instructions in the build output
  5. Check the keys are in place (presumably they will be in ~/.ssh/).
  6. Try the command scp -i /path/to/private.key and accept any prompts
  7. If this is successful, cat the known_hosts file on-screen and copy that into your repo
  8. In your CI config, copy the known_hosts file into place prior to doing the scp

If you can get that working, you can try ECDSA afterwards.


#3

So here’s what I did:

  • I already had an RSA key pair, so I verified those were in there and correct.
  • Ran the build with the SSH option, connected to the CircleCI instance, and SSH’d into my server. I was prompted to accept the fingerprint and did. Everything worked great.
  • I disconnected from my web server and copied the ~/.ssh/known_hosts. (There was something weird here: read below)
  • I used the echo '' >> ~/.ssh/known_hosts command mentioned in other posts to add everything from the known_hosts through my config.yaml
  • Still prompted when trying to run the workflow through CircleCi

Here’s the weird thing, I currently have 3 keys added into the settings of this project. When I viewed the known_hosts there were only four. Two of them were github, and the other two started with |1|. When I accepted the key to make the SSH connection from CircleCi to my web server, two more keys starting with |1| were added.

So here are some things I don’t understand:

  • If I have so many keys added through the settings, why aren’t all of them being added?
  • How is it I can SSH to the build server and from there SSH to my web server, but I can’t run an scp from my config file?

I’ve taken some screen shots to hopefully help.

This is the add_ssh_keys step. Here you can see that it’s adding three unique fingerprints.

This is the output of the final step of my job. Basically, it looks like this.

cat ~/.ssh/known_hosts
echo '' >> ~/.ssh/known_hosts
echo '' >> ~/.ssh/known_hosts
cat ~/.ssh/known_hosts

The first cat is in pink, the second is in green. You can see that in the first try there are only three keys added, even though there should be 5 (if I understand correctly). On the second pass we go to five keys; the two I added are highlighted in blue. There should be 7 here if I’m correct.

I don’t know if any of this helps, but I’m hoping to solve this. I have other projects I would like to do this way if I can get it to work.
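Added example, not part of any post in this thread: a small checker for known_hosts lines, relevant both to the echo lines in the config from post #1 and to the entries starting with |1| seen in post #3. A known_hosts entry is `hosts keytype base64-key`, and a hosts field beginning with |1| is OpenSSH's hashed form (salt plus HMAC-SHA1 of the host name). The function names and the all-zero sample key below are constructed for illustration.

```python
import base64, binascii, hashlib, hmac, struct

def make_blob(key_type, body=b"\x00" * 32):
    """CONSTRUCTED sample key data (all-zero body, not a usable key)."""
    name = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + body).decode()

def hash_host(hostname, salt):
    """Hosts field in hashed form: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())

def check_line(line):
    """Return 'ok' or the reason the line cannot serve as a host key entry."""
    fields = line.split()
    if len(fields) < 3:
        return "expected: hosts keytype base64-key"
    key_type, blob = fields[1], fields[2]
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return "third field is not base64 key data"
    if len(raw) < 4:
        return "key data too short"
    (n,) = struct.unpack(">I", raw[:4])  # length prefix of the embedded type name
    if raw[4:4 + n] != key_type.encode():
        return "key data does not match declared key type"
    return "ok"

def host_matches(hosts_field, hostname):
    """True if hostname is covered by a plain or hashed hosts field.
    Wildcard and negated patterns are not handled here."""
    if hosts_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hosts_field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in hosts_field.split(",")

if __name__ == "__main__":
    good = make_blob("ssh-ed25519")
    samples = [
        "sub.domain.com ecdsa-sha2-nistp256 ~/.ssh/id_ecdsa.pub",  # line from post #1
        "sub.domain.com ssh-ed25519 " + good,                      # constructed, well formed
        hash_host("sub.domain.com", b"\x01" * 20) + " ssh-ed25519 " + good,
    ]
    for s in samples:
        print(check_line(s), host_matches(s.split()[0], "sub.domain.com"))
```

The first sample is rejected because its third field is a file path rather than key data; the hashed sample still matches sub.domain.com even though the name is not readable in the file.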


#4

Oh how the plot thickens.

Per another post, I added ssh -o StrictHostKeyChecking=no deploy@sub.domain.com to my config, just to get a failure. Then I followed it with ssh -vvv deploy@sub.domain.com so I could see the logs.

Guess what?

That first command connected up to the server with no issue, thus not carrying forward with the logging.

So, I threw an exit on the end of the command. This accepts the fingerprint and bounces out for everything else.

      - run:
          name: Copy to Server
          command: |
            ssh -o StrictHostKeyChecking=no deploy@sub.domain.com exit
            scp -r ~/repo/.storybook-dist/. deploy@sub.domain.com:/home/deploy/sub.domain.com/public_html

Now it works like a charm.

It feels kind of crazy that after everything I jumped through, this ended up being the solution, but I hope it helps someone else.

EDIT:

In cleaning up my config before putting in my pull request, I found the actual cause of the issue.

The problem was (drumroll) that I was using sudo for the scp.

Using sudo elevates permissions, so I was adding the keys for user@sub.domain.com and the scp was using root@sub.domain.com.

I hope that somewhere down the road all of this helps someone.

