
I am starting to get into GitLab CI for my company. We have a PrestaShop, and I want automatic deployment to the web server after a Git push.

Unit testing will come later. At the moment I just need it to deal with putting a copy of the "/app" folder in the web root of the web server.

So this is what I have got…

before_script:
  - apt-get update -qq
  - apt-get install -qq git
  - 'which ssh-agent || ( apt-get install -qq openssh-client )'
  - eval $(ssh-agent -s)
  - ssh-add <(echo "$SSH_PRIVATE_KEY")
  - mkdir -p ~/.ssh
  - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'


deploy_test:
  type: deploy
  environment:
    name: test
    url: [test server domain]
  script:
    - ssh [user]@[server] -p [port] "cd [repo folder] && git checkout master && git pull origin master && exit"
    - ssh [user]@[server] -p [port] "rsync -rzvh [repo /app folder] [web server root path]"
  only:
    - master

Recently, gitlab-runner has started failing with the error Error loading key "/dev/fd/63": invalid format.

Can you help me to solve that error?

FYI, I have my personal private key set as $SSH_PRIVATE_KEY environment var in GitLab – the public on the web server of course. SSH is enabled on the web server which has WHM and cPanel. And I pre-checked out a copy of master via cPanel on the web server into the [repo folder].

2 Answers


  1. Originally, OpenSSH used the PKCS #1 format for RSA private keys. This format is not very secure, so newer versions have moved to a different format for storing private keys which is specific to OpenSSH. This is more secure, but it’s not backwards compatible.

    While it is possible to convert the keys with ssh-keygen, it would be far better for you to create a new key that you used only for deployments. That’s a best practice because it separates your personal key from the deployments and means that if one is compromised, the other is not affected.

    Since you’d need to create a new key anyway, you’d be better off using an Ed25519 key. Mozilla and others recommend this format of key because it is fast, secure, and easy to make constant time. You can create such a key with ssh-keygen -t ed25519 -f deployment-key, where deployment-key and deployment-key.pub will be the private and public keys.

    If you’re using CentOS 7 on the server, it does indeed support Ed25519 keys if it has been appropriately updated with patches, and whatever you’re using on GitLab should also support it. You’ll need to add the new public key to the remote server as with your personal key.

    If you really want to continue to use this key, you should be able to export it with ssh-keygen -e -m PEM.

  2. Did you check whether $SSH_PRIVATE_KEY is set to run on protected branches and tags pipelines only? If so, you need to add your branch to the protected branches under Setting->Repository->Protected Branch, or uncheck the option in Setting->CI/CD->Variables.

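An added example, not part of the original question or answers: a shell pre-flight check that tells apart the causes the two answers raise (the key's container format, and a variable that never reaches the job) before `ssh-add` runs. The function names and the sample key are constructed for illustration.

```bash
#!/bin/sh
# Added example. Classifies private-key text without ever printing it.

# Constructed placeholder (NOT a real key): header, dummy body, footer.
sample_key() {
    printf '%s\n' "-----BEGIN $1-----" "CONSTRUCTED-NOT-A-KEY" "-----END $1-----"
}

classify_key() {
    key=$1
    # Empty: the variable was not exposed to this job, for example a
    # protected variable used on an unprotected branch.
    if [ -z "$key" ]; then echo empty; return; fi
    # Carriage returns (key pasted with CRLF line endings) break parsing.
    cr=$(printf '\r')
    case $key in *"$cr"*) echo crlf; return ;; esac
    # First and last non-blank lines carry the PEM-style armor.
    first=$(printf '%s\n' "$key" | awk 'NF { print; exit }')
    last=$(printf '%s\n' "$key" | awk 'NF { l = $0 } END { print l }')
    case $last in
        "-----END "*"-----") ;;
        *) echo truncated; return ;;
    esac
    case $first in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")     echo pkcs1-rsa ;;
        "-----BEGIN PRIVATE KEY-----")         echo pkcs8 ;;
        *)                                     echo unknown ;;
    esac
}

# Hypothetical pre-flight step: returns 0 for a recognised key, 1 otherwise.
preflight_key() {
    kind=$(classify_key "$1")
    case $kind in
        openssh|pkcs1-rsa|pkcs8) echo "key header: $kind" >&2; return 0 ;;
        empty) echo "variable is empty: protected variable, unprotected branch?" >&2 ;;
        crlf)  echo "key has CR characters: re-save with LF line endings" >&2 ;;
        *)     echo "key is $kind: check the header, re-export it or create a new deployment key" >&2 ;;
    esac
    return 1
}
```

In a job, `preflight_key "$SSH_PRIVATE_KEY" || exit 1` placed before the `ssh-add` line stops the pipeline with a readable reason instead of `invalid format`.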