Deployment errors due to GitHub changes

In September 2021 GitHub announced changes to their security. They have since removed the unauthenticated git protocol from being able to access repositories along with removing weak keys, and further changes planned which can be found in the linked announcement.

 

Known Issues:

 

Problem: Remote end hangs up

Symptom: Deploy log shows deployment fails due to:

no matching mac found: client hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
fatal: The remote end hung up unexpectedly

Solution: Upgrade the version of openSSH on the instances.

Method: On each instance perform the following:

sudo echo =net-misc/openssh-5.9_p1-r1 >> /etc/portage/package.keywords/local

sudo emerge -av =net-misc/openssh-5.9_p1-r1

sudo /etc/init.d/ssh restart

Then retry the deploy.

 

Problem: Unsupported deploy key

Symptom: Deploy log shows deployment fails due to:

ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.

Or:

no hostkey alg
fatal: The remote end hung up unexpectedly

Or similar failure message from another git host.

Solution: Replace the deploy key on the repository with a newly generated compatible one.

Method: In the Engine Yard dashboard, navigate to the relevant application (via the breadcrumb trail at the top of the Environment page), then:

  • Click Edit Application.
  • Make a slight change to the Git Repository URI (e.g. append `1` to it) so that it is altered. It does not need to be a valid URI at this stage.
  • Click Update Application.
  • On the following Allow Engine Yard access to private repository page, ignore the given deploy key and use your browser's back button to return to the Edit Application page.
  • Change the Git Repository URI back to the correct one.
  • Click Update Application.
  • This time on the Allow Engine Yard access to private repository page, follow the instruction and copy the deploy key and add it to the repository.
  • Click My Deploy Key is in place.
  • Navigate to the relevant Environment page(s) the application is associated with and run an Apply.
  • Deploy the application.

 

Problem: Unsupported authentication for deploy method

Symptom: Deploy log shows deployment fails due to:

fatal: remote error:
The unauthenticated git protocol on port 9418 is no longer supported.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.

Solution 1: Change the application repository access protocol.

Method: In the Engine Yard dashboard, navigate to the relevant application (via the breadcrumb trail at the top of the Environment page), then:

  • Click Edit Application.
  • Update the Git Repository URI to either the HTTPS format of https://github.com/_org_/_repo_.git for a public repository or the SSH format of git@github.com:_org_/_repo_.git for a private repository.
  • For a private repository follow the instructions to put the deploy key in place, then navigate to the relevant Environment page(s) the application is associated with and run an Apply.

Solution 2: Change the application gem's repository access protocol.

Method: If the error message in the deploy log relates to a required gem and its repository rather than the application repository, then the source in your Gemfile needs updating. If you are using github in your Gemfile this can be replaced with git:  'https://github.com/_org_/_repo_.git' and references to git: 'git:// should be replaced with git: 'https://

Once those changes are made, the app should be bundled locally to update the Gemfile.lock and then re-deployed.

Comments

Article is closed for comments.