In September 2021 GitHub announced changes to their security. They have since removed the unauthenticated git protocol from being able to access repositories along with removing weak keys, and further changes planned which can be found in the linked announcement.
Known Issues:
Problem: Remote end hangs up
Symptom: Deploy log shows deployment fails due to:
no matching mac found: client hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
fatal: The remote end hung up unexpectedly
Solution: Upgrade the version of openSSH on the instances.
Method: On each instance perform the following:
sudo echo =net-misc/openssh-5.9_p1-r1 >> /etc/portage/package.keywords/local
sudo emerge -av =net-misc/openssh-5.9_p1-r1
sudo /etc/init.d/ssh restart
Then retry the deploy.
Problem: Unsupported deploy key
Symptom: Deploy log shows deployment fails due to:
ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
Or:
no hostkey alg
fatal: The remote end hung up unexpectedly
Or similar failure message from another git host.
Solution: Replace the deploy key on the repository with a newly generated compatible one.
Method: In the Engine Yard dashboard, navigate to the relevant application (via the breadcrumb trail at the top of the Environment page), then:
- Click Edit Application.
- Select the checkbox Regenerate Deploy Key.
- Click Update Application.
- On the Application Page, click on Deploy Key.
- Copy the new key and add it to the repository.
- Navigate to the relevant Environment page(s) the application is associated with and run an Apply.
- Deploy the application.
Problem: Unsupported authentication for deploy method
Symptom: Deploy log shows deployment fails due to:
fatal: remote error:
The unauthenticated git protocol on port 9418 is no longer supported.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
Solution 1: Change the application repository access protocol.
Method: In the Engine Yard dashboard, navigate to the relevant application (via the breadcrumb trail at the top of the Environment page), then:
- Click Edit Application.
- Update the Git Repository URI to either the HTTPS format of https://github.com/_org_/_repo_.git for a public repository or the SSH format of git@github.com:_org_/_repo_.git for a private repository.
- For a private repository follow the instructions to put the deploy key in place, then navigate to the relevant Environment page(s) the application is associated with and run an Apply.
Solution 2: Change the application gem's repository access protocol.
Method: If the error message in the deploy log relates to a required gem and its repository rather than the application repository, then the source in your Gemfile needs updating. If you are using github in your Gemfile this can be replaced with git: 'https://github.com/_org_/_repo_.git'
and references to git: 'git://
should be replaced with git: 'https://
Once those changes are made, the app should be bundled locally to update the Gemfile.lock and then re-deployed.
Comments
Article is closed for comments.