Capistrano Deploy Failing on git:check - Permission denied (publickey)
Thanks to everyone who answered, I've managed to find a solution! The main culprit was Git Bash, which, for whatever reason, was not changing the permissions on my ~/.ssh directory to 0700 when I ran chmod 700 ~/.ssh. This prevented SSH agent forwarding from working when Capistrano was deploying but not when I manually SSH'd into my server. I decided to try using Bash on Ubuntu on Windows (BUW) instead of Git Bash, and sure enough, my deploy worked! I copied over the same exact configuration and keys from Git Bash over to BUW. The only difference is that I was able to change the permissions on BUW's ~/.ssh directory to 0700. With that said, here is the solution to my problem:
1. Create a deploy key and add it to GitLab
As @Onur, @grizzthedj, and @Gokul M indicated, I needed to create a deploy key for GitLab and authorize it on my server. Here's how I did that:
- Generate a new SSH key on my local machine:
ssh-keygen -t rsa -b 4096
- Copy the output of the public key:
cat ~/.ssh/id_rsa.pub
- SSH into my server
- Add the public key to the end of ~/.ssh/authorized_keys
- Back on my local machine, open up a browser, log into GitLab, go to my repository page, and paste the public key in Settings > Repository > Deploy Keys
2. Use BUW instead of Git Bash
- On my local machine, I set up BUW to start the SSH agent on session load using the instructions from this SO answer.
- Change the permissions on ~/.ssh:
chmod 700 ~/.ssh
- Start the SSH agent and add my deploy key to it:
eval $(ssh-agent -s)
ssh-add ~/.ssh/id_rsa
I've removed the set :ssh_options line from my deploy.rb file because it works just fine without it.
And that's it! It looks like I'll be deploying using BUW from now on.
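A pre-deploy check for the failure this answer describes, where chmod 700 ~/.ssh was run but the directory mode never changed (added example, not part of the original post). The function names are made up for illustration, and the 600 mode on the private key is the usual OpenSSH practice rather than something the post states.

```bash
#!/usr/bin/env bash
# Added example. Function names are hypothetical; paths default to the ones used above.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the path exists and its mode, read back from disk, equals $2.
# Reading it back is the point: a chmod that has no effect can still exit 0.
has_mode() {
    local path="$1" want="$2" got
    [ -e "$path" ] || { echo "MISSING   $path"; return 1; }
    got=$(mode_of "$path")
    if [ "$got" = "$want" ]; then
        echo "OK        $path ($got)"
    else
        echo "BAD MODE  $path is $got, want $want"
        return 1
    fi
}

# Succeed only if an agent is reachable and holds at least one identity,
# since agent forwarding has nothing to forward otherwise.
agent_has_key() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || { echo "NO AGENT  SSH_AUTH_SOCK is unset"; return 1; }
    ssh-add -l >/dev/null 2>&1 || { echo "NO KEYS   agent is empty or unreachable"; return 1; }
    echo "OK        agent holds $(ssh-add -l | wc -l | tr -d ' ') key(s)"
}

# Run every check and report all failures, not just the first.
# Assumption: 600 on the private key (usual OpenSSH practice, not stated in the post).
preflight() {
    local dir="${1:-$HOME/.ssh}" key="${2:-$HOME/.ssh/id_rsa}" rc=0
    has_mode "$dir" 700 || rc=1
    has_mode "$key" 600 || rc=1
    agent_has_key || rc=1
    return "$rc"
}

# Usage after sourcing this file:  preflight && cap staging deploy
```
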
Add your public key to the list of deploy keys in your repository setting by following the below steps:
Local machine setup:
1. Check if your local system has a ~/.ssh/id_rsa.pub key file. If not, create a new one:
   $ ssh-keygen -t rsa
2. Add the newly created public key ~/.ssh/id_rsa.pub to the repository's deployment (access) keys in settings:
   - Bitbucket: https://confluence.atlassian.com/bitbucket/set-up-ssh-for-git-728138079.html#SetupSSHforGit-Step4.InstallthepublickeyonyourBitbucketaccount
   - GitHub: https://developer.github.com/v3/guides/managing-deploy-keys/#deploy-keys
   - GitLab: https://docs.gitlab.com/ce/ssh/README.html#deploy-keys
3. Load the keys to ssh-agent:
   - Check whether ssh-agent is running. If not, start the SSH agent:
     $ ssh-agent /bin/bash
   - Add the id_rsa key to the agent:
     $ ssh-add ~/.ssh/id_rsa
   Note: Sometimes this step (Step 3) needs to be done before each deployment if you receive an "Access denied to the repository" error during deployment.
4. Add your local SSH key to the deployment server's authorized keys file (remember to replace the port number with your customized port number):
   $ cat ~/.ssh/id_rsa.pub | ssh -p port_num user@server_ip 'cat >> ~/.ssh/authorized_keys'
Ref: https://www.digitalocean.com/community/tutorials/deploying-a-rails-app-on-ubuntu-14-04-with-capistrano-nginx-and-puma
deploy.rb
Try to change the ssh_options in the deploy.rb file as below:
set :ssh_options, { forward_agent: true, user: "deploy", auth_methods: ['publickey'], keys: %w(~/.ssh/privatekey.pem) }
Replace ~/.ssh/privatekey.pem with the path to your SSH private key file.
Deploy:
Just run cap staging deploy to deploy to the server.
Replace staging in the cap deploy command with the environment as needed.
Based on your cap deploy output, it looks like SSH connectivity from your laptop to your server is not the issue.
00:00 git:wrapper
01 mkdir -p /tmp
✔ 01 [email protected] 0.286s
Uploading /tmp/git-ssh-myapp-staging-localuser.sh 100.0%
02 chmod 700 /tmp/git-ssh-myapp-staging-localuser.sh
✔ 02 [email protected] 0.277s
This issue is when Capistrano tries to run git ls-remote [email protected]:MyApp/myapp.git HEAD over SSH.
You need to add the public key to your SSH Keys in GitLab, since SSH agent forwarding requires installation of public keys on all target systems. GitLab, in your case, is a target system.
cat ~/.ssh/id_rsa.pub # Copy the contents of your public key(filename may be different)
Log in to GitLab, and paste the public key into your repo's SSH Keys (found in repo settings) and you should be good.
You also need to specify the user that you created the SSH key with in ssh_options.
set :ssh_options, {
  forward_agent: true,
  user: 'deploy',
}