Capistrano 3 - access denied to git repository on production server


Fabrice Cheng

Nov 20, 2013, 5:47:58 PM
to capis...@googlegroups.com

I wanted to try the newer version of Capistrano 3 on a new project and have been struggling with this problem for a few days now.

While running "cap production deploy" for the first time, I always got the same error (LOG: http://pastebin.com/DKvzRTc2).

Apparently, it fails to run this command "git ls-remote g...@bitbucket.org:......" on the server.

I've tried everything:
- forward_agent set as true with ssh key on local machine and uploaded on bitbucket
- forward_agent set as false and uploaded manually the ssh key on the production server (when I run manually 'git ls-r...@bitbucket.org:......' on the server, it works perfectly).

I've already set the "user" attribute on the deploy.rb file, this doesn't fix the issue.

Thanks for the help, I'm open to any suggestion!

Tom Harrison

Nov 21, 2013, 2:25:41 PM
to capis...@googlegroups.com
I was having what seem like similar issues, and took the time to write the two tasks described on this page: http://www.capistranorb.com/documentation/getting-started/cold-start/

These helped me diagnose two distinct problems: 1) my ssh agent identity had been lost (re-run ssh-add to fix); 2) the remote server was not able to connect to my git provider (GitHub).

Tom

Lee Hambley

Nov 21, 2013, 3:58:15 PM
to capistrano
Thanks for the validation that the docs helped Tom! It's often weird identity/agent issues that people unfamiliar with SSH run into!

--
--
* You received this message because you are subscribed to the Google Groups "Capistrano" group.
* To post to this group, send email to capis...@googlegroups.com
* To unsubscribe from this group, send email to capistrano+...@googlegroups.com For more options, visit this group at http://groups.google.com/group/capistrano?hl=en

Tom Harrison

Nov 21, 2013, 4:01:48 PM
to capis...@googlegroups.com
Ha!  Even some of us quite familiar with ssh get into weird identity/agent issues :-)

Thanks for Cap 3!



Fabrice Cheng

Nov 21, 2013, 6:27:50 PM
to capis...@googlegroups.com
Thanks a lot Tom.

Unfortunately, I've already tried all these.
My ssh-agent is running, and my keys are stored in the ssh-add (ssh-add -L shows it).

And I've tried to run this task, which proves that my agent forwarding is working perfectly:
task :forwarding do
  on roles(:all) do |h|
    if test("env | grep SSH_AUTH_SOCK")
      info "Agent forwarding is up to #{h}"
    else
      error "Agent forwarding is NOT up to #{h}"
    end
  end
end


Any other clues ? :(

Tom Harrison

Nov 22, 2013, 8:09:56 AM
to capis...@googlegroups.com
There's the built-in `cap <stage> git:check` command -- it will very likely report the same results as what you report in your question.

The second problem I reported, that git:check helped me isolate, was that my server was unable to route outbound requests to git (or anywhere else). Log on to the server and try something like `curl google.com` to make sure it can send and receive. The cause of my problem was that our servers were running in a newly configured Amazon VPC and we had not properly configured our NAT server to route traffic out and back. If this might be the problem, check your server's or network's firewall settings.

Good luck!

Fabrice Cheng

Nov 22, 2013, 2:09:52 PM
to capis...@googlegroups.com
"cap production git:check" indeed reports the same error.
"curl google.com" works, my server is hosted from linode.com. It's an Ubuntu 13.10.

The thing is that it was working with Capistrano 2, it's only when I switched to Capistrano 3 that I got this error.

Thanks a lot for your time though, I appreciate it.

Piotr Kedziora

Dec 31, 2013, 11:36:09 AM
to capis...@googlegroups.com
Did you manage to fix it? I have the same issue.

Michael Ni

Jan 10, 2014, 5:04:58 PM
to capis...@googlegroups.com
I'm having the same issue,

Do I need a passphrase for my private key?

Lee Hambley

Jan 10, 2014, 5:29:48 PM
to capistrano

Won't make a difference, your OS will ask you to unlock it if so.

Sent from my Nexus 4.

Tom Harrison

Jan 11, 2014, 12:02:12 PM
to capis...@googlegroups.com
Passphrase is not required. If you follow the instructions (for Cap 3, not Cap 2) and use your local git account, you need to ensure that the command `ssh-add -L` or `ssh-add -l` lists your (local) ssh key, the one accepted by your git host (e.g. GitHub, BitBucket, etc.).

In the documented setup, direct access to git is not available from the deployed servers.  Rather the same local connection you use from your machine is forwarded via ssh agent and used during deployment with Capistrano.  It is also possible (at least it was with Cap2) to have a local repository on the deployed server.  Depending on which method you choose, your Capistrano configuration will be different.  I think it's better, safer, and simpler to use the ssh agent approach.

I encourage you to write the sample tasks for checking access, as per doc.  Once I worked this out, everything has been great for our setup.

Good luck!
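
An added example, not written by anyone in this thread and not part of Capistrano: a variable such as SSH_AUTH_SOCK being present on the server does not show that the forwarded agent still holds the key, so this sketch separates the failure modes using the exit status of `ssh-add -l`. The function names are hypothetical and the sample listing with its fingerprints is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# classify_agent SOCK RC
#   SOCK: value of SSH_AUTH_SOCK in the session on the deploy target
#   RC:   exit status of `ssh-add -l` in that same session
# ssh-add exits 0 on success, 1 when the command fails (for -l: the agent
# holds no identities) and 2 when it cannot contact the agent.
classify_agent() {
    sock=$1
    rc=$2
    if [ -z "$sock" ]; then
        echo "not-forwarded"      # no socket: forwarding never reached this host
        return 1
    fi
    case "$rc" in
        0) echo "ok" ;;
        1) echo "agent-empty"; return 1 ;;   # socket works, keys lost: re-run ssh-add locally
        2) echo "socket-dead"; return 1 ;;   # variable set, but nothing answers on the socket
        *) echo "unknown"; return 1 ;;       # e.g. 127 when ssh-add is not installed
    esac
}

# key_forwarded LISTING FPR
# Succeeds when FPR is the fingerprint (field 2) of a line of `ssh-add -l` output.
key_forwarded() {
    printf '%s\n' "$1" | awk -v f="$2" '$2 == f { found = 1 } END { exit !found }'
}

# check_agent: query the agent from the current session and classify the result.
check_agent() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    classify_agent "${SSH_AUTH_SOCK:-}" "$rc"
}

# Constructed sample of `ssh-add -l` output (placeholder fingerprints).
SAMPLE_LISTING='2048 SHA256:CONSTRUCTED-AAAA deploy@laptop (RSA)
256 SHA256:CONSTRUCTED-BBBB other@laptop (ED25519)'
```

Run `check_agent` in a session opened with `ssh -A` to the deploy target, then pass that session's `ssh-add -l` output to `key_forwarded` together with the fingerprint shown by `ssh-add -l` on the workstation.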

Douglas Magnenat

Jan 14, 2014, 6:10:47 AM
to capis...@googlegroups.com
Your forwarding-agent may be working properly while your known_hosts may be missing "git repository server IP address" on your production server.

Please follow each step described here : https://help.github.com/articles/using-ssh-agent-forwarding

You must first connect to the git server from your production server to be able to use agent-forwarding properly from your workstation.

Lee Hambley

Jan 14, 2014, 6:18:03 AM
to capistrano
> You must first connect to the git server from your production server to be able to use agent-forwarding properly from your workstation.

Not true anymore, and that guide refers to Capistrano 2. See https://github.com/capistrano/capistrano/blob/master/lib/capistrano/tasks/git.rake#L18
