Question

Django app continuous deployment using GitLab on a DigitalOcean droplet returns permission denied for SSH

I’m trying to implement CD for my containerized (Docker, nginx) Django app using GitLab on a DigitalOcean droplet.

I have created a pair of SSH keys and added the public key to the DigitalOcean platform. I can log in to my droplet using that SSH key.

Now, I have added the private key as an environment variable in GitLab as $PRIVATE_KEY, so now when I run the deployment it returns the permission denied error.

Here’s my .gitlab-ci.yml:

image:
  name: docker/compose:1.29.2
  entrypoint: [""]

services:
  - docker:dind

stages:
  - build
  - deploy

variables:
  DOCKER_HOST: tcp://docker:2375
  DOCKER_DRIVER: overlay2

before_script:
  - export IMAGE=$CI_REGISTRY/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME
  - export WEB_IMAGE=$IMAGE/web:web
  - export NGINX_IMAGE=$IMAGE/nginx:nginx
  - apk add --no-cache openssh-client bash
  - chmod +x ./setup_env.sh
  - bash ./setup_env.sh
  - docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY

build:
  stage: build
  script:
    - docker pull $IMAGE/web:web || true
    - docker pull $IMAGE/nginx:nginx || true
    - docker-compose -f docker-compose.prod.yml build
    - docker push $IMAGE/web:web
    - docker push $IMAGE/nginx:nginx

deploy:
  stage: deploy
  script:
    - mkdir -p ~/.ssh
    - echo "$PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
    - cat ~/.ssh/id_ed25519
    - chmod 700 ~/.ssh/id_ed25519
    - eval "$(ssh-agent -s)"
    - ssh-add ~/.ssh/id_ed25519
    - ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
    - chmod +x ./deploy.sh
    - scp  -o StrictHostKeyChecking=no -r ./.env ./docker-compose.prod.yml root@$DO_PUBLIC_IP_ADDRESS:/root/Pythonist.org
    - bash ./deploy.sh

The build stage passes, but the deploy stage fails with the following error:

$ chmod +x ./setup_env.sh
$ bash ./setup_env.sh
$ docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ mkdir -p ~/.ssh
$ echo "$PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
$ cat ~/.ssh/id_ed25519
   <MY_PRIVATE_KEY>
$ chmod 700 ~/.ssh/id_ed25519
$ eval "$(ssh-agent -s)"
Agent pid 27
$ ssh-add ~/.ssh/id_ed25519
Identity added: /root/.ssh/id_ed25519 (<COMMENT>)
$ ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
# gitlab.com:22 SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
$ chmod +x ./deploy.sh
$ scp  -o StrictHostKeyChecking=no -r ./.env ./docker-compose.prod.yml root@$DO_PUBLIC_IP_ADDRESS:/root/app
Warning: Permanently added '143.198.103.99' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
root@143.198.103.99: Permission denied (publickey,password).
lost connection
Cleaning up project directory and file based variables
ERROR: Job failed: exit code 1

Here’s my deploy.sh:

#!/bin/sh

ssh -o StrictHostKeyChecking=no root@$DO_PUBLIC_IP_ADDRESS << 'ENDSSH'
  cd /root/Pythonist.org
  export $(cat .env | xargs)
  docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
  docker pull $IMAGE/web:web
  docker pull $IMAGE/nginx:nginx
  docker-compose -f docker-compose.prod.yml up -d
ENDSSH

Hello,

What I could suggest trying is to add a new line at the end of the PRIVATE_KEY variable so that it matches the required format.

If this does not work, what I could suggest is adding the -vvv debug flag for the scp command so that you could see the actual error rather than just the permission denied message. This extra output might give you more information on why the connection is failing.

Let me know how it goes! Regards, Bobby
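
The deploy job in the question writes `$PRIVATE_KEY` to disk, prints it into the job log with `cat`, and sets mode 700 on the key file. The script below is an added example (not code from the question or the answer): it installs the key with mode 600, applies the trailing-newline normalization the answer suggests, and logs only the public fingerprint. The function names are hypothetical; `PRIVATE_KEY` and the `~/.ssh/id_ed25519` path are taken from the question.

```shell
#!/bin/sh
# Added example: install a deploy key from a CI variable without printing it.

# install_key KEY_TEXT DEST  (hypothetical helper)
# Strips CRs, leaves exactly one trailing newline, writes DEST with mode 600.
install_key() {
    # $(...) drops all trailing newlines; printf '%s\n' below adds one back.
    _key=$(printf '%s' "$1" | tr -d '\r')
    mkdir -p "$(dirname "$2")"
    ( umask 077 && printf '%s\n' "$_key" > "$2" ) && chmod 600 "$2"
}

# key_is_complete FILE  (hypothetical helper)
# Structural check: first line is a BEGIN marker and last line is the matching
# END marker. Catches values truncated or flattened to one line in the CI UI.
key_is_complete() {
    _first=$(head -n 1 "$1")
    _last=$(tail -n 1 "$1")
    case $_first in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) return 1 ;;
    esac
    _type=${_first#-----BEGIN }
    [ "$_last" = "-----END $_type" ]
}

# key_fingerprint FILE  (hypothetical helper)
# Derives the public key from the private key and prints its fingerprint, which
# is safe to log. Fails if the key cannot be parsed or needs a passphrase.
key_fingerprint() {
    ssh-keygen -y -P '' -f "$1" > "$1.pub" && ssh-keygen -l -f "$1.pub"
}

# Runs only in a job where PRIVATE_KEY (the variable from the question) is set.
if [ -n "${PRIVATE_KEY:-}" ]; then
    KEY_FILE="$HOME/.ssh/id_ed25519"
    install_key "$PRIVATE_KEY" "$KEY_FILE"
    key_is_complete "$KEY_FILE" ||
        { echo "PRIVATE_KEY is truncated or flattened" >&2; exit 1; }
    key_fingerprint "$KEY_FILE" ||
        { echo "PRIVATE_KEY is not a usable unencrypted key" >&2; exit 1; }
fi
```

Compare the printed fingerprint with the output of `ssh-keygen -l -f ~/.ssh/authorized_keys` run as root on the droplet. If it is not listed there, the job is offering a key the server does not accept for that account.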