argo-cd: SSH SHA-256 key not accepted
If you are trying to resolve an environment-specific issue or have a one-off question about the edge case that does not require a feature then please consider asking a question in argocd slack channel.
Checklist:
- [x] I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
- [x] I’ve included steps to reproduce the bug.
- [x] I’ve pasted the output of `argocd version`.
Describe the bug
I am trying to add a new repo to my argocd. Every time I try I get the error “Unable to connect SSH repository: unknown error: ERROR: You’re using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.”
I also tried from the CLI and from the GUI and received the same error:
```
argocd repo add git@github.com:generalpax/ci-cd-istio-tekton.git --ssh-private-key-path ~/.ssh/id_rsa_github --insecure-skip-server-verification
FATA[0001] rpc error: code = Unknown desc = unknown error: ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
```
Also regenerated my key with type rsa-sha2-256: `ssh-keygen -t rsa-sha2-256`
To Reproduce
- Install ArgoCD Operator on Openshift 4.8.15
- Create namespace and add argocd instance to it.
- Add repo to argo
Expected behavior
Connected github repo
Screenshots
If applicable, add screenshots to help explain your problem.
Version
argocd: v2.1.2+7af9dfb.dirty
BuildDate: 2021-09-02T21:28:55Z
GitCommit: 7af9dfb3524c13e941ab604e36e49a617fe47d2e
GitTreeState: dirty
GoVersion: go1.17
Compiler: gc
Platform: darwin/amd64
argocd-server: v2.0.0+f5119c0
BuildDate: 2021-04-07T06:00:33Z
GitCommit: f5119c06686399134b3f296d44445bcdbc778d42
GitTreeState: clean
GoVersion: go1.16
Compiler: gc
Platform: linux/amd64
Ksonnet Version: v0.13.1
Kustomize Version: v3.9.4 2021-02-09T19:22:10Z
Helm Version: v3.5.1+g32c2223
Kubectl Version: v0.20.4
Jsonnet Version: v0.17.0
Logs
About this issue
- State: open
- Created 3 years ago
- Reactions: 8
- Comments: 16 (5 by maintainers)
Switching to Ed25519 as per GitHub’s recommendation worked for me. You can update existing repositories this way.
Add `cat ~/.ssh/id_ed25519.pub` as a new repo deploy key in GitHub/Bitbucket/etc. Replace `sshPrivateKey: <encoded_private_key>` with your new encoded private key.

The problem is that the git client that Argo uses doesn’t do sha2 signatures. Use an ed25519 key.
We are impacted as of 15 minutes ago… Changes in Github security policy again?

EDIT: Generating a new `ed25519` key as suggested above worked for us. Github have changed their instructions for generating SSH keys to use `ed25519` by default:
```shell
ssh-keygen -t ed25519 -C "your_email@corp.com"
```
I don’t know why the old key was blocked as it was SHA-256 and 4096 bits; it seems like Github deprecated a lot of other things like cipher suites and MAC types, so it might have been something more obscure.
To be clear, this is an ArgoCD problem (or rather the SSH client ArgoCD is using). SSH RSA keys aren’t signed with SHA-1 (that would be nonsensical); the error relates to SHA-1 being used during the handshake. The SSH client should be using SHA-256 (aka `rsa-sha2-256`) during handshakes. https://datatracker.ietf.org/doc/html/rfc8332
To be more clear, the format of the RSA key isn’t the problem. Switching to Ed25519 just forces the client to not use `ssh-rsa` during handshakes (since handshakes should use `ssh-ed25519`, https://datatracker.ietf.org/doc/html/rfc8709).

I know this issue is still open but just to say that we had a similar problem where argocd and github wouldn’t sync because of the key generation and this did work for us:
```shell
ssh-keygen -t ed25519 -a 100
```
Thanks for the info but this didn’t work for me with argocd for some reason. IDK why all of a sudden it won’t accept the same keys I’ve been using all month.
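The comments above boil down to one operational question: which of the repository credentials stored by Argo CD (the `sshPrivateKey` field of a repo Secret) are `ssh-rsa` keys whose handshake depends on the client supporting `rsa-sha2-256`/`rsa-sha2-512` (RFC 8332), and which are already `ssh-ed25519` (RFC 8709)? The following added example, which is not Argo CD project code, reads the key type straight from the secret value without decrypting anything: the OpenSSH `openssh-key-v1` container stores the public key in the clear before the private section, so the type is the first field of that public-key blob. It assumes the secret value is the usual base64-encoded OpenSSH-format private key (the legacy PEM `BEGIN RSA PRIVATE KEY` header is also recognised, since that format is RSA by definition); the `constructed_secret_value` fixture builds a syntactically valid but unusable dummy blob purely so the script runs offline.

```python
"""Audit the SSH key type held in an Argo CD repository Secret.

Added example, not Argo CD project code. Argo CD stores the repository's
private key in the `sshPrivateKey` field of a Kubernetes Secret, base64
encoded like every Secret value. The OpenSSH private key container
(openssh-key-v1) carries the public key in the clear ahead of the possibly
encrypted private section, so the key type can be read without a passphrase.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOTER = "-----END OPENSSH PRIVATE KEY-----"
LEGACY_RSA_HEADER = "-----BEGIN RSA PRIVATE KEY-----"


def _read_string(buf: bytes, offset: int):
    """Read one SSH 'string' (uint32 big-endian length followed by bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:end], end


def openssh_key_type(pem: str) -> str:
    """Return the key type ('ssh-rsa', 'ssh-ed25519', ...) of a private key
    file, reading only the public part of the openssh-key-v1 container."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines and lines[0] == LEGACY_RSA_HEADER:
        return "ssh-rsa"  # legacy PKCS#1 PEM (ssh-keygen -m PEM) is RSA by definition
    if not lines or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not an OpenSSH private key (openssh-key-v1)")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(OPENSSH_MAGIC)
    _cipher, off = _read_string(blob, off)     # e.g. b"none" or b"aes256-ctr"
    _kdf, off = _read_string(blob, off)        # e.g. b"none" or b"bcrypt"
    _kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if nkeys != 1:
        raise ValueError(f"expected exactly 1 key, found {nkeys}")
    pubkey, _ = _read_string(blob, off)        # public key blob, unencrypted
    keytype, _ = _read_string(pubkey, 0)       # first field of every SSH pubkey
    return keytype.decode("ascii")


def assess_repo_secret(ssh_private_key_b64: str) -> dict:
    """Decode an Argo CD repo Secret's `sshPrivateKey` value and report whether
    the key can run into the 'RSA key with SHA-1' rejection."""
    pem = base64.b64decode(ssh_private_key_b64).decode("ascii")
    keytype = openssh_key_type(pem)
    if keytype == "ssh-rsa":
        verdict = ("legacy: signature algorithm depends on the client; needs "
                   "rsa-sha2-256/512 support (RFC 8332) or rotate to "
                   "ssh-ed25519 (RFC 8709)")
    elif keytype == "ssh-ed25519":
        verdict = "ok: ssh-ed25519 never negotiates ssh-rsa/SHA-1"
    else:
        verdict = f"review: unexpected key type {keytype}"
    return {"key_type": keytype, "verdict": verdict}


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def constructed_secret_value(keytype: str) -> str:
    """CONSTRUCTED fixture: a syntactically valid openssh-key-v1 blob whose
    public key carries the given type. The key material is all zeros, so this
    is not a usable key; it exists only so the audit can be run offline."""
    pubkey = _ssh_string(keytype.encode()) + _ssh_string(b"\x00" * 32)
    blob = (OPENSSH_MAGIC + _ssh_string(b"none") + _ssh_string(b"none")
            + _ssh_string(b"") + struct.pack(">I", 1) + _ssh_string(pubkey)
            + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    pem = f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n"
    return base64.b64encode(pem.encode()).decode()  # as stored in a Secret


if __name__ == "__main__":
    for kt in ("ssh-rsa", "ssh-ed25519"):
        print(kt, "->", assess_repo_secret(constructed_secret_value(kt)))
```

In practice the input comes from `kubectl get secret -n argocd -l argocd.argoproj.io/secret-type=repository -o json`, feeding each `data.sshPrivateKey` value to `assess_repo_secret`. A `legacy` verdict does not mean the key is weak (the RSA key itself is not hashed with SHA-1, as the comment above explains); it means the connection works only if the SSH client Argo CD ships negotiates `rsa-sha2-256`, which is exactly the dependency the reporter tripped over.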