APT Key is Deprecated (MariaDB, Nginx)

I receive these warnings and errors on my install using trellis-cli to create a local dev server from WSL. Does anyone know how to fix the issue?

TASK [mariadb : Add MariaDB APT key] *******************************************
fatal: [default]: FAILED! => {"changed": false, "cmd": "/usr/bin/apt-key adv --no-tty --keyserver hkp://keyserver.ubuntu.com:80 --recv F1656F24C74CD1D8", "forced_environment": {"LANG": "C.utf8", "LC_ALL": "C.utf8", "LC_MESSAGES": "C.utf8"}, "msg": "Error fetching key F1656F24C74CD1D8 from keyserver: hkp://keyserver.ubuntu.com:80", "rc": 2, "stderr": "Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).\ngpg: CRC error; 808723 - D02496\ngpg: read_block: read error: Invalid keyring\ngpg: Total number processed: 0\n", "stderr_lines": ["Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).", "gpg: CRC error; 808723 - D02496", "gpg: read_block: read error: Invalid keyring", "gpg: Total number processed: 0"], "stdout": "Executing: /tmp/apt-key-gpghome.Eq8A6VTMci/gpg.1.sh --no-tty --keyserver hkp://keyserver.ubuntu.com:80 --recv F1656F24C74CD1D8\n", "stdout_lines": ["Executing: /tmp/apt-key-gpghome.Eq8A6VTMci/gpg.1.sh --no-tty --keyserver hkp://keyserver.ubuntu.com:80 --recv F1656F24C74CD1D8"]}


PLAY RECAP *********************************************************************
default                    : ok=42   changed=19   unreachable=0    failed=1    skipped=15   rescued=0    ignored=0

Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.
1 Like

Following along. I also hit this issue in the past couple days trying to provision a remote environment.

Hopefully a fix is on the way.

Also getting a similar error attempting to boot up an old project. I had several other errors I managed to bypass and now I am on this one:

TASK [common : Restrict journal log size] **************************************
fatal: [default]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'max_journal_size' is undefined\n\nThe error appears to be in '/trellis/roles/common/tasks/main.yml': line 191, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Restrict journal log size\n ^ here\n"}

Running trellis / vagrant / parallels on M2

Not sure if this will help any other cases but I was missing:

max_journal_size: 512M

from my group_vars/all/main.yml file for some reason but I got past that one.

Now onto the next error…

Did you have one about a deprecated key? That is where the system crashes on mine and does not complete.

I tried again with a fresh install today just to see if maybe I goofed a step up, and got the same “Deprecated key for MariaDB.” error.

Yup, I just bumped into the same error during a first deploy to a fresh droplet using Trellis 1.21.0 but instead for NGINX:

TASK [nginx : Add Nginx APT key] ***********************************************
fatal: [165.232.87.22]: FAILED! => {"changed": false, "cmd": "/usr/bin/apt-key adv --no-tty --keyserver https://nginx.org/keys/nginx_signing.key --recv ABF5BD827BD9BF62", "msg": "Error fetching key ABF5BD827BD9BF62 from keyserver: https://nginx.org/keys/nginx_signing.key", "rc": 2, "stderr": "Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).\ngpg: key ABF5BD827BD9BF62: public key \"nginx signing key <signing-key@nginx.com>\" imported\ngpg: key 2FD21310B49F6B46: rejected by import screener\ngpg: key BCDCD8A38D88A2B3: rejected by import screener\ngpg: Total number processed: 3\ngpg:               imported: 1\n", "stderr_lines": ["Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).", "gpg: key ABF5BD827BD9BF62: public key \"nginx signing key <signing-key@nginx.com>\" imported", "gpg: key 2FD21310B49F6B46: rejected by import screener", "gpg: key BCDCD8A38D88A2B3: rejected by import screener", "gpg: Total number processed: 3", "gpg:               imported: 1"], "stdout": "Executing: /tmp/apt-key-gpghome.qi2Ktx2iZU/gpg.1.sh --no-tty --keyserver https://nginx.org/keys/nginx_signing.key --recv ABF5BD827BD9BF62\n", "stdout_lines": ["Executing: /tmp/apt-key-gpghome.qi2Ktx2iZU/gpg.1.sh --no-tty --keyserver https://nginx.org/keys/nginx_signing.key --recv ABF5BD827BD9BF62"]}

To fix the MariaDB task, you need to pull in this commit

In the Add Nginx APT key task, trellis uses apt_key, but in the MariaDB Apt signing key task, it uses ansible.builtin.apt_key

If I apply the same commit changes to the NGINX task:

---
- name: Add Nginx APT key
  ansible.builtin.apt_key:
    url: "https://nginx.org/keys/nginx_signing.key"
    state: present

- name: Add Nginx PPA
  apt_repository:
    repo: "{{ nginx_ppa }}"
    update_cache: yes

- name: Install Nginx
  ansible.builtin.apt:
    name: "{{ nginx_package }}"
    state: "{{ nginx_package_state | default(apt_package_state) }}"
    update_cache: true

Provisioning seems to work again!
You can also remove these lines from roles/nginx/defaults/main.yml:

nginx_keyserver: "https://nginx.org/keys/nginx_signing.key"
nginx_keyserver_id: "ABF5BD827BD9BF62"
5 Likes
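
A variation on the task in the post above, as an added example that is not part of the original post and is not Trellis code: the `apt_key` module still calls `apt-key` and adds the key to APT's global trust store, whereas these tasks keep the Nginx key in its own file and scope it to the Nginx repository with `signed-by`. The keyring path, the `filename` value, the repository line and the key-ID check are assumptions; the key URL and key ID are the ones quoted in this thread.

```yaml
---
# Added example, not Trellis code. Paths and the repo line are assumptions.
- name: Ensure the APT keyrings directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"

- name: Download the Nginx signing key to a dedicated keyring file
  ansible.builtin.get_url:
    url: "https://nginx.org/keys/nginx_signing.key"
    dest: /etc/apt/keyrings/nginx_signing.asc
    mode: "0644"

# Sanity check only: a 64-bit key ID is not a strong identifier. Compare the
# full fingerprint, obtained out of band, where you have one (not on this page).
- name: List the keys contained in the downloaded file
  ansible.builtin.command:
    argv:
      - gpg
      - --show-keys
      - --with-colons
      - /etc/apt/keyrings/nginx_signing.asc
  register: nginx_key_info
  changed_when: false

- name: Stop unless the expected key ID is present
  ansible.builtin.assert:
    that:
      - "'ABF5BD827BD9BF62' in nginx_key_info.stdout"
    fail_msg: "Downloaded file does not contain key ABF5BD827BD9BF62"

# signed-by limits this key to this one repository instead of every source.
- name: Add the Nginx repository, trusting only that keyring
  ansible.builtin.apt_repository:
    repo: >-
      deb [signed-by=/etc/apt/keyrings/nginx_signing.asc]
      https://nginx.org/packages/mainline/ubuntu/
      {{ ansible_distribution_release }} nginx
    filename: nginx
    state: present
    update_cache: true
```

If an older list file for the same repository exists without `signed-by`, remove it first; APT refuses sources that declare conflicting Signed-By values.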

Can you submit a PR for this please?

Yes done!

2 Likes

Hey, just bumped into this as well, also in NGINX. Can confirm the lines above fix the issue for me.
:+1:t4:

2 Likes

For posterity:

3 Likes

Is this, by chance, somehow related to this apt update warning?:

Thanks for the fix :pray: Just to share, I had this issue with an existing deployment and needed to do some extra steps: I updated Trellis to v1.22.1 but found that to run provision on my existing install I needed to remove the extra sources on the server so apt update could run again:

cd /etc/apt/sources.list.d/
rm nginx_org_packages_mainline_ubuntu.list ppa_ondrej_php_jammy.list mirror_rackspace_com_mariadb_repo_10_6_ubuntu.list

Once the sources were removed I could provision, which recreated the sources. Not sure if there’s a better approach, maybe someone can advise?

@strarsis I think the underlying error this fixes is that the NGINX key expired. I am still seeing the deprecation notice after upgrading, but provisioning works again and I can run apt update without it failing.