I am new to Trellis but still love it! But there is something I really don’t understand : the root user and its password. So, I want to make a provision + deploy, but I only get 4 “ok” before getting this error : Incorrect sudo password fatal: [my_ip_here]: FAILED! => {}.
In my /group_vars/production/vault.yml I changed every password for a more…personnal one (and a tougher one!), then, with the help of ansible I encrypted my file. But, I have this wonderful error which explicitly says that my sudo password is incorrect.
I don’t understand why it’s incorrect ; should I change it again? remove it? Off course, I did all that and nothing works anyway.
For this to happen, I think ssh for root must be disabled. So, we’re dealing with the password for the admin_user.
If this is a new VPS and Trellis has not yet had a successful run of server.yml, then apparently your admin_user already has a password. Or, perhaps you ran server.yml before but have now changed the password and want it to update on the server. Please let us now if your situation is actually something else.
You can leave your new password in group_vars/production/vault.yml. When Trellis gets the chance, it will change the user’s password to this one.
To make the initial connection, however, you must provide the old existing password when invoking ansible: ansible-playbook server.yml -e env=production --ask-become-pass
Respond to the immediate prompt to type in the old existing password. The playbook will then run for a bit and fail mid-process when it changes the password. (Ansible continues to try to use the old password which no longer works.)
Now just rerun server.yml, but without --ask-become-pass this time. Ansible will now just use the password in vault.yml and should finish successfully. There’s a tiny chance you’ll have to wait 60s before the next connection will succeed.
I don’t believe this is a very common issue, but it could be confusing when it arises. I recall some similar discussion in a thread a year ago.
If none of the above helps, you could google how to just manually change the admin_user password via SSH. Once the password the server knows matches the password in your local vault.yml, that should be the end of the issue.
Thank you for your response. I did try step 1-2-3, still nothing works. And I never have a full and successful run of server.yml, this is my first time to provision and deploy on my server with the help of trellis/ansible.
I am still working on this issue today…and hope it will corrected soon enough
Maybe we should take a step back to some more fundamental questions.
Who is your cloud provider? If you’re using an Ubuntu droplet from Digital ocean, you should have created the droplet (e.g., in web GUI) with your SSH key preloaded on the droplet. I’m pretty sure any password should be irrelevant for first connection as root.
If you’re using an Ubuntu ami from AWS you will need to have created the EC2 with your SSH key preloaded. Again, I don’t know how the password could be relevant unless you used an ami or installer option that isn’t just bare Ubuntu (e.g., if ubuntu user somehow already has some password set, etc.). For AWS you’ll need to change the Trellis admin_user to match what is allowed by the AWS ami:
- admin_user: admin
+ admin_user: ubuntu
Remember that you should be using a bare Ubuntu image, not a one-click install WordPress image or something.
Can you SSH manually to your server? If so, which user are you using? If you can’t SSH manually, this isn’t yet really a Trellis issue because Trellis assumes a starting point of SSH access is already successful. In any case, you’ll find a ton of SSH connection troubleshooting info by searching this forum. See also the various tips at Troubleshooting | Trellis Docs | Roots
Hi, I’m experiencing this problem and can’t find anything on google on how to change admin_user password via SSH. Could you point me in the right direction?
