Provisioning of server works fine. Deployment Fails for Production. Trellis SSH fails

Hello All:

So, I am not doing a staging as this is a new environment and we are skipping staging.

However, development works great and I have 2 sites up and running in .test without issue and have been fully developed.

The server provisioning appears to work great. I am able to SSH into the server using ssh ubuntu@mydomain.com (AWS install), so all is well, the machine is accessible, and it appears that nginx and everything else is installed and ready for deployment.

So: 
$ trellis deploy production myfirstsite.com

TASK [deploy : Failed connection to remote repo] *******************************
fatal: [mydomain.com]: FAILED! => {"changed": false, "msg": "Git repo git@github.com:*********/***********.git on branch production cannot be accessed. Please verify the repository/branch are correct and you have SSH forwarding set up correctly.\nMore info:\n> https://roots.io/trellis/docs/deploys/#ssh-keys\n> https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding\n\nError:\ngit@github.com: Permission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n"}

The repo exists as a private repo and the branch exists. So, it is obviously an SSH issue.

So I try:

$ trellis ssh production mydomain.com
Running command => ssh admin@mydomain.com
admin@mydomain.com: Permission denied (publickey).
Error running ssh: exit status 255

My User File from group_vars:

# Documentation: https://roots.io/trellis/docs/ssh-keys/
admin_user: ubuntu

# Also define 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`)
users:
  - name: "{{ web_user }}"
    groups:
      - "{{ web_group }}"
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub', errors='ignore') }}"
      - "{{ lookup('file', '~/.ssh/id_ed25519.pub', errors='ignore') }}"
      - https://github.com/tziady.keys
  - name: "{{ admin_user }}"
    groups:
      - sudo
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub', errors='ignore') }}"
      - "{{ lookup('file', '~/.ssh/id_ed25519.pub', errors='ignore') }}"
      - https://github.com/tziady.keys

web_user: web
web_group: www-data
web_sudoers:
  - "/usr/sbin/service php{{ php_version }}-fpm *"

I guess the easiest path is to recreate the instance using admin instead of ubuntu.

Out of curiosity; is there a way to change this in the trellis user configs?

Did you try SSH-ing the normal, non-Trellis way, ssh user@domain.com? Perhaps you need to remove the stored data at ~/.ssh/known_hosts for the host in question and retry. If not, and you do still have root access, you can check the stored keys on the server as well.


Thanks for the response.

I am able to SSH via shell without any issues.

I have also deleted / removed the old site from known_hosts to avoid any SSH conflicts.

The biggest issue is that it appears trellis is trying to access with admin rather than ubuntu.

I also tried, since posting, changing the group_vars

with both

admin_user: ubuntu
&
admin_user: admin

and it fails at the point of git cloning.

The repos are private and my ssh key has access.

I am able to clone the repo addresses from the CLI.

Again, thanks for the response.

Cheers,
T

I did once have the public key not get stored for the user set in Trellis at trellis/group_vars/all/users.yml for admin_user. I'm not sure anymore why that was the case. But then adding the missing key manually on the server at

youradminuser@yourserver:~/.ssh$ ll authorized_keys 
-rw------- 1 youradminuser sudo 164 Feb 15 01:42 authorized_keys

and all is well. Trellis will always use the user set and not root. It even recommends turning off root access via SSH.


OK, will give it a try and report back.

Another question: to access a private repo, would the server need the private key also? Or am I missing something?

Should I put up both Public and Private Keys?

Thanks,
T

It is a different type of connection, however, when Trellis clones a remote private repo during deployment. In this case, your remote server is allowed to forward your local machine's SSH credentials to the remote repo to authorize the connection.

See SSH Keys | Trellis Docs | Roots


I just finally threw my hands up in the air and transferred my private key (I actually just created a repository-specific key and put it on the server). The agent forwarding is not working for whatever reason, and I cannot figure out why.

Thanks for the help.

Cheers,
T

And you are sure the repository name and branch were correct? You did use something like

...
 branch: main
 repo: git@github.com:user/repo-name.git
...

And a little general access test:

ssh -T git@github.com
Hi jasperf! You've successfully authenticated, but GitHub does not provide shell access.

Just really odd the error does not get resolved without adding the private key.

Also, check if agent forwarding is enabled in your local SSH config:

cat ~/.ssh/config

You should see something like:

Host yourserver
    ForwardAgent yes

If missing, add:

Host yourserver
    HostName yourserver.com
    User your-ssh-user
    ForwardAgent yes

I have

...
Host *
  AddKeysToAgent yes
  IdentityFile ~/.ssh/id_ed25519
...

And two, ensure your SSH agent is running:

eval "$(ssh-agent -s)"

To check if your SSH key is added:

ssh-add -l

If empty, add your key:

ssh-add ~/.ssh/id_rsa
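As an added illustration of the two checks in this reply (the ForwardAgent entry in ~/.ssh/config and the keys loaded in the agent), and of the agent forwarding described earlier in the thread, here is a small POSIX shell script. It is not part of the thread and not Trellis code. It resolves a keyword for a host from an ssh_config file the way ssh does (the first matching Host block wins; `*` and `?` globs and `!` negation are honoured; Match blocks are not handled), and then reports the local agent state. The config it parses is a constructed sample written to a temp file; the hostnames and user names in it are placeholders, not the poster's real values.

```shell
#!/bin/sh
# Added example, not from the thread: resolve ssh_config values per host and
# report whether the local side of agent forwarding is in place.

# Print the first value of <keyword> found in a Host block matching <host>,
# mirroring ssh's "first obtained value wins" rule. Match blocks are skipped.
# Usage: ssh_config_get <config-file> <host> <keyword>
ssh_config_get() {
    awk -v host="$2" -v key="$3" '
        # translate a Host glob (* and ?) into an anchored regex and test it
        function glob_match(pat, s) {
            gsub(/[][.^$+(){}|\\]/, "\\\\&", pat)   # escape regex metachars
            gsub(/\*/, ".*", pat)
            gsub(/\?/, ".", pat)
            return s ~ ("^" pat "$")
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        tolower($1) == "host" {
            matched = 0
            for (i = 2; i <= NF; i++) {
                p = $i; neg = 0
                if (substr(p, 1, 1) == "!") { neg = 1; p = substr(p, 2) }
                if (glob_match(p, host)) {
                    if (neg) { matched = 0; break }  # a negated hit vetoes the block
                    matched = 1
                }
            }
            next
        }
        tolower($1) == "match" { matched = 0; next }
        matched && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Exit 0 when ForwardAgent resolves to "yes" for the host (ssh defaults to no).
forward_agent_enabled() {
    case "$(ssh_config_get "$1" "$2" ForwardAgent | tr 'A-Z' 'a-z')" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# One line per check; safe to run on a machine without a running agent.
report_forwarding_setup() {
    if forward_agent_enabled "$1" "$2"; then
        echo "ForwardAgent for $2: yes"
    else
        echo "ForwardAgent for $2: not enabled (ssh default is no)"
    fi
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "agent: SSH_AUTH_SOCK unset, start one with: eval \"\$(ssh-agent -s)\""
    elif command -v ssh-add >/dev/null 2>&1; then
        # key lines from ssh-add -l start with the bit count, e.g. "256 SHA256:..."
        n=$(ssh-add -l 2>/dev/null | grep -c '^[0-9]' || true)
        echo "agent: $n key(s) loaded (add one with ssh-add <keyfile> if 0)"
    fi
}

# Constructed sample config (placeholder hosts and users, not the poster's file).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
Host bastion
    User admin
    ForwardAgent no

# forward the agent only to production; the negated pattern keeps staging out
Host *.myfirstsite.com myfirstsite.com !*.staging.myfirstsite.com
    HostName myfirstsite.com
    User ubuntu
    ForwardAgent yes

Host *.myfirstsite.com
    User deploy

Host *
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_ed25519
EOF

report_forwarding_setup "$SAMPLE_CFG" myfirstsite.com
report_forwarding_setup "$SAMPLE_CFG" web.staging.myfirstsite.com
```

Against a config like the one quoted above, where only a `Host *` block sets AddKeysToAgent and IdentityFile, the lookup returns nothing for ForwardAgent, which is ssh's default of no and matches the deploy task failing on the clone. Keeping ForwardAgent in a per-host block rather than under `Host *` limits which servers can reach the forwarded agent, since anyone with root on a forwarded-to host can use your loaded keys for as long as the session is open.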

I didn’t have that part of it. For whatever reason, there were a bunch of entries from the local dev environment by vagrant; however, nothing about the production host. I added it. I will respond back when I try it later tonight. But I believe that was my issue.

Thanks,
T


Worked like a charm…Thank you again…
