Roots Discourse

SSH error when deploying to production

I can deploy via trellis to my remote staging server but when I run the same command on the production environment, I get an SSH error. Can anyone tell me why this is happening and how to fix it?

See the verbose output below:

    Failed to connect to the host via ssh: OpenSSH_7.3p1, LibreSSL 2.4.1
    debug1: Reading configuration data /Users/Tom/.ssh/config
    debug1: /Users/Tom/.ssh/config line 5: Applying options for 162.243.6.59
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 20: Applying options for *
    debug1: auto-mux: Trying existing master
    debug1: Control socket "/Users/Tom/.ansible/cp/ansible-ssh-162.243.6.59-22-web" does not exist
    debug2: resolving "162.243.6.59" port 22
    debug2: ssh_connect_direct: needpriv 0
    debug1: Connecting to 162.243.6.59 [162.243.6.59] port 22.
    debug2: fd 3 setting O_NONBLOCK
    debug1: fd 3 clearing O_NONBLOCK
    debug1: Connection established.
    debug3: timeout: 9968 ms remain after connect
    debug1: identity file /Users/Tom/.ssh/id_rsa type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file /Users/Tom/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /Users/Tom/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /Users/Tom/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /Users/Tom/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /Users/Tom/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /Users/Tom/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /Users/Tom/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.3
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
    debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH_6.6.1* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to 162.243.6.59:22 as 'web'
    debug3: hostkeys_foreach: reading file "/Users/Tom/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file /Users/Tom/.ssh/known_hosts:10
    debug3: load_hostkeys: loaded 1 keys from 162.243.6.59
    debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: receive packet: type 20
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
    debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
    debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
    debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,zlib@openssh.com,zlib
    debug2: compression stoc: none,zlib@openssh.com,zlib
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: host key algorithms: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
    debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: MACs ctos: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: MACs stoc: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: compression ctos: none,zlib@openssh.com
    debug2: compression stoc: none,zlib@openssh.com
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug1: kex: algorithm: curve25519-sha256@libssh.org
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug3: send packet: type 30
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug3: receive packet: type 31
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:R4a+8FE4W7vIuVkK84PSJ5D8pcX14ObFfB22FpgbulM
    debug3: hostkeys_foreach: reading file "/Users/Tom/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file /Users/Tom/.ssh/known_hosts:10
    debug3: load_hostkeys: loaded 1 keys from 162.243.6.59
    debug1: Host '162.243.6.59' is known and matches the ECDSA host key.
    debug1: Found key in /Users/Tom/.ssh/known_hosts:10
    debug3: send packet: type 21
    debug2: set_newkeys: mode 1
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: receive packet: type 21
    debug2: set_newkeys: mode 0
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS received
    debug2: key: /Users/Tom/.ssh/id_rsa (0x7f986cc09400), agent
    debug2: key: /Users/Tom/.ssh/id_dsa (0x0)
    debug2: key: /Users/Tom/.ssh/id_ecdsa (0x0)
    debug2: key: /Users/Tom/.ssh/id_ed25519 (0x0)
    debug3: send packet: type 5
    debug3: receive packet: type 6
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug3: send packet: type 50
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey
    debug3: start over, passed a different list publickey
    debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: ,gssapi-keyex,hostbased,publickey
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /Users/Tom/.ssh/id_rsa
    debug3: send_pubkey_test
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey
    debug1: Trying private key: /Users/Tom/.ssh/id_dsa
    debug3: no such identity: /Users/Tom/.ssh/id_dsa: No such file or directory
    debug1: Trying private key: /Users/Tom/.ssh/id_ecdsa
    debug3: no such identity: /Users/Tom/.ssh/id_ecdsa: No such file or directory
    debug1: Trying private key: /Users/Tom/.ssh/id_ed25519
    debug3: no such identity: /Users/Tom/.ssh/id_ed25519: No such file or directory
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    Permission denied (publickey).

    fatal: [162.243.6.59]: UNREACHABLE! => {
        "changed": false, 
        "unreachable": true
    }

It really just looks like the server isn’t accepting /Users/Tom/.ssh/id_rsa as a key for the web user.

Could you verify that you have run the server.yml playbook on the production machine? It loads the key for web user onto the server.

Could you double-check that users looks correct (esp. the keys for web_user; see also ssh-keys docs) then run:

ansible-playbook server.yml -e env=production --tags users

Then try your deploy again.
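
The reading of the debug output given in the replies above, as an added example that is not part of the original thread: a small Python parser that pulls the authentication facts out of `ssh -v` output and states where the login failed. The sample lines are a constructed excerpt in the shape of the log above, and the names `summarize_auth` and `diagnose` are hypothetical.

```python
import re

# Constructed excerpt, in the shape of the `ssh -vvv` output posted above.
SAMPLE_LOG = """\
debug1: Authenticating to 162.243.6.59:22 as 'web'
debug1: Host '162.243.6.59' is known and matches the ECDSA host key.
debug2: key: /Users/Tom/.ssh/id_rsa (0x7f986cc09400), agent
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /Users/Tom/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/Tom/.ssh/id_dsa
debug3: no such identity: /Users/Tom/.ssh/id_dsa: No such file or directory
debug1: No more authentication methods to try.
Permission denied (publickey).
"""

PATTERNS = {
    "target": re.compile(r"debug1: Authenticating to (\S+):(\d+) as '([^']+)'"),
    "hostkey": re.compile(r"debug1: Host '[^']+' is known and matches the \S+ host key"),
    "methods": re.compile(r"debug1: Authentications that can continue: (\S+)"),
    # Matches "Offering RSA public key: PATH" and the newer "Offering public key: PATH ..."
    "offered": re.compile(r"debug1: Offering (?:\w+ )?public key: (\S+)"),
    "accepted": re.compile(r"debug1: Server accepts key"),
    "missing": re.compile(r"debug3: no such identity: (\S+): "),
    "denied": re.compile(r"Permission denied \(([^)]*)\)"),
}

def summarize_auth(log):
    """Collect who we logged in as, which keys were offered, and the outcome."""
    s = {"user": None, "host": None, "host_key_ok": False, "methods": [],
         "offered": [], "missing": [], "accepted": None, "denied": False}
    for line in log.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "target":
                s["host"], s["user"] = m.group(1), m.group(3)
            elif name == "hostkey":
                s["host_key_ok"] = True
            elif name == "methods":
                s["methods"] = m.group(1).split(",")
            elif name == "offered":
                s["offered"].append(m.group(1))
            elif name == "accepted" and s["offered"]:
                s["accepted"] = s["offered"][-1]  # reply refers to the last key offered
            elif name == "missing":
                s["missing"].append(m.group(1))
            elif name == "denied":
                s["denied"] = True
            break
    return s

def diagnose(s):
    """Turn the summary into the one-line reading a reviewer would give."""
    if not s["denied"]:
        return "no authentication failure in this log"
    if not s["host_key_ok"]:
        return "host key was not verified; check known_hosts before user keys"
    if not s["offered"]:
        return "no key was offered; load one into the agent or set IdentityFile"
    if s["accepted"] is None:
        return ("server rejected every offered key (%s) for user '%s'; compare with "
                "that user's authorized_keys on %s"
                % (", ".join(s["offered"]), s["user"], s["host"]))
    return "key %s passed the pre-check but login still failed" % s["accepted"]

if __name__ == "__main__":
    print(diagnose(summarize_auth(SAMPLE_LOG)))
```
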

I’ve verified that users is correct. I have ssh forwarding set up correctly and can deploy to staging successfully.

I ran the command you suggested and it failed. I ran it again with --ask-become-pass and the SUDO password for the server and it failed. I ran it again with the verbose output (below). Any other ideas?

Toms-MacBook-Air:trellis Tom$ ansible-playbook server.yml -e env=production --tags users --ask-become-pass -vvvv
Using /Users/Tom/harness-wordpress-app/trellis/ansible.cfg as config file
SUDO password: 
statically included: /Users/Tom/harness-wordpress-app/trellis/roles/common/tasks/reload_nginx.yml
statically included: /Users/Tom/harness-wordpress-app/trellis/vendor/roles/composer/tasks/global-require.yml
statically included: /Users/Tom/harness-wordpress-app/trellis/roles/letsencrypt/tasks/setup.yml
statically included: /Users/Tom/harness-wordpress-app/trellis/roles/letsencrypt/tasks/nginx.yml
statically included: /Users/Tom/harness-wordpress-app/trellis/roles/letsencrypt/tasks/certificates.yml
statically included: /Users/Tom/harness-wordpress-app/trellis/roles/wordpress-setup/tasks/database.yml
statically included: /Users/Tom/harness-wordpress-app/trellis/roles/wordpress-setup/tasks/self-signed-certificate.yml
statically included: /Users/Tom/harness-wordpress-app/trellis/roles/wordpress-setup/tasks/nginx.yml
Loading callback plugin output of type stdout, v2.0 from /Library/Python/2.7/site-packages/ansible/plugins/callback/__init__.pyc

PLAYBOOK: server.yml ***********************************************************
3 plays in server.yml

PLAY [Ensure necessary variables are defined] **********************************

PLAY [Determine Remote User] ***************************************************

TASK [remote-user : Require manual definition of remote-user] ******************
task path: /Users/Tom/harness-wordpress-app/trellis/roles/remote-user/tasks/main.yml:2
[DEPRECATION WARNING]: ansible.utils.unicode.to_unicode is deprecated.  Use 
ansible.module_utils._text.to_text instead.
This feature will be removed in 
version 2.4. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
skipping: [162.243.21.18] => {
    "changed": false, 
    "skip_reason": "Conditional check failed", 
    "skipped": true
}

TASK [remote-user : Check whether Ansible can connect as root] *****************
task path: /Users/Tom/harness-wordpress-app/trellis/roles/remote-user/tasks/main.yml:9
Using module file /Library/Python/2.7/site-packages/ansible/modules/core/commands/command.py
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: Tom
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo ~/.ansible/tmp/ansible-tmp-1486401760.17-273289756406186 `" && echo ansible-tmp-1486401760.17-273289756406186="` echo ~/.ansible/tmp/ansible-tmp-1486401760.17-273289756406186 `" ) && sleep 0'
<localhost> PUT /var/folders/zv/vztpwhpj51b_sl8z8grzd74r0000gn/T/tmpqndHGp TO /Users/Tom/.ansible/tmp/ansible-tmp-1486401760.17-273289756406186/command.py
<localhost> EXEC /bin/sh -c 'chmod u+x /Users/Tom/.ansible/tmp/ansible-tmp-1486401760.17-273289756406186/ /Users/Tom/.ansible/tmp/ansible-tmp-1486401760.17-273289756406186/command.py && sleep 0'
<localhost> EXEC /bin/sh -c '/usr/bin/python /Users/Tom/.ansible/tmp/ansible-tmp-1486401760.17-273289756406186/command.py; rm -rf "/Users/Tom/.ansible/tmp/ansible-tmp-1486401760.17-273289756406186/" > /dev/null 2>&1 && sleep 0'
ok: [162.243.21.18 -> localhost] => {
    "changed": false, 
    "cmd": [
        "ansible", 
        "162.243.21.18", 
        "-m", 
        "raw", 
        "-a", 
        "whoami", 
        "-u", 
        "root"
    ], 
    "delta": "0:00:01.903062", 
    "end": "2017-02-06 12:22:42.552877", 
    "failed": false, 
    "failed_when_result": false, 
    "invocation": {
        "module_args": {
            "_raw_params": "ansible 162.243.21.18 -m raw -a whoami -u root ", 
            "_uses_shell": false, 
            "chdir": null, 
            "creates": null, 
            "executable": null, 
            "removes": null, 
            "warn": true
        }, 
        "module_name": "command"
    }, 
    "rc": 4, 
    "start": "2017-02-06 12:22:40.649815", 
    "stderr": "", 
    "stdout": "162.243.21.18 | UNREACHABLE! => {\n    \"changed\": false, \n    \"msg\": \"Failed to connect to the host via ssh: Permission denied (publickey).\\r\\n\", \n    \"unreachable\": true\n}", 
    "stdout_lines": [
        "162.243.21.18 | UNREACHABLE! => {", 
        "    \"changed\": false, ", 
        "    \"msg\": \"Failed to connect to the host via ssh: Permission denied (publickey).\\r\\n\", ", 
        "    \"unreachable\": true", 
        "}"
    ], 
    "warnings": []
}

TASK [remote-user : Set remote user for each host] *****************************
task path: /Users/Tom/harness-wordpress-app/trellis/roles/remote-user/tasks/main.yml:16
ok: [162.243.21.18] => {
    "ansible_facts": {
        "ansible_user": "admin"
    }, 
    "changed": false, 
    "invocation": {
        "module_args": {
            "ansible_user": "admin"
        }, 
        "module_name": "set_fact"
    }
}

TASK [remote-user : Announce which user was selected] **************************
task path: /Users/Tom/harness-wordpress-app/trellis/roles/remote-user/tasks/main.yml:21
Note: Ansible will attempt connections as user = admin
ok: [162.243.21.18] => {}

TASK [remote-user : Load become password] **************************************
task path: /Users/Tom/harness-wordpress-app/trellis/roles/remote-user/tasks/main.yml:25
ok: [162.243.21.18] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result"}

PLAY [WordPress Server - Install LEMP Stack with PHP 7.0 and MariaDB MySQL] ****

TASK [setup] *******************************************************************
Using module file /Library/Python/2.7/site-packages/ansible/modules/core/system/setup.py
<162.243.21.18> ESTABLISH SSH CONNECTION FOR USER: admin
<162.243.21.18> SSH: EXEC ssh -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/Users/Tom/.ansible/cp/ansible-ssh-%h-%p-%r 162.243.21.18 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo ~/.ansible/tmp/ansible-tmp-1486401763.03-147472028159488 `" && echo ansible-tmp-1486401763.03-147472028159488="` echo ~/.ansible/tmp/ansible-tmp-1486401763.03-147472028159488 `" ) && sleep 0'"'"''
<162.243.21.18> PUT /var/folders/zv/vztpwhpj51b_sl8z8grzd74r0000gn/T/tmpadTIS1 TO /home/admin/.ansible/tmp/ansible-tmp-1486401763.03-147472028159488/setup.py
<162.243.21.18> SSH: EXEC sftp -b - -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/Users/Tom/.ansible/cp/ansible-ssh-%h-%p-%r '[162.243.21.18]'
<162.243.21.18> ESTABLISH SSH CONNECTION FOR USER: admin
<162.243.21.18> SSH: EXEC ssh -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/Users/Tom/.ansible/cp/ansible-ssh-%h-%p-%r 162.243.21.18 '/bin/sh -c '"'"'chmod u+x /home/admin/.ansible/tmp/ansible-tmp-1486401763.03-147472028159488/ /home/admin/.ansible/tmp/ansible-tmp-1486401763.03-147472028159488/setup.py && sleep 0'"'"''
<162.243.21.18> ESTABLISH SSH CONNECTION FOR USER: admin
<162.243.21.18> SSH: EXEC ssh -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/Users/Tom/.ansible/cp/ansible-ssh-%h-%p-%r -tt 162.243.21.18 '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-kljvgxgrvjsiszebgwycjtjtuzjixiyq; /usr/bin/python /home/admin/.ansible/tmp/ansible-tmp-1486401763.03-147472028159488/setup.py; rm -rf "/home/admin/.ansible/tmp/ansible-tmp-1486401763.03-147472028159488/" > /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''
System info:
  Ansible 2.2.1.0; Darwin
  Trellis at "Wrap my.cnf password in quotes"
---------------------------------------------------
MODULE FAILURE
OpenSSH_7.3p1, LibreSSL 2.4.1
debug1: Reading configuration data /Users/Tom/.ssh/config
debug1: /Users/Tom/.ssh/config line 9: Applying options for 162.243.21.18
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 30908
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 2
debug3: mux_client_read_packet: read header failed: Broken pipe
debug2: Received exit status from master 1
Shared connection to 162.243.21.18 closed.

sudo: a password is required

fatal: [162.243.21.18]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "invocation": {
        "module_name": "setup"
    }
}
	to retry, use: --limit @/Users/Tom/harness-wordpress-app/trellis/server.retry

PLAY RECAP *********************************************************************
162.243.21.18              : ok=4    changed=0    unreachable=0    failed=1

Shot in the dark: have you rebuilt your Production server since you originally provisioned it? Could it be a key mismatch in ~/.ssh/known_hosts ?


Nope. And I can manually ssh into the server so I don’t think there’s a problem there. Thanks though.

The first post looked like a failed authentication for web user with deploy.yml, but this latest error snippet looks like the server.yml connection as root and/or admin is having a problem with shared SSH connections, multiplexing.

I wish I had some good ideas, but the best I can come up with is a couple threads that seem relevant: first, second.

In your ssh_args (in ansible.cfg), you might try ControlMaster=no -o ControlPersist=no to avoid shared connections.

Maybe somehow it would help to reboot your local machine just to give your SSH client a fresh start.


I think you could avoid that warning by applying roots/trellis#683

Thanks Phil. Nothing has worked yet. Any chance I can hire you to help me sort out my setup? I’m just faking the whole developer thing 🙂

Sure! I’d love to do a Roots call.

Sorry to hear the issue isn’t resolving. This seems to be a pretty unusual issue.

Compare provisioning/deploying to a different test server

You could copy your project files to a temp folder, create a new test server, plug that new IP into hosts/production (in temp folder) and try to provision. Maybe you’d have to set SSL enabled: false for provisioning to succeed (if using provider: letsencrypt).

If it works, it suggests that your production server has an issue. You could troubleshoot or maybe just back up data (DB, uploads, etc.) then rebuild server from scratch (server.yml) if/when production can stand the downtime.

Otherwise, if this test provisioning/deploying fails, it suggests a problem in your project files or local environment generally.

Compare Ansible config between staging and production

Maybe you can find differences between group_vars/staging and group_vars/production that might affect connection. You could double-check for meaningful differences between hosts/staging and hosts/production too, if you’ve added anything nonstandard in there (seems unlikely).

Compare SSH config per host

You might also find some important SSH config difference between the hosts by doing a diff on the output of these two commands (run on local machine).

# SSH client config for connecting to STAGING
# (use ip or host name from hosts/staging)
ssh -G 12.34.56.78

# SSH client config for connecting to PRODUCTION
ssh -G 162.243.21.18

This seems unlikely to yield anything helpful because it tests SSH client settings for manual connections, which apparently all succeed for you, whether staging or production.

Compare execution on different local machines

You could clone your project files to a different machine and try the server.yml and deploy.yml playbooks. Of course, if the problem persists, then it’s most likely an issue with the project files. If the problem resolves, it’s most likely an issue with the environment and/or files on your original local machine.
