I can test my keys by doing ssh aitor@188.226.213.77 (connecting without being asked for a password. It works).
I read the SSH docs carefully and I don’t understand why my admin_user, with his public key defined, cannot connect to the remote server from Ansible. I know I am asking too much lately. Sorry about that, I’m doing my best.
While server.yml provisions your server as the admin_user, it will perform some operations using sudo with a password. You will need to set the sudoer password for admin in the list of vault_sudoer_passwords defined in group_vars/<environment>/vault.yml.
Although this statement in the docs implies that your admin_user must be listed in vault_sudoer_passwords, it could be more explicit that if you change the name of the admin_user, you’ll need to add that new user name to vault_sudoer_passwords.
I’d recommend just going back to the default admin_user: admin (note that the default sudoer password for admin is example_password, as mentioned in the docs above). That way you can have a colleague also use admin for the occasional sudo need, instead of having him/her use aitor. Or you could set up additional users for colleagues. Of course, it’s fine to have admin_user: aitor, but you’d need to add aitor to vault_sudoer_passwords.
You can also simplify your users list by removing one of the two keys listed for admin_user, given that you say they are the same key (just from different locations).
Indeed your admin_user can connect, as you verified with ssh aitor@188.226.213.77. The problem was that after Ansible had connected, it tested the sudo password it needed to run as the become user. With no password set for aitor, the message was ERROR! Incorrect sudo password.
Note that -K (uppercase letter K) is a convenient shortcut for --ask-become-pass.
Ok, then, I went back to “admin”. Should I type “example_password” when the terminal prompts me for the password after -K?
In any case, I got this error:
TASK [setup] *******************************************************************
fatal: [188.226.213.77]: UNREACHABLE! => {"changed": false, "msg": "ERROR! SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue", "unreachable": true}
Also, a while ago, I tried the second way: generating a password with passlib, setting it up for “aitor” in vault_sudoer_passwords of group_vars/staging and keeping “aitor” as admin_user (with the same error as in the first post in this thread).
Yes. Don’t hesitate to experiment like this, especially given that this is your staging site and not production. From the Trellis docs for admin user:
[once you] add the option --ask-become-pass when running server.yml … This prompts you to enter the sudoer password described in the “Admin User Sudoer Password” section [ i.e. example_password]
UNREACHABLE! ... ERROR! SSH encountered an unknown error during the connection.
This can arise after you recreate your VPS and your ~/.ssh/known_hosts has an outdated host key for your domain/ip. Open ~/.ssh/known_hosts and remove the entry for 188.226.213.77 and for any associated domain names. Save the file, and try running server.yml again.
I don’t think this is related to the ssh connection problem. The problem is probably with outdated known_hosts entries. Just be sure that your local machine has the private key that corresponds to the public key you put on your server at time of creating the current VPS (e.g., creating the DigitalOcean droplet). That key pair enables server.yml to connect as the root user.
You can use the root user’s same key pair for the web_user and/or admin_user if you want, or a different pair. Just be sure that your local machine has the private key that corresponds to the public key(s) you list for web_user and admin_user in the users dictionary.
Ok, yesterday I detected, with the verbosity option -vvvv, the known_hosts issue and I fixed it with ssh-keygen -R. Anyway, I did it again by hand with no success.
I have an ERROR! SSH encountered an unknown error message in the terminal output and several no such identity messages at the end of the output.
Looking at the pastebin output, I see admin... does not exist. This is probably because on your previous runs of server.yml the user admin was not created. The users dictionary had the admin_user variable but that variable resolved to aitor not admin, so only the user aitor was created.
Easiest approach – recreate VPS
If it’s convenient to just recreate the VPS, go ahead and do it, and again clean out the known_hosts entries. Leaving admin_user: admin, run server.yml and the connection should work.
Harder, but keeps current VPS
If you prefer not to recreate the VPS, temporarily set admin_user: aitor just so Trellis can connect as aitor. Manually add the user named admin to users, like this:
Run server.yml with -K as you have been doing, enter example_password when prompted. Assuming it runs to completion, you will now have both the admin and aitor users on the VPS. You can leave the edits above as they are, or reverse them. With admin created on the server, you can have admin_user: admin and the connection should succeed when you run server.yml again in the future.
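As an added example (not code from the original poster or from Trellis itself), here is a small Python check that reproduces the two failure modes discussed in this thread: a sudo user (the renamed admin_user) with no entry in vault_sudoer_passwords, which makes server.yml fail with "Incorrect sudo password" after SSH has already succeeded, and an admin_user that the users list never creates. The users and vault data are constructed inline to mirror the thread's configuration rather than read from real group_vars files; the key strings and passwords are placeholders, and the "fixed" data follows the "harder, but keeps current VPS" approach above (connect as aitor, also create admin, give both a sudoer password).

```python
"""Consistency check for Trellis-style users / vault_sudoer_passwords data.

Assumptions (this is an added example, not Trellis code): the YAML files are
already loaded into dicts, user names are plain "{{ var }}" references to
top-level variables, and membership in group "sudo" is what grants sudo.
"""
import re
from typing import Dict, List, Tuple

_VAR_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def resolve(template: str, variables: Dict[str, str]) -> str:
    """Expand "{{ admin_user }}"-style references (filters and nested
    templates are out of scope, by assumption)."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined variable in users list: {name}")
        return variables[name]
    return _VAR_RE.sub(substitute, template)


def check_sudoer_config(users_yml: dict, vault_yml: dict) -> List[Tuple[str, str]]:
    """Return (severity, message) findings.

    "error": server.yml will fail (sudo password missing for a sudo user, or
             admin_user never created / not a sudoer).
    "warn":  harmless but worth cleaning up (duplicate keys, orphaned entries).
    """
    findings: List[Tuple[str, str]] = []
    variables = {k: v for k, v in users_yml.items() if isinstance(v, str)}
    passwords = vault_yml.get("vault_sudoer_passwords", {})
    admin = resolve(users_yml["admin_user"], variables)

    created: Dict[str, List[str]] = {}  # resolved user name -> groups
    for entry in users_yml.get("users", []):
        name = resolve(entry["name"], variables)
        groups = entry.get("groups", [])
        created[name] = groups
        if "sudo" in groups and name not in passwords:
            findings.append(("error", f"{name} is in group sudo but has no entry in vault_sudoer_passwords"))
        keys = entry.get("keys", [])
        if len(set(keys)) != len(keys):
            findings.append(("warn", f"{name} lists the same public key more than once"))

    if admin not in created:
        findings.append(("error", f"admin_user {admin} is not in the users list, so server.yml cannot create it"))
    elif "sudo" not in created[admin]:
        findings.append(("error", f"admin_user {admin} is not in group sudo, so become will fail"))

    for name in passwords:
        if name not in created:
            findings.append(("warn", f"vault_sudoer_passwords has an entry for {name}, but no such user is in the users list"))
    return findings


def errors(findings: List[Tuple[str, str]]) -> List[str]:
    return [msg for sev, msg in findings if sev == "error"]


# Constructed placeholder; not a real key.
LAPTOP_KEY = "ssh-rsa AAAAB3NzaC1yc2E...placeholder laptop"

# The poster's situation: admin_user renamed to aitor, the vault still only
# knows about admin, and the same key listed twice for the admin user.
BROKEN_USERS = {
    "admin_user": "aitor",
    "web_user": "web",
    "users": [
        {"name": "{{ web_user }}", "groups": ["www-data"], "keys": [LAPTOP_KEY]},
        {"name": "{{ admin_user }}", "groups": ["sudo"], "keys": [LAPTOP_KEY, LAPTOP_KEY]},
    ],
}
BROKEN_VAULT = {"vault_sudoer_passwords": {"admin": "example_password"}}

# The "keep current VPS" fix: connect as aitor, also create admin, and give
# both a sudoer password (aitor's value is a placeholder, not a real secret).
FIXED_USERS = {
    "admin_user": "aitor",
    "web_user": "web",
    "users": [
        {"name": "{{ web_user }}", "groups": ["www-data"], "keys": [LAPTOP_KEY]},
        {"name": "{{ admin_user }}", "groups": ["sudo"], "keys": [LAPTOP_KEY]},
        {"name": "admin", "groups": ["sudo"], "keys": [LAPTOP_KEY]},
    ],
}
FIXED_VAULT = {
    "vault_sudoer_passwords": {"admin": "example_password", "aitor": "aitor_sudo_password_placeholder"}
}

if __name__ == "__main__":
    for label, users, vault in (("broken", BROKEN_USERS, BROKEN_VAULT), ("fixed", FIXED_USERS, FIXED_VAULT)):
        print(f"== {label} ==")
        for sev, msg in check_sudoer_config(users, vault) or [("ok", "no findings")]:
            print(f"[{sev}] {msg}")
```

Run it before server.yml: any "error" line means the play will either stop at the sudo password check (the ERROR! Incorrect sudo password case above) or never create the account you later set as admin_user (the admin... does not exist case). The duplicate-key warning corresponds to the suggestion earlier in the thread to drop one of the two identical keys.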