Could not connect to SSH endpoint: Unable to obtain endpoint fingerprint

Hello. I’m trying to register a Linux host with an SSH key pair and I get an error when I check health

Starting health check for a limited set of machines. 
December 6th 2022 13:17:15Info
Performing health check on 1 machine. 
December 6th 2022 13:17:15Fatal
The health check failed. One or more machines were not available. 
Check deployment target: by1-pgsql-01
Ran for 0 seconds
December 6th 2022 13:17:15Fatal
Could not connect to SSH endpoint: Unable to obtain endpoint fingerprint. Please try enter details manually.
Unable to obtain endpoint fingerprint. Please try enter details manually. 
Summary
Ran for 0 seconds
December 6th 2022 13:17:15Info
Offline: 
December 6th 2022 13:17:15Info
 - by1-pgsql-01 at ssh://by1-pgsql-01:2200/, error: Could not connect to SSH endpoint: Unable to obtain endpoint fingerprint. Please try enter detail... 
December 6th 2022 13:17:15Fatal
One or more machines were not available. Please see the output Log for details. 

I did according to the instructions

and Linux targets - Octopus Deploy
How to solve it?
Host: Ubuntu 22.04

Good morning @licenses2,

Thank you for contacting Octopus Support and welcome to the forums, sorry to hear you are having trouble connecting to one of your SSH targets.

What version of Octopus are you running and have you set up the key with ed25519 or rsa?

From Octopus 2021.1.7466, Octopus supports newer ED25519 SSH keys. For older versions, and legacy compatibility, you would need to use the RSA key.

The first thing to try would be to enter the details of the target manually and see if the health check passes:

You can retrieve the fingerprint of the default key configured in your sshd_config file from the target server with the following command:

ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ed25519_key.pub | cut -d' ' -f2 | awk '{ print $1}' | cut -d':' -f2-

This is if you have set up an ed25519 key.

The other things to check are whether the port you have chosen to set the SSH target to listen on (default of 22) is open on the SSH target and is listening. Your networking team should be able to confirm that.

Did you copy the private key to the machine your Octopus Server is installed on and then use that for the SSH account?

Sorry to throw a few things at you, SSH targets can be complex to fault find on so I do apologise for the multiple questions.

I look forward to hearing from you,

Kind Regards,
Clare

Hello.
Octopus version: 2022.2 (Build 7580)

  1. I used both ssh key options.
  2. I also used “Enter Details Manually” and inserted the fingerprint received by the command:
    ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ed25519_key.pub | cut -d' ' -f2 | awk '{ print $1}' | cut -d':' -f2-
  3. The ssh port is available and listening. Checked with telnet.
  4. I didn’t copy the ssh key to the Octopus server. I copied it to my machine, created the Account via the GUI and chose the private key.
    If I need to copy and install the ssh key on the Octopus server, where should I put it? Octopus Server is running on Windows Server.
    Thanks.

Hey @licenses2,

Sorry it's taken a long time to get back to you, I was doing some tests and my Linux box was not playing ball!
As you are on 2022.2.7580 you should be fine to use the ed25519 key. I just wanted to make sure you were not on an older version as the ed25519 key would not have worked if you were.

I just ran through our documentation from scratch on my Linux box and created the key, when it says ‘upload to the Octopus Server’ or ‘Copy the key to the Octopus Server’ it just means via the Octopus UI so it's fine if you uploaded it from your Linux box into the SSH Account section in the UI.

Did you upload the private key into the Account section? The one named ‘id_ed25519’

What did you put down as the username, is it the same username you created the key with?

Does Octopus actually register the SSH Target (ie when you set it up it allows you to find it and you can see the thumbprint etc) but then the health check fails?

If you know your SSH Account in the Octopus UI is correct (username/key/passphrase of key) then I would think about possibly deleting that SSH target in Octopus, deleting all keys from the SSH target itself and start fresh.

I will make sure we discuss this ticket in our Support meeting and see if any other of our Support staff have any other ideas.

I look forward to hearing from you,

Kind Regards,
Clare

Hey @licenses2,

Sorry for the double post but as promised I mentioned this post in our Support meeting and one of our other engineers said it looks like Octopus can't actually connect to the SSH target.

I was wondering if you can see a connection attempt being logged in the sshd logs on the target, if you run the command below does it output anything?

journalctl -u ssh

I look forward to hearing from you,

Kind Regards,
Clare

Thanks for your help.
Looked at journalctl -u ssh and saw the following errors:

Unable to negotiate with 10.10.10.24 port 50724: no matching MAC found. Their offer: hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96>
by1-pgsql-03 sshd[2917721]: error: kex_exchange_identification: client sent invalid protocol identifier "\003\003\003\004"
by1-pgsql-03 sshd[2917721]: banner exchange: Connection from 10.10.10.24 port 50796: invalid format
by1-pgsql-03 sshd[2918394]: Connection reset by authenticating user job-odeploy 10.10.10.24 port 50828 [preauth]

Next, I commented out the line in the ssh config and everything worked.

MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com

Thank you.

1 Like
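
The negotiation failure in the post above, worked through as an added example (not part of the original thread and not Octopus code): it extracts the client's MAC offer from the sshd log line, compares it with the `MACs` line from the post, and prints a `MACs` line that keeps the ETM entries and appends only the full-length SHA-2 MACs the client offered. The function names are hypothetical, the sample values are copied from the post, and keeping the hardened list rather than commenting it out is an assumption about what the server owner wants.

```sh
#!/bin/sh
# Added example: explain an sshd "no matching MAC found" failure.
# Sample values are copied from the thread; function names are hypothetical.
SERVER_MACS='hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com'
LOG_LINE='Unable to negotiate with 10.10.10.24 port 50724: no matching MAC found. Their offer: hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96>'

# Print the client's offered MAC list from one sshd log line.
# A trailing ">" is treated as the pager's mark for a chopped line (assumption).
offered_macs() {
    printf '%s\n' "$1" | sed -n 's/.*no matching MAC found\. Their offer: \([^ >]*\).*/\1/p'
}

# Print the MACs present in both comma-separated lists, in the order of the first.
common_macs() {
    out=''
    for mac in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$mac,"*) out="${out:+$out,}$mac" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Suggest a MACs line: keep the server list and, only when nothing overlaps,
# append the full-length SHA-2 MACs the client offered. MD5, SHA-1 and the
# truncated -96 variants are never added.
suggest_macs() {
    add=$(common_macs 'hmac-sha2-512,hmac-sha2-256' "$2")
    if [ -n "$(common_macs "$1" "$2")" ] || [ -z "$add" ]; then
        printf 'MACs %s\n' "$1"   # already compatible, or nothing acceptable to add
    else
        printf 'MACs %s,%s\n' "$1" "$add"
    fi
}

offer=$(offered_macs "$LOG_LINE")
echo "client offer: $offer"
echo "in common   : $(common_macs "$SERVER_MACS" "$offer")"
suggest_macs "$SERVER_MACS" "$offer"
```

An edited `sshd_config` can be syntax-checked with `sshd -t` before the service is reloaded.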

Hey @licenses2,

Fantastic news you got this working, thank you for posting up the fix too as it will help other customers who might run into this issue.

I did not know about that journal command until our lead support engineer mentioned it so I will keep that in my back pocket too as it's good for troubleshooting issues such as this, thank you for your patience whilst we worked through this together.

Reach out in future if you need anything else as we love to help here over at Octopus Support!

Kind Regards and Happy Deployments,

Clare

1 Like
