SSH Key Error Fix
November 17, 2024 · AI Conversations
```yaml
pipelines:
  default:
    - step:
        name: Deploy Code to EC2
        caches:
          - node
        script:
          - apt-get update && apt-get install -y openssh-client
          - eval $(ssh-agent -s) # Start the SSH agent
          - mkdir -p ~/.ssh # Create ~/.ssh before writing the key into it
          - chmod 700 ~/.ssh
          - echo "$SSH_PRIVATE_KEY" | base64 --decode > ~/.ssh/id_rsa # Decode and store the SSH private key
          - chmod 600 ~/.ssh/id_rsa # Set correct permissions for the private key
          - ssh-add ~/.ssh/id_rsa # Add the private key to the agent
          - echo "$EC2_SSH_PUBLIC_KEY" > ~/.ssh/authorized_keys # Add the public key to authorized_keys
          - chmod 600 ~/.ssh/authorized_keys
          - ssh-keyscan -H ec2-16-170-254-93.eu-north-1.compute.amazonaws.com >> ~/.ssh/known_hosts # Add EC2 to known hosts
          - rsync -avz --exclude=.git --exclude=node_modules ./ ubuntu@ec2-16-170-254-93.eu-north-1.compute.amazonaws.com:/var/www/shareyourthoughts
          - ssh -o StrictHostKeyChecking=no ubuntu@ec2-16-170-254-93.eu-north-1.compute.amazonaws.com "cd /var/www/shareyourthoughts && git pull origin main"
```
give error in bitbucket pipeline
```bash
echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
```
1. **Line Endings**: Since you're using `tr -d '\r'`, this should normally handle Windows line endings, but the SSH private key might still have an issue with its format (perhaps due to line breaks or a corrupted key). Double-check the key's integrity and formatting.
2. **Base64 Decoding**: Ensure that the private key is being decoded properly. You are using `echo "$SSH_PRIVATE_KEY" | base64 --decode > ~/.ssh/id_rsa` in your script, which should be fine, but you could try decoding with `base64 -d` explicitly. Also, check that `$SSH_PRIVATE_KEY` contains the key in base64 format and doesn't have extra line breaks.
3. **Key Format**: Make sure that the SSH private key is in the correct format. If your private key is in PEM format and you're using an OpenSSH key format, there could be compatibility issues. If needed, you can convert the key to the correct format using the following command:

   ```bash
   ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
   ```

4. **Key Permissions**: You're setting the correct permissions with `chmod 600 ~/.ssh/id_rsa`, but ensure the directory `.ssh` also has correct permissions with `chmod 700 ~/.ssh`.
5. **Ensure SSH Agent is Running**: It seems you are using `eval $(ssh-agent -s)` to start the agent, but sometimes it's helpful to ensure the agent is fully initialized before adding the key. You can try the following instead:

   ```bash
   eval $(ssh-agent)
   echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
   ```

6. **Use a Different SSH Agent**: If the error persists, you could try using a different SSH agent or installing the OpenSSH client on a separate container for your pipeline.
Here's an updated snippet with some potential fixes:

```yaml
image: node:21
pipelines:
  default:
    - step:
        name: Deploy Code to EC2
        caches:
          - node
        script:
          - apt-get update && apt-get install -y openssh-client
          - eval $(ssh-agent -s) # Start the SSH agent
          - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - # Remove Windows line endings and add the key
          - mkdir -p ~/.ssh
          - chmod 700 ~/.ssh
          - echo "$EC2_SSH_PUBLIC_KEY" > ~/.ssh/authorized_keys # Add the public key to authorized_keys
          - chmod 600 ~/.ssh/authorized_keys
          - ssh-keyscan -H ec2-16-170-254-93.eu-north-1.compute.amazonaws.com >> ~/.ssh/known_hosts # Add EC2 to known hosts
          - rsync -avz --exclude=.git --exclude=node_modules ./ ubuntu@ec2-16-170-254-93.eu-north-1.compute.amazonaws.com:/var/www/shareyourthoughts
          - ssh -o StrictHostKeyChecking=no ubuntu@ec2-16-170-254-93.eu-north-1.compute.amazonaws.com "cd /var/www/shareyourthoughts && git pull origin main"
```
If you're still encountering issues, it may be helpful to check the specific format of the SSH key or try regenerating it. Let me know if these steps help or if the error persists!
### 1. **Generate New SSH Keys**
Run the following commands to generate a new pair of SSH keys.
#### For Bitbucket:
Bitbucket will require a public key that you'll add to your Bitbucket repository or account for authentication.
```bash
# Generate a new SSH key for Bitbucket
ssh-keygen -t rsa -b 4096 -C "bitbucket@yourdomain.com" -f ~/.ssh/bitbucket_id_rsa
```

- When prompted to save the file, press **Enter** to use the default location `~/.ssh/bitbucket_id_rsa`.
- When asked to enter a passphrase, you can choose to leave it empty for no passphrase or enter a secure one.

This will create two files:

- `~/.ssh/bitbucket_id_rsa` (private key)
- `~/.ssh/bitbucket_id_rsa.pub` (public key)

#### For AWS EC2:
To generate the key for AWS EC2 access, use the same process but with a different name:

```bash
# Generate a new SSH key for EC2
ssh-keygen -t rsa -b 4096 -C "ec2@yourdomain.com" -f ~/.ssh/ec2_id_rsa
```

- As with the Bitbucket key, press **Enter** to accept the default file location or specify a custom one.
- Leave the passphrase empty or enter a secure one.

This will create:

- `~/.ssh/ec2_id_rsa` (private key)
- `~/.ssh/ec2_id_rsa.pub` (public key)
### 2. **Add Public Key to Bitbucket**
1. **Copy the Public Key for Bitbucket**:
Copy the contents of the `~/.ssh/bitbucket_id_rsa.pub` file. You can do this with the following command:
   ```bash
   cat ~/.ssh/bitbucket_id_rsa.pub
   ```

2. **Add the Key to Bitbucket**:
   - Go to [Bitbucket Settings](https://bitbucket.org/account/settings/).
   - Under **SSH keys**, click on **Add key**.
   - Paste the contents of the `bitbucket_id_rsa.pub` file into the key field and give it a name (e.g., "Bitbucket Deploy Key").
### 3. **Add Public Key to EC2 Instance**
1. **Copy the Public Key for EC2**:
Copy the contents of the `~/.ssh/ec2_id_rsa.pub` file:
   ```bash
   cat ~/.ssh/ec2_id_rsa.pub
   ```

2. **Add the Key to EC2**:
   If you have SSH access to the EC2 instance already, you can add the key to the `~/.ssh/authorized_keys` file of the `ubuntu` (or other user) account on EC2.

   SSH into your EC2 instance:

   ```bash
   ssh -i ~/.ssh/your_existing_key.pem ubuntu@ec2-16-170-254-93.eu-north-1.compute.amazonaws.com
   ```

   Once logged in, add the public key to `~/.ssh/authorized_keys`:

   ```bash
   echo "your-ec2-public-key" >> ~/.ssh/authorized_keys
   ```

   Replace `your-ec2-public-key` with the contents of `~/.ssh/ec2_id_rsa.pub`.

   Ensure the permissions of the `authorized_keys` file are correct:

   ```bash
   chmod 600 ~/.ssh/authorized_keys
   ```
### 4. **Add the Private Keys to Bitbucket Pipeline**
In your Bitbucket repository's **Pipeline settings**, add the private keys as environment variables to authenticate the deployment process.
1. **Add SSH Private Key for Bitbucket**:
   - Go to your Bitbucket repository.
   - Navigate to **Repository settings** > **Pipeline settings** > **Environment Variables**.
   - Add a variable named `SSH_PRIVATE_KEY` and paste the contents of the `bitbucket_id_rsa` private key (ensure you remove any line breaks or extra spaces).
2. **Add SSH Private Key for EC2**:
   - Add another variable named `EC2_SSH_PRIVATE_KEY` and paste the contents of the `ec2_id_rsa` private key.
3. **Ensure Permissions**:
   - Ensure you are granting the necessary read permissions to your private key, for example:

   ```bash
   chmod 600 ~/.ssh/bitbucket_id_rsa
   chmod 600 ~/.ssh/ec2_id_rsa
   ```
### 5. **Update Bitbucket Pipeline Script**
Update your Bitbucket pipeline script to use the new keys:
```yaml
image: node:21
pipelines:
  default:
    - step:
        name: Deploy Code to EC2
        caches:
          - node
        script:
          - apt-get update && apt-get install -y openssh-client
          - eval $(ssh-agent -s) # Start the SSH agent
          - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - # Bitbucket key for Bitbucket repository
          - echo "$EC2_SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - # EC2 private key
          - mkdir -p ~/.ssh
          - chmod 700 ~/.ssh
          - echo "$EC2_SSH_PUBLIC_KEY" > ~/.ssh/authorized_keys # Add EC2 public key to authorized_keys
          - chmod 600 ~/.ssh/authorized_keys
          - ssh-keyscan -H ec2-16-170-254-93.eu-north-1.compute.amazonaws.com >> ~/.ssh/known_hosts # Add EC2 to known hosts
          - rsync -avz --exclude=.git --exclude=node_modules ./ ubuntu@ec2-16-170-254-93.eu-north-1.compute.amazonaws.com:/var/www/shareyourthoughts
          - ssh -o StrictHostKeyChecking=no ubuntu@ec2-16-170-254-93.eu-north-1.compute.amazonaws.com "cd /var/www/shareyourthoughts && git pull origin main"
```
This should regenerate your keys, set them up properly, and allow the Bitbucket pipeline to deploy your code to AWS EC2 without any SSH issues.
### 1. **Ensure Correct Private Key Format**
Make sure the private key is in the correct format. Bitbucket's `SSH_PRIVATE_KEY` environment variable should be the raw private key content without any extra characters, line breaks, or additional encoding. If you're base64 encoding the key for storage, ensure it gets properly decoded.
- **Check for Corrupt Key**: Verify the integrity of the key by copying the contents again. You should see the key starting with `-----BEGIN OPENSSH PRIVATE KEY-----` or `-----BEGIN RSA PRIVATE KEY-----`, and ending with `-----END OPENSSH PRIVATE KEY-----` or `-----END RSA PRIVATE KEY-----`.
- **Base64 Encoding**: If you're using base64 encoding to pass the key as an environment variable, make sure you're decoding it properly before passing it to `ssh-add`. The error could also arise if the base64-encoded string is not decoded properly before it's used.
### 2. **Check the Private Key's Permissions**
Ensure that the private key permissions are set to `600`:
```bash
chmod 600 ~/.ssh/id_rsa
```
### 3. **Use `ssh-add` Correctly**
Make sure `ssh-add` is being used correctly. Instead of directly passing the private key through a pipe, try saving it to a file and adding it:
```bash
echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
ssh-add ~/.ssh/id_rsa
```
This avoids potential issues caused by piping the key through `ssh-add` directly.
### 4. **Check for Windows Line Breaks**
If your key is stored on a Windows machine or environment (e.g., Bitbucket's web UI or Windows development environment), there might be extra carriage return (`\r`) characters that are causing issues.
Ensure the key doesn't contain any extra carriage returns or line breaks before running the `ssh-add` command. You can do this by using `tr -d '\r'` to remove `\r` characters before adding the key.
### 5. **Try Using a Different Key Format (PEM)**
If you're still encountering issues with the OpenSSH key format, you can try converting the key to PEM format:
```bash
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
```
This will convert the private key to the PEM format, which might resolve the issue.
### 6. **Manually Inspect the Private Key**
You can manually inspect the private key by opening it and checking for any obvious errors or inconsistencies.
```bash
cat ~/.ssh/id_rsa
```
Look for any strange characters or missing lines, and ensure the entire private key is intact.
### 7. **Test SSH Authentication**
To verify that the key is working, try logging into your EC2 instance manually using the private key:
```bash
ssh -i ~/.ssh/id_rsa ubuntu@ec2-16-170-254-93.eu-north-1.compute.amazonaws.com
```
If this works, the private key is correct, and the issue likely lies in how it's being passed to `ssh-add` or handled in the Bitbucket pipeline.
By following these steps, you should be able to resolve the `Error loading key "(stdin)": error in libcrypto` error. Let me know how it goes!
### How `ssh-add` Works:
1. **Add Keys to the SSH Agent**: The primary use of `ssh-add` is to load your private SSH keys into the `ssh-agent`. Once the keys are added, you can authenticate to remote systems (like EC2, Bitbucket, or GitHub) without having to enter your password or passphrase each time.
2. **Passphrase Handling**: If your SSH key is protected by a passphrase, `ssh-add` can store it in memory, so you don’t have to type the passphrase every time you use the key.
3. **Key Management**: You can use `ssh-add` to manage which keys are loaded into `ssh-agent` and remove keys if necessary.
### Basic Usage of `ssh-add`:
#### 1. **Add a Key to the SSH Agent**:
To add an SSH private key to the agent, use:
```bash
ssh-add ~/.ssh/id_rsa
```
This adds the private key `id_rsa` located in the `~/.ssh` directory.
#### 2. **Start the SSH Agent**:
If the SSH agent isn't already running, you'll need to start it first:
```bash
eval $(ssh-agent -s)
```
This starts the `ssh-agent` process and sets the necessary environment variables for it.
#### 3. **List Loaded Keys**:
You can list all the SSH keys currently loaded in the agent with:
```bash
ssh-add -l
```
This shows the fingerprints of the loaded keys.
#### 4. **Remove a Key from the SSH Agent**:
To remove a specific key from the agent:
```bash
ssh-add -d ~/.ssh/id_rsa
```
To remove all keys from the agent:
```bash
ssh-add -D
```
#### 5. **Add Keys Automatically Using `ssh-add` in Scripts**:
In a continuous integration (CI) environment like Bitbucket Pipelines, you can automate the process of loading SSH keys for deployment purposes. For example, you might use a command like:
```bash
echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
```
This command reads the private key (passed as an environment variable `SSH_PRIVATE_KEY`), removes any carriage return characters, and adds the key to `ssh-agent` for use in subsequent SSH connections (like to an EC2 instance or Bitbucket repository).
### Why Use `ssh-add`?
- **Security**: Storing keys in `ssh-agent` improves security by allowing you to use keys without saving them in files that are easily accessible.
- **Convenience**: It simplifies SSH-based authentication. Once a key is added to `ssh-agent`, you don't need to type a passphrase every time you SSH into a server.
- **Key Management**: It makes managing multiple SSH keys easier, especially when using keys for different services like GitHub, Bitbucket, and EC2.
In short, `ssh-add` simplifies the management and use of SSH keys, especially for automated or frequent SSH connections.
```yaml
pipelines:
  default:
    - step:
        name: Deploy Code to EC2
        caches:
          - node
        script:
          - apt-get update && apt-get install -y openssh-client
          - eval $(ssh-agent -s) # Start the SSH agent
          - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - # Bitbucket key for Bitbucket repository
          - echo "$EC2_SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - # EC2 private key
          - mkdir -p ~/.ssh
          - chmod 700 ~/.ssh
          - echo "$EC2_SSH_PUBLIC_KEY" > ~/.ssh/authorized_keys # Add EC2 public key to authorized_keys
          - chmod 600 ~/.ssh/authorized_keys
          - ssh-keyscan -H ec2-16-170-254-93.eu-north-1.compute.amazonaws.com >> ~/.ssh/known_hosts # Add EC2 to known hosts
          - rsync -avz --exclude=.git --exclude=node_modules ./ ubuntu@ec2-16-170-254-93.eu-north-1.compute.amazonaws.com:/var/www/shareyourthoughts
          - ssh -o StrictHostKeyChecking=no ubuntu@ec2-16-170-254-93.eu-north-1.compute.amazonaws.com "cd /var/www/shareyourthoughts && git pull origin main"
```
filename is bitbucket_id_rsa
1. **Store the Private Key**: Store the `bitbucket_id_rsa` private key as an environment variable in your Bitbucket repository's settings. You will need to encode it properly to avoid line breaks and special characters.
2. **Bitbucket Pipeline Setup**: You can update the pipeline script to reference this key and ensure that it's used properly by the SSH agent.
### Steps to Correctly Reference the Private Key:
#### 1. **Add the Private Key as an Environment Variable**:
In Bitbucket, go to **Repository Settings** > **Pipeline Settings** > **Environment Variables**.
Add an environment variable for the `bitbucket_id_rsa` private key:
- **Name**: `SSH_PRIVATE_KEY`
- **Value**: The contents of the `bitbucket_id_rsa` private key (ensure no extra spaces, and it's the raw key).
If you’re passing it as base64 encoded, make sure to decode it as shown in the script.
#### 2. **Updated Bitbucket Pipeline Script**:
Modify your pipeline script to ensure the `bitbucket_id_rsa` key is used correctly.
```yaml
image: node:21
pipelines:
  default:
    - step:
        name: Deploy Code to EC2
        caches:
          - node
        script:
          - apt-get update && apt-get install -y openssh-client
          # Start the SSH agent
          - eval $(ssh-agent -s)
          # Add the Bitbucket private key to the SSH agent
          - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - # Bitbucket key for Bitbucket repository
          # Add the EC2 private key to the SSH agent
          - echo "$EC2_SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - # EC2 private key
          # Set up SSH config
          - mkdir -p ~/.ssh
          - chmod 700 ~/.ssh
          # Add EC2 public key to authorized_keys
          - echo "$EC2_SSH_PUBLIC_KEY" > ~/.ssh/authorized_keys
          - chmod 600 ~/.ssh/authorized_keys
          # Add EC2 to known hosts
          - ssh-keyscan -H ec2-16-170-254-93.eu-north-1.compute.amazonaws.com >> ~/.ssh/known_hosts
          # Sync files using rsync, excluding git and node_modules directories
          - rsync -avz --exclude=.git --exclude=node_modules ./ ubuntu@ec2-16-170-254-93.eu-north-1.compute.amazonaws.com:/var/www/shareyourthoughts
          # Pull the latest code from the repository on EC2
          - ssh -o StrictHostKeyChecking=no ubuntu@ec2-16-170-254-93.eu-north-1.compute.amazonaws.com "cd /var/www/shareyourthoughts && git pull origin main"
```
### Key Details:
- **Private Key (`SSH_PRIVATE_KEY`)**: This is your Bitbucket private key (`bitbucket_id_rsa`) which is added to the SSH agent using `ssh-add`.
- **EC2 Private Key (`EC2_SSH_PRIVATE_KEY`)**: This is the private key used for connecting to the EC2 instance. It should be added to the agent using `ssh-add` as well.
- **Public Key (`EC2_SSH_PUBLIC_KEY`)**: This should be your EC2 instance's public key that is used to set up `authorized_keys` on the EC2 instance.
### Troubleshooting:
- **Ensure the key is in the correct format**: The key should be the raw private key. If it's base64 encoded, make sure to decode it properly before passing it into `ssh-add` as shown in the script (`echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -`).
- **Permissions**: Verify that the private keys have the correct permissions (`chmod 600 ~/.ssh/id_rsa` for both Bitbucket and EC2 keys).
With this setup, your Bitbucket pipeline will load the SSH private keys into the SSH agent, allowing it to deploy code to your EC2 instance successfully.
I had that error because the file with the private key did not end with a newline. Once I added a newline to the end of the file, the problem was gone.
By adding the newline at the end of the private key file, you allowed `ssh-add` to properly read and load the key into the SSH agent, resolving the error.
### Key Takeaway:
Always ensure that the private key file ends with a newline character when working with SSH keys in scripts or CI/CD pipelines. It’s a simple fix but can avoid frustrating issues like the one you encountered.