Custom deployment - Problem with SFTP key and cURL: "curl failed to verify the legitimacy of the server"

Hi everyone.
I have a problem when I try to use cURL for a custom deployment. I followed this guide: Custom Deployment, but when the script reaches the cURL call, I get the following:

curl: (60) SSL peer certificate or SSH remote key was not OK, More details here: https://curl.haxx.se/docs/sslcerts.html. curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

This is my configuration:

    after_success:
    - echo "${SFTP_KEY}" | base64 --decode > /tmp/sftp_rsa
    - cd $HOME/.m2/repository/acme
    - zip -r acme.zip acme-tfg
    - curl -T acme.zip --key /tmp/sftp_rsa sftp://${SFTP_USER}:${SFTP_PASSWORD}@${SFTP_DOMAIN}/${SFTP_DIRECTORY}/acme.zip

The SFTP_KEY is the ssh-keygen public key of my server, and it is written ‘as is’ in the travis.yml file; it is not re-encoded by anything. What am I doing wrong?
At the top of the build, the job indicates that the key is exported, but in the summary at the top of the page Travis doesn’t show me the SFTP_KEY variable, while the others are shown: (FTP_USER=[secure] SFTP_PASSWORD=[secure] SFTP_DOMAIN=[secure] SFTP_DIRECTORY=[secure]) - the SFTP_KEY is missing.
Thanks.

“curl failed to verify the legitimacy of the server” means that the remote public key is not trusted.

https://everything.curl.dev/usingcurl/scpsftp#known-hosts

But which key should I put in the known_hosts file? As I said, the SFTP_KEY environment variable contains the public key of my server, generated using the ssh-keygen command, in the same user folder to which I’m going to upload the build. This is why I don’t understand the error.
One more thing: I don’t know if it is normal behaviour, but the echo command shows nothing in the build’s log.

The public key of the remote server that you’re connecting to.

It doesn’t work. Thanks for the help, but I’m going to use the -k option. The user, password, IP and so on are encrypted by the Travis CLI, so I don’t have any private data in clear text.

I don’t know what you’re talking about. The encrypted envvars are encrypted inside .travis.yml and their contents are filtered from the log, but the build logic sees their real values.

Yes. What I said is that I’m using the -k (or --insecure) option in the cURL command because I have encrypted all the connection parameters, such as the IP address, the folder, the username and the password, so I think that I don’t “need” to use the --key option because the envvars used to connect to the server are already encrypted.

Do whatever you want. If you aren’t getting the remote server’s public key beforehand and adding it to known_hosts, you are not verifying its identity, leaving yourself open to a MITM attack. As simple as that.

Yes, I understood that is a security risk.
One doubt: is the known_hosts file the Travis virtual machine’s own file?
What I mean is: must my server’s public key be placed in the known_hosts inside the Travis virtual machine that runs the builds?
If that is the solution, the steps I must follow will be:

  1. Create the .ssh folder and the known_hosts file.
  2. Copy the public key from travis.yml to known_hosts.

Isn’t it?
Thanks.

Yes.

Okay.
First: I have added the public key file to Travis’s known_hosts file. Here is the code:

  • mv id_rsa.pub $HOME/.ssh
  • cd $HOME/.ssh
  • cat id_rsa.pub >> known_hosts

The id_rsa.pub file is in the root of the repo.
Then, I have added the private key file, encrypted with travis encrypt-file --pro id_rsa --add. The private key is required by cURL in order to work. Again, here is the code:

  • openssl aes-256-cbc -K $encrypted_9806a53ad28f_key -iv $encrypted_9806a53ad28f_iv -in id_rsa.enc -out id_rsa -d
  • mv id_rsa $HOME

The id_rsa file is also in the root of the repo. And the cURL command:

curl -T acme.zip --key $HOME/id_rsa sftp://${SFTP_USER}:${SFTP_PASSWORD}@${SFTP_DOMAIN}/${SFTP_DIRECTORY}/acme.zip

(All the dollar signs are written, but they don’t appear.)
With the two keys added, cURL fails again with the same error:
curl: (60) SSL peer certificate or SSH remote key was not OK

I don’t know what else I can do. I have added the two keys in the Travis build; in my local terminal it works, but in Travis it doesn’t.
Thanks in advance.

There’s nothing Travis-specific here, you need to do it the same way as you would do locally for the same software, only do it programmatically.

known_hosts has a different format than id_rsa.pub so you can’t just copy one to the other. If it “worked” locally then you had actually added the key in some other way before (perhaps manually) and the copying had nothing to do with it. See e.g.
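The two points made in this thread, that -k (--insecure) skips host-key verification entirely and that an id_rsa.pub line is not a known_hosts entry, as an added Python example that is not code from the thread, from curl or from Travis. It converts a server's ssh-keygen public key line into a known_hosts entry (plain host, [host]:port for a non-default port, or the hashed |1| form that ssh-keyscan -H writes), computes the SHA256 fingerprint that ssh-keygen -lf prints for the same key, and checks whether a known_hosts file pins a given key for a given host. The host name sftp.example.com and the key blob are constructed for the example and are not a real key.

```python
"""known_hosts helpers (added example; the sample key below is constructed).

An OpenSSH public key file such as id_rsa.pub holds
    <keytype> <base64 blob> [comment]
while a known_hosts entry holds
    <host[,host...]> <keytype> <base64 blob> [comment]
where the host field may be hashed as |1|<base64 salt>|<base64 HMAC-SHA1>.
"""
import base64
import hashlib
import hmac
import os

# Constructed sample of a *server* host key as ssh-keygen writes it (the kind
# of line the original poster kept in SFTP_KEY). The blob is not a real key.
SAMPLE_PUBKEY_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3VGF1bG1hbnRyYQ== root@sftp.example.com"
)


def parse_pubkey(line):
    """Split an id_rsa.pub style line into (keytype, blob_b64, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key line")
    base64.b64decode(parts[1], validate=True)  # rejects a truncated or garbled copy
    comment = parts[2] if len(parts) == 3 else ""
    return parts[0], parts[1], comment


def fingerprint(blob_b64):
    """SHA256 fingerprint in ssh-keygen -lf format: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_field(host, port=22):
    """known_hosts host field: bare name on port 22, [host]:port otherwise."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def hashed_host_field(field, salt=None):
    """Hash the host field the way HashKnownHosts / ssh-keyscan -H do."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, field.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def to_known_hosts_entry(pubkey_line, host, port=22, hash_host=False):
    """Turn a public key line into the known_hosts line that pins it for host."""
    keytype, blob, _comment = parse_pubkey(pubkey_line)
    field = host_field(host, port)
    if hash_host:
        field = hashed_host_field(field)
    return "%s %s %s" % (field, keytype, blob)


def host_field_matches(entry_field, host, port=22):
    """True if a known_hosts host field (plain list or hashed) names host:port."""
    want = host_field(host, port)
    if entry_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = entry_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), want.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return want in entry_field.split(",")


def lookup_host_keys(known_hosts_text, host, port=22):
    """Return [(keytype, fingerprint)] pinned for host; marker lines (@...) are skipped."""
    found = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split(None, 3)
        if len(parts) >= 3 and host_field_matches(parts[0], host, port):
            found.append((parts[1], fingerprint(parts[2])))
    return found


def host_key_is_pinned(known_hosts_text, host, pubkey_line, port=22):
    """True only if known_hosts pins exactly the key in pubkey_line for host."""
    keytype, blob, _ = parse_pubkey(pubkey_line)
    return (keytype, fingerprint(blob)) in lookup_host_keys(known_hosts_text, host, port)


if __name__ == "__main__":
    entry = to_known_hosts_entry(SAMPLE_PUBKEY_LINE, "sftp.example.com")
    print(entry)
    print(fingerprint(parse_pubkey(SAMPLE_PUBKEY_LINE)[1]))
    print(host_key_is_pinned(entry, "sftp.example.com", SAMPLE_PUBKEY_LINE))
```

The practical sequence in a build is then: write the pinned entry (not the raw id_rsa.pub line) to $HOME/.ssh/known_hosts of the user running the job, compare the fingerprint against the one recorded out-of-band from the server itself, and run curl without -k. curl's --key option is the client's private key for authentication and has nothing to do with trusting the server; only the known_hosts entry does that.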

You’re right, the format is different.
But now I face another problem, which I think is Travis-specific.
I cut and pasted the “rsa fingerprint” that I have locally into a new file. I encrypted this file using travis encrypt-file --pro xxxxx --add. I did the same with the private key file.
Now, in my travis.yml file I have 2 openssl aes-256-cbc ... commands. But when Travis builds, the first file is decrypted correctly, but with the second file the build fails and the openssl command returns a bad decrypt output.
Can’t I do this? Must I have only one encrypted file? Or am I doing something wrong?
Thanks.

Many thanks @native-api
As you said in the linked post, I had an outdated version, so I just updated the travis gem, re-encrypted the files and committed the changes.
