Load key "/root/.ssh/key: error in libcrypto #179

Open
longtt2705 opened this issue Apr 24, 2023 · 6 comments

@longtt2705

I am trying to install a private repository in a Dockerfile via SSH, but when the runner tries to install the package, I get the error:
Load key "/root/.ssh/key-801a24afcf65bdde333b552f2805263d9fe735a5977559ff47216d0f58d02aa5": error in libcrypto.

Here is what I have done:

  • Generate the key pair:
    ssh-keygen -t rsa -b 4096 -C "[email protected]:xxx/repo.git"
  • Add the content of the public key as a Deploy key to [email protected]:xxx/repo.git. Then add the private key's content to the secret SSH_PRIVATE_KEY of the project which wants to install repo.git.
  • Here are my package.json, build.yml and Dockerfile:

// package.json

    "repo": "git+ssh://[email protected]:xxx/repo.git",

// build.yml

name: Build & push image

on:
  workflow_call:
    inputs:
      GITHUB_PACKAGE_REPO_NAME:
        required: true
        type: string

jobs:
  build-push-image:
    runs-on: ubuntu-latest
    steps:
      - name: Set up SSH agent
        uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Collect Git and SSH config files in a directory that is part of the Docker build context
        run: |
          mkdir root-config
          cp -r ~/.gitconfig  ~/.ssh root-config/

      - name: Log in to the Github Packages
        uses: docker/login-action@xxx
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Add VERSION_LABEL with commit short sha
        run: echo "VERSION_LABEL=`echo ${GITHUB_SHA} | cut -c1-8`" >> $GITHUB_ENV

      - name: Build and push Docker image
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: ghcr.io/xxx/${{ inputs.GITHUB_PACKAGE_REPO_NAME }}:${{ env.VERSION_LABEL }}
          ssh: |
            default=${{ env.SSH_AUTH_SOCK }}
            

// Dockerfile:

FROM node:18-alpine

USER root

# Copy the two files in place and fix different path/locations inside the Docker image
COPY root-config /root/
RUN sed 's|/home/runner|/root|g' -i.bak /root/.ssh/config

# Install Git
RUN apk update && apk add git
RUN apk add --no-cache openssh-client
RUN mkdir -p -m 0700 ~/.ssh && ssh-keyscan github.com >> ~/.ssh/known_hosts
RUN --mount=type=ssh ssh -q -T [email protected] 2>&1 | echo "Welcome to Github"

WORKDIR /app/

COPY package.json ./
COPY yarn.lock ./
COPY tsconfig.json ./
COPY ./ ./

# RUN yarn add @nestjs/cli
RUN yarn install --no-cache
RUN yarn prisma generate
RUN yarn build

EXPOSE 8100

CMD yarn start

Whenever the workflow ran into RUN yarn install --no-cache and tried to install [email protected]:xxx/repo.git via SSH, I got the error: Load key "/root/.ssh/key-801a24afcf65bdde333b552f2805263d9fe735a5977559ff47216d0f58d02aa5". Can you tell me where I went wrong or what I am missing?

@EusGoed

EusGoed commented Jul 5, 2023

Make sure you didn't switch the private and public keys!

@jerbaroo

> Make sure you didn't switch the private and public keys!

We had the same issue, and it was not because of accidentally switching keys.

It was related to webfactory/ssh-agent not doing post-action cleanup, which affected subsequent runs (of a different workflow from another repo in our case).

The following was our fix:

    - run: rm $HOME/.gitconfig $HOME/.ssh/key-* || true
    - name: Add SSH private keys for submodules
      uses: webfactory/[email protected]

Possibly related to:
#178
#184

@fre171csiro

> > Make sure you didn't switch the private and public keys!
>
> We had the same issue, and it was not because of accidentally switching keys.
>
> It was related to webfactory/ssh-agent not doing post-action cleanup, which affected subsequent runs (of a different workflow from another repo in our case).
>
> The following was our fix:
>
>     - run: rm $HOME/.gitconfig $HOME/.ssh/key-* || true
>     - name: Add SSH private keys for submodules
>       uses: webfactory/[email protected]
>
> Possibly related to: #178 #184

Tried this without luck :-(

@dk-teknologisk-lag

@mpdude It seems that the public key is saved here (output of ssh-add -L gives the public keys) ?:

fs.writeFileSync(`${homeSsh}/key-${sha256}`, key + "\n", { mode: '600' });

Should that have been the private key? As it's set to permission 600, which is that for the private key part?

At least I get the same: error in libcrypto, when trying to use the key-file saved using this agent.

If I cat the Secret input (i.e. private key) directly to a file and copy that to the docker, I can get ssh / git working.

I'm in no way a Linux SSH key guru, so I might have misunderstood things.

Lastly, shouldn't

        with:
          ssh: |
            default=${{ env.SSH_AUTH_SOCK }}

allow the docker instances to use ssh with the ssh-agent from the GitHub action runner?

@dk-teknologisk-lag

I realized that this makes the private key end up in the built docker images, which it shouldn't.

An alternative is that you should mount a folder with the private key in.

But actually I wanted to use the "host" ssh agent, so I looked at some more examples of how to get that to work and figured that I need to add:

--mount=type=ssh

in front of the git clone commands.

Now it seems to work with the ssh-agent being passed to the docker build, thanks for sharing this tool.
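
A pre-build check for the two problems raised in the comments above, as an added example that is not code from this thread or from webfactory/ssh-agent: it tells public from private key files in a build context (such as the `key-<sha256>` file quoted earlier) and flags single-line `RUN` instructions that fetch dependencies without `--mount=type=ssh`. The function names, the sample file contents and the list of commands treated as needing SSH are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-build checks for a Docker context.

# classify_key_file FILE: print private, public or unknown (first line only).
classify_key_file() {
    first=$(head -n 1 "$1" | tr -d '\r')
    case "$first" in
        "-----BEGIN "*"PRIVATE KEY-----") echo private ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) echo public ;;
        *) echo unknown ;;
    esac
}

# private_keys_in_context DIR: list files under DIR that hold a private key;
# a COPY of DIR would bake them into an image layer.
private_keys_in_context() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if [ "$(classify_key_file "$f")" = private ]; then echo "$f"; fi
    done
}

# Assumption: these commands are the ones that fetch over SSH (heuristic list).
FETCH='(git[[:space:]]+(clone|fetch|pull|submodule)|yarn[[:space:]]+(install|add)|npm[[:space:]]+(install|ci))'

# runs_missing_ssh_mount DOCKERFILE: print numbered single-line RUN instructions
# that start such a command without --mount=type=ssh (no agent socket inside).
runs_missing_ssh_mount() {
    grep -nE "(^RUN|&&|;)[[:space:]]+$FETCH([[:space:]]|\$)" "$1" \
        | grep -v -- '--mount=type=ssh' || true
}

# Demo on constructed input: placeholder key text, not real key material.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root-config/.ssh"
    echo 'ssh-rsa AAAAB3CONSTRUCTED deploy-key' > "$d/root-config/.ssh/key-EXAMPLE"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/root-config/.ssh/id_copied"
    printf '%s\n' 'FROM node:18-alpine' 'RUN apk update && apk add git' \
        'RUN yarn install --no-cache' \
        'RUN --mount=type=ssh yarn install --no-cache' > "$d/Dockerfile"
    classify_key_file "$d/root-config/.ssh/key-EXAMPLE"   # public
    private_keys_in_context "$d/root-config"              # .../id_copied
    runs_missing_ssh_mount "$d/Dockerfile"                # 3:RUN yarn install --no-cache
    rm -rf "$d"
}
demo
```

Multi-line `RUN` instructions with backslash continuations are not joined by this check, so a continuation line can be reported even when the mount flag sits on the line above it.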

@dhanimay

@longtt2705 did you find any resolution to this issue? I'm currently facing the same.
