Spring Cloud Config Server GitHub SHA-1 error

Time:03-17

Context

This is regarding a Spring Cloud Config Server hobby project (with @EnableConfigServer).

Yesterday, the application could be started.

Today, the application failed to start because of a Git communication error.

From GitHub's official blog post, it is mentioned that SHA-1 is no longer supported starting from 15 March 2022. And that explains the results I'm getting these 2 days.

March 15, 2022

Changes made permanent.

We’ll permanently stop accepting DSA keys. RSA keys uploaded after the cut-off point above will work only with SHA-2 signatures (but again, RSA keys uploaded before this date will continue to work with SHA-1). The deprecated MACs, ciphers, and unencrypted Git protocol will be permanently disabled.

Even if I didn't delete the existing SSH key, it still failed to start today. But anyway, now the only key under the "Deploy keys" section of the repository settings is an SSH key that was added after the March 15, 2022 cut off date.


Dependency versions

Dependency Management:

Dependency | Version
spring-cloud-dependencies | Hoxton.SR12

Dependency:

Dependency | Version
spring-cloud-config-server | (Managed)

Spring application configurations

application.yml:

spring:
  cloud:
    config:
      server:
        git:
          ignore-local-ssh-settings: true
          uri: git@github.com:xxx/xxx.git
          private-key: |
                        -----BEGIN RSA PRIVATE KEY-----
                        (omitted)
                        -----END RSA PRIVATE KEY-----

Additional information

The involved repo is a GitHub private repo configured with an SSH key under the "Deploy keys" settings section.

I have been generating the SSH key pairs according to the Spring Cloud Config official documentation.


Error

From the console log, I see:

ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type. Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.

This comes from JGit as an org.eclipse.jgit.errors.NoRemoteRepositoryException.


Question and my attempt to fix the issue

I tried upgrading the Spring Cloud dependency management version to the latest available in Maven repository, i.e. 2021.0.1, as it uses a newer version of JGit.

However, I'm still facing the same error.

If I just switch to GitLab with the exact same configurations, it just works regardless of the Spring Cloud dependency version and the JGit version.

What else can I do if I want to use GitHub?

CodePudding user response:

Tested the following with scs v2.1

Use ECDSA:

Get the hostKey

ssh-keyscan -t ecdsa github.com
# github.com:22 SSH-2.0-babeld-4f04c79d
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=

Generate a new key

ssh-keygen -t ecdsa -b 256 -m PEM

Add the generated public key to your github repo's deploy keys.

Create or update your config server with host key, host key algorithm, and generated private key.

cf create-service p-config-server standard <config-server-name> -c '{"git": { "uri": "git@github.com:<repo>.git", "privateKey": "<generated_key>", "hostKey": "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=","hostKeyAlgorithm": "ecdsa-sha2-nistp256"} }'
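
A check to run before pinning the host key from the steps above, added here as an example and not part of the original answer: ssh-keyscan output is unauthenticated, and a key pasted through a web form can lose its base64 '+' characters. The helper names (read_string, check_host_key) are hypothetical; the script confirms that the hostKey value is clean base64, that the algorithm inside the key blob matches hostKeyAlgorithm, and it returns the SHA256 fingerprint for comparison.

```python
import base64
import binascii
import hashlib
import struct

# github.com ECDSA host key quoted in the answer above, base64 '+' characters intact.
HOST_KEY = ("AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7"
            "opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=")
# Constructed damaged copy: '+' turned into spaces, as URL decoding does to base64.
DAMAGED = HOST_KEY.replace("+", " ")


def read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def check_host_key(host_key, host_key_algorithm):
    """Hypothetical helper: validate the pair, return (algorithm, SHA256 fingerprint)."""
    try:
        blob = base64.b64decode(host_key, validate=True)  # rejects spaces and other debris
    except binascii.Error as exc:
        raise ValueError(f"hostKey is not clean base64: {exc}") from exc
    name, offset = read_string(blob, 0)
    algorithm = name.decode("ascii", "replace")
    if algorithm != host_key_algorithm:
        raise ValueError(f"blob is {algorithm!r}, config says {host_key_algorithm!r}")
    if algorithm == "ecdsa-sha2-nistp256":
        curve, offset = read_string(blob, offset)
        point, offset = read_string(blob, offset)
        # nistp256 public point: 0x04 marker followed by two 32-byte coordinates.
        if curve != b"nistp256" or len(point) != 65 or point[0] != 4:
            raise ValueError("unexpected curve or malformed EC point")
        if offset != len(blob):
            raise ValueError("trailing bytes after the key")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return algorithm, fingerprint


if __name__ == "__main__":
    # Same SHA256:... form that ssh-keygen -l prints for a host key line.
    print(check_host_key(HOST_KEY, "ecdsa-sha2-nistp256"))
```

Compare the returned fingerprint with the SSH key fingerprints GitHub publishes in its documentation before putting the key in hostKey.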

CodePudding user response:

I have the same problem.

See https://github.com/spring-cloud/spring-cloud-config/issues/2061

For right now, I have a dirty workaround: use an HTTPS URI, username and password (maybe personal secret token).

spring:
  cloud:
    config:
      server:
        git:
          uri: https://github.com/org/repo
          username: ...
          password: ...