Shopify / shipit-engine

Deployment coordination
https://shopify.engineering/introducing-shipit
MIT License

Github Private key error: OpenSSL::PKey::RSAError: Neither PUB key nor PRIV key: nested asn1 error #1238

Closed kevinpolar closed 2 years ago

kevinpolar commented 2 years ago

Hi,

I'm trying to deploy a shipit instance in our environment on GCP using Kubernetes.

The particular error I'm having is in this line of code: key = OpenSSL::PKey::RSA.new(private_key) in the github_app.rb when trying to run the teams:fetch command.

I've placed the private key in a Kubernetes secret; the actual value that was encoded to base64 had the newline as a string \\n (double backslash for escape char) in it. Upon checking via the rails console, the private key being set in the Shipit.github and the Rails.application.secrets has spaces in between them, see the screenshot below:

Screen Shot 2021-12-21 at 4 38 17 PM

I did some testing, I tried manually running the OpenSSL::PKey::RSA.new(Rails.application.secrets.github[:private_key]) and I did indeed get the same error. Now I also tried running the same command but supplying my private key with the \n in the actual string and it worked.

casperisfine commented 2 years ago

Yes, newlines in RSA keys are significant. Not much we can do about it.

Your issue is solved right?

kevinpolar commented 2 years ago

Ah well, I do have the newlines in the values, in the secrets, but when it goes to the app, in the secrets, it changes into white spaces; that's actually the problem I wanted to bring up.

EDIT: checking the env variable via the rails console also shows the newline in the string.

casperisfine commented 2 years ago

Our yaml is like this:

private_key: "-----BEGIN RSA PRIVATE KEY-----\nMIIE....

To generate it properly I recommend using:

require "yaml"
puts File.read("<path/to/key>").to_yaml

casperisfine commented 2 years ago

> checking the env variable

Oh, you pass it through an env var? Do you interpolate it in the YAML or something? If so you might need a to_yaml to make sure newlines and such are escaped.

kevinpolar commented 2 years ago

Right, your response gave me an idea. Just tested passing the RSA key with the escaped newline (\\\\n) for the env variable, sure enough, it did render the correct value when running Rails.application.secrets (with the \n character).

Thank you! Closing this now.
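
The failure discussed in this thread, reproduced as an added example that is not part of the original issue or shipit's own code: a PEM key interpolated through ERB into a double-quoted YAML scalar has its line breaks folded into spaces, which OpenSSL then rejects. The template shapes and helper names are assumptions, the key is a throwaway generated at run time, and `to_json` is used here (rather than the `to_yaml` suggested above) because it yields a single-line quoted scalar that can be interpolated inline.

```ruby
require "erb"
require "json"
require "openssl"
require "yaml"

# Constructed throwaway key generated at run time; not a real credential.
PEM = OpenSSL::PKey::RSA.new(2048).to_pem

# Hypothetical secrets templates (assumed shape, not shipit's actual secrets.yml).
RAW_TEMPLATE  = %(github:\n  private_key: "<%= key %>"\n)
SAFE_TEMPLATE = %(github:\n  private_key: <%= key.to_json %>\n)

# Render the ERB template, parse the YAML, return the key the app would see.
def render(template, key)
  yaml = ERB.new(template).result_with_hash(key: key)
  YAML.safe_load(yaml).dig("github", "private_key")
end

# True when OpenSSL accepts the string as an RSA key.
def loads?(pem)
  OpenSSL::PKey::RSA.new(pem)
  true
rescue OpenSSL::PKey::PKeyError # covers RSAError
  false
end

# Real newlines in the value: YAML folds each line break into a space.
def folded_key
  render(RAW_TEMPLATE, PEM)
end

# Literal backslash-n in the value: YAML decodes the escape back to a newline.
def escaped_key
  render(RAW_TEMPLATE, PEM.gsub("\n") { "\\n" })
end

# Real newlines, but encoded as a quoted scalar before interpolation.
def encoded_key
  render(SAFE_TEMPLATE, PEM)
end

if $PROGRAM_NAME == __FILE__
  { "raw newlines" => folded_key, "escaped \\n" => escaped_key,
    "to_json" => encoded_key }.each do |label, value|
    puts format("%-13s newlines=%-5s loads=%s", label, value.include?("\n"), loads?(value))
  end
end
```

A startup check like `loads?` on the configured key surfaces this misconfiguration at boot instead of at the first GitHub API call.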