Closed ejheil closed 5 years ago
FWIW, it works fine if you don't delete the key
I encountered this same error today installing on Azure
I encountered the same issue today deploying on my own Ubuntu 18.04 server.
Quick fix: change line 43 in server.yml to the following:
path: "configs/{{ IP_subject_alt_name }}/pki/private/cakey.pem"
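A check for anyone who hit this failure after answering "N" to retaining the CA key: the failed task may have left the key on disk. This is an added example, not part of the thread or of Algo itself. It assumes the key sits at the path given in the quick fix, relative to the Algo checkout, and the function names and the `--check` argument are hypothetical.

```shell
#!/bin/sh
# Added example: find (and optionally delete) CA private keys that a failed
# "Delete the CA key" task left behind in an Algo checkout.
# Assumed layout, taken from the quick fix above:
#   configs/<IP_subject_alt_name>/pki/private/cakey.pem
# Function names below are hypothetical, not part of Algo.

# Print one line per leftover CA key found under <algo_dir>/configs.
find_leftover_ca_keys() {
    algo_dir=$1
    for key in "$algo_dir"/configs/*/pki/private/cakey.pem; do
        # An unmatched glob stays literal, so confirm the file exists.
        if [ -f "$key" ]; then
            printf '%s\n' "$key"
        fi
    done
    return 0
}

# Delete every leftover CA key; print the number of files removed.
# Server and client keys in the same directory are left untouched.
remove_leftover_ca_keys() {
    algo_dir=$1
    removed=0
    for key in "$algo_dir"/configs/*/pki/private/cakey.pem; do
        if [ -f "$key" ] && rm -f -- "$key"; then
            removed=$((removed + 1))
        fi
    done
    printf '%s\n' "$removed"
}

# Optional direct use: sh this_script.sh --check /path/to/algo
if [ "${1:-}" = "--check" ]; then
    find_leftover_ca_keys "${2:-.}"
fi
```

Once the CA key is removed, new users cannot be added to that deployment, which matches the trade-off stated in the installer prompt.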
+1 same error on ec2, with delete key option selected
Describe the bug
Tried to create DO droplet with algo, everything defaults except selected ad blocking. I was on another DO droplet while doing this.
Got the following error:
TASK [Delete the CA key] *** fatal: [157.230.91.66]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'ipsec_pki_path' is undefined\n\nThe error appears to have been in '/home/ed/src/algo/server.yml': line 40, column 11, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n - block:\n - name: Delete the CA key\n ^ here\n"}
To Reproduce
Do the same thing again; it happens the same way.
Expected behavior
I get a beautiful new VPN droplet
Additional context
This is my uname -a from the droplet I'm running the scripts on
(env) ➜ algo git:(master) uname -a
Linux gdangus 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Full log
(env) ➜ algo git:(master) ./algo
PLAY [Ask user for the input] *****
TASK [Gathering Facts] **** ok: [localhost]
TASK [pause] ** [pause] What provider would you like to use?
Enter the number of your desired provider : 1 ok: [localhost]
TASK [Set facts based on the input] *** ok: [localhost]
TASK [pause] ** [pause] Name the vpn server [algo] :
ok: [localhost]
TASK [pause] ** [pause] Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks? [y/N] :
ok: [localhost]
TASK [pause] ** [pause] Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi? [y/N] :
ok: [localhost]
TASK [pause] **
TASK [pause] ** [pause] Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure) [y/N] :
ok: [localhost]
TASK [pause] ** [pause] Do you want to retain the CA key? (required to add users in the future, but less secure) [y/N] :
ok: [localhost]
TASK [pause] ** [pause] Do you want to install an ad blocking DNS resolver on this VPN server? [y/N] : y ok: [localhost]
TASK [pause] ** [pause] Do you want each user to have their own account for SSH tunneling? [y/N] :
ok: [localhost]
TASK [Set facts based on the input] *** ok: [localhost]
PLAY [Provision the server] ***
TASK [Gathering Facts] **** ok: [localhost]
TASK [Display the invocation environment] *****
--> Please include the following block of text when reporting issues:
Algo running on: Ubuntu 16.04.5 LTS (Virtualized: kvm) Created from git clone. Last commit: c4ea880 Refactoring to support roles inclusion (#1365) Python 2.7.12 Runtime variables: algo_provider "digitalocean" algo_ondemand_cellular "False" algo_ondemand_wifi "False" algo_ondemand_wifi_exclude "X251bGw=" algo_local_dns "True" algo_ssh_tunneling "False" algo_windows "False" wireguard_enabled "True" dns_encryption "True" changed: [localhost -> localhost]
TASK [Install the requirements] *** ok: [localhost -> localhost]
TASK [Generate the SSH private key] *** ok: [localhost]
TASK [Generate the SSH public key] **** ok: [localhost]
TASK [Include a provisioning role] ****
TASK [cloud-digitalocean : Clean up the environment] **
TASK [cloud-digitalocean : Install requirements] ** ok: [localhost]
TASK [cloud-digitalocean : pause] ***** [cloud-digitalocean : pause] Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens): (output is hidden): ok: [localhost]
TASK [cloud-digitalocean : Set the token as a fact] *** ok: [localhost]
TASK [cloud-digitalocean : Get regions] *** ok: [localhost]
TASK [cloud-digitalocean : Set facts about thre regions] ** ok: [localhost]
TASK [cloud-digitalocean : Set default region] **** ok: [localhost]
TASK [cloud-digitalocean : pause] ***** [cloud-digitalocean : pause] What region should the server be located in?
Enter the number of your desired region [6] : 5 ok: [localhost]
TASK [cloud-digitalocean : Set additional facts] ** ok: [localhost]
TASK [cloud-digitalocean : Delete the existing Algo SSH keys] ***** ok: [localhost]
TASK [cloud-digitalocean : Upload the SSH key] **** changed: [localhost]
TASK [cloud-digitalocean : Creating a droplet...] ***** changed: [localhost]
TASK [cloud-digitalocean : set_fact] ** ok: [localhost]
TASK [cloud-digitalocean : Tag the droplet] *** changed: [localhost]
TASK [cloud-digitalocean : Delete the new Algo SSH key] *** FAILED - RETRYING: Delete the new Algo SSH key (10 retries left). ok: [localhost]
TASK [Set subjectAltName as afact] **** ok: [localhost]
TASK [Add the server to an inventory group] *** changed: [localhost]
TASK [Additional variables for the server] **** changed: [localhost]
TASK [Wait until SSH becomes ready...] **** ok: [localhost]
TASK [debug] ** ok: [localhost] => { "IP_subject_alt_name": "157.230.178.183" }
TASK [A short pause, in order to be sure the instance is ready] *** Pausing for 20 seconds (ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) ok: [localhost]
PLAY [Configure the server and install required software] *****
TASK [common : Check the system] ** changed: [157.230.178.183]
TASK [common : include_tasks] ***** included: /home/ed/src/algo/roles/common/tasks/ubuntu.yml for 157.230.178.183
TASK [common : Gather facts] ** ok: [157.230.178.183]
TASK [common : Install software updates] ** changed: [157.230.178.183]
TASK [common : Check if reboot is required] *** changed: [157.230.178.183]
TASK [common : Reboot] **** changed: [157.230.178.183]
TASK [common : Wait until SSH becomes ready...] *** ok: [157.230.178.183 -> localhost]
TASK [common : Install unattended-upgrades] *** ok: [157.230.178.183]
TASK [common : Configure unattended-upgrades] ***** changed: [157.230.178.183]
TASK [common : Periodic upgrades configured] ** changed: [157.230.178.183]
TASK [common : Unattended reboots configured] ***** changed: [157.230.178.183]
TASK [common : Disable MOTD on login and SSHD] **** changed: [157.230.178.183] => (item={u'regexp': u'^session.optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'}) changed: [157.230.178.183] => (item={u'regexp': u'^session.optional.pam_motd.so.', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})
TASK [common : Loopback for services configured] ** changed: [157.230.178.183]
TASK [common : systemd services enabled and started] ** ok: [157.230.178.183] => (item=systemd-networkd) ok: [157.230.178.183] => (item=systemd-resolved)
RUNNING HANDLER [common : restart systemd-networkd] *** changed: [157.230.178.183]
TASK [common : Check apparmor support] **** changed: [157.230.178.183]
TASK [common : set_fact] ** ok: [157.230.178.183]
TASK [common : Generate password for the CA key] ** changed: [157.230.178.183 -> localhost]
TASK [common : Generate p12 export password] ** changed: [157.230.178.183 -> localhost]
TASK [common : Define facts] ** ok: [157.230.178.183]
TASK [common : set_fact] ** ok: [157.230.178.183]
TASK [common : Set IPv6 support as a fact] **** ok: [157.230.178.183]
TASK [common : Check size of MTU] ***** ok: [157.230.178.183]
TASK [common : set_fact] ** ok: [157.230.178.183]
TASK [common : Install tools] ***** changed: [157.230.178.183]
TASK [common : Install headers] *** ok: [157.230.178.183]
TASK [common : include_tasks] ***** included: /home/ed/src/algo/roles/common/tasks/iptables.yml for 157.230.178.183
TASK [common : Iptables configured] *** changed: [157.230.178.183] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})
TASK [common : Iptables configured] *** changed: [157.230.178.183] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})
TASK [common : include_tasks] *****
TASK [common : Sysctl tuning] ***** changed: [157.230.178.183] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1}) changed: [157.230.178.183] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1}) changed: [157.230.178.183] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})
RUNNING HANDLER [common : restart iptables] *** changed: [157.230.178.183]
TASK [dns_encryption : Include tasks for Ubuntu] ** included: /home/ed/src/algo/roles/dns_encryption/tasks/ubuntu.yml for 157.230.178.183
TASK [dns_encryption : Add the repository] **** changed: [157.230.178.183]
TASK [dns_encryption : Install dnscrypt-proxy] **** changed: [157.230.178.183]
TASK [dns_encryption : Configure unattended-upgrades] ***** changed: [157.230.178.183]
TASK [dns_encryption : Ubuntu | Unbound profile for apparmor configured] ** changed: [157.230.178.183]
TASK [dns_encryption : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] *** ok: [157.230.178.183]
TASK [dns_encryption : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] *** changed: [157.230.178.183]
TASK [dns_encryption : Ubuntu | Add custom requirements to successfully start the unit] *** changed: [157.230.178.183]
TASK [dns_encryption : Include tasks for FreeBSD] *****
TASK [dns_encryption : dnscrypt-proxy ip-blacklist configured] **** changed: [157.230.178.183]
TASK [dns_encryption : dnscrypt-proxy configured] ***** changed: [157.230.178.183]
TASK [dns_encryption : dnscrypt-proxy enabled and started] **** ok: [157.230.178.183]
RUNNING HANDLER [dns_encryption : restart dnscrypt-proxy] ***** changed: [157.230.178.183]
TASK [dns_adblocking : Dnsmasq installed] ***** changed: [157.230.178.183]
TASK [dns_adblocking : The dnsmasq directory created] ***** changed: [157.230.178.183]
TASK [dns_adblocking : include_tasks] ***** included: /home/ed/src/algo/roles/dns_adblocking/tasks/ubuntu.yml for 157.230.178.183
TASK [dns_adblocking : Ubuntu | Dnsmasq profile for apparmor configured] ** changed: [157.230.178.183]
TASK [dns_adblocking : Ubuntu | Enforce the dnsmasq AppArmor policy] ** changed: [157.230.178.183]
TASK [dns_adblocking : Ubuntu | Ensure that the dnsmasq service directory exist] ** changed: [157.230.178.183]
TASK [dns_adblocking : Ubuntu | Setup the cgroup limitations for the ipsec daemon] **** changed: [157.230.178.183]
TASK [dns_adblocking : include_tasks] *****
TASK [dns_adblocking : Dnsmasq configured] **** changed: [157.230.178.183]
TASK [dns_adblocking : Adblock script created] **** changed: [157.230.178.183]
TASK [dns_adblocking : Adblock script added to cron] ** changed: [157.230.178.183]
TASK [dns_adblocking : Update adblock hosts] ** changed: [157.230.178.183]
RUNNING HANDLER [dns_adblocking : restart dnsmasq] **** changed: [157.230.178.183]
RUNNING HANDLER [dns_adblocking : daemon-reload] ** ok: [157.230.178.183]
TASK [dns_adblocking : Dnsmasq enabled and started] *** ok: [157.230.178.183]
TASK [wireguard : Ensure the required directories exist] ** changed: [157.230.178.183 -> localhost] => (item=private) changed: [157.230.178.183 -> localhost] => (item=public)
TASK [wireguard : Include tasks for Ubuntu] *** included: /home/ed/src/algo/roles/wireguard/tasks/ubuntu.yml for 157.230.178.183
TASK [wireguard : WireGuard repository configured] **** changed: [157.230.178.183]
TASK [wireguard : WireGuard installed] **** changed: [157.230.178.183]
TASK [wireguard : WireGuard reload-module-on-update] ** changed: [157.230.178.183]
TASK [wireguard : Configure unattended-upgrades] ** changed: [157.230.178.183]
TASK [wireguard : set_fact] *** ok: [157.230.178.183]
TASK [wireguard : Include tasks for FreeBSD] **
TASK [wireguard : Delete the lock files] **
TASK [wireguard : Generate private keys] ** changed: [157.230.178.183] => (item=phone) changed: [157.230.178.183] => (item=laptop) changed: [157.230.178.183] => (item=desktop) changed: [157.230.178.183] => (item=157.230.178.183)
TASK [wireguard : Save private keys] ** changed: [157.230.178.183] => (item=None) changed: [157.230.178.183] => (item=None) changed: [157.230.178.183] => (item=None) changed: [157.230.178.183] => (item=None)
TASK [wireguard : Touch the lock file] **** changed: [157.230.178.183] => (item=phone) changed: [157.230.178.183] => (item=laptop) changed: [157.230.178.183] => (item=desktop) changed: [157.230.178.183] => (item=157.230.178.183)
TASK [wireguard : Generate public keys] *** ok: [157.230.178.183] => (item=phone) ok: [157.230.178.183] => (item=laptop) ok: [157.230.178.183] => (item=desktop) ok: [157.230.178.183] => (item=157.230.178.183)
TASK [wireguard : Save public keys] *** changed: [157.230.178.183] => (item=None) changed: [157.230.178.183] => (item=None) changed: [157.230.178.183] => (item=None) changed: [157.230.178.183] => (item=None)
TASK [wireguard : WireGuard user list updated] **** changed: [157.230.178.183 -> localhost] => (item=phone) changed: [157.230.178.183 -> localhost] => (item=laptop) changed: [157.230.178.183 -> localhost] => (item=desktop)
TASK [wireguard : set_fact] *** ok: [157.230.178.183 -> localhost]
TASK [wireguard : WireGuard users config generated] *** changed: [157.230.178.183 -> localhost] => (item=(0, u'phone')) changed: [157.230.178.183 -> localhost] => (item=(1, u'laptop')) changed: [157.230.178.183 -> localhost] => (item=(2, u'desktop'))
TASK [wireguard : Generate QR codes] ** ok: [157.230.178.183 -> localhost] => (item=(0, u'phone')) ok: [157.230.178.183 -> localhost] => (item=(1, u'laptop')) ok: [157.230.178.183 -> localhost] => (item=(2, u'desktop'))
TASK [wireguard : WireGuard configured] *** changed: [157.230.178.183]
TASK [wireguard : WireGuard enabled and started] ** changed: [157.230.178.183]
RUNNING HANDLER [wireguard : restart wireguard] *** changed: [157.230.178.183]
TASK [strongswan : include_tasks] ***** included: /home/ed/src/algo/roles/strongswan/tasks/ubuntu.yml for 157.230.178.183
TASK [strongswan : set_fact] ** ok: [157.230.178.183]
TASK [strongswan : Ubuntu | Install strongSwan] *** changed: [157.230.178.183]
TASK [strongswan : Ubuntu | Enforcing ipsec with apparmor] **** changed: [157.230.178.183] => (item=/usr/lib/ipsec/charon) changed: [157.230.178.183] => (item=/usr/lib/ipsec/lookip) changed: [157.230.178.183] => (item=/usr/lib/ipsec/stroke)
TASK [strongswan : Ubuntu | Enable services] ** ok: [157.230.178.183] => (item=apparmor) ok: [157.230.178.183] => (item=strongswan) ok: [157.230.178.183] => (item=netfilter-persistent)
TASK [strongswan : Ubuntu | Ensure that the strongswan service directory exist] *** changed: [157.230.178.183]
TASK [strongswan : Ubuntu | Setup the cgroup limitations for the ipsec daemon] **** changed: [157.230.178.183]
TASK [strongswan : Ensure that the strongswan user exist] ***** ok: [157.230.178.183]
TASK [strongswan : Install strongSwan] **** ok: [157.230.178.183]
TASK [strongswan : Setup the config files from our templates] ***** changed: [157.230.178.183] => (item={u'dest': u'strongswan.conf', u'src': u'strongswan.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'}) changed: [157.230.178.183] => (item={u'dest': u'ipsec.conf', u'src': u'ipsec.conf.j2', u'group': u'root', u'mode': u'0644', u'owner': u'root'}) changed: [157.230.178.183] => (item={u'dest': u'ipsec.secrets', u'src': u'ipsec.secrets.j2', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
TASK [strongswan : Get loaded plugins] **** changed: [157.230.178.183]
TASK [strongswan : Disable unneeded plugins] ** changed: [157.230.178.183] => (item=bypass-lan) changed: [157.230.178.183] => (item=gmp) changed: [157.230.178.183] => (item=md5) changed: [157.230.178.183] => (item=updown) changed: [157.230.178.183] => (item=connmark) changed: [157.230.178.183] => (item=xauth-generic) changed: [157.230.178.183] => (item=constraints) changed: [157.230.178.183] => (item=mgf1) changed: [157.230.178.183] => (item=sshkey) changed: [157.230.178.183] => (item=attr) changed: [157.230.178.183] => (item=pkcs1) changed: [157.230.178.183] => (item=resolve) changed: [157.230.178.183] => (item=counters) changed: [157.230.178.183] => (item=md4) changed: [157.230.178.183] => (item=fips-prf) changed: [157.230.178.183] => (item=dnskey) changed: [157.230.178.183] => (item=aesni) changed: [157.230.178.183] => (item=xcbc) changed: [157.230.178.183] => (item=rc2) changed: [157.230.178.183] => (item=agent) changed: [157.230.178.183] => (item=sha1) changed: [157.230.178.183] => (item=eap-mschapv2)
TASK [strongswan : Ensure that required plugins are enabled] ** changed: [157.230.178.183] => (item=pubkey) changed: [157.230.178.183] => (item=stroke) changed: [157.230.178.183] => (item=pem) changed: [157.230.178.183] => (item=nonce) changed: [157.230.178.183] => (item=openssl) changed: [157.230.178.183] => (item=kernel-netlink) changed: [157.230.178.183] => (item=aes) changed: [157.230.178.183] => (item=random) changed: [157.230.178.183] => (item=pkcs7) changed: [157.230.178.183] => (item=pkcs12) changed: [157.230.178.183] => (item=pkcs8) changed: [157.230.178.183] => (item=socket-default) changed: [157.230.178.183] => (item=hmac) changed: [157.230.178.183] => (item=x509) changed: [157.230.178.183] => (item=revocation) changed: [157.230.178.183] => (item=sha2) changed: [157.230.178.183] => (item=pgp) changed: [157.230.178.183] => (item=gcm)
TASK [strongswan : Set subjectAltName as a fact] ** ok: [157.230.178.183 -> localhost]
TASK [strongswan : Ensure the pki directory does not exist] ***
TASK [strongswan : Ensure the pki directories exist] ** changed: [157.230.178.183 -> localhost] => (item=ecparams) changed: [157.230.178.183 -> localhost] => (item=certs) changed: [157.230.178.183 -> localhost] => (item=crl) changed: [157.230.178.183 -> localhost] => (item=newcerts) changed: [157.230.178.183 -> localhost] => (item=private) changed: [157.230.178.183 -> localhost] => (item=public) changed: [157.230.178.183 -> localhost] => (item=reqs)
TASK [strongswan : Ensure the config directories exist] *** changed: [157.230.178.183 -> localhost] => (item=apple) changed: [157.230.178.183 -> localhost] => (item=windows) changed: [157.230.178.183 -> localhost] => (item=manual)
TASK [strongswan : Ensure the files exist] **** changed: [157.230.178.183 -> localhost] => (item=.rnd) changed: [157.230.178.183 -> localhost] => (item=private/.rnd) changed: [157.230.178.183 -> localhost] => (item=index.txt) changed: [157.230.178.183 -> localhost] => (item=index.txt.attr) changed: [157.230.178.183 -> localhost] => (item=serial)
TASK [strongswan : Generate the openssl server configs] *** changed: [157.230.178.183 -> localhost]
TASK [strongswan : Build the CA pair] ***** changed: [157.230.178.183 -> localhost]
TASK [strongswan : Copy the CA certificate] *** changed: [157.230.178.183 -> localhost]
TASK [strongswan : Generate the serial number] **** changed: [157.230.178.183 -> localhost]
TASK [strongswan : Build the server pair] ***** changed: [157.230.178.183 -> localhost]
TASK [strongswan : Build the client's pair] *** changed: [157.230.178.183 -> localhost] => (item=phone) changed: [157.230.178.183 -> localhost] => (item=laptop) changed: [157.230.178.183 -> localhost] => (item=desktop)
TASK [strongswan : Build openssh public keys] ***** changed: [157.230.178.183 -> localhost] => (item=phone) changed: [157.230.178.183 -> localhost] => (item=laptop) changed: [157.230.178.183 -> localhost] => (item=desktop)
TASK [strongswan : Build the client's p12] **** changed: [157.230.178.183 -> localhost] => (item=phone) changed: [157.230.178.183 -> localhost] => (item=laptop) changed: [157.230.178.183 -> localhost] => (item=desktop)
TASK [strongswan : Copy the p12 certificates] ***** changed: [157.230.178.183 -> localhost] => (item=phone) changed: [157.230.178.183 -> localhost] => (item=laptop) changed: [157.230.178.183 -> localhost] => (item=desktop)
TASK [strongswan : Get active users] ** changed: [157.230.178.183 -> localhost]
TASK [strongswan : Revoke non-existing users] *****
TASK [strongswan : Genereate new CRL file] ****
TASK [strongswan : Copy the CRL to the vpn server] ****
TASK [strongswan : Copy the keys to the strongswan directory] ***** changed: [157.230.178.183] => (item={u'dest': u'cacerts/ca.crt', u'src': u'cacert.pem', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'}) changed: [157.230.178.183] => (item={u'dest': u'certs/157.230.178.183.crt', u'src': u'certs/157.230.178.183.crt', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'}) changed: [157.230.178.183] => (item={u'dest': u'private/157.230.178.183.key', u'src': u'private/157.230.178.183.key', u'group': u'root', u'mode': u'0600', u'owner': u'strongswan'})
TASK [strongswan : Register p12 PayloadContent] *** changed: [157.230.178.183 -> localhost] => (item=phone) changed: [157.230.178.183 -> localhost] => (item=laptop) changed: [157.230.178.183 -> localhost] => (item=desktop)
TASK [strongswan : Set facts for mobileconfigs] *** ok: [157.230.178.183 -> localhost]
TASK [strongswan : Build the mobileconfigs] *** changed: [157.230.178.183] => (item=None) changed: [157.230.178.183] => (item=None) changed: [157.230.178.183] => (item=None)
TASK [strongswan : Build the client ipsec config file] **** changed: [157.230.178.183 -> localhost] => (item=phone) changed: [157.230.178.183 -> localhost] => (item=laptop) changed: [157.230.178.183 -> localhost] => (item=desktop)
TASK [strongswan : Build the client ipsec secret file] **** changed: [157.230.178.183 -> localhost] => (item=phone) changed: [157.230.178.183 -> localhost] => (item=laptop) changed: [157.230.178.183 -> localhost] => (item=desktop)
TASK [strongswan : Build the windows client powershell script] ****
TASK [strongswan : Restrict permissions for the local private directories] **** ok: [157.230.178.183 -> localhost]
TASK [strongswan : strongSwan started] **** ok: [157.230.178.183]
RUNNING HANDLER [dns_adblocking : restart apparmor] *** changed: [157.230.178.183]
RUNNING HANDLER [dns_adblocking : daemon-reload] ** ok: [157.230.178.183]
RUNNING HANDLER [strongswan : restart strongswan] ***** changed: [157.230.178.183]
TASK [ssh_tunneling : Ensure that the sshd_config file has desired options] ***
TASK [ssh_tunneling : Ensure that the algo group exist] ***
TASK [ssh_tunneling : Ensure that the jail directory exist] ***
TASK [ssh_tunneling : Ensure that the SSH users exist] ****
TASK [ssh_tunneling : Clean up the ssh-tunnel directory] **
TASK [ssh_tunneling : Ensure the config directories exist] ****
TASK [ssh_tunneling : Check if the private keys exist] ****
TASK [ssh_tunneling : Build ssh private keys] *****
TASK [ssh_tunneling : Build ssh public keys] **
TASK [ssh_tunneling : Build the client ssh config] ****
TASK [ssh_tunneling : The authorized keys file created] ***
TASK [ssh_tunneling : Get active users] ***
TASK [ssh_tunneling : Delete non-existing users] **
TASK [Delete the CA key] ** fatal: [157.230.178.183]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'ipsec_pki_path' is undefined\n\nThe error appears to have been in '/home/ed/src/algo/server.yml': line 40, column 11, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n - block:\n - name: Delete the CA key\n ^ here\n"}
TASK [include_tasks] ** included: /home/ed/src/algo/playbooks/rescue.yml for 157.230.178.183
TASK [debug] ** ok: [157.230.178.183] => { "fail_hint": [ "Sorry, but something went wrong!", "Please check the troubleshooting guide.", "https://trailofbits.github.io/algo/troubleshooting.html" ] }
TASK [fail] *** fatal: [157.230.178.183]: FAILED! => {"changed": false, "msg": "Failed as requested from task"}
PLAY RECAP **** 157.230.178.183 : ok=116 changed=80 unreachable=0 failed=2
localhost : ok=36 changed=6 unreachable=0 failed=0
(env) ➜ algo git:(master)