trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Algo on mac 10.12 to DO fails during initial setup #323

Closed dlehman closed 7 years ago

dlehman commented 7 years ago

OS / Environment

macOS 10.12.3

Ansible version

ansible 2.2.1.0

Version of components from requirements.txt

setuptools Version: 34.3.3
dopy Version: 0.3.5
boto Version: 2.46.1
boto3 Version: 1.4.4
azure Version: 2.0.0rc5
msrest Version: 0.4.1
apache-libcloud Version: 1.5.0
six Version: 1.10.0
pyOpenSSL Version: 16.2.0
Jinja2 Version: 2.8

Summary of the problem

Deploying to DigitalOcean. At TASK [cloud-digitalocean : Get droplets] Error:

fatal: [localhost]: FAILED! => {"changed": false, "content": "", "failed": true, "msg": "Status code was not [200]: An unknown error occurred: ~/.netrc access too permissive: access permissions must restrict access to only the owner (/Users/dave/.netrc, line 3)", "redirected": false, "status": -1, "url": "https://api.digitalocean.com/v2/droplets?tag_name=Environment:Algo"}

Steps to reproduce the behavior

./algo

  1. DigitalOcean
desired region: 7
VPN On Demand, cellular: y
VPN On Demand, wi-fi: y
exclude trusted wi-fi:
local DNS resolver: y
own account for SSH tunneling: y
apply operating system security enhancements: y
support Windows 10 clients: n
store the CA key: y
...

TASK [cloud-digitalocean : Get droplets] ***
fatal: [localhost]: FAILED! => {"changed": false, "content": "", "failed": true, "msg": "Status code was not [200]: An unknown error occurred: ~/.netrc access too permissive: access permissions must restrict access to only the owner (/Users/dave/.netrc, line 3)", "redirected": false, "status": -1, "url": "https://api.digitalocean.com/v2/droplets?tag_name=Environment:Algo"}

PLAY RECAP ***** localhost : ok=12 changed=5 unreachable=0 failed=1

The way of deployment (cloud or local)

local

Expected behavior

setup algo on VPS

Actual behavior

fails during setup

Full log

./algo

What provider would you like to use?

  1. DigitalOcean
  2. Amazon EC2
  3. Google Compute Engine
  4. Microsoft Azure
  5. Install to existing Ubuntu server

Enter the number of your desired provider : 1

Enter your API token (https://cloud.digitalocean.com/settings/api/tokens): [pasted values will not be displayed] :

Name the vpn server: [algo.local]:

What region should the server be located in?

  1. Amsterdam (Datacenter 2)
  2. Amsterdam (Datacenter 3)
  3. Frankfurt
  4. London
  5. New York (Datacenter 1)
  6. New York (Datacenter 2)
  7. New York (Datacenter 3)
  8. San Francisco (Datacenter 1)
  9. San Francisco (Datacenter 2)
  10. Singapore
  11. Toronto
  12. Bangalore

Enter the number of your desired region:

Do you want to enable VPN On Demand when connected to cellular networks?

Do you want to enable VPN On Demand when connected to Wi-Fi?

Do you want to exclude trusted Wi-Fi networks from using the VPN? (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi) :

Do you want to install a local DNS resolver to block ads while surfing?

Do you want each user to have their own account for SSH tunneling?

Do you want to apply operating system security enhancements on the server? (warning: replaces your sshd_config)

Do you want the VPN to support Windows 10 clients? (requires RSA certificates and key exchange, less secure)

Do you want to store the CA key? (required for update-users script, but less secure)

PLAY [Configure the server] ****

TASK [setup] *** ok: [localhost]

TASK [Generate the SSH private key] **** changed: [localhost -> localhost]

TASK [Generate the SSH public key] ***** ok: [localhost -> localhost]

TASK [Change mode for the SSH private key] ***** ok: [localhost -> localhost]

TASK [Ensure the dynamic inventory exists] ***** changed: [localhost]

TASK [cloud-digitalocean : Set the DigitalOcean Access Token fact] ***** ok: [localhost]

TASK [cloud-digitalocean : Delete the existing Algo SSH keys] ** ok: [localhost]

TASK [cloud-digitalocean : Upload the SSH key] ***** changed: [localhost]

TASK [cloud-digitalocean : Creating a droplet...] ** changed: [localhost]

TASK [cloud-digitalocean : Add the droplet to an inventory group] ** changed: [localhost]

TASK [cloud-digitalocean : set_fact] *** ok: [localhost]

TASK [cloud-digitalocean : Tag the groplet] **** ok: [localhost]

TASK [cloud-digitalocean : Get droplets] *** fatal: [localhost]: FAILED! => {"changed": false, "content": "", "failed": true, "msg": "Status code was not [200]: An unknown error occurred: ~/.netrc access too permissive: access permissions must restrict access to only the owner (/Users/dave/.netrc, line 3)", "redirected": false, "status": -1, "url": "https://api.digitalocean.com/v2/droplets?tag_name=Environment:Algo"}

PLAY RECAP ***** localhost : ok=12 changed=5 unreachable=0 failed=1

dguido commented 7 years ago

What's in your .netrc file?

dlehman commented 7 years ago

Sorry to be an idiot, but how do I connect to the Droplet at this point? Can't seem to ssh in as algo or root...

dguido commented 7 years ago

You didn't set up a droplet. The install process failed because you have something weird in your netrc file that is screwing up headless SSH that Ansible needs.

dlehman commented 7 years ago

Ah, OK, that makes sense. Thanks, I'll remove my local .netrc and try again...

Yeah, worked fine now.

eddyw commented 5 years ago

If anybody else (like me) has this issue: before removing the file (because I actually need it), set its permissions to 600 with chmod:

chmod 600 ~/.netrc

If that doesn't work, only then may the content be corrupted, so remove it.
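An added pre-flight check (example code, not part of Algo or this thread) that mirrors the test CPython's netrc module applies to the default ~/.netrc when it reaches a password line, which is the check behind the "access too permissive" message above and why the error points at line 3 of a three-line entry: the file must be owned by the current user and carry no group or other permission bits. The DigitalOcean entry and its token are constructed placeholders.

```python
import os
import stat
import tempfile

# Any group or other permission bit makes the netrc parser refuse the file.
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def netrc_problems(path=os.path.expanduser("~/.netrc")):
    """Return the reasons the netrc parser would reject `path`, or [] if it is fine."""
    problems = []
    st = os.stat(path)
    # CPython's netrc module checks ownership first, then the mode bits.
    if st.st_uid != os.getuid():
        problems.append("owner uid %d is not the current uid %d"
                        % (st.st_uid, os.getuid()))
    if st.st_mode & GROUP_OR_OTHER:
        problems.append("mode %o grants group/other access; needs 600"
                        % stat.S_IMODE(st.st_mode))
    return problems


def fix_netrc_mode(path):
    """Apply the fix from the comment above (chmod 600) and return the new mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed .netrc in a temp dir: the check fails, then passes after the fix."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".netrc")
        with open(path, "w") as fh:
            # Constructed entry; the token is a placeholder, not a real credential.
            fh.write("machine api.digitalocean.com\n"
                     "login algo\n"
                     "password PLACEHOLDER-TOKEN\n")
        os.chmod(path, 0o644)  # a common default; this is what trips the check
        before = netrc_problems(path)
        fixed_mode = fix_netrc_mode(path)
        after = netrc_problems(path)
        return before, fixed_mode, after


if __name__ == "__main__":
    before, fixed_mode, after = demo()
    print("before:", before, "| after chmod %o:" % fixed_mode, after)
```

Running netrc_problems() with no argument inspects your real ~/.netrc without modifying it; only fix_netrc_mode changes anything.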