Introduction
More and more often it's all about configuration and some hidden "setting" which does the job...
Spring Config Server lets you fetch configuration from a remote Git repository over HTTPS:
spring:
  cloud:
    config:
      server:
        git:
          uri: https://github.com/my-organization/my-config-repo.git
          username: goat
          password: mystrongpa$$word
I'm not a security expert, but this approach has an obvious downside ("username" and "password" in code). One might argue that it's possible to inject the values via environment variables or using some other technique. Nonetheless, the main flaw is the idea of supplying "username" and "password" in the first place.
An alternative way and the problem
A better technique is to use an SSH key:
spring:
  cloud:
    config:
      server:
        git:
          uri: git@github.com:my-organization/my-config-repo.git
It's a good solution, but it doesn't work out of the box. According to the Spring docs, it should:
If you do not use HTTPS and user credentials, SSH should also work out of the box when you store keys in the default directories (~/.ssh) and the URI points to an SSH location, such as git@github.com:configuration/cloud-configuration. It is important that an entry for the Git server be present in the ~/.ssh/known_hosts file and that it is in ssh-rsa format. Other formats (such as ecdsa-sha2-nistp256) are not supported. To avoid surprises, you should ensure that only one entry is present in the known_hosts file for the Git server and that it matches the URL you provided to the config server. If you use a hostname in the URL, you want to have exactly that (not the IP) in the known_hosts file. The repository is accessed by using JGit, so any documentation you find on that should be applicable. HTTPS proxy settings can be set in ~/.git/config or (in the same way as for any other JVM process) with system properties (-Dhttps.proxyHost and -Dhttps.proxyPort).
After googling around I found multiple threads on StackOverflow that helped other people. Particularly, this one: "Spring Cloud Config cannot clone private bitbucket repository using ssh key". However, after applying proper configuration in my ~/.ssh/config file it still didn't work (as you can see from the screenshot for this post).
The solution
It turns out the problem is hidden in the bowels of Mac OS Mojave (and any later version). By default, it creates the key in a different, new "OpenSSH" format, whereas Spring only supports ssh-rsa (more on this here).
The solution is to regenerate the SSH key for the account using the following command:
ssh-keygen -m PEM -t rsa -b 4096 -C "your_email@example.com"
Once I applied the newly generated key, the application was able to start successfully.
Thanks to Wpigott, who pointed out this solution.
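A pre-flight check for the two conditions discussed above, added here as an example and not part of the original post or of Spring's code: it classifies a private key by its header line and checks that known_hosts holds exactly one ssh-rsa entry for the Git host. The function names and the sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Sample files are constructed.

# Classify a private key by its first line (the armor header).
key_format() {
  case "$(head -n 1 "$1")" in
    "-----BEGIN OPENSSH PRIVATE KEY-----") echo "openssh" ;;  # new default format
    "-----BEGIN RSA PRIVATE KEY-----")     echo "pem-rsa" ;;  # written by: ssh-keygen -m PEM -t rsa
    *)                                     echo "unknown" ;;
  esac
}

# Print the key type of every known_hosts entry naming exactly this host.
# Comment, marker (@...) and hashed (|1|...) entries are not matched.
known_host_types() {  # usage: known_host_types <file> <host>
  awk -v h="$2" '
    NF < 3 || $1 ~ /^[#@]/ { next }
    { n = split($1, names, ",")
      for (i = 1; i <= n; i++) if (names[i] == h) { print $2; break } }' "$1"
}

# "ok" only when there is exactly one entry for the host and it is ssh-rsa.
known_hosts_verdict() {  # usage: known_hosts_verdict <file> <host>
  known_host_types "$1" "$2" | awk '
    { n++; if ($0 != "ssh-rsa") bad = 1 }
    END {
      if (n == 0)     print "missing"
      else if (n > 1) print "multiple-entries"
      else if (bad)   print "unsupported-type"
      else            print "ok"
    }'
}

# Constructed sample inputs (placeholders, not real key material).
demo="$(mktemp -d)"; trap 'rm -rf "$demo"' EXIT
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED' > "$demo/id_new"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' > "$demo/id_pem"
printf '%s\n' 'github.com ssh-rsa CONSTRUCTED' > "$demo/kh_ok"
printf '%s\n' 'github.com ecdsa-sha2-nistp256 CONSTRUCTED' > "$demo/kh_ecdsa"
printf '%s\n' 'github.com,192.0.2.10 ssh-rsa CONSTRUCTED' \
              'github.com ssh-ed25519 CONSTRUCTED' > "$demo/kh_multi"

for k in id_new id_pem; do echo "$k: $(key_format "$demo/$k")"; done
for f in kh_ok kh_ecdsa kh_multi; do
  echo "$f: $(known_hosts_verdict "$demo/$f" github.com)"
done
```

Against a real setup, point `key_format` at the private key the config server will load and `known_hosts_verdict` at `~/.ssh/known_hosts` with the host name from the `uri`.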