Spring Cloud Config with public/private key git access - solving the "Auth fail" error

spring May 14, 2019

So I was setting up Spring Cloud Config for our project. Access your config through a public Git repo seems quite straight forward. And then it wasn't. This post is about solving the "Auth fail" error when using a public/private keypair.

A basic (server) setup

So the Spring Cloud Config (SCC from here on) server has to have access to your Git repo. If you don't want to or can't supply a username password, a public/private keypair is possible.

The promise is simple: generate a public/private keypair, put the public key in Git and the private key with your SCC server. There are several posts around the internet that tell you where to put the private key, but in the end (we're running it in Kubernetes, so it's in a Docker image) it's in /root/.ssh/id_rsa. Set up the SCC config file to use local ssh settings and you're good to go:

          uri: [email protected]:awesomecompany/excellentrepo.git
          ignoreLocalSshSettings: false
          strictHostKeyChecking: false

Run it and it should work. It did, when my colleague drafted the first version. Then we moved (Kubernetes) clusters and had to regenerate the keypair, because we didn't save it back then. No biggy.

The problem

So when I regenerated the keypair and put it in place and ran it...

Caused by: com.jcraft.jsch.JSchException: Auth fail
	at com.jcraft.jsch.Session.connect(Session.java:519) ~[jsch-0.1.54.jar:na]
	at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:136) ~[org.eclipse.jgit-]

This exception with the sole message "Auth fail". Could mean anything. So I tried everything. Finally, after some forceful pointing SCC to my private key, it suddenly found my private key to be "invalid". A lot of debugging into the JSch library (the ssh part of SCC) I found out why JSch would label it invalid.
It seems, last time my colleague who ran the ssh-keygen to generate the public/private keypair did this on his Windows machine. This time around, I ran the same command line on macOS.

ssh-keygen -f ./id_rsa

And this resulted in an id_rsa file starting like this:


And the debugging showed, that JSch didn't like the header "BEGIN OPENSSH PRIVATE KEY". It expects it to read "BEGIN RSA PRIVATE KEY". Nice going, "Auth fail"! About as helpful as the average person calling a helpdesk.

Fixing it

So the fix is to specify the correct key format (PEM) when generating your keys. You set the PEM format for your keys with -m:

ssh-keygen -m PEM -f ./id_rsa

And then Spring Cloud Config reads it just fine and gets your config from Git.