Spring Cloud Config Server GitHub SHA-1 error
Context
This is regarding a Spring Cloud Config Server hobby project (with @EnableConfigServer).
Yesterday, the application could be started.
Today, the application failed to start because of a Git communication error.
GitHub's official blog post mentions that SHA-1 is no longer supported starting from 15 March 2022, and that explains the results I'm getting these past 2 days.
March 15, 2022
Changes made permanent.
We’ll permanently stop accepting DSA keys. RSA keys uploaded after the cut-off point above will work only with SHA-2 signatures (but again, RSA keys uploaded before this date will continue to work with SHA-1). The deprecated MACs, ciphers, and unencrypted Git protocol will be permanently disabled.
Even though I didn't delete the existing SSH key, it still failed to start today. But anyway, now the only key under the "Deploy keys" section of the repository settings is an SSH key that was added after the March 15, 2022 cut-off date.
Dependency versions
Dependency Management:
| Dependency | Version |
|---|---|
| spring-cloud-dependencies | Hoxton.SR12 |
Dependency:
| Dependency | Version |
|---|---|
| spring-cloud-config-server | (Managed) |
Spring application configurations
application.yml:
```yaml
spring:
  cloud:
    config:
      server:
        git:
          ignore-local-ssh-settings: true
          uri: git@github.com:xxx/xxx.git
          private-key: |
            -----BEGIN RSA PRIVATE KEY-----
            (omitted)
            -----END RSA PRIVATE KEY-----
```
Additional information
The involved repo is a GitHub private repo configured with an SSH key under the "Deploy keys" settings section.
I have been generating the SSH key pairs according to the Spring Cloud Config official documentation.
Error
From the console log, I see:
ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type. Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
This comes from JGit as an org.eclipse.jgit.errors.NoRemoteRepositoryException.
Question and my attempt to fix the issue
I tried upgrading the Spring Cloud dependency management version to the latest available in the Maven repository, i.e. 2021.0.1, as it uses a newer version of JGit.
However, I'm still facing the same error.
If I just switch to GitLab with the exact same configurations, it just works regardless of the Spring Cloud dependency version and the JGit version.
What else can I do if I want to use GitHub?
Solution 1:[1]
Tested the following with scs v2.1
Use ecdsa:

Get the host key:

```sh
ssh-keyscan -t ecdsa github.com
# github.com:22 SSH-2.0-babeld-4f04c79d
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
```

Generate a new key:

```sh
ssh-keygen -t ecdsa -b 256 -m PEM
```

Add the generated public key to your GitHub repo's deploy keys.

Create or update your config server with the host key, host key algorithm, and generated private key:

```sh
cf create-service p-config-server standard <config-server-name> -c '{"git": { "uri": "git@github.com:<repo>.git", "privateKey": "<generated_key>", "hostKey": "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=","hostKeyAlgorithm": "ecdsa-sha2-nistp256"} }'
```
Solution 2:[2]
I have the same problem.
See https://github.com/spring-cloud/spring-cloud-config/issues/2061
For right now, I have a dirty workaround: use an https uri, username and password (maybe a personal secret token).

```yaml
spring:
  cloud:
    config:
      server:
        git:
          uri: https://github.com/org/repo
          username: ...
          password: ...
```
Solution 3:[3]
If you previously used ssh from the local host, then the RSA key should be replaced with an ecdsa key.

Command:

```sh
ssh-keygen -m PEM -t ecdsa -b 256
```

And your config file in the ~/.ssh folder should look like:

```
Host github.com
  User git
  Hostname github.com
  IdentityFile ~/.ssh/id_ecdsa
```

If you override the local ssh in property files:

```yaml
spring:
  cloud:
    config:
      server:
        git:
          # this can be found in known_hosts
          host-key: AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIb...........
          host-key-algorithm: ecdsa-sha2-nistp256
          ignore-local-ssh-settings: false
          private-key: |
            -----BEGIN EC PRIVATE KEY-----
            .................
            .................
            .........................
            -----END EC PRIVATE KEY-----
```
ref : https://github.com/spring-cloud/spring-cloud-config/issues/2061#issuecomment-1070779477
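Solutions 1 and 3 both take the `host-key` / `host-key-algorithm` values from `ssh-keyscan` output and both generate the key with `-m PEM`. The script below is an added example, not code from any of the answers above: it derives those two config values from a constructed keyscan line, checks that the private-key file carries the classic PEM header (the assumption here, consistent with the `-m PEM` flag used above, is that JSch reads `BEGIN EC PRIVATE KEY` / `BEGIN RSA PRIVATE KEY` but not OpenSSH's native `BEGIN OPENSSH PRIVATE KEY` format), and renders the `application.yml` git block with the key correctly indented under the YAML literal scalar. The key material and the `<org>/<repo>` uri are placeholders.

```shell
#!/bin/sh
# Added example: turn ssh-keyscan output into Spring Cloud Config git settings
# and verify the private key is in a PEM format before pasting it into YAML.

# Constructed sample in the shape of `ssh-keyscan -t ecdsa github.com` output.
# The key material is a placeholder, NOT GitHub's real host key.
KEYSCAN_OUTPUT='# github.com:22 SSH-2.0-example
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLEPLACEHOLDER='

# Drop ssh-keyscan's "# host:port banner" comment and keep the first key line.
first_key_line() { printf '%s\n' "$1" | grep -v '^#' | head -n 1; }

# known_hosts layout is: host  algorithm  base64-key
host_key_algorithm() { first_key_line "$1" | awk '{print $2}'; }
host_key_value()     { first_key_line "$1" | awk '{print $3}'; }

# Prints EC, RSA or UNSUPPORTED based on the first line of a private-key file.
# "BEGIN OPENSSH PRIVATE KEY" (what current ssh-keygen emits without -m PEM)
# is reported as UNSUPPORTED so the key gets regenerated before deployment.
pem_key_type() {
  case "$(head -n 1 "$1")" in
    '-----BEGIN EC PRIVATE KEY-----')  echo EC ;;
    '-----BEGIN RSA PRIVATE KEY-----') echo RSA ;;
    *)                                 echo UNSUPPORTED ;;
  esac
}

# Renders the spring.cloud.config.server.git block. The private key is
# indented under the literal block scalar (|) so every line stays inside it.
render_git_config() {
  keyscan="$1"; keyfile="$2"
  printf 'spring:\n  cloud:\n    config:\n      server:\n        git:\n'
  printf '          ignore-local-ssh-settings: true\n'
  printf '          uri: git@github.com:<org>/<repo>.git\n'
  printf '          host-key-algorithm: %s\n' "$(host_key_algorithm "$keyscan")"
  printf '          host-key: %s\n' "$(host_key_value "$keyscan")"
  printf '          private-key: |\n'
  sed 's/^/            /' "$keyfile"
}

# Demo with a constructed (not valid) EC key body; point this at your id_ecdsa.
DEMO_KEY=$(mktemp)
printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'PLACEHOLDERKEYBODY' '-----END EC PRIVATE KEY-----' > "$DEMO_KEY"
if [ "$(pem_key_type "$DEMO_KEY")" = UNSUPPORTED ]; then
  echo "key is not PEM; regenerate with: ssh-keygen -m PEM -t ecdsa -b 256" >&2
else
  render_git_config "$KEYSCAN_OUTPUT" "$DEMO_KEY"
fi
rm -f "$DEMO_KEY"
```

Run it as `sh render-git-config.sh` after replacing `KEYSCAN_OUTPUT` with the real `ssh-keyscan -t ecdsa github.com` output and `DEMO_KEY` with the path to the key you generated; the rendered block is what goes under `spring.cloud.config.server.git`, and a mismatch between `host-key` and `host-key-algorithm` is the first thing to check when JGit rejects the host.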
Solution 4:[4]
Spring Cloud Config Server (this answer refers to spring-cloud-starter-parent version 2020.0.4) uses the org.eclipse.jgit library for its git operations, and although it includes a recent version, 5.1.3, that in turn includes the "problematic" library com.jcraft.jsch version 0.1.55 for ssh-based communication when checking out repositories. The problem here is that this library has fallen behind and does not support newer versions of RSA keys (sha2-256 / sha2-512).
At this point, I will say I am not an authority here, but have just come out the other side of this issue, which manifested itself when GitHub turned off RSA SHA-1 on 3.15.2022.
So even though you may have an RSA SHA-2 256/512 key pair, public key in GitHub, private key with your config server, the com.jcraft.jsch library seemingly downgrades to what it knows, then communicates with GitHub using sha-1 and has the connection rejected.
Now to the solution that worked with the versions stated above. There is a fork of com.jcraft.jsch that implements the newer versions of RSA that GitHub accepts. This is mostly a drop-in replacement. Here are the changes I made:
pom.xml: switch out the problematic jar

```xml
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-config-server</artifactId>
    <!-- Excluding this older, not maintained library that does not support newer versions of RSA -->
    <exclusions>
        <exclusion>
            <groupId>com.jcraft</groupId>
            <artifactId>jsch</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<!-- Adding this fork of com.jcraft.jsch, which supports newer versions of RSA (sha2-256 / sha2-512) -->
<dependency>
    <groupId>com.github.mwiede</groupId>
    <artifactId>jsch</artifactId>
    <version>0.2.0</version>
</dependency>
```
However, the way JGit configures com.jcraft.jsch does not work just by configuring the pom.xml with the drop-in alone; I also had to add a shim configuration class to fix things:

```java
import com.jcraft.jsch.JSch;
import org.springframework.context.annotation.Configuration;

@Configuration
public class JschConfig {
    // Shim to fix the way JGit configures JSch
    static {
        JSch.setConfig("signature.rsa", "com.jcraft.jsch.jce.SignatureRSA");
    }
}
```
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | gbark |
| Solution 2 | iolo |
| Solution 3 | Jovica Krstevski |
| Solution 4 | |
