Issue created Apr 27, 2020 by Pierre Gaste@pierregaste
Neither PUB key nor PRIV key: nested asn1 error when gitlab-runner checking for jobs
Summary
After updating to 12.10.1, when gitlab-runner tries to check for jobs, it fails (HTTP 500 error) due to an exception in the /var/log/gitlab/gitlab-rails/api_json.log log file (see below).
Steps to reproduce
- Update to 12.10.1
- Try to start a new job
- Job seems to be inactive
- /var/log/gitlab/nginx/gitlab_access.log has a 500 error response
- /var/log/gitlab/gitlab-rails/api_json.log has an exception Neither PUB key nor PRIV key: nested asn1 error (like #32097 maybe?)
What is the current bug behavior?
It seems that jwt.rb doesn’t read the Rails.application.secrets.openid_connect_signing_key option correctly in the lib/gitlab/ci/jwt.rb file, line 63.
What is the expected correct behavior?
Read the Rails.application.secrets.openid_connect_signing_key option correctly
Relevant logs and/or screenshots
In the /var/log/gitlab/gitlab-rails/api_json.log file:
{"time":"2020-04-27T13:27:21.573Z","severity":"INFO","duration_s":0.24,"db_duration_s":0.1,"view_duration_s":0.14,"status":500,"method":"POST","path":"/api/v4/jobs/request","params":[{"key":"info","value":{"name":"gitlab-runner","version":"12.10.1","revision":"ce065b93","platform":"linux","architecture":"amd64","executor":"docker","shell":"bash","features":{"variables":"[FILTERED]","image":null,"services":null,"artifacts":null,"cache":null,"shared":null,"upload_multiple_artifacts":null,"upload_raw_artifacts":null,"session":null,"terminal":null,"refspecs":null,"masking":null,"proxy":null,"raw_variables":"[FILTERED]"}}},{"key":"token","value":"[FILTERED]"},{"key":"last_update","value":"6d94cba2f539cfa618b5038915bb35f4"}],"host":"[PRIVATE]","remote_ip":"[PRIVATE], [PRIVATE]","ua":"gitlab-runner 12.10.1 (12-10-stable; go1.13.8; linux/amd64)","route":"/api/:version/jobs/request","exception.class":"OpenSSL::PKey::RSAError","exception.message":"Neither PUB key nor PRIV key: nested asn1 error","exception.backtrace":["lib/gitlab/ci/jwt.rb:63:in `initialize'","lib/gitlab/ci/jwt.rb:63:in `new'","lib/gitlab/ci/jwt.rb:63:in `key'","lib/gitlab/ci/jwt.rb:67:in `public_key'","lib/gitlab/ci/jwt.rb:71:in `kid'","lib/gitlab/ci/jwt.rb:23:in `encoded'","lib/gitlab/ci/jwt.rb:10:in `for_build'","app/models/ci/build.rb:983:in `block in job_jwt_variables'","app/models/ci/build.rb:980:in `tap'","app/models/ci/build.rb:980:in `job_jwt_variables'","app/models/ci/build.rb:528:in `block in variables'","lib/gitlab/utils/strong_memoize.rb:30:in `strong_memoize'","app/models/ci/build.rb:525:in `variables'","app/presenters/ci/build_runner_presenter.rb:121:in `block in git_depth_variable'","lib/gitlab/utils/strong_memoize.rb:30:in `strong_memoize'","app/presenters/ci/build_runner_presenter.rb:120:in `git_depth_variable'","app/presenters/ci/build_runner_presenter.rb:28:in `git_depth'","app/presenters/ci/build_runner_presenter.rb:40:in `refspecs'"],"queue_duration_s":0.01,"gitaly_calls":2,"gitaly_duration_s":0,"redis_calls":9,"redis_duration_s":0.01,"correlation_id":"ERgArTStN83"}
Output of checks
Results of GitLab environment info
System information
System: Debian 9.12
Current User: git
Using RVM: no
Ruby Version: 2.6.5p114
Gem Version: 2.7.10
Bundler Version:1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.7
Git Version: 2.26.2
Sidekiq Version:5.2.7
Go Version: unknown

GitLab information
Version: 12.10.1
Revision: e658772bd63
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 11.7
URL: [DOMAIN]
HTTP Clone URL: https://[DOMAIN]/some-group/some-project.git
SSH Clone URL: ssh://git@[DOMAIN]/some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 12.2.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 12.2.0 ? ... OK (12.2.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ... yes
Redis version >= 4.0.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.5)
Git version >= 2.22.0 ? ... yes (2.26.2)
Git user has default SSH configuration? ... yes
Active users: ... 15
Is authorized keys file accessible? ... yes
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
When I copy the gitlab_rails.openid_connect_signing_key from the gitlab-secrets.json file directly into the /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ci/jwt.rb file, it works.
Replacing:
@key ||= OpenSSL::PKey::RSA.new(Rails.application.secrets.openid_connect_signing_key)
by:
@key ||= OpenSSL::PKey::RSA.new("-----BEGIN RSA PRIVATE KEY-----\n<MY_RSA_PRIVATE_KEY_CONTENT>\n-----END RSA PRIVATE KEY-----\n")
Comments
Everything is OK with that library, but I get this error
OpenSSL::PKey::RSAError (Neither PUB key nor PRIV key: nested asn1 error):
on Single Logout.
It seems that it happens when the library reads the private_key
formatted_private_key = OneLogin::RubySaml::Utils.format_private_key( *thestringwithkey* )
OpenSSL::PKey::RSA.new(formatted_private_key)
The error is at OpenSSL::PKey::RSA.new
Can someone help me? I don’t understand the error!
How are you providing that Private key?
Can you try to copy the formatted_private_key, save it in a file and try to validate it with the openssl command?
openssl rsa -noout -text -in sp.key
I found that it was a passphrase problem. I didn’t find a way in ruby-saml to pass the passphrase, and the Util formatter also seems to give wrong data.
I can fix the problem like this: nunziofiore@6264bcf
Yes, the toolkit is not able to manage private keys with a passphrase.
You can also remove the passphrase:
https://knowledge.digicert.com/solution/SO5292.html
In the end, having the private key encrypted but keeping the secret that decrypts it in the same settings file is not far from having the private key directly unencrypted.
Ok great, I’ll try that way. Thank you
I am trying to initialize OpenSSL::PKey::RSA using a public key, and it is not working.
Following is the key pair:
-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBALbkpbDFbZ54bM5ybwwdCqsUHjxWQF4B0Q1sAOBFEYdpxZJZ8dAz
ycPzIgSlPc8yqjeqwJQtvCpktrntALpX1ksCAwEAAQJAYT0XyvBs48BrOSgmWm5m
aab8nF/PQSv+FgDCRnryYue3WZOpUqITB0w6ivC68G/+Mf6IXyE4ljqw2iIAdjyv
YQIhAOE20o2bLPMtziEOdH0KGpN0gNYpe38jGyvGw7k5gZd9AiEAz+TWZRJpc9yX
5dew3xcBtIhaTPFmVLgmfU7FwIWW32cCIQCvKK9LmUO1gouN5CsvUNtokbTeW/cD
467vNjDlb1deFQIhAK55pZ1p2GrOpgTWArEYg+vZy79rkbBkZJkh9UFgXIDdAiBm
Rglcmt9cD2Vqg7xMr7cP3FJbSmJffSwYve1fazuZOw==
-----END RSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MEoCAQACQLbkpbDFbZ54bM5ybwwdCqsUHjxWQF4B0Q1sAOBFEYdpxZJZ8dAzycPz
IgSlPc8yqjeqwJQtvCpktrntALpX1ksCAwEAAQ==
-----END PUBLIC KEY-----
OpenSSL::PKey::RSA.new(private_key) # WORKS!
OpenSSL::PKey::RSA.new(public_key) # FAILS!
OpenSSL::PKey::RSAError: Neither PUB key nor PRIV key:: nested asn1 error
from (irb):16:in `initialize'
from (irb):16:in `new'
from (irb):16
from /Users/dhracker/.rvm/gems/ruby-1.9.3-p194/gems/railties-3.2.8/lib/rails/commands/console.rb:47:in `start'
from /Users/dhracker/.rvm/gems/ruby-1.9.3-p194/gems/railties-3.2.8/lib/rails/commands/console.rb:8:in `start'
from /Users/dhracker/.rvm/gems/ruby-1.9.3-p194/gems/railties-3.2.8/lib/rails/commands.rb:41:in `<top (required)>'
from script/rails:6:in `require'
from script/rails:6:in `<main>'
another_public_key = OpenSSL::PKey::RSA.new(512).public_key
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMS6XZD2NHTCwdgT+A2/PkStyJwYX/Qu
mfCyZc5TE5IZYaKsBg4uGcI97r8lxEv6rx5b0b6cIwQ7A7e6CUVph5MCAwEAAQ==
-----END PUBLIC KEY-----
OpenSSL::PKey::RSA.new(another_public_key) # WORKS!
What is wrong with public_key that causes things to fail?
4 Answers
Following this link http://skim.la/2012/01/16/rsa-public-key-interoperability-between-ruby-and-android/ I had more success this way.
require 'openssl'
require 'base64'
public_key = "MIIBCgKCAQEA20O377QEiZvPsj14LKl2xO23iirJB5WDTVjeab1cIOJu1vbV+Pdwl1Bov8m896ZG4K0S/qvfJcdHLovr2WJ+o2maK1XZCNy8lA" +
"zIPzZrj/yDZAB2GSjR3in1lQRQPtWjIOdB8Cy2FGybEstIkpf8MD3XMWp5g8BtdOv43ekjBuTiGGLlPRG0+IiazjHlWjyl6DU9x9m2Jxks0H6YZud6zf4s9Q6" +
"9vPUYgOZXWs7IghxqrVGE5mWxoRudsDFhLYP706+IrSxGOf5fE0/8fjtzj/eJayCLmkUWq/xsts5tBAbwsX5xKdk8iD0OU2qOEbVuiYmehEiJnvO2vyd+t76C" +
"xwIDAQAB"
rsa_public_key = OpenSSL::PKey::RSA.new(Base64.decode64(public_key))
It looks like what you’ve got there should work; only the public key itself isn’t valid. Maybe you mangled it at some point by adding or removing an extra character by accident. You can test this key out and should see it work:
public_key = "-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAoxi2V0bSKqAqUtoQHxWkOPnErCS541r6/MOSHmKOd6VSNHoBbnas\nZRQSDUTbffB6C++DbmBCOHmvzYORD0ZWYgyMcgbYJD48Z2fe0nm+WMYN5u8DPnTP\nvf8b/rJBxGF0dsaoFAWlB81tTnKFCxAbCSgfmQt+Vd4qupGZ5gGu9uoKlaPjmYuA\nIxIjUMcu3dov7PQ+PZIvdkM0fiz8YIl8zo+iWWyI2s6/XLoZJ4bYs2YJHZDf6biU\nsZhs8xqh/F6qlcRt3Ta25KMa0TB9zE3HHmqA/EJHFubWFRCrQqpboB0+nwCbmZUl\nhaxA79FRvYtORvFAoncoFD4tq3rGXcUQQwIDAQAB\n-----END RSA PUBLIC KEY-----\n"
OpenSSL::PKey::RSA.new(public_key)
I generated my key by first running the Linux command for generating an OpenSSH key pair
$ ssh-keygen -t rsa -b 1024
Then I converted OpenSSH style public key to an OpenSSL style key (PEM format), storing it in a file called ‘pem’.
$ ssh-keygen -f testing_rsa.pub -e -m pem > pem
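Added example, not code from any of the posts above: the public keys in this thread use two encodings, SubjectPublicKeyInfo ("BEGIN PUBLIC KEY") and PKCS#1 RSAPublicKey ("BEGIN RSA PUBLIC KEY"), and decoding the base64 body shows which one a key actually is. The function name and its labels are assumptions of this example; the two sample bodies are the question's own keys, of which the failing one decodes to a sequence of three INTEGERs, which is neither encoding.

```ruby
require 'openssl'

# Base64 bodies copied from the question above (PEM armor lines removed).
QUESTION_FAILING_KEY = 'MEoCAQACQLbkpbDFbZ54bM5ybwwdCqsUHjxWQF4B0Q1sAOBFEYdpxZJZ8dAzycPz' \
                       'IgSlPc8yqjeqwJQtvCpktrntALpX1ksCAwEAAQ=='
QUESTION_WORKING_KEY = 'MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMS6XZD2NHTCwdgT+A2/PkStyJwYX/Qu' \
                       'mfCyZc5TE5IZYaKsBg4uGcI97r8lxEv6rx5b0b6cIwQ7A7e6CUVph5MCAwEAAQ=='

# Returns [shape, element_types] for the outer ASN.1 structure of a key body.
# public_key_shape and its labels are hypothetical names for this example.
def public_key_shape(b64)
  top = OpenSSL::ASN1.decode(b64.unpack1('m')) # 'm' = base64 decode
  return [:not_a_sequence, []] unless top.is_a?(OpenSSL::ASN1::Sequence)

  # Class names of the direct children, e.g. ["Sequence", "BitString"].
  types = top.value.map { |item| item.class.name.split('::').last }
  shape = case types
          when %w[Sequence BitString] then :subject_public_key_info # BEGIN PUBLIC KEY
          when %w[Integer Integer]    then :pkcs1_rsa_public_key    # BEGIN RSA PUBLIC KEY
          else :unrecognized
          end
  [shape, types]
rescue OpenSSL::ASN1::ASN1Error
  [:not_der, []]
end

if $PROGRAM_NAME == __FILE__
  p public_key_shape(QUESTION_FAILING_KEY)
  p public_key_shape(QUESTION_WORKING_KEY)
end
```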
I was facing the same issue and I tried a lot of different solutions given across the internet.
But the actual problem was with the key that I was providing.
The formatting of the key should be proper. There should not be any extra characters or \n, \t.
I hope this might help you. So, please check your key once again.
Same day I was stuck with the same issue; changing the passphrase might help you. So verify your passphrase and change it in the notification class. I hope this might help you.
I have changed in file app/jobs/notification_job.rb
certificate: Rails.root.join('Your Pem File Name Goes Here'),# required
passphrase: "PASSPHRASE GOES HERE", # optional
gateway: "gateway.push.apple.com", # optional; See note below.
# gateway: "gateway.sandbox.push.apple.com", # optional; See note below.
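Added example, not code from any of the posts or projects on this page: a pre-flight check for the causes of "Neither PUB key nor PRIV key: nested asn1 error" reported above, namely literal \n or \t sequences in the key string, a passphrase-protected key loaded without its passphrase, and a damaged key body. diagnose_rsa_key and its status symbols are hypothetical names.

```ruby
require 'openssl'

# Classify a private-key string before it reaches OpenSSL::PKey::RSA.new.
# Returns [status, key_or_nil]; the status symbols are this example's own.
def diagnose_rsa_key(raw, passphrase = nil)
  return [:empty, nil] if raw.nil? || raw.strip.empty?

  pem = raw
  status = :ok
  # Two-character sequences backslash+n / backslash+t left over from
  # JSON, YAML or environment-variable quoting; base64 never contains them.
  if pem.include?('\n') || pem.include?('\t')
    pem = pem.gsub('\n', "\n").gsub('\t', '')
    status = :ok_after_unescaping
  end

  # Encrypted keys announce themselves in the PEM text (traditional and
  # PKCS#8 forms). Without a passphrase argument OpenSSL falls back to
  # asking on the terminal, so stop here instead of parsing.
  encrypted = pem.include?('Proc-Type: 4,ENCRYPTED') ||
              pem.include?('BEGIN ENCRYPTED PRIVATE KEY')
  return [:encrypted_needs_passphrase, nil] if encrypted && passphrase.nil?

  [status, OpenSSL::PKey::RSA.new(pem, passphrase)]
rescue OpenSSL::PKey::PKeyError
  # RSAError ("nested asn1 error") is a PKeyError.
  [encrypted ? :wrong_passphrase : :malformed, nil]
end

if $PROGRAM_NAME == __FILE__
  key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key
  escaped = key.to_pem.gsub("\n") { '\n' } # as it might arrive from a config file
  protected_pem = key.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), 'constructed-pass')
  puts diagnose_rsa_key(escaped).first
  puts diagnose_rsa_key(protected_pem).first
  puts diagnose_rsa_key(protected_pem, 'constructed-pass').first
end
```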