I have two web servers behind a load balancer that use Let's Encrypt for automatic SSL. web1 will handle the creation and renewal of the SSL keys and then synchronize those keys onto web2. Trying to use a variant of this isn't working for me:
- name: Sync SSL files from master to slave(s)
  synchronize:
    src: "{{ item }}"
    dest: "{{ item }}"
  when: inventory_hostname != 'web1'
  delegate_to: web1
  with_items:
    - /etc/nginx/ssl/letsencrypt/
    - /var/lib/letsencrypt/csrs/
    - /var/lib/letsencrypt/account.key
    - /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem
That returns an immediate error of:
Permission denied (publickey).
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: unexplained error (code 255) at io.c(605) [Receiver=3.0.9]
Why isn't the SSH forwarding working once Ansible logs into web1 or web2? When I execute this manually, it works fine:
ssh -A user@web1
#logged into web1 successfully
ssh user@web2
#logged into web2 successfully
Here is my ansible.cfg:
[defaults]
filter_plugins = ~/.ansible/plugins/filter_plugins/:/usr/share/ansible_plugins/filter_plugins:lib/trellis/plugins/filter
host_key_checking = False
force_color = True
force_handlers = True
inventory = hosts
nocows = 1
roles_path = vendor/roles
[ssh_connection]
ssh_args=-o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/tmp/ansible-ssh-%h-%p-%r -o ForwardAgent=yes
pipelining = True
retries = 1
What I think is happening is that I am trying to copy contents from a folder with root-only permissions. So sudo is being used, which switches my user, and that is why I get a permission denied, because the SSH key is associated with the non-root user. So it seems I need a way to access the contents of a root-only folder and send it across with a regular user. I might create a few steps to copy and change permissions with root, then sync with non-root, and use sudo to fix permissions on the remote host.
Seems like a lot of steps, but not sure if synchronize can handle my use case.
UPDATED: Added more relevant error
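The staged, two-user approach sketched at the end of the post, written out as one Ansible play. This is an added example, not code from the original post or from the Trellis project: it assumes Ansible 2.x keywords (`become`, `ansible_user`), hosts named `web1` and `web2` as in the question, and a hypothetical staging directory `/var/tmp/ssl-sync` on both hosts. Root copies the files into the stage on web1 and hands them to the SSH user; `synchronize` then runs on web1 as that user (with `become` switched off for the task, so the forwarded agent from `ForwardAgent=yes` is still in rsync's environment); root on web2 installs the result and both staged copies are removed, since they contain private keys.

```yaml
# Added example (not from the original post). Assumed names: web1/web2 as in the
# question, Ansible 2.x keywords, and the hypothetical stage /var/tmp/ssl-sync.
- name: Replicate Let's Encrypt material from web1 to web2 without sudo over SSH
  hosts: web2
  vars:
    ssl_sync_stage: /var/tmp/ssl-sync        # hypothetical staging directory
    ssl_sync_paths:
      - /etc/nginx/ssl/letsencrypt/
      - /var/lib/letsencrypt/csrs/
      - /var/lib/letsencrypt/account.key
      - /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem
  tasks:
    # --- on web1, as root: build a copy the regular SSH user is allowed to read
    - name: Create a private staging directory on web1 owned by the SSH user
      file:
        path: "{{ ssl_sync_stage }}"
        state: directory
        owner: "{{ ansible_user }}"
        mode: "0700"
      delegate_to: web1
      become: yes
      run_once: yes

    # rsync -R keeps the absolute path under the stage, so
    # /etc/nginx/ssl/letsencrypt/ lands in /var/tmp/ssl-sync/etc/nginx/ssl/letsencrypt/
    - name: Copy each root-only path into the stage, preserving its layout
      command: rsync -aR --delete {{ item }} {{ ssl_sync_stage }}/
      with_items: "{{ ssl_sync_paths }}"
      delegate_to: web1
      become: yes
      run_once: yes

    - name: Hand the staged copy to the SSH user so rsync can read it without sudo
      file:
        path: "{{ ssl_sync_stage }}"
        state: directory
        owner: "{{ ansible_user }}"
        recurse: yes
      delegate_to: web1
      become: yes
      run_once: yes

    # --- web1 -> web2, as the SSH user: no sudo on either end, so the agent
    # forwarded by ForwardAgent=yes is still in rsync's environment on web1
    - name: Sync the stage from web1 to web2 with the regular user
      synchronize:
        src: "{{ ssl_sync_stage }}/"
        dest: "{{ ssl_sync_stage }}/"
        delete: yes
      delegate_to: web1
      become: no

    # --- on web2, as root: install into the real locations; --no-o --no-g drops
    # the staged (SSH user) ownership so root, the invoking user, owns the files
    - name: Install each path from the stage as root
      command: rsync -a --delete --no-o --no-g {{ ssl_sync_stage }}{{ item }} {{ item }}
      with_items: "{{ ssl_sync_paths }}"
      become: yes

    # --- cleanup on both hosts: the stage holds account and certificate keys
    - name: Remove the staged copies
      file:
        path: "{{ ssl_sync_stage }}"
        state: absent
      delegate_to: "{{ item }}"
      become: yes
      with_items:
        - web1
        - web2
```

The only task that crosses the network without `become` is the `synchronize` step, which is the one that needs the forwarded key; every step that touches the root-only directories runs under `become` on a single host. Modes are preserved by `-a`, so the 0600 permissions on the private keys carry over; if the destination directories on web2 do not exist yet, create them with `file` before the install step.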