Setup
The first real, working development pipeline for this blog used the GitHub to FTP approach. Before that, I tried a somewhat convoluted version of the “Pull” approach from the guide in the official cPanel docs, which outlines two basic options:
Push Method
Edit your website on your computer, push the changes to a single Git repo in cPanel, and it will automatically update
- Use cPanel’s Git Version Control tool to make an empty repository
- Clone that to your computer
- Use a .cpanel.yml file to tell cPanel to deploy the files from the repo to your production website
Pull Method
Edit your website files on your computer, push changes to the first repository (probably on GitHub), then manually tell your secondary cPanel Git repo to pull those changes and deploy them to the live website
- Start with some other repo that you want to use
- Clone that to your computer
- Push changes to the secondary cPanel repo
- Click on “Update from Remote” and “Deploy HEAD commit” in the cPanel GUI
My method…
…turned out to be redundant and overly complicated, for a few reasons.
- Create a private GitHub repository
- Set up SSH access so cPanel’s repo had permission to snag the website files from GitHub
- Create a .cpanel.yml file, but also set up the Pull method, so I had to get into cPanel and manually deploy changes, anyway
Why did it work out like that?
- I conflated Git with GitHub. Git is a platform-agnostic system that companies like GitHub and cPanel use. When I was reading the docs and tutorials, it was easy to forget about that. I didn’t need both for the recommended Push method
- I wanted to use a private repo and set up SSH access. That was just for practice, since this is a home lab project, after all. But it made things needlessly complex
Process / Hurdles
“/usr/local/cpanel/3rdparty/bin/git” reported error code “128”
- cPanel Git™ Version Control: /usr/local/cpanel/3rdparty/bin/git reported error code 128 when it ended: Permission denied – cPanel
- Key isn’t working; authentication is failing
- Make sure you’re using the SSH link from GitHub, not the HTTPS link
“ERROR: You’re using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.”
- Eclipse/Git: “You’re using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.” - Stack Overflow
- Generating an ECDSA key instead fixed the issue
ssh-keygen -t ecdsa -b 521
- Generating a new SSH key and adding it to the ssh-agent - GitHub Docs
- “RSA keys generated after [November 2, 2021] must use a SHA-2 signature algorithm.”
- How could you generate an RSA key that uses SHA-2 as the signature algorithm?
“fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.”
- github - Git : fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists - Stack Overflow
- The eval command is used to start an SSH agent and set the necessary environment variables for it to work in the current shell session
- The
eval `ssh-agent -s`
ssh-add ../.ssh/RSAkey
“You’ve successfully authenticated, but GitHub does not provide shell access.”
- The first guide linked to Guide to Git™ - Set Up Access to Private Repositories | cPanel & WHM Documentation for directions on cloning the GitHub repo using SSH
- Once you generate the new SSH key, add it to your configuration file, and register it with the GitHub repo, you test the access:
ssh -i ~/.ssh/repo -T git@example.com
- NOTE: In the command above, you do need to use the path and key name specific to your project when you set them up. BUT, you literally enter “git@github.com”, assuming you are using GitHub as the platform for the remote repo
- This message actually means you added the SSH key correctly. But you’ll just be using it to securely clone a repo, not gain remote access to GitHub
- You’ve successfully authenticated, but GitHub does not provide shell access. · community · Discussion #33982
- After getting these errors out of the way, I was able to clone my private GitHub repo into my secondary cPanel Git repo
Takeaways
Public vs Private Repo
- All of this is only necessitated by having a private repo
- Anyone can clone a public repo
- You can clone your own private repo
- But GitHub doesn’t know your web server is you without signing in
- Instead of just signing in with a username/password, you authenticate with an SSH private/public key pair
- You can generate the key in the shell or through the cPanel plugin; it makes no difference
- Just remember to activate it
- Then copy the public key over to GitHub as an SSH or Deploy key
GitHub SSH key vs Deploy key
- git - difference between account ssh-key vs deployment ssh-key - Stack Overflow
- SSH key identifies / authenticates you
- Always provides read-write access
- Limited number depending on account type
- Deploy key provides read-only access
- It is usually used for CI/CD
- You can enable it for write access as well when you create it
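The key setup described above (generate a key, add it to the SSH configuration file, register the public half with GitHub, test with ssh -T), as an added example that is not from the original post or the cPanel docs. The key name "repo", the function names and the passphrase-less key are assumptions; IdentitiesOnly is added so ssh offers only this key to GitHub.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): prepare a dedicated key and an
# ssh_config stanza so the cPanel account can clone a private GitHub repo.
# The key name "repo" and all paths are placeholders.

# Generate an ECDSA key (the type the post switched to) unless one exists.
# Assumption: no passphrase, because the clone runs unattended on the server.
make_deploy_key() {
  local key="$1"
  mkdir -p "$(dirname "$key")"
  chmod 700 "$(dirname "$key")"
  [ -f "$key" ] || ssh-keygen -q -t ecdsa -b 521 -N "" -C "cpanel-deploy" -f "$key"
  chmod 600 "$key"   # ssh refuses private keys that other users can read
}

# Append a Host stanza for github.com exactly once. IdentitiesOnly makes ssh
# offer only this key instead of every key loaded in the agent.
write_ssh_config() {
  local config="$1" key="$2"
  mkdir -p "$(dirname "$config")"
  touch "$config"
  chmod 600 "$config"
  if ! grep -qE '^Host[[:space:]]+github\.com$' "$config"; then
    cat >> "$config" <<EOF
Host github.com
  HostName github.com
  User git
  IdentityFile $key
  IdentitiesOnly yes
EOF
  fi
}

# Usage on the server:
#   make_deploy_key ~/.ssh/repo
#   write_ssh_config ~/.ssh/config ~/.ssh/repo
#   cat ~/.ssh/repo.pub     # paste into the repo as a deploy key (read-only)
#   ssh -T git@github.com   # expect "You've successfully authenticated, ..."
```

Registering the public key as a deploy key without write access keeps the web server limited to read-only access to that one repository.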
Future Improvements
- The current system I have in place works fine. But there is really no particular reason I need to have GitHub involved at all
- I might simplify things at some point in the future by using this guide: Hosting Remote Git™ Repositories with cPanel | cPanel
Sources
- Guide to Git™ - How to Set Up Deployment | cPanel & WHM Documentation
- Guide to Git™ - Set Up Access to Private Repositories | cPanel & WHM Documentation
- Guide to Git™ - Deployment | cPanel & WHM Documentation
- How to configure SSH Key Authentication for use with cPanel Git™ Version Control – cPanel
- GitHub - About SSH