The other day I rebuilt a VM that we’re managing using Ansible, and when we tried to have Ansible reset its configuration we received the following error:

fatal: [xxx.xxx.xxx.xxx] => SSH Error: Host key verification failed.
    while connecting to xxx.xxx.xxx.xxx:22
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.

Ansible doesn’t provide a good explanation of how to fix this, but the issue revolves around the fact that the IP address stayed the same while the SSH host keys changed when the server was rebuilt, so the key the server now presents conflicts with the entry stored in the known_hosts file.

If you attempt to SSH into the box as that user, SSH will help you fix the problem:

user@host:~/path$ ssh user@xxx.xxx.xxx.xxx
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
a0:c9:23:12:f4:91:91:f0:45:0e:6c:d3:2e:ae:63:d7.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:13
  remove with: ssh-keygen -f "/home/user/.ssh/known_hosts" -R xxx.xxx.xxx.xxx
ECDSA host key for xxx.xxx.xxx.xxx has changed and you have requested strict checking.
Host key verification failed.

Then running the ssh-keygen command removes the bad entry:

user@host:~/path$ ssh-keygen -f "/home/user/.ssh/known_hosts" -R xxx.xxx.xxx.xxx
# Host xxx.xxx.xxx.xxx found: line 13 type ECDSA
/home/user/.ssh/known_hosts updated.
Original contents retained as /home/user/.ssh/known_hosts.old

And finally we can now run Ansible and it will connect!

user@host:~/path$ ansible-playbook -v --inventory-file=ansible/inventory/production.ini -u user ansible/devel.yml

PLAY [all] ********************************************************************

GATHERING FACTS ***************************************************************
The authenticity of host 'xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)' can't be established.
ECDSA key fingerprint is a0:c9:23:12:f4:91:91:f0:45:0e:6c:d3:2e:ae:63:d7.
Are you sure you want to continue connecting (yes/no)? yes
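
The steps above remove the stale entry and then answer "yes" to whatever key the host presents. As an added example (not part of the original post), this Python sketch replaces the known_hosts entry only when the new key's fingerprint matches one read out-of-band, for instance from the rebuilt VM's console. The function names, the 192.0.2.10 address and the key bytes are constructed for illustration.

```python
import base64, hashlib, hmac

def md5_fingerprint(key_b64):
    """Colon-separated MD5 fingerprint, the format in the SSH warning above."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def sha256_fingerprint(key_b64):
    """SHA256 fingerprint as newer OpenSSH releases print it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a known_hosts host field: plain list or hashed |1|salt|hmac."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        want = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1)
        return hmac.compare_digest(want.digest(), base64.b64decode(mac))
    return host in field.split(",")

def replace_host_key(known_hosts_text, host, new_key_line, expected_fp):
    """Swap host's entries for new_key_line ("<type> <base64>") only if the
    new key's fingerprint equals expected_fp; otherwise raise ValueError."""
    keytype, key_b64 = new_key_line.split()[:2]
    if expected_fp not in (md5_fingerprint(key_b64), sha256_fingerprint(key_b64)):
        raise ValueError("fingerprint mismatch: not trusting this host key")
    kept = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Comments and @cert-authority/@revoked marker lines are left alone.
        is_entry = bool(fields) and not line.startswith(("#", "@"))
        if is_entry and host_matches(fields[0], host):
            continue  # stale entry for the rebuilt host
        kept.append(line)
    kept.append(f"{host} {keytype} {key_b64}")
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    # Constructed sample data: placeholder key bytes, documentation address.
    old = base64.b64encode(b"constructed-old-key").decode()
    new = base64.b64encode(b"constructed-new-key").decode()
    known = f"192.0.2.10 ecdsa-sha2-nistp256 {old}\n"
    console_fp = md5_fingerprint(new)  # stands in for the console reading
    print(replace_host_key(known, "192.0.2.10",
                           f"ecdsa-sha2-nistp256 {new}", console_fp))
```

The sketch matches hosts on the default port only; entries written as [host]:port would need the same bracketed form passed in as the host argument.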