Algo fails to generate wireguard private keys #1363

Closed
garrettreid opened this issue Mar 19, 2019 · 1 comment
garrettreid commented Mar 19, 2019

Describe the bug

Algo fails to generate wireguard private keys, then fails to generate public keys because they're missing. This is without changing any configuration values, and answering with default settings for everything except server IP. Dependencies have all been installed, virtualenv is active. While the existing issue 1161 seems related, I'm failing with the current-latest Algo (commit db34d55).

Algo running on: Ubuntu 18.04.2 LTS (Virtualized: xen)
ZIP file created: 2019-03-17 15:19:24.000000000 +0000
Python 2.7.15rc1
Runtime variables:
algo_provider "local"
algo_ondemand_cellular "False"
algo_ondemand_wifi "False"
algo_ondemand_wifi_exclude "X251bGw="
algo_local_dns "False"
algo_ssh_tunneling "False"
algo_windows "False"
wireguard_enabled "True"
dns_encryption "True"

To Reproduce

Steps to reproduce the behavior:

  1. Install dependencies
root@vpn:~# apt install build-essential libssl-dev libffi-dev python-dev python-pip python-setuptools python-virtualenv -y
Reading package lists... Done
Building dependency tree       
Reading state information... Done
build-essential is already the newest version (12.4ubuntu1).
libffi-dev is already the newest version (3.2.1-8).
python-dev is already the newest version (2.7.15~rc1-1).
python-setuptools is already the newest version (39.0.1-2).
python-virtualenv is already the newest version (15.1.0+ds-1.1).
libssl-dev is already the newest version (1.1.0g-2ubuntu4.3).
python-pip is already the newest version (9.0.1-2.3~ubuntu1).
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
  2. Activate virtual environment
root@vpn:~/algo-master# python -m virtualenv --python=`which python2` env && source env/bin/activate && python -m pip install -U pip virtualenv && python -m pip install -r requirements.txt
Running virtualenv with interpreter /usr/bin/python2
New python executable in /root/algo-master/env/bin/python2
Also creating executable in /root/algo-master/env/bin/python
Installing setuptools, pkg_resources, pip, wheel...done.
...
Installing collected packages: asn1crypto, enum34, ipaddress, pycparser, cffi, six, cryptography, MarkupSafe, jinja2, PyYAML, pynacl, pyasn1, bcrypt, paramiko, ansible
Successfully installed MarkupSafe-1.1.1 PyYAML-5.1 ansible-2.5.2 asn1crypto-0.24.0 bcrypt-3.1.6 cffi-1.12.2 cryptography-2.6.1 enum34-1.1.6 ipaddress-1.0.22 jinja2-2.10 paramiko-2.4.2 pyasn1-0.4.5 pycparser-2.19 pynacl-1.3.0 six-1.12.0
  3. Invoke Algo (./algo)

Expected behavior

Algo playbook completes successfully.

Full log

(env) root@vpn:~/algo-master# ./algo

PLAY [Ask user for the input] **************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]
[pause]
What provider would you like to use?
    1. DigitalOcean
    2. Amazon Lightsail
    3. Amazon EC2
    4. Vultr
    5. Microsoft Azure
    6. Google Compute Engine
    7. Scaleway
    8. OpenStack (DreamCompute optimised)
    9. Install to existing Ubuntu 18.04 server (Advanced)
  
Enter the number of your desired provider
:
9

TASK [pause] *******************************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************
ok: [localhost]
[pause]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:


TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:


TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
:


TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
:


TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want to install an ad blocking DNS resolver on this VPN server?
[y/N]
:


TASK [pause] *******************************************************************
ok: [localhost]
[pause]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:


TASK [pause] *******************************************************************
ok: [localhost]

TASK [Set facts based on the input] ********************************************
ok: [localhost]

PLAY [Provision the server] ****************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

--> Please include the following block of text when reporting issues:

Algo running on: Ubuntu 18.04.2 LTS (Virtualized: xen)
ZIP file created: 2019-03-17 15:19:24.000000000 +0000
Python 2.7.15rc1
Runtime variables:
    algo_provider "local"
    algo_ondemand_cellular "False"
    algo_ondemand_wifi "False"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_local_dns "False"
    algo_ssh_tunneling "False"
    algo_windows "False"
    wireguard_enabled "True"
    dns_encryption "True"

TASK [Display the invocation environment] **************************************
changed: [localhost -> localhost]

TASK [Install the requirements] ************************************************
changed: [localhost -> localhost]
[local : pause]
Enter the IP address of your server: (or use localhost for local installation):
[localhost]
:
localhost

TASK [local : pause] ***********************************************************
ok: [localhost]

TASK [local : Set the facts] ***************************************************
ok: [localhost]

TASK [local : Set the facts] ***************************************************
ok: [localhost]
[local : pause]
Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate)
[localhost]
:
1.2.3.4

TASK [local : pause] ***********************************************************
ok: [localhost]

TASK [local : Set the facts] ***************************************************
ok: [localhost]

TASK [Set subjectAltName as afact] *********************************************
ok: [localhost]

TASK [Add the server to an inventory group] ************************************
changed: [localhost]

TASK [debug] *******************************************************************
ok: [localhost] => {
    "IP_subject_alt_name": "1.2.3.4"
}
Pausing for 20 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)

TASK [A short pause, in order to be sure the instance is ready] ****************
ok: [localhost]

PLAY [Configure the server and install required software] **********************

TASK [common : Check the system] ***********************************************
changed: [localhost]

TASK [common : include_tasks] **************************************************
included: /root/algo-master/roles/common/tasks/ubuntu.yml for localhost

TASK [common : Gather facts] ***************************************************
ok: [localhost]

TASK [common : Install unattended-upgrades] ************************************
ok: [localhost]

TASK [common : Configure unattended-upgrades] **********************************
ok: [localhost]

TASK [common : Periodic upgrades configured] ***********************************
ok: [localhost]

TASK [common : Unattended reboots configured] **********************************
ok: [localhost]
ok: [localhost] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/login'})
ok: [localhost] => (item={u'regexp': u'^session.*optional.*pam_motd.so.*', u'line': u'# MOTD DISABLED', u'file': u'/etc/pam.d/sshd'})

TASK [common : Disable MOTD on login and SSHD] *********************************

TASK [common : Loopback for services configured] *******************************
ok: [localhost]
ok: [localhost] => (item=systemd-networkd)
ok: [localhost] => (item=systemd-resolved)

TASK [common : systemd services enabled and started] ***************************

TASK [common : Check apparmor support] *****************************************
changed: [localhost]

TASK [common : set_fact] *******************************************************
ok: [localhost]

TASK [common : Generate password for the CA key] *******************************
changed: [localhost -> localhost]

TASK [common : Generate p12 export password] ***********************************
changed: [localhost -> localhost]

TASK [common : Define facts] ***************************************************
ok: [localhost]

TASK [common : set_fact] *******************************************************
ok: [localhost]

TASK [common : Set IPv6 support as a fact] *************************************
ok: [localhost]

TASK [common : Check size of MTU] **********************************************
ok: [localhost]

TASK [common : set_fact] *******************************************************
ok: [localhost]
ok: [localhost] => (item=[u'git', u'screen', u'apparmor-utils', u'uuid-runtime', u'coreutils', u'iptables-persistent', u'cgroup-tools', u'openssl'])

TASK [common : Install tools] **************************************************

TASK [common : Install headers] ************************************************
ok: [localhost]

TASK [common : include_tasks] **************************************************
included: /root/algo-master/roles/common/tasks/iptables.yml for localhost
ok: [localhost] => (item={u'dest': u'/etc/iptables/rules.v4', u'src': u'rules.v4.j2'})

TASK [common : Iptables configured] ********************************************
ok: [localhost] => (item={u'dest': u'/etc/iptables/rules.v6', u'src': u'rules.v6.j2'})

TASK [common : Iptables configured] ********************************************
ok: [localhost] => (item={u'item': u'net.ipv4.ip_forward', u'value': 1})
ok: [localhost] => (item={u'item': u'net.ipv4.conf.all.forwarding', u'value': 1})
ok: [localhost] => (item={u'item': u'net.ipv6.conf.all.forwarding', u'value': 1})

TASK [common : Sysctl tuning] **************************************************

TASK [dns_encryption : Include tasks for Ubuntu] *******************************
included: /root/algo-master/roles/dns_encryption/tasks/ubuntu.yml for localhost

TASK [dns_encryption : Add the repository] *************************************
ok: [localhost]

TASK [dns_encryption : Install dnscrypt-proxy] *********************************
ok: [localhost]

TASK [dns_encryption : Configure unattended-upgrades] **************************
ok: [localhost]

TASK [dns_encryption : Ubuntu | Unbound profile for apparmor configured] *******
ok: [localhost]

TASK [dns_encryption : Ubuntu | Enforce the dnscrypt-proxy AppArmor policy] ****
ok: [localhost]

TASK [dns_encryption : Ubuntu | Ensure that the dnscrypt-proxy service directory exist] ***
ok: [localhost]

TASK [dns_encryption : Ubuntu | Add custom requirements to successfully start the unit] ***
ok: [localhost]

TASK [dns_encryption : dnscrypt-proxy ip-blacklist configured] *****************
ok: [localhost]

TASK [dns_encryption : dnscrypt-proxy configured] ******************************
ok: [localhost]

TASK [dns_encryption : dnscrypt-proxy enabled and started] *********************
ok: [localhost]
changed: [localhost -> localhost] => (item=private)
changed: [localhost -> localhost] => (item=public)

TASK [wireguard : Ensure the required directories exist] ***********************

TASK [wireguard : Include tasks for Ubuntu] ************************************
included: /root/algo-master/roles/wireguard/tasks/ubuntu.yml for localhost

TASK [wireguard : WireGuard repository configured] *****************************
ok: [localhost]

TASK [wireguard : WireGuard installed] *****************************************
ok: [localhost]

TASK [wireguard : WireGuard reload-module-on-update] ***************************
changed: [localhost]

TASK [wireguard : Configure unattended-upgrades] *******************************
ok: [localhost]

TASK [wireguard : set_fact] ****************************************************
ok: [localhost]
ok: [localhost] => (item=phone)
ok: [localhost] => (item=laptop)
ok: [localhost] => (item=desktop)
changed: [localhost] => (item=1.2.3.4)

TASK [wireguard : Generate private keys] ***************************************
changed: [localhost] => (item=None)
changed: [localhost] => (item=phone)
changed: [localhost] => (item=laptop)
changed: [localhost] => (item=desktop)
changed: [localhost] => (item=1.2.3.4)

TASK [wireguard : Touch the lock file] *****************************************
 [WARNING]: Unable to find 'configs/1.2.3.4/wireguard//.pki//private/phone' in
expected paths (use -vvvvv to see paths)


TASK [wireguard : Generate public keys] ****************************************
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: configs/1.2.3.4/wireguard//.pki//private/phone"}

PLAY RECAP *********************************************************************
localhost                  : ok=68   changed=12   unreachable=0    failed=1   

@jackivanov
Collaborator

It's covered in the troubleshooting guide
