LycheeOrg / Lychee-Docker

Docker image for Lychee
https://lycheeorg.github.io/

Lychee stops working after restart - Unsupported cipher or incorrect key length #211

Closed D4VID0x2 closed 25 minutes ago

D4VID0x2 commented 3 hours ago

I set up a Lychee instance and I can finish the installation successfully and it works just fine, but when I restart the server it stops working and just returns

500
HttpException
Unsupported cipher or incorrect key length. Supported ciphers are: aes-128-cbc, aes-256-cbc, aes-128-gcm, aes-256-gcm.

It is behind a reverse proxy which I have specified in the env file.

Docker compose:

#-------------------------------------------
#  Docker Compose
# @RobLandry
# Repo : https://github.com/LycheeOrg/Lychee-Docker
#-------------------------------------------

services:
  lychee_db:
    container_name: lychee_db
    image: mariadb:11
    env_file: db.env
    expose:
      - 3306
    volumes:
      - mysql:/var/lib/mysql
    networks:
      - lychee
    restart: unless-stopped

  lychee:
    image: lycheeorg/lychee:latest
    container_name: lychee
    ports:
      - 8181:80
    volumes:
      - /srv/lychee/conf:/conf
      - /srv/lychee/uploads:/uploads
      - /srv/lychee/sym:/sym
      - /srv/lychee/logs:/logs
      - /srv/lychee/tmp:/lychee-tmp
    networks:
      - lychee
    env_file: lychee.env
    restart: unless-stopped
    depends_on:
      - lychee_db

networks:
  lychee:

volumes:
  mysql:

lychee.env:

APP_NAME=Lychee
APP_ENV=production
APP_KEY=
APP_DEBUG=false
# This MUST contain the host name up to the Top Level Domain (tld) e.g. .com, .org etc.
APP_URL=https://[host]
APP_FORCE_HTTPS=true

# If using Lychee in a sub folder, specify the path after the tld here.
# For example for https://lychee.test/path/to/lychee
# Set APP_URL=https://lychee.test
# and APP_DIR=/path/to/lychee
# We (LycheeOrg) do not recommend the use of APP_DIR.
# APP_DIR=

# enable or disable debug bar. By default it is disabled.
# Do note that this disables CSP!!
DEBUGBAR_ENABLED=false

# enable or disable the v5 layout.
LIVEWIRE_ENABLED=true

# enable or disable log viewer. By default it is enabled.
LOG_VIEWER_ENABLED=true

# enable s3 bucket (required in addition to needing AWS_ACCESS_KEY_ID)
# S3_ENABLED=true

# If you spread old links to your albums in your Lychee instance starting with
# https://lychee.text/#albumID/PhotoId
# Set this value to true to enable redirection.
LEGACY_V4_REDIRECT=false

##############################################################################
# IMPORTANT: To migrate from Lychee v3 you *MUST* use the same MySQL/MariaDB #
#            server as v3.                                                   #
##############################################################################

# Table prefix (e.g. lychee_) of a Lychee v3 instance for migration
DB_OLD_LYCHEE_PREFIX=

# DB_CONNECTION can be sqlite, mysql or pgsql. For sqlite the other entries are
# not required, but an existing sqlite3 database may be specified if desired. In
# this case, please use an absolute path. DB_DATABASE may be omitted but should
# *not* be left blank.
DB_CONNECTION=mysql
DB_HOST=lychee_db
DB_PORT=3306
DB_DATABASE=lychee
DB_USERNAME=lychee
DB_PASSWORD="[db password]"
DB_LOG_SQL=false
DB_LOG_SQL_EXPLAIN=false #only for MySQL

# List foreign keys in diagnostic page
DB_LIST_FOREIGN_KEYS=false

# Application timezone. If not specified, the server's default timezone is used.
# Requires a named timezone identifier.
# See https://www.php.net/manual/en/timezones.php for the list of supported timezones.
# Don't use a timezone offset (like +01:00) or a timezone abbreviation (like CEST)
TIMEZONE=[timezone]

# Visibility of directories and (media) files in LYCHEE_UPLOADS
# Possible values are:
#
#  - private: world group has neither read nor write access
#  - public: world group has read access but no write access (the default)
#  - world: world group has read and write access
#
# The default should suffice for most installations.
# For improved security, change this setting to "private".
# Some rare setups may require directories and files to be world writeable.
# In this case, use "world" here.
# USE WITH PRECAUTIONS: world writeable files and folders may be a SECURITY RISK.
LYCHEE_IMAGE_VISIBILITY=private

# folders in which the files will be stored
# LYCHEE_UPLOADS="/var/www/html/Lychee-Laravel/public/uploads/"
# LYCHEE_DIST="/var/www/html/Lychee-Laravel/public/dist/"
# LYCHEE_SYM="/var/www/html/Lychee-Laravel/public/sym/"
# url to access those files
# LYCHEE_UPLOADS_URL="uploads/"
# LYCHEE_DIST_URL="dist/"
# LYCHEE_SYM_URL="sym/"

# Support for token based authentication used by API requests. Enabled by default.
# ENABLE_TOKEN_AUTH=true

CACHE_DRIVER=file
SESSION_DRIVER=file
SESSION_LIFETIME=120
# `sync` if jobs need to be executed live (default) or `database` if they can be deferred.
QUEUE_CONNECTION=sync

SECURITY_HEADER_HSTS_ENABLE=false
SECURITY_HEADER_CSP_CONNECT_SRC=
SECURITY_HEADER_SCRIPT_SRC_ALLOW=
SESSION_SECURE_COOKIE=false

# REDIS_HOST=127.0.0.1
# REDIS_PASSWORD=null
# REDIS_PORT=6379

# MAIL_DRIVER=smtp
# MAIL_HOST=
# MAIL_PORT=
# MAIL_USERNAME=
# MAIL_PASSWORD=
# MAIL_ENCRYPTION=
# MAIL_FROM_NAME=
# MAIL_FROM_ADDRESS=

# The trusted proxies if Lychee is behind a reverse proxy
# Accepted values:
#  - `null`: no proxy
#  - `*`: any proxy
#  - <ip address>[,<ip address>]: a comma-separated list of IP addresses
TRUSTED_PROXIES=[proxy ip]

# Comma-separated list of class names of diagnostics checks that should be skipped.
#SKIP_DIAGNOSTICS_CHECKS=

# VITE_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
# VITE_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

# Oauth token data
# XXX_REDIRECT_URI should be left as default unless you know exactly what you do.

# AMAZON_SIGNIN_CLIENT_ID=
# AMAZON_SIGNIN_SECRET=
# AMAZON_SIGNIN_REDIRECT_URI=/auth/amazon/redirect

# https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple
# Note: the client secret used for "Sign In with Apple" is a JWT token that can have a maximum lifetime of 6 months.
# The article above explains how to generate the client secret on demand and you'll need to update this every 6 months.
# To generate the client secret for each request, see Generating A Client Secret For Sign In With Apple On Each Request.
# https://bannister.me/blog/generating-a-client-secret-for-sign-in-with-apple-on-each-request
# APPLE_CLIENT_ID=
# APPLE_CLIENT_SECRET=
# APPLE_REDIRECT_URI=/auth/apple/redirect

# FACEBOOK_CLIENT_ID=
# FACEBOOK_CLIENT_SECRET=
# FACEBOOK_REDIRECT_URI=/auth/facebook/redirect

# GITHUB_CLIENT_ID=
# GITHUB_CLIENT_SECRET=
# GITHUB_REDIRECT_URI=/auth/github/redirect

# GOOGLE_CLIENT_ID=
# GOOGLE_CLIENT_SECRET=
# GOOGLE_REDIRECT_URI=/auth/google/redirect

# MASTODON_DOMAIN=https://mastodon.social
# MASTODON_ID=
# MASTODON_SECRET=
# MASTODON_REDIRECT_URI=/auth/mastodon/redirect

# MICROSOFT_CLIENT_ID=
# MICROSOFT_CLIENT_SECRET=
# MICROSOFT_REDIRECT_URI=/auth/microsoft/redirect

# NEXTCLOUD_CLIENT_ID=
# NEXTCLOUD_CLIENT_SECRET=
# NEXTCLOUD_REDIRECT_URI=/auth/nextcloud/redirect
# NEXTCLOUD_BASE_URI=

# KEYCLOAK_CLIENT_ID=
# KEYCLOAK_CLIENT_SECRET=
# KEYCLOAK_REDIRECT_URI=/auth/keycloak/redirect
# KEYCLOAK_BASE_URL=
# KEYCLOAK_REALM=

# AWS support data

# AWS_ACCESS_KEY_ID=
# AWS_SECRET_ACCESS_KEY=
# AWS_DEFAULT_REGION=
# AWS_BUCKET=
# AWS_URL=
# AWS_ENDPOINT=
# AWS_IMAGE_VISIBILITY=
# AWS_USE_PATH_STYLE_ENDPOINT=
ildyria commented 2 hours ago

Option 1: look in the .env in your conf/ to see what the value is and check that it matches what you expect. Option 2: run docker exec lychee php artisan key:generate

Also remove that line from your lychee.env, as it is messing up your config.

D4VID0x2 commented 1 hour ago

Option 1: look in the .env in your conf/ to see what the value is and check that it matches what you expect. Option 2: run docker exec lychee php artisan key:generate Also remove that line from your lychee.env, as it is messing up your config.

Thank you for the quick reply.
What line should I remove?
I took the env file from the setup tutorial on the website.

ildyria commented 31 minutes ago

Yes, but that is not the way Docker works. You are setting env_file: lychee.env, which means that the environment variables of .env are loaded into Docker. But that does not mean that they are used in Lychee. In our case we are injecting those into conf/.env. Now if you restart your server and the installation has already been run, it will assume that conf/.env is properly populated; however, it will still be updated with the values provided by Docker.

In your case you should remove the APP_KEY= from your lychee.env

This is also why we provide a docker compose file directly: https://github.com/LycheeOrg/Lychee-Docker/blob/master/docker-compose.yml with only the minimum values needed to run lychee.
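The behaviour ildyria describes in the two replies above, written out as an added example (Python; this is not Lychee's code and not part of the thread). It parses two env files the way the compose setup layers them, shows that a present-but-empty APP_KEY= in the env_file overwrites the key the installer generated in conf/.env, and checks the resulting key against the cipher/key-length rule that produces the 500 quoted in the issue. The cipher-to-key-size table matches the ciphers listed in the error message; the file contents, the generated key and all helper names are constructed for this example.

```python
"""Check a Laravel-style APP_KEY the way the encrypter will, and show how an
empty APP_KEY= in a Docker env_file clobbers the key generated in conf/.env."""
import base64
import os
from typing import Dict, Optional

# Key sizes the supported ciphers require (the four ciphers named in the error).
SUPPORTED_CIPHERS = {
    "aes-128-cbc": 16,
    "aes-256-cbc": 32,
    "aes-128-gcm": 16,
    "aes-256-gcm": 32,
}


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines from an env file. Comments and blank lines are
    skipped, surrounding double quotes are stripped. A bare 'KEY=' yields the
    empty string, which is the case that matters here: set-but-empty, not unset."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.split(" #", 1)[0].strip()  # drop a trailing inline comment
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        env[key.strip()] = value
    return env


def decode_app_key(app_key: str) -> bytes:
    """Laravel stores keys as 'base64:<b64>'; any other value is used as raw bytes."""
    if app_key.startswith("base64:"):
        return base64.b64decode(app_key[len("base64:"):], validate=True)
    return app_key.encode("utf-8")


def key_error(app_key: str, cipher: str = "aes-256-cbc") -> Optional[str]:
    """Return None if the key is usable with the cipher, otherwise the reason."""
    size = SUPPORTED_CIPHERS.get(cipher.lower())
    if size is None:
        return f"unsupported cipher {cipher!r}"
    try:
        key = decode_app_key(app_key)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return f"APP_KEY is not valid base64: {exc}"
    if len(key) != size:
        return f"incorrect key length: got {len(key)} bytes, {cipher} needs {size}"
    return None


def effective_env(conf_env: str, docker_env: str) -> Dict[str, str]:
    """Model of the start-up behaviour described above: every variable present in
    the Docker env_file is written over conf/.env, so APP_KEY= (present, empty)
    replaces the generated key instead of leaving it alone."""
    merged = parse_env(conf_env)
    merged.update(parse_env(docker_env))
    return merged


def generate_app_key(cipher: str = "aes-256-cbc") -> str:
    """Produce a key in the same shape as `php artisan key:generate` writes."""
    raw = os.urandom(SUPPORTED_CIPHERS[cipher])
    return "base64:" + base64.b64encode(raw).decode("ascii")


def diagnose(conf_env: str, docker_env: str) -> Optional[str]:
    """Error Lychee would hit after a restart with this pair of files, or None."""
    return key_error(effective_env(conf_env, docker_env).get("APP_KEY", ""))


# Constructed sample: conf/.env as the installer left it (key generated here, not real).
INSTALLED_CONF_ENV = f"APP_NAME=Lychee\nAPP_KEY={generate_app_key()}\nAPP_DEBUG=false\n"
# Constructed sample env_file with the offending blank line, as in the posted lychee.env.
BROKEN_DOCKER_ENV = "APP_NAME=Lychee\nAPP_ENV=production\nAPP_KEY=\nAPP_DEBUG=false\n"
# The same file with the APP_KEY= line removed, as the maintainer advises.
FIXED_DOCKER_ENV = "APP_NAME=Lychee\nAPP_ENV=production\nAPP_DEBUG=false\n"

if __name__ == "__main__":
    print("with APP_KEY= in env_file:", diagnose(INSTALLED_CONF_ENV, BROKEN_DOCKER_ENV))
    print("with the line removed:    ", diagnose(INSTALLED_CONF_ENV, FIXED_DOCKER_ENV))
```

Two practical notes. First, `php artisan key:generate` mints a fresh key, so running it on an already-installed instance invalidates anything encrypted under the old one (encrypted cookies and sessions at least); removing the blank APP_KEY= line and keeping the key already in conf/.env is the less disruptive fix. Second, whatever file ends up holding APP_KEY is a secret: keep it out of version control and readable only by the account that runs the container.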

D4VID0x2 commented 25 minutes ago

Okay, thank you.