Open sandeep-npg opened 1 year ago
Hi @sandeep-npg, can you share an example of the settings you are using? Please redact any passwords or PII.
Hi @justindbaur -
I may have just figured this out. This happens when I try to connect to a restarted container. It appears that the container dynamically generates the key used to encrypt the antiforgery token/cookie and loses it (understandably) upon restart. Is a mapped volume (at /etc/bitwarden) necessary in addition to a database (I'm using MySQL) or is it possible to save all required state to the database?
===Settings===========
BW_DOMAIN passwordsdev.napierparkglobal.com
BW_DB_PROVIDER mysql
BW_DB_SERVER sharedmysqldev.napierparkglobal.com
BW_DB_DATABASE bitwarden
BW_DB_USERNAME bitwarden
BW_DB_PASSWORD **
BW_INSTALLATION_ID **
BW_INSTALLATION_KEY **
BW_ENABLE_SSO TRUE
adminSettingsadmins sandeep.singh@napierparkglobal.com
globalSettingsmailreplyToEmail sandeep.singh@napierparkglobal.com
globalSettingsmailsmtphost email-smtp.us-east-1.amazonaws.com
globalSettingsmailsmtpport 587
globalSettingsmailsmtpssl TRUE
globalSettingsmailsmtpusername **
globalSettingsmailsmtppassword **
Yes, a volume mapped to /etc/bitwarden is necessary. That is where the key will be saved, and if it's not there it will generate a new one each startup. It was not as required once upon a time, but we now encrypt certain DB columns with that key, so it's a requirement for it to be mapped somewhere.
We don't currently support, or plan to support, persisting that key to the database.
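A check for the requirement described above, as an added example that is not part of the thread or of Bitwarden's code: it reads `docker inspect` JSON and classifies how /etc/bitwarden is backed in each container. It assumes a Docker runtime; the container names and sample JSON are constructed, and treating a 64-character hex volume name as an anonymous volume is a heuristic.

```python
import json
import re

# Heuristic (assumption): Docker gives anonymous volumes a 64-character hex name.
ANON_VOLUME = re.compile(r"^[0-9a-f]{64}$")


def check_key_mount(inspect_json, path="/etc/bitwarden"):
    """Map container name -> how `path` is backed, from `docker inspect` JSON."""
    results = {}
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        mount = next((m for m in container.get("Mounts", [])
                      if m.get("Destination", "").rstrip("/") == path), None)
        if mount is None:
            status = "missing"            # key lives only inside the container
        elif mount.get("Type") == "tmpfs":
            status = "ephemeral"          # in-memory, gone when the container stops
        elif mount.get("Type") == "volume" and ANON_VOLUME.match(mount.get("Name", "")):
            status = "anonymous-volume"   # not reattached to a recreated container
        elif not mount.get("RW", False):
            status = "read-only"          # a newly generated key cannot be saved
        else:
            status = "ok"
        results[name] = status
    return results


# Constructed sample in the shape of `docker inspect` output (hypothetical containers).
SAMPLE = json.dumps([
    {"Name": "/bw-bare", "Mounts": []},
    {"Name": "/bw-anon", "Mounts": [{"Type": "volume", "Name": "0123456789abcdef" * 4,
                                     "Destination": "/etc/bitwarden", "RW": True}]},
    {"Name": "/bw-ro", "Mounts": [{"Type": "bind", "Source": "/srv/bitwarden",
                                   "Destination": "/etc/bitwarden", "RW": False}]},
    {"Name": "/bw-named", "Mounts": [{"Type": "volume", "Name": "bitwarden-data",
                                      "Destination": "/etc/bitwarden", "RW": True}]},
])

if __name__ == "__main__":
    for name, status in check_key_mount(SAMPLE).items():
        print(f"{name}: {status}")
```

Any status other than `ok` means the key under /etc/bitwarden may not survive the container being replaced, which is the condition behind the "was not found in the key ring" error in this issue.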
ok - thank you!
I'm seeing another issue after crossing that one. When trying to send out email using AWS SES I'm getting the error below - essentially MailKit fails to authenticate the SMTP server over SSL/TLS.
I do not get this in my local dev environment (with a mapped volume). I am able to successfully log in to "/admin" and get the email sent out using the same SES credentials. Is this also related to the mapped volume?
It appears the certificate of your server isn't valid. You can override that check by adding globalSettings__mail__smtp__trustServer=true to your settings file. As shown here this is not recommended for production and it would be better to get a trusted cert.
I have the same issue with mailing.
The server's SSL certificate could not be validated for the following reasons:
• The server certificate has the following errors:
  • unable to get certificate CRL
  • unable to get certificate CRL
• An intermediate certificate has the following errors:
  • unable to get certificate CRL
  • unable to get certificate CRL
The certificates in the chain are all valid, they just do not include a CRL endpoint.
Steps To Reproduce
Go to /admin
Expected Result
Log in to /admin console
Actual Result
The page does not load for a long time and eventually times out. Logs show an error "Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted."
Screenshots or Videos
No response
Additional Context
Error in the logs
2023-05-17T12:27:04.902-04:00 fail: Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery[7]
2023-05-17T12:27:04.902-04:00 => SpanId:0d294eb19f860334, TraceId:6ebc560d8a5b80d2b6070fb09acb5e8f, ParentId:0000000000000000 => ConnectionId:0HMQMUE6H33RK => RequestPath:/admin/login RequestId:0HMQMUE6H33RK:00000002 => Bit.Admin.Auth.Controllers.LoginController.Index (Admin)
2023-05-17T12:27:04.902-04:00 An exception was thrown while deserializing the token.
2023-05-17T12:27:04.902-04:00 Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted.
2023-05-17T12:27:04.902-04:00 ---> System.Security.Cryptography.CryptographicException: The key {0942ed38-9689-44bb-a91b-c96fbebe279e} was not found in the key ring. For more information go to http://aka.ms/dataprotectionwarning
2023-05-17T12:27:04.902-04:00 at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
2023-05-17T12:27:04.902-04:00 at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
2023-05-17T12:27:04.902-04:00 at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2023-05-17T12:27:04.902-04:00 --- End of inner exception stack trace ---
2023-05-17T12:27:04.902-04:00 at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2023-05-17T12:27:04.902-04:00 at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)
Githash Version
8d9ca424-dirty
Environment Details
Database Image
mysql: 8.0.28
Issue-Link
https://github.com/bitwarden/server/issues/2480