craftcms / cms

Build bespoke content experiences with Craft.
https://craftcms.com

[4.x]: cookieValidationKey must be configured with a secret key. #15204

Closed loqus closed 2 months ago

loqus commented 2 months ago

What happened?

Description

I moved a server from CentOS to Ubuntu 22 and I got this error in my logs.

An Error occurred while handling another error:
yii\base\InvalidConfigException: craft\web\Request::cookieValidationKey must be configured with a secret key. in /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/web/Request.php:1723
Stack trace:
#0 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/web/Request.php(1705): yii\web\Request->loadCookies()
#1 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/web/User.php(546): yii\web\Request->getCookies()
#2 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/web/User.php(729): yii\web\User->renewIdentityCookie()
#3 /var/www/vhosts/example.com/httpdocs/vendor/craftcms/cms/src/web/User.php(500): yii\web\User->renewAuthStatus()
#4 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/web/User.php(199): craft\web\User->renewAuthStatus()
#5 /var/www/vhosts/example.com/httpdocs/vendor/craftcms/cms/src/web/ErrorHandler.php(273): yii\web\User->getIdentity()
#6 /var/www/vhosts/example.com/httpdocs/vendor/craftcms/cms/src/web/ErrorHandler.php(187): craft\web\ErrorHandler->showExceptionDetails()
#7 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/base/ErrorHandler.php(152): craft\web\ErrorHandler->renderException()
#8 /var/www/vhosts/example.com/httpdocs/vendor/craftcms/cms/src/web/ErrorHandler.php(66): yii\base\ErrorHandler->handleException()
#9 [internal function]: craft\web\ErrorHandler->handleException()
#10 {main}
Previous exception:
yii\base\InvalidConfigException: craft\web\Request::cookieValidationKey must be configured with a secret key. in /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/web/Request.php:1723
Stack trace:
#0 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/web/Request.php(1705): yii\web\Request->loadCookies()
#1 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/web/User.php(546): yii\web\Request->getCookies()
#2 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/web/User.php(729): yii\web\User->renewIdentityCookie()
#3 /var/www/vhosts/example.com/httpdocs/vendor/craftcms/cms/src/web/User.php(500): yii\web\User->renewAuthStatus()
#4 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/web/User.php(199): craft\web\User->renewAuthStatus()
#5 /var/www/vhosts/example.com/httpdocs/vendor/craftcms/cms/src/web/Application.php(436): yii\web\User->getIdentity()
#6 /var/www/vhosts/example.com/httpdocs/vendor/craftcms/cms/src/web/Application.php(112): craft\web\Application->debugBootstrap()
#7 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/base/BaseObject.php(109): craft\web\Application->init()
#8 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/base/Application.php(204): yii\base\BaseObject->__construct()
#9 [internal function]: yii\base\Application->__construct()
#10 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/di/Container.php(419): ReflectionClass->newInstanceArgs()
#11 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/di/Container.php(170): yii\di\Container->build()
#12 /var/www/vhosts/example.com/httpdocs/vendor/yiisoft/yii2/BaseYii.php(365): yii\di\Container->get()
#13 /var/www/vhosts/example.com/httpdocs/vendor/craftcms/cms/src/Craft.php(59): yii\BaseYii::createObject()
#14 /var/www/vhosts/example.com/httpdocs/vendor/craftcms/cms/bootstrap/bootstrap.php(264): Craft::createObject()
#15 /var/www/vhosts/example.com/httpdocs/vendor/craftcms/cms/bootstrap/web.php(40): require('...')
#16 /var/www/vhosts/example.com/httpdocs/web/index.php(233): require('...')
#17 {main}

It seems to be related to yii\web\User or getting the cookies. At first an error was shown to come from Blitz (CacheRequestService.php $user = Craft::$app->getUser()->getIdentity();), but after commenting those parts out it resulted in the above ^^

The security key is set in the .env and in general.php it's set like this:

'securityKey' => getenv('SECURITY_KEY'),

I found one possible solution: edit the php.ini and change variables_order = "GPCS" to variables_order = "EGPCS" in order to load the env first, but that didn't work out.

I also tried to set the cookieValidationKey manually as key in Helpers/App.php, but that also didn't work.

I'm a bit clueless as to how to solve this. The site operates normally in devMode and with Blitz cache enabled, except for the pages that are not found.

Craft CMS version

Pro 4.9.7

PHP version

8.2.20

Operating system and version

Ubuntu 22

Database type and version

MariaDB 10.6.16

Image driver and version

Imagick 3.7.0 (ImageMagick 6.9.11-60)

Installed plugins and versions

- Blitz

michtio commented 2 months ago

First of all I would not use getenv() to fetch the ENV variables, but use Craft's built in helper:

use craft\helpers\App;

App::env('SECURITY_KEY')

This error mainly stems from the fact your security couldn't be read, or is invalid. Have you tried out dumping to see if getenv() actually returns the correct value in your config? Normally you shouldn't need to touch variables_order.

Are you sure securityKey => is loaded in all environments, and not on a specific one?

loqus commented 2 months ago

Thanks for your feedback. getenv('SECURITY_KEY') returns the right value, but I've replaced it with your suggestion:

'securityKey' => App::env('SECURITY_KEY'),

This is loaded in the return array:

return [
    // Global settings
    '*' => [
        .....
        'securityKey' => App::env('SECURITY_KEY'),
        ......
    ]
]

The error remains in the logs.

loqus commented 2 months ago

P.S. This error only shows in the phperrors log when devMode is false and the URL does not exist. All found URLs and routes just work fine.

brandonkelly commented 2 months ago

Is a SECURITY_KEY environment variable actually defined? You can be 100% sure by going to Utilities → PHP Info and searching for SECURITY_KEY.

Craft 4+ installs will have CRAFT_SECURITY_KEY by convention, so check if that’s what’s actually getting defined. If you have that, you will be able to safely remove the securityKey config setting from general/config.php as CRAFT_* environment variables will get set to their corresponding config settings automatically – see Environment Overrides.

loqus commented 2 months ago

Yes, the environment value can be found in Utilities->PHP Info (as environment $_SERVER and $_ENV variable). I've added the CRAFT_SECURITY_KEY and the error has disappeared. I think it might be related to coming from V2 all the way to almost V5 and missing some steps between versions. Thanks for guiding me.
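
The checks discussed in this thread (is the key defined, under which name, and through which PHP source), as an added example that is not part of the original thread or Craft's own code. The function name describeEnvVar is hypothetical; it reports presence, length and a short fingerprint instead of dumping the secret, and standalone it sees only the process environment, not a project's .env file.

```php
<?php
// Added diagnostic (not Craft code): reports where each key name is visible
// to PHP without ever printing the secret itself. Run it through the same
// SAPI as the site (web vs. CLI environments can differ), or call
// describeEnvVar() from inside the app after its .env has been loaded.

/**
 * Describe one environment variable across the three places PHP may expose it.
 * Returns e.g. ['getenv' => 'set len=32 fp=ab12cd34', '$_ENV' => 'missing', ...]
 * (constructed sample values).
 */
function describeEnvVar(string $name): array
{
    $sources = [
        'getenv'   => getenv($name),           // false when not defined
        '$_ENV'    => $_ENV[$name] ?? false,   // needs "E" in variables_order
        '$_SERVER' => $_SERVER[$name] ?? false,
    ];

    $report = [];
    foreach ($sources as $source => $value) {
        if ($value === false) {
            $report[$source] = 'missing';
        } elseif (!is_string($value) || trim($value) === '') {
            // Defined but blank: a secret key setting would still be unusable.
            $report[$source] = 'EMPTY';
        } else {
            // Truncated SHA-256 lets two names be compared without
            // writing the secret to a page or a log.
            $fp = substr(hash('sha256', $value), 0, 8);
            $report[$source] = sprintf('set len=%d fp=%s', strlen($value), $fp);
        }
    }
    return $report;
}

printf("SAPI: %s, variables_order: %s\n", PHP_SAPI, ini_get('variables_order'));
foreach (['SECURITY_KEY', 'CRAFT_SECURITY_KEY'] as $name) {
    foreach (describeEnvVar($name) as $source => $status) {
        printf("%-20s %-9s %s\n", $name, $source, $status);
    }
}
```

Matching fingerprints for SECURITY_KEY and CRAFT_SECURITY_KEY mean both names carry the same value; remove the script from the web root after use.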