I'm working with ruby 2.5.5 and I'm starting the server like so:
RAILS_MASTER_KEY=[MY_KEY] RAILS_ENV=staging MY_DATABASE_PASSWORD=[MY_PW] bin/rails server -b 0.0.0.0
that works, now I want to generate migrations like so:
RAILS_MASTER_KEY=[MY_KEY] RAILS_ENV=staging MY_DATABASE_PASSWORD=[MY_PW] bin/rails generate migration CreateJoinTableMyTable column1 foreignKey
And I get the following error:
/path/to/.rvm/gems/ruby-2.5.5/gems/activesupport-5.2.3/lib/active_support/encrypted_file.rb:96:in `handle_missing_key': Missing encryption key to decrypt file with. Ask your team for your master key and write it to /Users/BaxterStockman/empiric/hyperion-backend-webapp/config/master.key or put it in the ENV['RAILS_MASTER_KEY']. (ActiveSupport::EncryptedFile::MissingKeyError)
I also wrote the RAILS_MASTER_KEY into ~/.bashrc and reload the profile but that didn't do anything.
Anyone an idea why this error gets thrown?
What's the rails version? It shows you the error that you should have a file config/master.key in app folder. It's required to decrypt the credentials.yml.enc.
Just add that file by asking your colleagues or if you don't have one, generate via
EDITOR="code --wait" rails credentials:edit
You might google which EDITOR= instead of code you'd use as I don't know that. Just make sure the editor won't be closed immediately, that's why for VSCode I had to use --wait argument.
Afterwards, you might place RAILS_MASTER_KEY in credentials.yml.enc.
Since Rails 5.2 credentials file appeared, so you don't need to store keys in operating system's ENV variables.
Related
Rails 7
I am running into some issues using [Rails.env.to_sym]. Some config files understand it, and some do not.
Doing some research, it seems as if I can generate different credentials files, for each runtime environment. For instance:
rails credentials:edit --environment development
rails credentials:edit --environment test
Does this mean that Rails will pick the appropriate credentials file, based on the rails environment setting (test, development, etc.)?
That’s correct — the main credentials file (credentials.yml.enc) is overwritten by environment-specific files.
If you run bin/rails credentials:edit -h from the command line, you’ll see this:
=== Environment Specific Credentials
The `credentials` command supports passing an `--environment` option to create an environment specific override. That override will take precedence over the global `config/credentials.yml.enc` file when running in that environment. So:
bin/rails credentials:edit --environment development
will create `config/credentials/development.yml.enc` with the corresponding encryption key in `config/credentials/development.key` if the credentials file doesn't exist.
One tiny gotcha for me — I ran into an error trying to generate environment-specific credentials file (part of error below):
`binwrite': No such file or directory # rb_sysopen - config/credentials/test.yml.enc.tmp
My fix was creating the empty folder first (config/credentials) and then re-running command (e.g., bin/rails credentials:edit --environment test)
When I open the file this way:
EDITOR="atom --wait" bin/rails credentials:edit
I get a brand new file that is assigned a new name (a number.credentials.yml) and reports "New credentials encrypted and saved," and I am not given the opportunity to edit the file.
Then I type:
bin/rails credentials:show
and I get the default aws: 123 etc....
So I delete both the credentials.yml.enc and the master key and start over, with the same results. the new credentials.yml.enc is created with the default verbage, but I cannot edit it.
I am using ruby 2.5.3 and rails 5.2.2. Ubuntu 18.04 if that matters. I have followed all the recommendations given elsewhere on this exact topic, but nothing works for me.
With rails credentials:show, you cannot edit your credentials.yml. You have to use EDITOR="atom --wait" rails credentials:edit to edit your credentails.yml.
Delete your master.key than you need to run the command EDITOR="atom --wait" rails credentials:edit which it won't find the master.key and creates new one with crendetials.yml.enc. After that, add some stuffs and close that file with CTRL + W. Now you can see the result with rails credentials:show.
I was having the exact same issue. It appears the issue is the quotes surrounding the specified text editor. (Note: I am running MacOS, not Ubuntu):
Doesn't work as intended
EDITOR=“vim” rails credentials:edit
New credentials encrypted and saved.
But I didn't want to create new credentials. I wanted to edit my existing credentials.yml.enc file.
Works as intended
EDITOR=vim rails credentials:edit
This does what I expect: opens up the credentials.yml.enc file in vim in an unencrypted format.
You need install vim for ubuntu, use this commmand:
sudo apt-get install vim
I had the same problem and solutioned with that. ;)
I've just created a new Rails project, and it came with this credentials.yml.enc file.
Is it safe to commit it publicly?
What David Heinemeier Hansson said here:
These secrets are not supposed to withstand any sort of attack in test or development.
As far I understood you should not keep damn secret credentials here, and then it's good to publish in public.
It's only in production (and derivative environments, like exposed betas) where the secret actually needs to be secret. So we can simply insert this secret into the new flat credentials.yml.enc file.
And at the end he mentioned:
Note: We should just keep Rails.secrets and friends around. The Rails.credentials setup would be a new, concurrent approach. All new apps would use it, but we wouldn't need to screw existing apps.
Hope it would help. For more, follow this.
I finally understood it.
Read this https://blog.saeloun.com/2019/10/10/rails-6-adds-support-for-multi-environment-credentials.html first.
For test and development env, you can simply remove the master.key and you will find that rails s works well.
You can run rails console, then run Rails.application.credentials.config to see that the value.
But if you have a wrong master.key there and run rails s, you will get an error.
But if you removed master.key, you will find that rails s -e production doesn't work.
If you have the correct value of master.key, you can run EDITOR=vim rails credentials:edit to edit it.
If you don't have the correct value of master.key, when you run EDITOR=vim rails credentials:edit,
it will generate a new master.key for you but unfortunately that master.key is a wrong one.
This is reasonable because it makes the credentials.yml.enc unable to be decrypt unless you have already got a correct master.key.
So you can remove the credentials.yml.enc and master.key and run EDITOR=vim rails credentials:edit to generate a new pair.
But before you do that, you should remove master.key and run rails console, then run Rails.application.credentials.config to
understand what values you need to set when running EDITOR=vim rails credentials:edit.
All the Rails instance in production env should have the same credentials.yml.enc and master.key.
So you should keep credentials.yml.enc in your sources code.
credentials.yml.enc why not? This is encrypted file and it doesn't have any information without a key.
But master.key you must keep in secret!!! It may decrypt your file.
You can push the credentials.yml.enc file to production. Just remove the master.key. They are meant to be pushed to production. However, if you are skeptical about this then save it to some local server, and when you are deploying make code to pull the file and master.key. This can be done using Capistrano tasks if you prefer this.
So I am trying to get my rails app to deploy in production mode, but I get the error: Missing secret_token and secret_key_base for 'production' environment, set these values in config/secrets.yml
My secrets.yml file is as expected:
development:
secret_key_base: xxxxxxx
test:
secret_key_base: xxxxxxx
production:
secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
But even after google and research, I have no idea what to do with the production secret key base. Most of the info out there assumes I have certain background knowledge, but the reality is that I'm a noob.
Can anyone explain to me how to set my secret key and get this to work in production mode?
You can generate the key by using following commands
$ irb
>> require 'securerandom'
=> true
>> SecureRandom.hex(64)
=> "3fe397575565365108556c3e5549f139e8078a8ec8fd2675a83de96289b30550a266ac04488d7086322efbe573738e7b3ae005b2e3d9afd718aa337fa5e329cf"
>> exit
The errors you are getting just indicate that the environment variable for secret_key_base are not properly set on the server.
You can use various scripts like capistrano that automate the process of setting these before the application is run.
As for a quick fix try this:
export SECRET_KEY_BASE=YOUR SECRET BASE
Validate the environment variables and check if these have been set.
Command:
env | grep -E "SECRET_TOKEN|SECRET_KEY_BASE"
If your values pop up then these are set on the production server.
Also it is best practice to use ENV.fetch(SECRET_KEY) as this will raise an exception before the app even tries to start.
This answer helped me a lot. He indicates you how to config the secrets.yml file in production and how to read it from the environment:
original link:
https://stackoverflow.com/a/26172408/4962760
I had the same problem and I solved it by creating an environment
variable to be loaded every time that I logged in to the production
server and made a mini guide of the steps to configure it:
https://gist.github.com/pablosalgadom/4d75f30517edc6230a67
I was using Rails 4.1 with Unicorn v4.8.2, when I tried to deploy my
app it didn't start properly and in the unicorn.log file I found this
error message:
"app error: Missing secret_key_base for 'production' environment, set
this value in config/secrets.yml (RuntimeError)"
After some research I found out that Rails 4.1 changed the way to
manage the secret_key, so if you read the secrets.yml file located at
[exampleRailsProject]/config/secrets.yml you'll find something like
this:
Do not keep production secrets in the repository,
instead read values from the environment. production: secret_key_base: <%= ENV["SECRET_KEY_BASE"] %> This means that rails
recommends you to use an environment variable for the secret_key_base
in your production server, in order to solve this error you should
follow this steps to create an environment variable for Linux (in my
case Ubuntu) in your production server:
1.- In the terminal of your production server execute the next command:
$ RAILS_ENV=production rake secret This returns a large string with
letters and numbers, copy that (we will refer to that code as
GENERATED_CODE).
2.1- Login as root user to your server, find this file and edit it: $ vi /etc/profile
Go to the bottom of the file ("SHIFT + G" for capital G in VI)
Write your environment variable with the GENERATED_CODE (Press "i" key
to write in VI), be sure to be in a new line at the end of the file:
export SECRET_KEY_BASE=GENERATED_CODE Save the changes and close the
file (we push "ESC" key and then write ":x" and "ENTER" key for save
and exit in VI)
2.2 But if you login as normal user, lets call it example_user for this gist, you will need to find one of this other files:
$ vi ~/.bash_profile $ vi ~/.bash_login $ vi ~/.profile These files
are in order of importance, that means that if you have the first
file, then you wouldn't need to write in the others. So if you found
this 2 files in your directory "~/.bash_profile" and "~/.profile" you
only will have to write in the first one "~/.bash_profile", because
Linux will read only this one and the other will be ignored.
Then we go to the bottom of the file ("SHIFT + G" for capital G in VI)
And we will write our environment variable with our GENERATED_CODE
(Press "i" key to write in VI), be sure to be in a new line at the end
of the file:
export SECRET_KEY_BASE=GENERATED_CODE Having written the code, save
the changes and close the file (we push "ESC" key and then write ":x"
and "ENTER" key for save and exit in VI)
3.- You can verify that our environment variable is properly set in Linux with this command:
$ printenv | grep SECRET_KEY_BASE or with:
$ echo $SECRET_KEY_BASE When you execute this command, if everything
went ok, it will show you the GENERATED_CODE from before. Finally with
all the configuration done you should be able to deploy without
problems your Rails app with Unicorn or other.
When you close your shell terminal and login again to the production
server you will have this environment variable set and ready to use
it.
And thats it!! I hope this mini guide help you to solve this error.
Disclaimer: I'm not a Linux or Rails guru, so if you find something
wrong or any error I will be glad to fix it!
nowadays (rails 6) rails generate a secret key base in tmp/development_secret.txt for you.
and in production environment the best is having SECRET_KEY_BASE as en env variable, it will get picked up by rails.
you can check with Rails.application.secret_key_base.
should give you a long string of numbers and characters from 'a' to 'f' (a 128 chars long hexadecimal encoded string)
As you can see, there is a hardcoded value for the development and test environments, but the one for production comes from a variable. First of all, why this way? It is a security feature. This way, if you check this file into version control such as git or svn, the development and test values get shared, which is fine, but the production one (the one that would be used on a real website) isn't, so no one can look at the source to get that secret.
As for the variable used, ENV["SECRET_KEY_BASE"], this is an environment variable from the environment Rails is run in (not to be confused with the Rails "environment", such as development, test, and production). These environment variables come from the shell. As mentioned in JensD's post, you can set this environment variable temporarily with:
export SECRET_TOKEN=YOUR SECRET TOKEN
export SECRET_KEY_TOKEN=YOUR SECRET BASE
To generate a new secret token, use the rake secret command in the command line.
That is temporary, however, and not a good final solution. For a final solution, check out this article which has a quick bit near the end on implementing dotenv to load configuration secrets. Remember, if you use version control, be sure to exclude your .env file from being checked in!
Setting dotenv up takes a little bit of work, but I highly recommend it over trying to manually configure these environment variables.
So I am trying to deploy my rails app in production. When I go to the page I get a 500 error. When I go to my error logs I get the following error:
Exception RuntimeError in Rack application object (Missing `secret_key_base` for 'production' environment, set this value in `config/secrets.yml`)
I am running Rails 4.1 and my config/secrets.yml looks like this:
development:
secret_key_base: <development key>
test:
secret_key_base: <test key>
# Do not keep production secrets in the repository,
# instead read values from the environment.
production:
secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
I ran rake secret to get the key and put the export in my bash_profile and sourced it. I ran rake assets:precompile successfully. Yet I still keep getting this error. Any ideas?
Update: I tried to update the error message provided to give slightly better information....and the message didn't update. I then tried adding the key directly to the yml file instead of using an environment variable and still no dice. Im running on hostmonster so I can't restart the server.....but something is telling me thats what needs to be done...
Update 2: After sleeping through the night it seems that this issue is no longer an issue. It must have been some sort of caching. Now my issue is that its trying to use an old config that i changed days ago for my database. If I figure out how to nullify the cache I will post it here and mark it as an answer. If someone else knows how to do it please let me know and I will mark it as an answer. I am using HostMonster as my hosting and followed the steps they have on their site for hosting my rails app.
I had the same problem and I solved creating an environment variable to be loaded every time that I login to the production server and made a mini guide of the steps to configure it by your self:
So I was using Rails 4.1 with Unicorn v4.8.2 and when I tried to deploy my app it doesn't start properly and into the unicorn.log file i found this error message:
app error: Missing secret_key_base for 'production' environment, set this value in config/secrets.yml (RuntimeError)
After a little research I found that Rails 4.1 change the way to manage the secret_key, so if we read the secrets.yml file located at exampleRailsProject/config/secrets.yml (you need to replace "exampleRailsProject" for your project name) you will find something like this:
# Do not keep production secrets in the repository,
# instead read values from the environment.
production:
secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
This means that rails recommends you to use an environment variable for the secret_key_base in our production server, so in order to solve this error you will need to follow this steps to create an environment variable for linux (in my case it is Ubuntu) in our production server:
1.- In the terminal of our production server you will execute the next command:
$ RAILS_ENV=production rake secret
This will give a large string with letters and numbers, this is what you need, so copy that (we will refer to that code as GENERATED_CODE).
2.1- Now if we login as root user to our server we will need to find this file and open it:
$ vi /etc/profile
Then we go to the bottom of the file ("SHIFT + G" for capital G in VI)
And we will write our environment variable with our GENERATED_CODE (Press "i" key to write in VI), be sure to be in a new line at the end of the file:
export SECRET_KEY_BASE=GENERATED_CODE
Having written the code we save the changes and close the file (we push "ESC" key and then write ":x" and "ENTER" key for save and exit in VI)
2.2 But if we login as normal user, lets call it example_user for this gist, we will need to find one of this other files:
$ vi ~/.bash_profile
$ vi ~/.bash_login
$ vi ~/.profile
These files are in order of importance, that means that if you have the first file, then you wouldn't need to write in the others. So if you found this 2 files in your directory "~/.bash_profile" and "~/.profile" you only will have to write in the first one "~/.bash_profile", because linux will read only this one and the other will be ignored.
Then we go to the bottom of the file ("SHIFT + G" for capital G in VI)
And we will write our environment variable with our GENERATED_CODE (Press "i" key to write in VI), be sure to be in a new line at the end of the file:
export SECRET_KEY_BASE=GENERATED_CODE
Having written the code we save the changes and close the file (we push "ESC" key and then write ":x" and "ENTER" key for save and exit in VI)
3.-We can verify that our environment variable is properly set in linux with this command:
$ printenv | grep SECRET_KEY_BASE
or with:
$ echo $SECRET_KEY_BASE
When you execute this command, if everything went ok, it will show you the GENERATED_CODE that we generated before. Finally with all the configuration done you can deploy without problems your Rails app with Unicorn or other.
Now when you close your shell terminal and login again to the production server you will have this environment variable set and ready to use it.
And Thats it!! I hope this mini guide help you to solve this error.
You need to restart your server, because after YourAppName::Application.initialize! called in config/environment.rb you can not change your settings.
Checkout your yml markup, probably there some errors
Probably something wrong in your config/initializers/secret_token.rb
The problem is not with ENV pseudo-hash. secret_key_base will be nil if in ENV no such a key.