I am storing my secret key in environment and /config/environments/production.rb has config.require_master_key = true uncommented
config.require_master_key = true
When running
RAILS_ENV=production bundle exec rake assets:precompile
I get the error
/Users/something/Development/wwwroot/trivial/config/environment.rb:5:in `<main>'
/Users/something/.rbenv/versions/2.5.1/bin/bundle:23:in `load'
/Users/something/.rbenv/versions/2.5.1/bin/bundle:23:in `<main>'
Caused by:
ArgumentError: key must be 16 bytes
/Users/something/Development/wwwroot/trivial/config/environment.rb:5:in `<main>'
/Users/something/.rbenv/versions/2.5.1/bin/bundle:23:in `load'
/Users/something/.rbenv/versions/2.5.1/bin/bundle:23:in `<main>'
Tasks: TOP => environment
any ideas on how to fix this error? What else can I do?
Your problem is that the key you generated is longer of what rails expects https://github.com/rails/rails/issues/33528#issuecomment-412677795
Solution
You can recreate a new one by deleting your master.key and credentials.yml.enc and run
rails credentials:edit
I faced the same issue while setting up a Rails 6.0 application on Ubuntu in production.
I was using the figaro gem for my environment variables.
The issue was that I was copying the content of the secret_key_base instead of the master_key
Here's how I solved it
Delete the previous master.key and the credentials.yml.enc file
Recreate a new master.key and credentials.yml.enc:
rails credentials:edit
OR
EDITOR="code --wait" bin/rails credentials:edit # If you want to use VS Code as your editor
Copy the contents of the master.key, which is of this format:
34d3cc7c5305dde06865acfa473716cd
Replace my RAILS_MASTER_KEY value with the master_key in production:
RAILS_MASTER_KEY: "34d3cc7c5305dde06865acfa473716cd"
And then save it.
Note: You could also experience this issue if you set/specify a wrong RAILS_MASTER_KEY environment variable in your .env files (.env, .env.development, .env.test, .env.production). Say you just want to use it as a placeholder temporarily. This may also throw an error key=': key must be 16 bytes (ArgumentError) if you try to generate new master.key and the credentials.yml.enc files using rails credentials:edit or EDITOR="code --wait" bin/rails credentials:edit
What you have to do is to either provide the right RAILS_MASTER_KEY environment variable in the .env file(s) or comment out the RAILS_MASTER_KEY environment variable if you are not using it.
That's it.
I hope this helps
For me I had to ensure I remove the quotes around the key in my .env file.
It seems my server(AWS ECS Fargate) was counting the "" as part of the key. Locally it was all fine.
Before
RAILS_MASTER_KEY="12345"
After
RAILS_MASTER_KEY=12345
You can run this in your terminal
heroku config:set RAILS_MASTER_KEY=`cat config/master.key`
You can follow the tutorial here
Related
I have to deploy a Rails API to AWS EC2.
I'm following this tutorial: https://gorails.com/deploy/ubuntu/18.04#ruby
But I'm getting stuck on:
01 $HOME/.rbenv/bin/rbenv exec rake db:migrate
01 rake aborted!
01 ArgumentError: Missing secret_key_base for 'production' environment, set this string with rails credentials:edit
when cap production deploy
How should I generate the key?
Where should I put it?
What I do I have to config to this get working?
Need details that I not finding anywhere.
Thanks in advance!
Solved by rails new app
Copying master.key and credentials.yml.enc to my app
Commiting to repo
Added this line to config/deploy.rb:
set :linked_files, %w{config/master.key}
copy manualy the key to my ec2 on path/to/app/shared/config/master.key
And this problem was solved
I have migrated my Ruby on Rails application from Rails 5.1.2 to Rails 5.2.0 to use the encrypted secrets. Application is successfully deployed to Digital Ocean Ubuntu Server. But when I go in browser to access, it shows the following log.
ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/message_encryptor.rb:206:in `rescue in _decrypt'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/message_encryptor.rb:184:in `_decrypt'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/message_encryptor.rb:157:in `decrypt_and_verify'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/messages/rotator.rb:21:in `decrypt_and_verify'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/encrypted_file.rb:79:in `decrypt'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/encrypted_file.rb:42:in `read'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/encrypted_configuration.rb:21:in `read'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/encrypted_configuration.rb:33:in `config'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/encrypted_configuration.rb:38:in `options'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/core_ext/module/delegation.rb:271:in `method_missing'
(erb):12:in `<main>'
I have added encrypted secrets using rails credentials:edit, which creates config/credentials.yml.enc and master.key.
I also have added the master.key file on /app_name/shared/config/ on my ubuntu server, also placed an env variable RAILS_MASTER_KEY. But still getting this error, I don't know what I am missing here.
Solution A and B are different solutions. Just choose which is good for you.
a. Deploy from Continous Integration
1. Edit deploy.rb
set :default_env, {
"RAILS_ENV" => "production",
"RAILS_MASTER_KEY" => ENV["RAILS_MASTER_KEY"]
}
2. Add RAILS_MASTER_KEY as a variable
Travis CI
GitLab CI
b. Usage of master.key
1. Edit deploy.rb
append :linked_files, "config/master.key"
2. Upload master.key with :linked_files
Let's assume our application's root path is /home/deploy/awesome-project. All we need to do is upload the key file to /home/deploy/awesome-project/shared/config/master.key.
I faced the same problem, when deploying for the first time on my DigitalOcean Droplet, every time I ran RAILS_ENV=production cap production deploy:initial it failed complaining this error - ActiveSupport::MessageEncryptor::InvalidMessage
I tried below options which all failed -
removing master.key and credential.yml.enc file and then deploying again.
adding both files again and deploying.
Finally one solution worked, i just added master.key, removing credentials.yml.enc file, committed it and redeployed, and it worked without changing my deploy.rb file
I'm running Ruby 2.5.1 and Rails 5.2.0. I ran rails s -e production, and it gives this error:
/home/roy/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/activesupport-5.2.0/lib/active_support/message_encryptor.rb:206:in `rescue in_decrypt': ActiveSupport::MessageEncryptor::InvalidMessage
(ActiveSupport::MessageEncryptor::InvalidMessage)
How do I do this properly?
EDIT:
The same error appears whenever I try to edit the credentials file using
EDITOR="nano --wait" bin/rails credentials:edit
Also I realized that I didn't create a production database yet so I tried that using
RAILS_ENV=production bundle exec rails db:reset
(I know db:reset is a bit redundant but it should work trying to create, migrate and seed a server)
Sadly I get the same kind of error (InvalidMessage error)
Unsupported rails environment for compass
rake aborted!
ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
/home/roy/apps/myappname/config/environment.rb:5:in `<main>'
/home/roy/.rbenv/versions/2.5.1/bin/bundle:23:in `load'
/home/roy/.rbenv/versions/2.5.1/bin/bundle:23:in `<main>'
Caused by:
OpenSSL::Cipher::CipherError:
/home/roy/apps/myappname/config/environment.rb:5:in `<main>'
/home/roy/.rbenv/versions/2.5.1/bin/bundle:23:in `load'
/home/roy/.rbenv/versions/2.5.1/bin/bundle:23:in `<main>'
Tasks: TOP => db:create => db:load_config => environment
Okay I got it working finally.
I simply deleted my master.key and credentials.yml.enc files and then ran
bin/rails credentials:edit
Which created new files. After that everything worked fine.
I don't really understand why it works though. Can anyone give a good explanation for this?
It appears your solution of removing the master.key and credentials.yml.enc indicates you are running Rails 5.2. This setup changed from a similar encrypted secrets.yml.enc file used in Rails 5.1.
The goal is to allow committing secret keys (AWS, Rails' secrect_key_base) to a project's code repository. These would typically be set with ENV variables. Now collaborators need only share the master.key that was generated to decrypt and modify or read the contents of credentials.yml.enc.
When you removed both the master.key and credentials.yml.enc files, rails generated a new pair, now you were able to decrypt credentials.yml.enc and this file was initialized with a new Rails secret_key_base value needed to avoid the ActiveSupport::MessageEncryptor::InvalidMessage. If you track down the source of that message, it's likely referencing the Rails credentials secret key base: Rails.application.credentials.secret_key_base.
These are nice write ups on the topic:
https://medium.com/cedarcode/rails-5-2-credentials-9b3324851336
https://www.engineyard.com/blog/rails-encrypted-credentials-on-rails-5.2
For Rails 6, I had a multi-environment credentials setup.
One for development, staging, and production.
The master.key works for the main credentials.yml file
The other environments have there own key, so for staging we used the production.key in place of the RAILS_MASTER_KEY config envs on heroku and that fixed it for me.
I had this similar issue when working with a Rails 5 application in production, royketelaar's answer and gib's answer
Just to add a few things:
After deleting the credentials.yml.enc and master.key files,
And running the command below to generate a new secret_key_base, credentials.yml.enc and master.key files (my editor is VS Code and not Nano):
EDITOR="code --wait" bin/rails credentials:edit
Ensure that uncomment the following configuration in your config/environments/production.rb file:
config.require_master_key = true
For your production environment, since the master.key file containing the master key which is used for decrypting the credentials.yml.enc is not recommended to be committed to version system control, save the master key in a RAILS_MASTER_KEY environment variable using the figaro gem.
That's all.
I hope this helps
You need to ask for the master key to you project leader / team leader / coworkers.
With that long key like 63y4gh47373h3733jj474 you copy it and paste it the master.key file under config folder.
That solve the issue.
I am unable to set secret_key_base for the production environment in Ruby on Rails 4.1.4 application running on Heroku.
Here are the steps that I've tried to do:
Run rake secret and copy the secret key to the clipboard
Run heroku config:set SECRET_KEY_BASE=%SECRET_KEY%
It returns success and Heroku lists this environment variable in the dashboard on the site, but the application still thinks that the secret key was not provided:
Missing secret_key_base for 'production' environment, set this value
in config/secrets.yml
Why? What am I doing wrong? How can I fix it?
Thanks in advance.
Add config/secrets.yml to version control and deploy again. You might need to remove a line from .gitignore so that you can commit the file.
.gitignore Github created for my Rails application included config/secrets.yml
OR
Follow this steps:
$ heroku config (run this command in your terminal)
Copy value from SECRET_KEY_BASE
paste value to secrets.yml file in place of <%= ENV["SECRET_KEY_BASE"] %> (without any quote)
e.g
production:
secret_key_base: b1de60dd9e00816d0569c5ce3f8dbaa3c8ea4a7606120dc66cXXXXXXXXXXXXXXXXXXXXXX
re-deploy
Note: Actually this is not safe but in-case you just wanted to run your app temporary in production mode for testing or in emergency condition
I hope it works for you...
What is in your config/secrets.yml? For production it should contain the lines:
production:
secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
I get this error, when running "heroku open"
"Internal Server Error
You must set config.secret_key_base in your app's config."
I've tried everything in this thread:
Heroku Config Secret Key Base Error
Set MyApp::Application.config.secret_token = ENV['SECRET_TOKEN'] in config/initializers/secret_token.rb
Created a .env file with the contents SECRET_TOKEN=NKUd7gisd7fueAISDfg....
Updated my .gitignore file to look like below
What else I have tried:
I added: DemoApp::Application.config.secret_key_base = ENV['SECRET_TOKEN'] to secret_token.rb file
Used figaro to create a application.yml file and pasted SECRET_TOKEN: 9489b3eee4eccf317ed77407553e8adc97baca7c74dc7ee33cd93e4c8b69477eea66eaedeb18af0be2679887c7c69c0a28c0fded0a71ea472a8c4abf3f0a19cb with my own SECRET_TOKEN
ran rake figaro:heroku
I still get the internal server error. Apologies if this is a total nub question, but this is my first try with the "heroku open" command.
Thanks,
David
Ok from heroku staff help turns out that my config/initializers folder was not pushing up to git.
Then these two posts solved it:
Config/initializers not pushing to repo
No submodule mapping found in .gitmodules for path
Best of luck
To set environment variables on Heroku, you need to use the Heroku Toolbelt from on local machine:
heroku config:set SECRET_TOKEN=f489b3eee4eccf317ed77407553e8adc97baca7c74dc7ee33cd93e4c8b69477eea66eaedeb18af0be2679887c7c69c0a28c0fded0a71ea472a8c4abf3f0a19ca
(Obviously, replace the token above with your own)
Then just make sure that you have MyApp::Application.config.secret_token = ENV['SECRET_TOKEN'] in your config/initializers/secret_token.rb file.
See Setting up config vars for a deployed application for further info.
Also make sure that you've added a secret_key_base entry for the production environment in your config/secrets.yml file:
production:
secret_key_base: 527dacc0390e10df59278f1a18aa8ad14e429fa6ce522e5fb3b7ac358007dff4
Don't use the key posted here. You can generate a new one with a rake task and paste it into your config/secrets.yml file
bundle exec rake secrets