I'm running Ruby 2.5.1 and Rails 5.2.0. I ran rails s -e production, and it gives this error:
/home/roy/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/activesupport-5.2.0/lib/active_support/message_encryptor.rb:206:in `rescue in_decrypt': ActiveSupport::MessageEncryptor::InvalidMessage
(ActiveSupport::MessageEncryptor::InvalidMessage)
How do I do this properly?
EDIT:
The same error appears whenever I try to edit the credentials file using
EDITOR="nano --wait" bin/rails credentials:edit
Also I realized that I didn't create a production database yet so I tried that using
RAILS_ENV=production bundle exec rails db:reset
(I know db:reset is a bit redundant but it should work trying to create, migrate and seed a server)
Sadly I get the same kind of error (InvalidMessage error)
Unsupported rails environment for compass
rake aborted!
ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
/home/roy/apps/myappname/config/environment.rb:5:in `<main>'
/home/roy/.rbenv/versions/2.5.1/bin/bundle:23:in `load'
/home/roy/.rbenv/versions/2.5.1/bin/bundle:23:in `<main>'
Caused by:
OpenSSL::Cipher::CipherError:
/home/roy/apps/myappname/config/environment.rb:5:in `<main>'
/home/roy/.rbenv/versions/2.5.1/bin/bundle:23:in `load'
/home/roy/.rbenv/versions/2.5.1/bin/bundle:23:in `<main>'
Tasks: TOP => db:create => db:load_config => environment
Okay I got it working finally.
I simply deleted my master.key and credentials.yml.enc files and then ran
bin/rails credentials:edit
Which created new files. After that everything worked fine.
I don't really understand why it works though. Can anyone give a good explanation for this?
It appears your solution of removing the master.key and credentials.yml.enc indicates you are running Rails 5.2. This setup changed from a similar encrypted secrets.yml.enc file used in Rails 5.1.
The goal is to allow committing secret keys (AWS, Rails' secrect_key_base) to a project's code repository. These would typically be set with ENV variables. Now collaborators need only share the master.key that was generated to decrypt and modify or read the contents of credentials.yml.enc.
When you removed both the master.key and credentials.yml.enc files, rails generated a new pair, now you were able to decrypt credentials.yml.enc and this file was initialized with a new Rails secret_key_base value needed to avoid the ActiveSupport::MessageEncryptor::InvalidMessage. If you track down the source of that message, it's likely referencing the Rails credentials secret key base: Rails.application.credentials.secret_key_base.
These are nice write ups on the topic:
https://medium.com/cedarcode/rails-5-2-credentials-9b3324851336
https://www.engineyard.com/blog/rails-encrypted-credentials-on-rails-5.2
For Rails 6, I had a multi-environment credentials setup.
One for development, staging, and production.
The master.key works for the main credentials.yml file
The other environments have there own key, so for staging we used the production.key in place of the RAILS_MASTER_KEY config envs on heroku and that fixed it for me.
I had this similar issue when working with a Rails 5 application in production, royketelaar's answer and gib's answer
Just to add a few things:
After deleting the credentials.yml.enc and master.key files,
And running the command below to generate a new secret_key_base, credentials.yml.enc and master.key files (my editor is VS Code and not Nano):
EDITOR="code --wait" bin/rails credentials:edit
Ensure that uncomment the following configuration in your config/environments/production.rb file:
config.require_master_key = true
For your production environment, since the master.key file containing the master key which is used for decrypting the credentials.yml.enc is not recommended to be committed to version system control, save the master key in a RAILS_MASTER_KEY environment variable using the figaro gem.
That's all.
I hope this helps
You need to ask for the master key to you project leader / team leader / coworkers.
With that long key like 63y4gh47373h3733jj474 you copy it and paste it the master.key file under config folder.
That solve the issue.
Related
I am storing my secret key in environment and /config/environments/production.rb has config.require_master_key = true uncommented
config.require_master_key = true
When running
RAILS_ENV=production bundle exec rake assets:precompile
I get the error
/Users/something/Development/wwwroot/trivial/config/environment.rb:5:in `<main>'
/Users/something/.rbenv/versions/2.5.1/bin/bundle:23:in `load'
/Users/something/.rbenv/versions/2.5.1/bin/bundle:23:in `<main>'
Caused by:
ArgumentError: key must be 16 bytes
/Users/something/Development/wwwroot/trivial/config/environment.rb:5:in `<main>'
/Users/something/.rbenv/versions/2.5.1/bin/bundle:23:in `load'
/Users/something/.rbenv/versions/2.5.1/bin/bundle:23:in `<main>'
Tasks: TOP => environment
any ideas on how to fix this error? What else can I do?
Your problem is that the key you generated is longer of what rails expects https://github.com/rails/rails/issues/33528#issuecomment-412677795
Solution
You can recreate a new one by deleting your master.key and credentials.yml.enc and run
rails credentials:edit
I faced the same issue while setting up a Rails 6.0 application on Ubuntu in production.
I was using the figaro gem for my environment variables.
The issue was that I was copying the content of the secret_key_base instead of the master_key
Here's how I solved it
Delete the previous master.key and the credentials.yml.enc file
Recreate a new master.key and credentials.yml.enc:
rails credentials:edit
OR
EDITOR="code --wait" bin/rails credentials:edit # If you want to use VS Code as your editor
Copy the contents of the master.key, which is of this format:
34d3cc7c5305dde06865acfa473716cd
Replace my RAILS_MASTER_KEY value with the master_key in production:
RAILS_MASTER_KEY: "34d3cc7c5305dde06865acfa473716cd"
And then save it.
Note: You could also experience this issue if you set/specify a wrong RAILS_MASTER_KEY environment variable in your .env files (.env, .env.development, .env.test, .env.production). Say you just want to use it as a placeholder temporarily. This may also throw an error key=': key must be 16 bytes (ArgumentError) if you try to generate new master.key and the credentials.yml.enc files using rails credentials:edit or EDITOR="code --wait" bin/rails credentials:edit
What you have to do is to either provide the right RAILS_MASTER_KEY environment variable in the .env file(s) or comment out the RAILS_MASTER_KEY environment variable if you are not using it.
That's it.
I hope this helps
For me I had to ensure I remove the quotes around the key in my .env file.
It seems my server(AWS ECS Fargate) was counting the "" as part of the key. Locally it was all fine.
Before
RAILS_MASTER_KEY="12345"
After
RAILS_MASTER_KEY=12345
You can run this in your terminal
heroku config:set RAILS_MASTER_KEY=`cat config/master.key`
You can follow the tutorial here
I have created the new Rails app with the version of 5.2. Rails 5.2 introduced the encryption feature for the secrets.
I have configured the secret key in devise.rb file
config.secret_key = Rails.application.credentials[Rails.env.to_sym][:secret_key_base]
and also added the secret_key's for all environments using
EDITOR=vim rails credentials:edit
development:
secret_key_base: absdss
test:
secret_key_base: 123232
production:
secret_key_base: 123456
after the saving the credentials i can able to get the secret_key's in the rails console in local
Output in rails console:
Running via Spring preloader in process 44308
Loading development environment (Rails 5.2.0)
2.5.1 :001 > Rails.application.credentials.development[:secret_key_base]
=> "absdss"
The credentials are not working on production server, we are using CI/CD in gitlab for deployment stages, when i run the
rails db:create db:migrate
i am getting the following error
> rails db:create db:migrate
---> Running in 1563453ddf2a
rails aborted!
NoMethodError: undefined method `[]' for nil:NilClass
/usr/src/app/config/initializers/devise.rb:12:in `block in <main>'
/usr/local/bundle/gems/devise-4.4.3/lib/devise.rb:307:in `setup'
/usr/src/app/config/initializers/devise.rb:5:in `<main>'
/usr/local/bundle/gems/bootsnap-1.3.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:50:in `load'
Now the question is how to set the RAILS_MASTER_KEY to production server?
Im sharing few points which may help you
Encrypted credentials offer a few advantages over plaintext credentials or environment variables
Rails 5.1 introduced encrypted secrets
config/secrets.yml.key
config/secrets.yml.enc
Rails 5.2 replaces both secrets with encrypted credentials
config/credentials.yml.enc
config/master.key
config/master.key file is created while creating a rails project
Encryption key(master.key) is git ignored
In production
config/environments/production.rb
config.require_master_key = true
Can’t decrypt your credentials without the key
Managing the Key
a. scp or sftp the file
b. If you need to give a developer a copy of the key then You can use a password manager because they use encryption.
c. I used last pass for managing the master key file
The key used to encrypt credentials is different from the secret key base.
The key on master.key is used to encrypt and decrypt all credentials. It does not replace the secret key base.
The secret key base is required by Rails. If you want to generate a new secret key base run,
bin/rails secret
and add that to your credentials by running bin/rails credentials:edit.
You can put your master key as MASTER_KEY secret variable in Gitlab CI/CD Settings and then put
echo "$MASTER_KEY" > config/master.key
in before_script section of your .gitlab-ci.yml file.
Rails.application.credentials.development&.dig(:secret_key_base)
try this instead.
I have migrated my Ruby on Rails application from Rails 5.1.2 to Rails 5.2.0 to use the encrypted secrets. Application is successfully deployed to Digital Ocean Ubuntu Server. But when I go in browser to access, it shows the following log.
ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/message_encryptor.rb:206:in `rescue in _decrypt'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/message_encryptor.rb:184:in `_decrypt'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/message_encryptor.rb:157:in `decrypt_and_verify'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/messages/rotator.rb:21:in `decrypt_and_verify'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/encrypted_file.rb:79:in `decrypt'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/encrypted_file.rb:42:in `read'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/encrypted_configuration.rb:21:in `read'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/encrypted_configuration.rb:33:in `config'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/encrypted_configuration.rb:38:in `options'
/home/deploy/apps/GeekyCricket/shared/bundle/ruby/2.4.0/gems/activesupport-5.2.0/lib/active_support/core_ext/module/delegation.rb:271:in `method_missing'
(erb):12:in `<main>'
I have added encrypted secrets using rails credentials:edit, which creates config/credentials.yml.enc and master.key.
I also have added the master.key file on /app_name/shared/config/ on my ubuntu server, also placed an env variable RAILS_MASTER_KEY. But still getting this error, I don't know what I am missing here.
Solution A and B are different solutions. Just choose which is good for you.
a. Deploy from Continous Integration
1. Edit deploy.rb
set :default_env, {
"RAILS_ENV" => "production",
"RAILS_MASTER_KEY" => ENV["RAILS_MASTER_KEY"]
}
2. Add RAILS_MASTER_KEY as a variable
Travis CI
GitLab CI
b. Usage of master.key
1. Edit deploy.rb
append :linked_files, "config/master.key"
2. Upload master.key with :linked_files
Let's assume our application's root path is /home/deploy/awesome-project. All we need to do is upload the key file to /home/deploy/awesome-project/shared/config/master.key.
I faced the same problem, when deploying for the first time on my DigitalOcean Droplet, every time I ran RAILS_ENV=production cap production deploy:initial it failed complaining this error - ActiveSupport::MessageEncryptor::InvalidMessage
I tried below options which all failed -
removing master.key and credential.yml.enc file and then deploying again.
adding both files again and deploying.
Finally one solution worked, i just added master.key, removing credentials.yml.enc file, committed it and redeployed, and it worked without changing my deploy.rb file
I get this error, when running "heroku open"
"Internal Server Error
You must set config.secret_key_base in your app's config."
I've tried everything in this thread:
Heroku Config Secret Key Base Error
Set MyApp::Application.config.secret_token = ENV['SECRET_TOKEN'] in config/initializers/secret_token.rb
Created a .env file with the contents SECRET_TOKEN=NKUd7gisd7fueAISDfg....
Updated my .gitignore file to look like below
What else I have tried:
I added: DemoApp::Application.config.secret_key_base = ENV['SECRET_TOKEN'] to secret_token.rb file
Used figaro to create a application.yml file and pasted SECRET_TOKEN: 9489b3eee4eccf317ed77407553e8adc97baca7c74dc7ee33cd93e4c8b69477eea66eaedeb18af0be2679887c7c69c0a28c0fded0a71ea472a8c4abf3f0a19cb with my own SECRET_TOKEN
ran rake figaro:heroku
I still get the internal server error. Apologies if this is a total nub question, but this is my first try with the "heroku open" command.
Thanks,
David
Ok from heroku staff help turns out that my config/initializers folder was not pushing up to git.
Then these two posts solved it:
Config/initializers not pushing to repo
No submodule mapping found in .gitmodules for path
Best of luck
To set environment variables on Heroku, you need to use the Heroku Toolbelt from on local machine:
heroku config:set SECRET_TOKEN=f489b3eee4eccf317ed77407553e8adc97baca7c74dc7ee33cd93e4c8b69477eea66eaedeb18af0be2679887c7c69c0a28c0fded0a71ea472a8c4abf3f0a19ca
(Obviously, replace the token above with your own)
Then just make sure that you have MyApp::Application.config.secret_token = ENV['SECRET_TOKEN'] in your config/initializers/secret_token.rb file.
See Setting up config vars for a deployed application for further info.
Also make sure that you've added a secret_key_base entry for the production environment in your config/secrets.yml file:
production:
secret_key_base: 527dacc0390e10df59278f1a18aa8ad14e429fa6ce522e5fb3b7ac358007dff4
Don't use the key posted here. You can generate a new one with a rake task and paste it into your config/secrets.yml file
bundle exec rake secrets
Rails 4.1.0.beta1 and Devise.
I'm trying to remove all of my keys from version control and I've upgraded to Rails 4.1 to give this new secrets.yml a shot
Trying to push Devise's config.secret_key to heroku but it's failing after assets:precompile
Preparing app for Rails asset pipeline
Running: rake assets:precompile
rake aborted!
Devise.secret_key was not set. Please add the following to your Devise initializer:
config.secret_key = 'EXAMPLE_KEY_HERE'
Please ensure you restarted your application after installing Devise or setting the key.
Here are my changes, the old code I'll leave in comments. (it works)
devise.rb
# config.secret_key = 'THIS_IS_A_FAKE_KEY' #<---this_is_commented_out
config.secret_key = Rails.application.secrets.devise_secret_key
secrets.yml
production:
devise_secret_key: 'THIS_IS_A_FAKE_KEY'
then ran heroku labs:enable user-env-compile -a myapp (not sure if that's necessary)
and then when I push to my forked heroku envionment git push forked master I get the above error.
I also noticed some discussion on this in this Devise repo so I figured I'd update my gem alongside the source repo, no difference. Here's part of that discussion (here).
You've likely got secrets.yml added to your .gitignore. Which makes sense, since you put secret keys in it -- but since Heroku deployment uses git, it never sees your secrets.yml.
One solution is to use the heroku_secrets gem - See https://stackoverflow.com/a/22458102/2831572 .
Another solution is to add secrets.yml to git (i.e. remove it from .gitignore) after replacing all sensitive keys with references to environment variables.
So:
production:
devise_secret_key: <%= ENV['DEVISE_KEY'] %>
then run heroku config:set DEVISE_KEY='7658699e0f765e8whatever'