Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException in AWS Fargate #2944

Open
1 task
Tracked by #2480
sandeep-npg opened this issue May 18, 2023 · 6 comments
Open
1 task
Tracked by #2480
Labels
bug bw-unified-deploy An Issue related to Bitwarden unified deployment

Comments

@sandeep-npg
Copy link

Steps To Reproduce

Goto /admin

Expected Result

Log in to /admin console

Actual Result

The page does not load for a long time and eventually times out. logs show an error "Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted."

Screenshots or Videos

No response

Additional Context

Error in the logs

2023-05-17T12:27:04.902-04:00 �[41m�[30mfail�[39m�[22m�[49m: Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery[7]
2023-05-17T12:27:04.902-04:00 => SpanId:0d294eb19f860334, TraceId:6ebc560d8a5b80d2b6070fb09acb5e8f, ParentId:0000000000000000 => ConnectionId:0HMQMUE6H33RK => RequestPath:/admin/login RequestId:0HMQMUE6H33RK:00000002 => Bit.Admin.Auth.Controllers.LoginController.Index (Admin)
2023-05-17T12:27:04.902-04:00 An exception was thrown while deserializing the token.
2023-05-17T12:27:04.902-04:00 Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted.
2023-05-17T12:27:04.902-04:00 ---> System.Security.Cryptography.CryptographicException: The key {0942ed38-9689-44bb-a91b-c96fbebe279e} was not found in the key ring. For more information go to http://aka.ms/dataprotectionwarning
2023-05-17T12:27:04.902-04:00 at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
2023-05-17T12:27:04.902-04:00 at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
2023-05-17T12:27:04.902-04:00 at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2023-05-17T12:27:04.902-04:00 --- End of inner exception stack trace ---
2023-05-17T12:27:04.902-04:00 at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2023-05-17T12:27:04.902-04:00 at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)

Githash Version

8d9ca42-dirty

Environment Details

  • Linux
  • AWS ECS Fargate
  • 1vCPU / 2GB

Database Image

mysql: 8.0.28

Issue-Link

#2480

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@sandeep-npg sandeep-npg added bug bw-unified-deploy An Issue related to Bitwarden unified deployment labels May 18, 2023
@justindbaur
Copy link
Member

Hi @sandeep-npg Can you share an example of the settings you are using? Please redact any passwords or PII.

@sandeep-npg
Copy link
Author

Hi @justindbaur -

I may have just figured this out. This happens when I try to connect to a restarted container. It appears that the container dynamically generates the key used to encrypt the antiforgery token/cookie and loses it (understandably) upon restart. Is a mapped volume (at /etc/bitwarden) necessary in addition to a database (I'm using MySQL) or is it possible to save all required state to the database?

  • rgds

===Settings===========
BW_DOMAIN passwordsdev.napierparkglobal.com
BW_DB_PROVIDER mysql
BW_DB_SERVER sharedmysqldev.napierparkglobal.com
BW_DB_DATABASE bitwarden
BW_DB_USERNAME bitwarden
BW_DB_PASSWORD ******************
BW_INSTALLATION_ID ******************
BW_INSTALLATION_KEY ******************
BW_ENABLE_SSO TRUE
adminSettings__admins [email protected]
globalSettings__mail__replyToEmail [email protected]
globalSettings__mail__smtp__host email-smtp.us-east-1.amazonaws.com
globalSettings__mail__smtp__port 587
globalSettings__mail__smtp__ssl TRUE
globalSettings__mail__smtp__username ******************
globalSettings__mail__smtp__password ******************

@justindbaur
Copy link
Member

Yes, a volume mapped to /etc/bitwarden is necessary. That is where the key will be saved and if it's not there it will generate a new one each startup. It was not as required once upon a time but we now encrypt certain DB columns with that key so it's a requirement for it to be mapped somewhere.

We don't currently, or plan to support persisting that key to the database.

@sandeep-npg
Copy link
Author

ok - thank you!

I'm seeing another issue after crossing that one. When trying to send out email using AWS SES I'm getting the error below - essentially MailKit fails to authenticate the SMTP server over SSL/TLS

I do not get this in my local dev environment (with a mapped volume). I am able to successfully login to "/admin" and get the email sent out using the same SES credentials. Is this also related to the mapped volume?

  • rgds
    =============
    2023-05-26T14:11:29.589-04:00 | The server's SSL certificate could not be validated for the following reasons:
    2023-05-26T14:11:29.589-04:00 | • The server certificate has the following errors:
    2023-05-26T14:11:29.589-04:00 | • unable to get certificate CRL
    2023-05-26T14:11:29.589-04:00 | • unable to get certificate CRL
    2023-05-26T14:11:29.589-04:00 | ---> System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
    2023-05-26T14:11:29.589-04:00 | at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
    2023-05-26T14:11:29.589-04:00 | at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
    2023-05-26T14:11:29.589-04:00 | at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm)
    2023-05-26T14:11:29.589-04:00 | at MailKit.Net.Smtp.SmtpClient.ConnectAsync(String host, Int32 port, SecureSocketOptions options, Boolean doAsync, CancellationToken cancellationToken)
    ===========

@justindbaur
Copy link
Member

It appears the certificate of your server isn't valid. You can override that check with adding globalSettings__mail__smtp__trustServer=true to your settings file. As shown here this is not recommended for production and would be better to get a trusted cert.

@crinjes
Copy link

crinjes commented Aug 8, 2023

I have the same issue with mailing.

      The server's SSL certificate could not be validated for the following reasons:
      • The server certificate has the following errors:
        • unable to get certificate CRL
        • unable to get certificate CRL
      • An intermediate certificate has the following errors:
        • unable to get certificate CRL
        • unable to get certificate CRL

The certificates in the chain are all valid, they just do not include a CRL endpoint.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug bw-unified-deploy An Issue related to Bitwarden unified deployment
Projects
None yet
Development

No branches or pull requests

3 participants