The antiforgery token could not be decrypted. .net core with Dokku - keys mismatch

May 24, 2018 251 views
Dokku Docker Applications Ubuntu 16.04
By: douser1

I'm deploying my .NET Core 2.0 app on DigitalOcean using a Dokku droplet. The app starts up without a problem, but when I open it in the browser for the first time, I see this error in the logs:

2018-05-24T15:01:23.926430569Z app[web.1]: warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
2018-05-24T15:01:23.926487523Z app[web.1]:       No XML encryptor configured. Key {f4e564e3-5da2-47cd-a06f-8d39bddb01a6} may be persisted to storage in unencrypted form.
2018-05-24T15:01:24.197307356Z app[web.1]: Hosting environment: Production
2018-05-24T15:01:24.197345362Z app[web.1]: Content root path: /app
2018-05-24T15:01:24.197443256Z app[web.1]: Now listening on: http://[::]:80
2018-05-24T15:01:24.197454955Z app[web.1]: Application started. Press Ctrl+C to shut down.
2018-05-24T15:02:10.745668563Z app[web.1]: fail: Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery[7]
2018-05-24T15:02:10.745704071Z app[web.1]:       An exception was thrown while deserializing the token.
2018-05-24T15:02:10.745708502Z app[web.1]: System.InvalidOperationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {d19cfc13-383c-4cbd-a212-2642c0be6ce0} was not found in the key ring.
2018-05-24T15:02:10.745712311Z app[web.1]:    at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
2018-05-24T15:02:10.745715900Z app[web.1]:    at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
2018-05-24T15:02:10.745719643Z app[web.1]:    at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
2018-05-24T15:02:10.745722936Z app[web.1]:    at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2018-05-24T15:02:10.745725892Z app[web.1]:    --- End of inner exception stack trace ---
2018-05-24T15:02:10.745728801Z app[web.1]:    at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2018-05-24T15:02:10.745731780Z app[web.1]:    at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)
2018-05-24T15:02:10.747046137Z app[web.1]: fail: Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery[7]
2018-05-24T15:02:10.747067863Z app[web.1]:       An exception was thrown while deserializing the token.
2018-05-24T15:02:10.747136022Z app[web.1]: System.InvalidOperationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {d19cfc13-383c-4cbd-a212-2642c0be6ce0} was not found in the key ring.
2018-05-24T15:02:10.747201004Z app[web.1]:    at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
2018-05-24T15:02:10.747207847Z app[web.1]:    at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
2018-05-24T15:02:10.747255786Z app[web.1]:    at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
2018-05-24T15:02:10.747272491Z app[web.1]:    at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2018-05-24T15:02:10.747385466Z app[web.1]:    --- End of inner exception stack trace ---
2018-05-24T15:02:10.747399727Z app[web.1]:    at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2018-05-24T15:02:10.747403575Z app[web.1]:    at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)

When I try posting a login form, I get 400 Bad Request. I spent hours trying different approaches; for example, most recently I tried the following in Startup.cs:

services.AddDataProtection()
    .SetApplicationName("myapp-web")
    .PersistKeysToFileSystem(new System.IO.DirectoryInfo(@"./"));

I also tried .DisableAutomaticKeyGeneration() and deploying the key file with the app, with no success. I tried adding RUN chmod 777 /app to the Dockerfile, thinking it might be a permissions issue. Nothing works.

I can clearly see that the key file is being generated with the name key-f4e564e3-5da2-47cd-a06f-8d39bddb01a6.xml, but later, as you can see in the logs above, it's looking for another key: The key {d19cfc13-383c-4cbd-a212-2642c0be6ce0} was not found in the key ring.

I tried clearing the browser cache and cookies; it doesn't work. Is this a bug in .NET Core? Why is it looking for a key which is different from the one that was generated on app start? It's working great locally and on other platforms, though. This app was working on Ubuntu before (without Docker), so I have no idea why this behaviour popped up.
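As an added example (not part of the original post, and not code from ASP.NET Core or Dokku): a small Python triage script that reads log lines like those in the question and reports, for each key id the data protection stack could not find, whether the same log shows that key being written or a key-<guid>.xml file for it exists in a key directory. The function names and the `key_dir` parameter are illustrative assumptions; the sample lines are copied from the log excerpt above.

```python
import re
from collections import Counter
from pathlib import Path

GUID = r"([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
WRITTEN = re.compile(r"Key \{" + GUID + r"\} may be persisted to storage")
MISSING = re.compile(r"The key \{" + GUID + r"\} was not found in the key ring")
KEY_FILE = re.compile(r"^key-" + GUID + r"\.xml$")

# Lines copied from the log excerpt in the question, stack frames trimmed.
SAMPLE_LOG = """\
2018-05-24T15:01:23.926487523Z app[web.1]:       No XML encryptor configured. Key {f4e564e3-5da2-47cd-a06f-8d39bddb01a6} may be persisted to storage in unencrypted form.
2018-05-24T15:02:10.745708502Z app[web.1]: System.InvalidOperationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {d19cfc13-383c-4cbd-a212-2642c0be6ce0} was not found in the key ring.
2018-05-24T15:02:10.747136022Z app[web.1]: System.InvalidOperationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {d19cfc13-383c-4cbd-a212-2642c0be6ce0} was not found in the key ring.
""".splitlines()


def keys_on_disk(key_dir):
    """Key ids taken from the key-<guid>.xml file names in key_dir."""
    names = (KEY_FILE.match(p.name) for p in Path(key_dir).iterdir())
    return {m.group(1).lower() for m in names if m}


def triage(log_lines, key_dir=None):
    """Map each key id the app failed to find to how often it was requested,
    and whether this log or the key directory shows it was ever available."""
    written, missing = set(), Counter()
    for line in log_lines:
        if (m := WRITTEN.search(line)):
            written.add(m.group(1).lower())
        if (m := MISSING.search(line)):
            missing[m.group(1).lower()] += 1
    on_disk = keys_on_disk(key_dir) if key_dir else set()
    return {
        key_id: {
            "failures": count,
            "written_by_this_process": key_id in written,
            "file_in_key_dir": key_id in on_disk,
        }
        for key_id, count in missing.items()
    }


if __name__ == "__main__":
    for key_id, info in triage(SAMPLE_LOG).items():
        print(key_id, info)
```

A key id that shows up in a failure but was never written by the running process and has no file in the key directory means the token in the request was protected under a key that is not in the ring this container loaded.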

1 Answer

It turned out that the 400 error is a very general error, and I still could not figure out why. I created a new dotnet 2.0 project and deployed it on Dokku. Check this: http://206.189.55.62/

You can see a textbox and a test button in the middle. Just type anything and click test; the page returns 400. This has nothing to do with antiforgery, I think; any form that I post with a parameter returns 400. Help please.
