The antiforgery token could not be decrypted. .net core with Dokku - keys mismatch

May 24, 2018
Dokku Docker Applications Ubuntu 16.04

I'm deploying my .NET Core 2.0 app on DigitalOcean using a Dokku droplet. The app starts up without a problem, but when I open it in the browser for the first time, I see this error in the logs:

2018-05-24T15:01:23.926430569Z app[web.1]: warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
2018-05-24T15:01:23.926487523Z app[web.1]:       No XML encryptor configured. Key {f4e564e3-5da2-47cd-a06f-8d39bddb01a6} may be persisted to storage in unencrypted form.
2018-05-24T15:01:24.197307356Z app[web.1]: Hosting environment: Production
2018-05-24T15:01:24.197345362Z app[web.1]: Content root path: /app
2018-05-24T15:01:24.197443256Z app[web.1]: Now listening on: http://[::]:80
2018-05-24T15:01:24.197454955Z app[web.1]: Application started. Press Ctrl+C to shut down.
2018-05-24T15:02:10.745668563Z app[web.1]: fail: Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery[7]
2018-05-24T15:02:10.745704071Z app[web.1]:       An exception was thrown while deserializing the token.
2018-05-24T15:02:10.745708502Z app[web.1]: System.InvalidOperationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {d19cfc13-383c-4cbd-a212-2642c0be6ce0} was not found in the key ring.
2018-05-24T15:02:10.745712311Z app[web.1]:    at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
2018-05-24T15:02:10.745715900Z app[web.1]:    at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
2018-05-24T15:02:10.745719643Z app[web.1]:    at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
2018-05-24T15:02:10.745722936Z app[web.1]:    at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2018-05-24T15:02:10.745725892Z app[web.1]:    --- End of inner exception stack trace ---
2018-05-24T15:02:10.745728801Z app[web.1]:    at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2018-05-24T15:02:10.745731780Z app[web.1]:    at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)
2018-05-24T15:02:10.747046137Z app[web.1]: fail: Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery[7]
2018-05-24T15:02:10.747067863Z app[web.1]:       An exception was thrown while deserializing the token.
2018-05-24T15:02:10.747136022Z app[web.1]: System.InvalidOperationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {d19cfc13-383c-4cbd-a212-2642c0be6ce0} was not found in the key ring.
2018-05-24T15:02:10.747201004Z app[web.1]:    at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
2018-05-24T15:02:10.747207847Z app[web.1]:    at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
2018-05-24T15:02:10.747255786Z app[web.1]:    at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
2018-05-24T15:02:10.747272491Z app[web.1]:    at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2018-05-24T15:02:10.747385466Z app[web.1]:    --- End of inner exception stack trace ---
2018-05-24T15:02:10.747399727Z app[web.1]:    at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
2018-05-24T15:02:10.747403575Z app[web.1]:    at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)

When I try posting a login form, I get 400 Bad Request. I spent hours trying different approaches; for example, the last thing I tried was the following in Startup.cs:

services.AddDataProtection()
    .SetApplicationName("myapp-web")
    .PersistKeysToFileSystem(new System.IO.DirectoryInfo(@"./"));

I also tried .DisableAutomaticKeyGeneration() and deploying the key file with the app, with no success. I tried adding RUN chmod 777 /app to the Dockerfile, thinking it might be a permissions issue. Nothing works.

I can clearly see that the key file is being generated with the name key-f4e564e3-5da2-47cd-a06f-8d39bddb01a6.xml, but later, as you can see in the logs above, it's looking for another key: The key {d19cfc13-383c-4cbd-a212-2642c0be6ce0} was not found in the key ring.

I tried clearing the browser cache and cookies; it doesn't work. Is this a bug in .NET Core? Why is it looking for a key which is different from the one that was generated on app start? It's working great locally and on other platforms, though. This app was working on Ubuntu before (without Docker), so I have no idea why such behaviour popped up.
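A small triage script for the log pattern in the question, added here as an illustration and not part of the original post: it compares the key ids the instance reports creating with the key ids that incoming tokens ask for. A requested id that the instance never created means the cookie was protected under a different key ring than the one the running container holds; the function names are this example's own, and only the two message formats visible in the logs above are matched.

```python
import re

# Log lines copied from the question above (timestamps trimmed).
SAMPLE_LOG = """\
app[web.1]: warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
app[web.1]:       No XML encryptor configured. Key {f4e564e3-5da2-47cd-a06f-8d39bddb01a6} may be persisted to storage in unencrypted form.
app[web.1]: System.InvalidOperationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {d19cfc13-383c-4cbd-a212-2642c0be6ce0} was not found in the key ring.
app[web.1]: System.InvalidOperationException: The antiforgery token could not be decrypted. ---> System.Security.Cryptography.CryptographicException: The key {d19cfc13-383c-4cbd-a212-2642c0be6ce0} was not found in the key ring.
"""

GUID = r"\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}"
# Assumption: only the two message formats shown in the logs on this page.
KNOWN_RE = re.compile(r"Key " + GUID + r" may be persisted")
MISSING_RE = re.compile(r"The key " + GUID + r" was not found in the key ring")


def triage(log_text):
    """Return (known, missing): key ids this instance announced, and a
    dict mapping key ids it was asked for but lacked to their hit count."""
    known, missing = set(), {}
    for line in log_text.splitlines():
        m = KNOWN_RE.search(line)
        if m:
            known.add(m.group(1).lower())
        m = MISSING_RE.search(line)
        if m:
            key = m.group(1).lower()
            missing[key] = missing.get(key, 0) + 1
    return known, missing


def foreign_keys(log_text):
    """Key ids requested by incoming tokens that this instance never
    announced: the payload was protected under a different key ring."""
    known, missing = triage(log_text)
    return {k: n for k, n in missing.items() if k not in known}


if __name__ == "__main__":
    for key, hits in foreign_keys(SAMPLE_LOG).items():
        print(f"{key}: {hits} failed unprotect call(s), key not from this instance")
```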

1 Answer

It turned out that the 400 error is a very general error, and I still could not figure out why. I created a new dotnet 2.0 project and deployed it on Dokku. Check this: http://206.189.55.62/

You can see a textbox and a test button in the middle. Just type anything and click test; the page returns 400. This has nothing to do with antiforgery, I think; any form that I post with a parameter returns 400. Help please.
