4

So on Ubuntu server I am getting this in my logs:

#<RuntimeError: Missing `secret_key_base` for 'production' 
       environment, set this value in `config/secrets.yml`>
      /home/deploy/apps/project/shared/bundle/ruby/2.4.0/gems/railties-5.1.4/lib/rails/application.rb:510:in `validate_secret_key_config!'
      /home/deploy/apps/project/shared/bundle/ruby/2.4.0/gems/railties-5.1.4/lib/rails/application.rb:247:in `env_config'```

My Browser:

An unhandled lowlevel error occurred. The application logs may have details.

My secrets.yml (in deploy/apps/project/current/config & deploy/apps/project/shared/config):

production:
      secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

deploy.rb

...
namespace :deploy do
    desc 'Rails Secrets'
    task :secret do
      on roles(:app) do
        execute "export SECRET_KEY_BASE=`bundle exec rake secret`"
      end
    end
    before :finishing,  :secret
    ...
end

I have also tried manually adding the SECRET_KEY_BASE in /etc/profile. It is present when I type this command: printenv (because I manually added it), but when logging out of root it is not present anymore in printenv.

The ENV variable is not present in the printenv command. After I carry out a deployment (cap production deploy:initial).

How do I resolve this error?

ihtishaam ahmed
  • 409
  • 4
  • 12
  • Have you added it in `/etc/profile` as a `root` user? If not you will have to add `export SECRET_KEY_BASE=` to your `~/.bash_profile` (or whatever config file you use). Maybe this gist will be helpful for you - https://gist.github.com/pablosalgadom/4d75f30517edc6230a67 . – radoAngelov May 30 '18 at 11:56

2 Answers2

2

Seems like the user that you are logged in is not the same user that you've used to add the secret key base. You are logged as root but I don't think you are deploying nor starting the server with root, right?

If you are a deploying with a user called deploy so to say, you should log in as deploy and add the env var to deploy's context (e.g. ~/.bashrc). I'm not 100% sure that /etc/profile will work here. Also, remember to restart the rails server after add the var

Luiz E.
  • 6,769
  • 10
  • 58
  • 98
  • I think you're correct - the shell isn't interactive so only .bashrc is picked up. [Here's a concise blog post](http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/) with a bit more info on this. Another note, it's always a good practice to [have a dedicated user run the application.](https://medium.com/@rdsubhas/ruby-in-production-lessons-learned-36d7ab726d99) – kfrz May 30 '18 at 12:00
  • @luiz-e This how you restart the server (`sudo systemctl restart unicorn`), right? – ihtishaam ahmed May 30 '18 at 13:23
  • @luize-e If so I'm still getting the same error in my logs, even though I've added the following to `~/.bashrc`: `export SECRET_KEY_BASE=` – ihtishaam ahmed May 30 '18 at 13:30
  • again, did you check for `root` and your `deploy` user? which user is capistrano using for deploy? – Luiz E. May 30 '18 at 13:32
  • @luiz-e I used `deploy` user. – ihtishaam ahmed May 30 '18 at 13:47
  • try to redeploy then...and remove `execute "export SECRET_KEY_BASE=`bundle exec rake secret`"` – Luiz E. May 30 '18 at 13:50
  • is `root` user maybe starting your server? probably, because you are using `sudo`...so you are still under `root` which will not work I think – Luiz E. May 30 '18 at 14:21
  • I've given `deploy` sudo access. – ihtishaam ahmed May 30 '18 at 14:23
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/172087/discussion-between-ihtishaam-ahmed-and-luiz-e). – ihtishaam ahmed May 30 '18 at 14:42
2

How do I resolve this error?

The first thing I notice is 

secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

I suspect you don't need the ERB template invocation.

secret_key_base: ENV["SECRET_KEY_BASE"]

The ENV variable is not present in the printenv command. After I carry out a deployment

Secondly, I wonder if a new shell is forked in your chain. If so, then the shell set variables will not be available because the new forked shell naturally doesn't have it. So, the only way around is by setting the things in eg. $HOME/.profile or your shells profile.

Thirdly, I would opt to use some kind of helper gem to deal with this. There are some such as eg. Figaro and here is a simple article showing you how to use it.

I have also tried manually adding the SECRET_KEY_BASE in /etc/profile

Adding things to /etc/profile is a bad idea. It is used to set system wide environmental variables on users shells. What you want is probably $HOME/.profile.

when logging out of root

I would strongly advise against running things under root as it defeats the entire GNU/Linux security setup. If you must pretend to run things as root, use a vanilla user account with eg. fakeroot.

execute "export SECRET_KEY_BASE=bundle exec rake secret"

Handling secrets this way is a bit clunky, not very secure nor convenient. Arguably the gold standard currently is Hashicorp's Vault which also has a nice Rails adapter.

This kind of system has specifically been designed with security in mind. Maybe overkill for your current situation, but I thought it worth mentioning.

Good luck and hope this writeup helps!

Bjoern Rennhak
  • 6,766
  • 1
  • 16
  • 21