8

This topic has a SOLUTION embeded at the end.

PROBLEM

I'm deploying for the first time a Rails app on a VPS on Ubuntu 18.04. with Nginx. I followed the good tutorial of Gorails "Deploy Ruby on Rails To Production in 2019". Everything worked, until I had the "Incomplete response received from application" page.

I checked the nginx logs on /var/log/nginx/error.logand saw the typical message "Missing secret_key_base for 'production' environment, set this string with rails credentials:edit"

As the method of Gorails didn't seems to work (after a bundle exec rails secret on his console app-side, he add a file /my_website/.rbenv-vars with a SECRET_KEY_BASE line, filled with the generated secret key), I decided to follow the multiples topics answering to this question. Here is the thing, I'm not sure if the followings steps are the goods one.

  1. I run bundle exec rails secreton my console, server-side, as deploy user. So I have my GENERATED_KEY_1
  2. I add to ~/.bashrc : export SECRET_KEY_BASE="GENERATED_KEY_1"
  3. I source ~/.bashrc
  4. I check my key with echo $SECRET_KEY_BASE, and I have the good key displayed (GENERATED_KEY_1)
  5. I edited my credential file as
development:
  secret_key_base: ORIGINAL_KEY

test:
  secret_key_base: ORIGINAL_KEY

production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

and added Dotenv to my Gemfile, required it in application.rb

But none of this worked, after restarted nginx server. So I restarted the previous step, with the root-user.

But again, it failed. My questions are:

  • what I am missing ?
  • How can I know, if it's searching the key in the good place, as I have always the same error message ?
  • Which key am I suppose to generate ? App-side ? Server-side ? As root or deploy user ?
  • Do I have something else to configure in /etc/nginx/sites-available/default ? (I saw on this topic that this guys changed a rails_env production; to rails_env development; but I haven't any rails line)

Thank you, I'm a little bit desperate ^^

SOLUTION

During my many tests, I logged with the root user, and run EDITOR="vim" rails credentials:edit. This command had generated a master.key, which doesn't exist on your Github repo.

But first, I didn't modified it. I think that was the main problem, as the application use it to decrypt your credentials.yml.enc file. When I understood it, I edited the master.key with the content of the master.key on my computer app.

Even after editing credentials.yml.encwith <%= ENV["SECRET_KEY_BASE"] %>, this solution works. This corresponds to the answer of Lyzard Kyng, even if it's a bit different.

I can't run EDITOR="vim" rails credentials:editwith the deploy user, it doesn't work.

Community
  • 1
  • 1
OBrooks
  • 343
  • 1
  • 3
  • 7
  • 1
    Nginx has its own shell environment, it doesn't read your profile's `~/.bashrc`. So if you're using Dotenv you should put `SECRET_KEY_BASE="GENERATED_KEY_1"` to `.env.production` file under your app's root. – Lyzard Kyng Jul 31 '19 at 13:04

5 Answers5

8

Rails 5.2 and later uses encrypted credentials for storing sensitive app's information, which includes secret_key_base by default. These credentials are encrypted with the key stored in master.key file. Git repository, generated by default Rails application setup, includes credentials.yml.enc but ignores master.key. After the deployment, which usually involves git push, Rails production environment should be augmented with this key some way.

So you have two options. You can securely upload master.key to production host via scp or sftp. Or you can establish shell environment variable RAILS_MASTER_KEY within the context of a user that runs rails server process. The former option is preferred, but as you have dotenv-rails gem installed, you'd create .env.production file under app's root and put there a line

RAILS_MASTER_KEY="your_master-key_content"

Don't forget to ensure that gem dotenv-rails isn't restricted within Gemfile by development and test Rails environments.

By the way since passenger module ver. 5.0.0 you can set shell environment variables right from nginx.conf

Lyzard Kyng
  • 1,518
  • 1
  • 9
  • 14
  • Hi, thank you for your answer ! Before your answer, I tried to run ```EDITOR="vim" rails credentials:edit ``` with the root user, which created a master.key. That was maybe the main problem. I came back on this 1 hour after, and edited the file with the master.key of my application on my computer. Seems that it solved the problem, as even after edited the credentials.yml.enc file, I can't no more have the same issue. But I'll keep your 2nd answer for the next time ! Thank you again – OBrooks Aug 07 '19 at 06:54
6

run rake secret in your local machine and this will generate a key for you

make config/secrets.yml file

add the generated secret key here

production:
 secret_key_base: asdja1234sdbjah1234sdbjhasdbj1234ahds…

and redeploy the application after commiting

i had the same issue and resolved by this method.

Abhishek Aravindan
  • 1,432
  • 6
  • 23
2

It would be more secure to generate your key on the server and use it there, rather than push it to your repo from a local machine.

Instead of ~/.bashrc do this for using environment variables;

  1. As root user, navigate to the # directory (can probably just use cd ..)
  2. Enter nano home/<yourAppUser>/.bash_profile to navigate to (and create) the file to store the ENV
  3. As you have already, just write this in the file: export SECRET_KEY_BASE="GENERATED_KEY_1"

You can store your database password here as well.

Jake
  • 1,086
  • 12
  • 38
  • 1
    Hi, thank you for your answer. I tried a different solution, as related to my edit, with a master.key created on the server. Even after edit my credentials.yml.enc in ```<%= ENV["SECRET_KEY_BASE"] %>```, I can't have the same issue anymore, I don't know why. But I'll keep the try on your solution for the next time ! Thank you again – OBrooks Aug 07 '19 at 06:53
1

1_ Set credentials with

rails credentials:edit

2_ Upload master.key file to your production server.

If deploy with capistrano, copy master.key to shared folder (shared_path) and then add this to deploy.rb:

namespace :config do
   task :symlink do
      on roles(:app) do
        execute :ln, "-s #{shared_path}/master.key #{release_path}/config/master.key"
      end
   end
end

after 'deploy:symlink:shared', 'config:symlink'
Abel
  • 3,989
  • 32
  • 31
  • Step 1 is unclear. *Where* do I run this command; my computer or the server. If on the server, what directory? I get `rails: command not found` when running it in the `$HOME` directory. – Brad West Mar 20 '23 at 15:24
0

In my case, on rails credentials:edit, the file indentation were not accurate which gave the error on deployment. So make sure the indentation is correct on your local before deploying.

Shishir
  • 77
  • 2
  • 11
  • can you be more specific about how the indentation should look? – Leland Reardon Mar 03 '23 at 06:06
  • 1
    This answer was from a long time ago. I don't remember much, but I believe I was talking about the indentation on your YAML file. You should be really careful with the indentation on YAML file. @LelandReardon – Shishir Mar 08 '23 at 04:29