Ubuntu 18.04 服务器（Rails 6.0）上的“生产”环境缺少“secret_key_base”，尝试了多个主题

Question

This topic has a SOLUTION embeded at the end.

PROBLEM

I'm deploying for the first time a Rails app on a VPS on Ubuntu 18.04. with Nginx. I followed the good tutorial of Gorails "Deploy Ruby on Rails To Production in 2019". Everything worked, until I had the "Incomplete response received from application" page.

I checked the nginx logs on /var/log/nginx/error.log and saw the typical message "Missing secret_key_base for 'production' environment, set this string with rails credentials:edit "

As the method of Gorails didn't seems to work (after a bundle exec rails secret on his console app-side, he add a file /my_website/.rbenv-vars with a SECRET_KEY_BASE line, filled with the generated secret key), I decided to follow the multiples topics answering to this question. Here is the thing, I'm not sure if the followings steps are the goods one.

1. I run bundle exec rails secret on my console, server-side, as deploy user. So I have my GENERATED_KEY_1
2. I add to ~/.bashrc : export SECRET_KEY_BASE="GENERATED_KEY_1"
3. I source ~/.bashrc
4. I check my key with echo $SECRET_KEY_BASE , and I have the good key displayed (GENERATED_KEY_1)
5. I edited my credential file as

development:
  secret_key_base: ORIGINAL_KEY

test:
  secret_key_base: ORIGINAL_KEY

production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

and added Dotenv to my Gemfile, required it in application.rb

But none of this worked, after restarted nginx server. So I restarted the previous step, with the root-user.

But again, it failed. My questions are:

• what I am missing ?
• How can I know, if it's searching the key in the good place, as I have always the same error message ?
• Which key am I suppose to generate ? App-side ? Server-side ? As root or deploy user ?
• Do I have something else to configure in /etc/nginx/sites-available/default ? (I saw on this topic that this guys changed a rails_env production; to rails_env development; but I haven't any rails line)

Thank you, I'm a little bit desperate ^^

SOLUTION

During my many tests, I logged with the root user, and run EDITOR="vim" rails credentials:edit . This command had generated a master.key , which doesn't exist on your Github repo.

But first, I didn't modified it. I think that was the main problem, as the application use it to decrypt your credentials.yml.enc file. When I understood it, I edited the master.key with the content of the master.key on my computer app.

Even after editing credentials.yml.enc with <%= ENV["SECRET_KEY_BASE"] %> , this solution works. This corresponds to the answer of Lyzard Kyng , even if it's a bit different.

I can't run EDITOR="vim" rails credentials:edit with the deploy user, it doesn't work.

Answer 1

Rails 5.2 and later uses encrypted credentials for storing sensitive app's information, which includes secret_key_base by default. These credentials are encrypted with the key stored in master.key file. Git repository, generated by default Rails application setup, includes credentials.yml.enc but ignores master.key . After the deployment, which usually involves git push , Rails production environment should be augmented with this key some way.

So you have two options. You can securely upload master.key to production host via scp or sftp . Or you can establish shell environment variable RAILS_MASTER_KEY within the context of a user that runs rails server process. The former option is preferred, but as you have dotenv-rails gem installed, you'd create .env.production file under app's root and put there a line

RAILS_MASTER_KEY="your_master-key_content"

Don't forget to ensure that gem dotenv-rails isn't restricted within Gemfile by development and test Rails environments.

By the way since passenger module ver. 5.0.0 you can set shell environment variables right from nginx.conf

Answer 2

run rake secret in your local machine and this will generate a key for you

make config/secrets.yml file

add the generated secret key here

production:
 secret_key_base: asdja1234sdbjah1234sdbjhasdbj1234ahds…

and redeploy the application after commiting

i had the same issue and resolved by this method.

Answer 3

It would be more secure to generate your key on the server and use it there, rather than push it to your repo from a local machine.

Instead of ~/.bashrc do this for using environment variables;

1. As root user, navigate to the # directory (can probably just use cd .. )
2. Enter nano home/<yourAppUser>/.bash_profile to navigate to (and create) the file to store the ENV
3. As you have already, just write this in the file: export SECRET_KEY_BASE="GENERATED_KEY_1"

You can store your database password here as well.

Answer 4

1_ Set credentials with

rails credentials:edit

2_ Upload master.key file to your production server.

If deploy with capistrano, copy master.key to shared folder (shared_path) and then add this to deploy.rb :

namespace :config do
   task :symlink do
      on roles(:app) do
        execute :ln, "-s #{shared_path}/master.key #{release_path}/config/master.key"
      end
   end
end

after 'deploy:symlink:shared', 'config:symlink'

Answer 5

In my case, on rails credentials:edit , the file indentation were not accurate which gave the error on deployment. So make sure the indentation is correct on your local before deploying.