CSRF token verification failed as admin user directly after initial setup

Infos:

  • Used Zammad version: zammad-6.4.0-1732190867.d3a57bc5.centos9.x86_64
  • Used Zammad installation type: package
  • Operating system: AlmaLinux 9.4 (Seafoam Ocelot)
  • Browser + version: Edge for Business Version 131.0.2903.70 (Offizielles Build) (64-Bit)

Expected behavior:

  • Login to happen

Actual behavior:

  • CSRF token verification failed

Steps to reproduce the behavior:

Fresh installed Alma Linux

  • Setting up timezone and ntp:
    • timedatectl set-timezone Europe/Berlin
    • timedatectl set-ntp true

Following the instructions of package installation for CentOS

Shortened from now on as this was really just copy paste now, except when noticed

  • Set up Zammad
  • Following the Elasticsearch instructions
    • echo -e "\nexport ELASTIC_PASSWORD="`echo -e “Y\r” |
    • /usr/share/elasticsearch/bin/elasticsearch-reset-password -s -u elastic`"" \
    • >> .bashrc
  • Set Up Apache with zammad.conf
  • running certbot
  • Finished installation
  • Call website
  • Create admin user
  • Login as admin
  • Install cert of Elasticsearch
  • Logout

No errors or warnings during the whole process

After that, no login was possible. I reset the password on the console because I thought I mistyped somewhere, but that was not the case.

The only thing I found in the production log was, that there might be a possible cause with a conflict between the servers fqdn and the vhost fqnd. Well, for both it is the same domain.

There is one more thing I notice, as long as I was logged into the system: it was completely in English even when it was set system wide and in my profile to German. At that point I wanted to try to relogin and then the end.

By the way, I am a complete ruby and Zammad newbie but not a Linux newbie, so please be patient.
As a Unix admin I can follow instructions :wink: and add additional information but in terms of Zammad I am completely blank.

As for the production log or configuration files, I wrote quite a lot now so I do not want to add a lot (more) unnecessary stuff, so, if you need some specific information, I will provide them.

Thanks for your help

I noticed in your instructions that you ran Certbot for the SSL certificate. Did you also copy the zammad-le-ssl.conf file over the default zammad.conf file? It’s a simple mistake that I made, also being new to Zammad.

Are you using HTTPS or HTTP?
Have you changed the config file to include;
RequestHeader set X-FORWARDED-PROTO ‘https’
RequestHeader set X-Forwarded-Ssl on

certbot-generated

<IfModule mod_ssl.c>
<VirtualHost ticket.[domainname].community:443>
    ServerAdmin it@[domainname].community
    DocumentRoot /srv/www/vhosts/ticket.[domainname].community/docroot/http
    ErrorLog /var/log/httpd/vhosts/ticket.[domainname].community/error.log
    CustomLog /var/log/httpd/vhosts/ticket.[domainname].community/access.log combined

ServerName ticket.[domainname].community
SSLCertificateFile /etc/letsencrypt/live/forum.[domainname].community/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/forum.[domainname].community/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

zammad-mixin

[mei@gosio conf.vhosts.d]$ diff zammad_ssl.conf.orig ticket-le-ssl.conf | \
sed s/xxxxxxxxxxxx/\[domainname\]/
10,12c10,12
< <VirtualHost *:80>
<   ServerName example.com
<   Redirect permanent / https://example.com/
---
> <VirtualHost ticket.[domainname].community:80>
>   ServerName ticket.[domainname].community
>   Redirect permanent / https://ticket.[domainname].community
15c15
< <VirtualHost *:443>
---
> <VirtualHost ticket.[domainname].community:443>
19,21c19,27
<   SSLEngine on
<   SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
<   SSLCipherSuite          [zammad-cypher]
---
>     ServerAdmin it@[domainname].community
>     DocumentRoot /srv/www/vhosts/ticket.[domainname].community/docroot/http
>     ErrorLog /var/log/httpd/vhosts/ticket.[domainname].community/error.log
>     CustomLog /var/log/httpd/vhosts/ticket.[domainname].community/access.log combined
>
> ServerName ticket.[domainname].community
>
>
> SSLEngine on
25,28c31,34
<   SSLCertificateFile /etc/ssl/certs/example.com.pem
<   SSLCertificateKeyFile /etc/ssl/private/example.com.key
<   SSLCertificateChainFile /etc/ssl/certs/root-ca-plus-intermediates.pem
<   SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem
---
>   SSLCertificateFile /etc/letsencrypt/live/forum.[domainname].community/fullchain.pem
>   SSLCertificateKeyFile /etc/letsencrypt/live/forum.[domainname].community/privkey.pem
>
>   Include /etc/letsencrypt/options-ssl-apache.conf
30,31d35
<   # replace 'localhost' with your fqdn if you want to use zammad from remote
<   ServerName localhost

options-ssl-apache.conf

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          [certbot-cipher]
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

In short, I replaced some Zammad config with certbot config.

Somehow the production-log-entries are a lot shorter today, so I post them too, now. Here is the specific one of the login attempt:

I, [2024-11-28T08:37:18.131767#101844-187580]  INFO -- :   Parameters: {"username"=>" mimmmmi@[domainname].bayern", "password"=>"[FILTERED]", "fingerprint"=>"-[fingerprint]"}
I, [2024-11-28T08:37:18.138328#101844-187580]  INFO -- : CSRF token verification failed
I, [2024-11-28T08:37:18.138607#101844-187580]  INFO -- : CSRF token verification failed! (Exceptions::NotAuthorized)
app/controllers/application_controller/prevents_csrf.rb:36:in `verify_csrf_token'
app/controllers/application_controller/has_download.rb:17:in `block (4 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:16:in `block (3 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:15:in `block (2 levels) in <module:HasDownload>'
app/controllers/application_controller/handles_transitions.rb:16:in `handle_transaction'
I, [2024-11-28T08:37:18.140443#101844-187580]  INFO -- : Completed 401 Unauthorized in 8ms (Views: 0.2ms | ActiveRecord: 1.6ms | Allocations: 2127)

My production log shows the same entries.

I wonder if there is a “debug” switch to have more log entries. But till now I haven’t found one in the docs.

I found a fix for mine. Maybe it will work for you to:

Solution 1: rename the file /etc/apache2/sites-available/zammad-le-ssl.conf to not be a .conf (mine is called zammad-le-ssl.bak). Restart zammad and reload your webserver. Then try to login.