Infos:
Used Zammad version: zammad-6.4.0-1732190867.d3a57bc5.centos9.x86_64
Used Zammad installation type: package
Operating system: AlmaLinux 9.4 (Seafoam Ocelot)
Browser + version: Edge for Business Version 131.0.2903.70 (Official build) (64-bit)
Expected behavior:
Actual behavior:
CSRF token verification failed
Steps to reproduce the behavior:
Fresh installed Alma Linux
Setting up timezone and ntp:
timedatectl set-timezone Europe/Berlin
Following the instructions of package installation for CentOS
Set up repositories:
cat </etc/yum.repos.d/elasticsearch.repo
name=Elasticsearch repository for 8.x packages
wget -O /etc/yum.repos.d/zammad.repo \
dnf install -y epel-release
Install packages:
dnf install -y firewalld dovecot postfix wget httpd \
certbot python3-certbot-apache ruby
dnf install -y elasticsearch
Firewall
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
systemctl --now enable elasticsearch httpd
Shortened from now on as this was really just copy paste now, except when noticed
Set up Zammad
Following the Elasticsearch instructions
echo -e "\nexport ELASTIC_PASSWORD="`echo -e "Y\r" |
/usr/share/elasticsearch/bin/elasticsearch-reset-password -s -u elastic`"" \
Set Up Apache with zammad.conf
running certbot
Finished installation
Call website
Create admin user
Login as admin
Install cert of Elasticsearch
Logout
No errors or warnings during the whole process
After that, no login was possible. I reset the password on the console because I thought I had mistyped somewhere, but that was not the case.
The only thing I found in the production log was that a possible cause might be a conflict between the server's FQDN and the vhost's FQDN. Well, for both it is the same domain.
There is one more thing I noticed while I was logged into the system: it was completely in English even though it was set to German system-wide and in my profile. At that point I wanted to try to re-login, and that was the end.
By the way, I am a complete Ruby and Zammad newbie but not a Linux newbie, so please be patient.
As a Unix admin I can follow instructions and add additional information, but in terms of Zammad I am completely blank.
As for the production log or configuration files, I have written quite a lot now, so I do not want to add a lot (more) unnecessary stuff; if you need some specific information, I will provide it.
Thanks for your help
I noticed in your instructions that you ran Certbot for the SSL certificate. Did you also copy the zammad-le-ssl.conf file over the default zammad.conf file? It’s a simple mistake that I made, also being new to Zammad.
Are you using HTTPS or HTTP?
Have you changed the config file to include:
RequestHeader set X-FORWARDED-PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
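The two headers in the reply above matter because a Rails application behind a TLS-terminating proxy compares the browser's Origin with the base URL it believes it is served on; if the proxy talks plain HTTP to the app and does not forward the scheme, that comparison fails. The following is an added, simplified model of that check (example code, not Zammad's or Rails' own implementation); the host name, the sample requests and the header sets are constructed here.

```python
"""
Simplified model of the origin check behind "CSRF token verification failed"
when a Rails application (Zammad is one) sits behind a TLS-terminating
reverse proxy. Added example, not Zammad's or Rails' code: it reproduces the
reasoning of the check, not the framework internals.

Assumptions, not taken from the thread:
  - Apache terminates TLS and forwards to the app over plain HTTP
  - the browser sends an Origin header on the login POST
  - the app derives its own scheme from X-Forwarded-Proto / X-Forwarded-Ssl
    when present, otherwise from the connection it received the request on
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ProxiedRequest:
    """What the app server sees after the request passed through the proxy."""
    host: str                      # Host header as forwarded by Apache
    origin: Optional[str]          # Origin header sent by the browser (None if absent)
    socket_scheme: str = "http"    # scheme of the proxy -> app hop
    headers: dict = field(default_factory=dict)


def effective_scheme(req: ProxiedRequest) -> str:
    """Scheme the app believes it is served on; forwarded headers take precedence."""
    lowered = {k.lower(): v for k, v in req.headers.items()}
    if lowered.get("x-forwarded-ssl", "").lower() == "on":
        return "https"
    proto = lowered.get("x-forwarded-proto")
    if proto:
        # a proxy chain may send "https, http"; the first value is the client-facing hop
        return proto.split(",")[0].strip().lower()
    return req.socket_scheme


def base_url(req: ProxiedRequest) -> str:
    return f"{effective_scheme(req)}://{req.host}"


def origin_check_passes(req: ProxiedRequest) -> bool:
    """Rails-style rule: a request without Origin passes; otherwise Origin must equal the base URL."""
    return req.origin is None or req.origin == base_url(req)


def diagnose(req: ProxiedRequest) -> str:
    """Verdict an admin can compare against the production log."""
    if origin_check_passes(req):
        return "ok"
    return (f"Origin {req.origin} does not match app base URL {base_url(req)}: "
            "check X-Forwarded-Proto/X-Forwarded-Ssl and ServerName in the vhost")


# Constructed sample requests mirroring the thread: same host, TLS ends at Apache.
HOST = "ticket.example.test"            # placeholder for ticket.[domainname].community
ORIGIN = "https://ticket.example.test"

# certbot-generated vhost without the RequestHeader lines: app sees http://
MISSING_HEADERS = ProxiedRequest(HOST, ORIGIN)
# vhost carrying the two headers from the reply above: app sees https://
WITH_HEADERS = ProxiedRequest(HOST, ORIGIN, headers={
    "X-FORWARDED-PROTO": "https", "X-Forwarded-Ssl": "on"})
# scheme correct but the app is addressed as localhost: name mismatch still fails
OTHER_NAME = ProxiedRequest("localhost", ORIGIN, headers={"X-Forwarded-Proto": "https"})

if __name__ == "__main__":
    for label, req in [("no forwarded headers", MISSING_HEADERS),
                       ("with forwarded headers", WITH_HEADERS),
                       ("wrong host", OTHER_NAME)]:
        print(f"{label}: {diagnose(req)}")
```

Running it prints one line per sample; only the request carrying the forwarded scheme and the matching host passes, which is exactly the combination the two `RequestHeader` lines plus a correct `ServerName` produce.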
certbot-generated
<IfModule mod_ssl.c>
<VirtualHost ticket.[domainname].community:443>
ServerAdmin it@[domainname].community
DocumentRoot /srv/www/vhosts/ticket.[domainname].community/docroot/http
ErrorLog /var/log/httpd/vhosts/ticket.[domainname].community/error.log
CustomLog /var/log/httpd/vhosts/ticket.[domainname].community/access.log combined
ServerName ticket.[domainname].community
SSLCertificateFile /etc/letsencrypt/live/forum.[domainname].community/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/forum.[domainname].community/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
zammad-mixin
[mei@gosio conf.vhosts.d]$ diff zammad_ssl.conf.orig ticket-le-ssl.conf | \
sed s/xxxxxxxxxxxx/\[domainname\]/
10,12c10,12
< <VirtualHost *:80>
< ServerName example.com
< Redirect permanent / https://example.com/
---
> <VirtualHost ticket.[domainname].community:80>
> ServerName ticket.[domainname].community
> Redirect permanent / https://ticket.[domainname].community
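Review bot: the redirect target on the last `>` line dropped the trailing slash that the template line `< Redirect permanent / https://example.com/` carries. With `Redirect permanent /`, Apache appends the remainder of the request path to the target URL, so requests for sub-paths can end up at a malformed location; keeping `https://ticket.[domainname].community/` as in the template avoids that.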
15c15
< <VirtualHost *:443>
---
> <VirtualHost ticket.[domainname].community:443>
19,21c19,27
< SSLEngine on
< SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
< SSLCipherSuite [zammad-cypher]
---
> ServerAdmin it@[domainname].community
> DocumentRoot /srv/www/vhosts/ticket.[domainname].community/docroot/http
> ErrorLog /var/log/httpd/vhosts/ticket.[domainname].community/error.log
> CustomLog /var/log/httpd/vhosts/ticket.[domainname].community/access.log combined
>
> ServerName ticket.[domainname].community
>
>
> SSLEngine on
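Review bot: this hunk removes the template's `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and `SSLCipherSuite` lines and replaces them with only `SSLEngine on`; the protocol and cipher restrictions survive solely because the `Include /etc/letsencrypt/options-ssl-apache.conf` added later in the file carries equivalents, so that Include must stay in this vhost. Note also that `SSLEngine on` is now set both here and in the included file, which is harmless but redundant.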
25,28c31,34
< SSLCertificateFile /etc/ssl/certs/example.com.pem
< SSLCertificateKeyFile /etc/ssl/private/example.com.key
< SSLCertificateChainFile /etc/ssl/certs/root-ca-plus-intermediates.pem
< SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem
---
> SSLCertificateFile /etc/letsencrypt/live/forum.[domainname].community/fullchain.pem
> SSLCertificateKeyFile /etc/letsencrypt/live/forum.[domainname].community/privkey.pem
>
> Include /etc/letsencrypt/options-ssl-apache.conf
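Review bot: the new `SSLCertificateFile` and `SSLCertificateKeyFile` lines point at `/etc/letsencrypt/live/forum.[domainname].community/`, while this vhost's `ServerName` is `ticket.[domainname].community`; unless that certificate's SAN list also covers the ticket host name, browsers will reject the connection. The template's `SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem` is also dropped without a replacement in the included certbot file, so the DH parameters fall back to Apache's defaults.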
30,31d35
< # replace 'localhost' with your fqdn if you want to use zammad from remote
< ServerName localhost
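Review bot: removing `ServerName localhost` together with its comment is correct here, since `ServerName ticket.[domainname].community` is already set earlier in the same vhost and the template comment itself says to replace `localhost` with the FQDN; the remaining point to verify is that the FQDN configured inside Zammad matches this `ServerName`, as the production log mentions a possible server/vhost FQDN conflict.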
options-ssl-apache.conf
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite [certbot-cipher]
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
In short, I replaced some Zammad config with certbot config.
Somehow the production log entries are a lot shorter today, so I am posting them now, too. Here is the specific one for the login attempt:
I, [2024-11-28T08:37:18.131767#101844-187580] INFO -- : Parameters: {"username"=>" mimmmmi@[domainname].bayern", "password"=>"[FILTERED]", "fingerprint"=>"-[fingerprint]"}
I, [2024-11-28T08:37:18.138328#101844-187580] INFO -- : CSRF token verification failed
I, [2024-11-28T08:37:18.138607#101844-187580] INFO -- : CSRF token verification failed! (Exceptions::NotAuthorized)
app/controllers/application_controller/prevents_csrf.rb:36:in `verify_csrf_token'
app/controllers/application_controller/has_download.rb:17:in `block (4 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:16:in `block (3 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:15:in `block (2 levels) in <module:HasDownload>'
app/controllers/application_controller/handles_transitions.rb:16:in `handle_transaction'
I, [2024-11-28T08:37:18.140443#101844-187580] INFO -- : Completed 401 Unauthorized in 8ms (Views: 0.2ms | ActiveRecord: 1.6ms | Allocations: 2127)
My production log shows the same entries.
I wonder if there is a "debug" switch to get more log entries. But so far I haven't found one in the docs.
I found a fix for mine. Maybe it will work for you too:
Symptoms: Right after a fresh installation of Zammad you implement Let’s Encrypt and you are unable to login to your Zammad portal due to the following error. CSRF token verification failed! Cause: When you install Zammad, it’ll automatically create...
Solution 1: rename the file /etc/apache2/sites-available/zammad-le-ssl.conf to not be a .conf (mine is called zammad-le-ssl.bak). Restart zammad and reload your webserver. Then try to login.
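The fix above works by making sure only one vhost definition for the site's name and port stays active: Apache includes only files ending in `.conf`, so a renamed `.bak` copy is ignored. The following is an added helper (example code, not part of Zammad or certbot) that scans a configuration directory for the same `ServerName`/port pair declared in more than one active file. The directory, file names and vhost contents it builds are constructed here to mirror the situation described in the thread; the host name `ticket.example.test` is a placeholder.

```python
"""
Find Apache virtual hosts that are declared more than once for the same
name and port across the active *.conf files of a configuration directory.
Added example for the thread above, not part of Zammad or certbot; the
sample files it builds are constructed here to mirror the described
situation (zammad.conf plus a certbot-generated zammad-le-ssl.conf).
Limitation: IPv6 literals without a port are not parsed.
"""
import os
import re
import tempfile
from collections import defaultdict

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)


def vhosts_in(text):
    """Yield (servername, port) for every <VirtualHost> block in one file's text."""
    for m in VHOST_RE.finditer(text):
        first_addr = m.group(1).split()[0]          # e.g. "*:443" or "ticket.example.test:443"
        host, sep, port = first_addr.rpartition(":")
        if not sep:                                  # no explicit port -> matches all ports
            host, port = first_addr, "*"
        name_match = SERVERNAME_RE.search(m.group(2))
        name = name_match.group(1) if name_match else host
        yield name.lower(), port


def find_duplicate_vhosts(conf_dir):
    """Map (servername, port) -> sorted list of *.conf files declaring it; duplicates only."""
    seen = defaultdict(list)
    for fname in sorted(os.listdir(conf_dir)):
        if not fname.endswith(".conf"):              # Apache only includes *.conf; .bak is ignored
            continue
        with open(os.path.join(conf_dir, fname), encoding="utf-8") as fh:
            for key in vhosts_in(fh.read()):
                seen[key].append(fname)
    return {key: files for key, files in seen.items() if len(files) > 1}


# Constructed sample configs: the Zammad template vhost and a certbot copy for the same host.
ZAMMAD_CONF = """\
<VirtualHost *:80>
    ServerName ticket.example.test
    Redirect permanent / https://ticket.example.test/
</VirtualHost>
<VirtualHost *:443>
    ServerName ticket.example.test
    SSLEngine on
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass / http://127.0.0.1:3000/
</VirtualHost>
"""

LE_SSL_CONF = """\
<IfModule mod_ssl.c>
<VirtualHost ticket.example.test:443>
    ServerName ticket.example.test
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
"""


def build_sample_conf_dir():
    """Write the constructed files into a fresh temp directory and return its path."""
    d = tempfile.mkdtemp(prefix="vhost-check-")
    files = {
        "zammad.conf": ZAMMAD_CONF,
        "zammad-le-ssl.conf": LE_SSL_CONF,
        "zammad-le-ssl.bak": LE_SSL_CONF,   # renamed copy: no longer included by Apache
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    for (name, port), files in find_duplicate_vhosts(build_sample_conf_dir()).items():
        print(f"{name}:{port} is declared in {', '.join(files)}")
```

On the constructed directory the scan reports `ticket.example.test:443` in both `zammad.conf` and `zammad-le-ssl.conf`, and stays silent once one of them no longer ends in `.conf`, which is the state the rename above produces. Pointing `find_duplicate_vhosts` at a real directory such as `/etc/httpd/conf.d` gives the same check for a live host.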