Infos:
- Used Zammad version: zammad-6.4.0-1732190867.d3a57bc5.centos9.x86_64
- Used Zammad installation type: package
- Operating system: AlmaLinux 9.4 (Seafoam Ocelot)
- Browser + version: Edge for Business Version 131.0.2903.70 (Official Build) (64-bit)
Expected behavior:
Actual behavior:
- CSRF token verification failed
Steps to reproduce the behavior:
Fresh installed Alma Linux
- Setting up timezone and ntp:
  - timedatectl set-timezone Europe/Berlin
- Following the instructions of package installation for CentOS
- Set up repositories:
  - cat </etc/yum.repos.d/elasticsearch.repo
  - name=Elasticsearch repository for 8.x packages
  - wget -O /etc/yum.repos.d/zammad.repo \
  - dnf install -y epel-release
- Install packages:
  - dnf install -y firewalld dovecot postfix wget httpd \
  - certbot python3-certbot-apache ruby
  - dnf install -y elasticsearch
- Firewall:
  - firewall-cmd --permanent --add-service=http
  - firewall-cmd --permanent --add-service=https
  - systemctl --now enable elasticsearch httpd
Shortened from now on, as this was really just copy and paste, except where noted
- Set up Zammad
- Following the Elasticsearch instructions:
  - echo -e "\nexport ELASTIC_PASSWORD="`echo -e "Y\r" | /usr/share/elasticsearch/bin/elasticsearch-reset-password -s -u elastic`"" \
- Set up Apache with zammad.conf
- Running certbot
- Finished installation
- Call website
- Create admin user
- Login as admin
- Install cert of Elasticsearch
- Logout
No errors or warnings during the whole process
After that, no login was possible. I reset the password on the console because I thought I had mistyped somewhere, but that was not the case.
The only thing I found in the production log was that there might be a possible cause in a conflict between the server's fqdn and the vhost fqdn. Well, for both it is the same domain.
There is one more thing I noticed while I was logged into the system: it was completely in English, even though it was set to German system-wide and in my profile. At that point I wanted to try to re-login, and then the end.
By the way, I am a complete Ruby and Zammad newbie, but not a Linux newbie, so please be patient.
As a Unix admin I can follow instructions and add additional information, but in terms of Zammad I am completely blank.
As for the production log or configuration files: I have written quite a lot now, so I do not want to add a lot (more) unnecessary stuff; if you need some specific information, I will provide it.
Thanks for your help
I noticed in your instructions that you ran Certbot for the SSL certificate. Did you also copy the zammad-le-ssl.conf file over the default zammad.conf file? It’s a simple mistake that I made, also being new to Zammad.
Are you using HTTPS or HTTP?
Have you changed the config file to include:
RequestHeader set X-FORWARDED-PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
certbot-generated
<IfModule mod_ssl.c>
  <VirtualHost ticket.[domainname].community:443>
    ServerAdmin it@[domainname].community
    DocumentRoot /srv/www/vhosts/ticket.[domainname].community/docroot/http
    ErrorLog /var/log/httpd/vhosts/ticket.[domainname].community/error.log
    CustomLog /var/log/httpd/vhosts/ticket.[domainname].community/access.log combined
    ServerName ticket.[domainname].community
    SSLCertificateFile /etc/letsencrypt/live/forum.[domainname].community/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.[domainname].community/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
  </VirtualHost>
</IfModule>
zammad-mixin
[mei@gosio conf.vhosts.d]$ diff zammad_ssl.conf.orig ticket-le-ssl.conf | \
sed s/xxxxxxxxxxxx/\[domainname\]/
10,12c10,12
< <VirtualHost *:80>
< ServerName example.com
< Redirect permanent / https://example.com/
---
> <VirtualHost ticket.[domainname].community:80>
> ServerName ticket.[domainname].community
> Redirect permanent / https://ticket.[domainname].community
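Review bot: the redirect target in this hunk lost its trailing slash. `Redirect` appends whatever follows the matched `/` directly to the target, so with `Redirect permanent / https://ticket.[domainname].community` a request for `/api/v1/signin` is answered with `https://ticket.[domainname].communityapi/v1/signin`; keep the original form with the trailing slash, `Redirect permanent / https://ticket.[domainname].community/`. The `<VirtualHost>` line should also stay `*:80` rather than a hostname: Apache resolves a name there only once at startup, and its documentation recommends the `*` or IP form with `ServerName` carrying the fqdn.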
15c15
< <VirtualHost *:443>
---
> <VirtualHost ticket.[domainname].community:443>
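Review bot: same point as for the port-80 block: use `<VirtualHost *:443>` and let `ServerName ticket.[domainname].community` select the vhost. With the hostname in the `<VirtualHost>` line, the vhost only matches the address that name resolved to when httpd started, which is the kind of server-fqdn versus vhost-fqdn mismatch the production log hint quoted earlier in the thread refers to.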
19,21c19,27
< SSLEngine on
< SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
< SSLCipherSuite [zammad-cypher]
---
> ServerAdmin it@[domainname].community
> DocumentRoot /srv/www/vhosts/ticket.[domainname].community/docroot/http
> ErrorLog /var/log/httpd/vhosts/ticket.[domainname].community/error.log
> CustomLog /var/log/httpd/vhosts/ticket.[domainname].community/access.log combined
>
> ServerName ticket.[domainname].community
>
>
> SSLEngine on
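Review bot: `SSLEngine on` is now set twice, once here and again by the `Include /etc/letsencrypt/options-ssl-apache.conf` added further down; harmless, but drop one. `DocumentRoot` serves nothing as long as the proxy rules from the original file survive (they are not part of this diff, so they are unchanged), so the `/srv/www/vhosts/ticket.[domainname].community/docroot/http` directory can be omitted or left empty.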
25,28c31,34
< SSLCertificateFile /etc/ssl/certs/example.com.pem
< SSLCertificateKeyFile /etc/ssl/private/example.com.key
< SSLCertificateChainFile /etc/ssl/certs/root-ca-plus-intermediates.pem
< SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem
---
> SSLCertificateFile /etc/letsencrypt/live/forum.[domainname].community/fullchain.pem
> SSLCertificateKeyFile /etc/letsencrypt/live/forum.[domainname].community/privkey.pem
>
> Include /etc/letsencrypt/options-ssl-apache.conf
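Review bot: two things to check in this hunk. The certificate paths point at the `forum.[domainname].community` lineage while the vhost serves `ticket.[domainname].community`; certbot names the `live/` directory after the first domain it was given, so this is only correct if that certificate lists the ticket hostname as a SAN (`openssl x509 -in fullchain.pem -noout -ext subjectAltName` shows it). Dropping `SSLCertificateChainFile` is fine because `fullchain.pem` already contains the intermediates, but `SSLOpenSSLConfCmd DHParameters` is dropped as well and the `options-ssl-apache.conf` posted below sets no DH parameters, so DHE cipher suites now fall back to httpd's defaults; re-add the line if the original dhparam file is meant to be used.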
30,31d35
< # replace 'localhost' with your fqdn if you want to use zammad from remote
< ServerName localhost
options-ssl-apache.conf
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite [certbot-cipher]
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
In short, I replaced some Zammad config with certbot config.
Somehow the production log entries are a lot shorter today, so I am posting them too now. Here is the specific one for the login attempt:
I, [2024-11-28T08:37:18.131767#101844-187580] INFO -- : Parameters: {"username"=>" mimmmmi@[domainname].bayern", "password"=>"[FILTERED]", "fingerprint"=>"-[fingerprint]"}
I, [2024-11-28T08:37:18.138328#101844-187580] INFO -- : CSRF token verification failed
I, [2024-11-28T08:37:18.138607#101844-187580] INFO -- : CSRF token verification failed! (Exceptions::NotAuthorized)
app/controllers/application_controller/prevents_csrf.rb:36:in `verify_csrf_token'
app/controllers/application_controller/has_download.rb:17:in `block (4 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:16:in `block (3 levels) in <module:HasDownload>'
app/controllers/application_controller/has_download.rb:15:in `block (2 levels) in <module:HasDownload>'
app/controllers/application_controller/handles_transitions.rb:16:in `handle_transaction'
I, [2024-11-28T08:37:18.140443#101844-187580] INFO -- : Completed 401 Unauthorized in 8ms (Views: 0.2ms | ActiveRecord: 1.6ms | Allocations: 2127)
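For comparison, here is an added example of an Apache vhost for this setup that keeps the certbot material but also carries the proxy lines the earlier reply asks about. It is not the original poster's file and not the config Zammad ships; it assumes Zammad's Rails app listens on 127.0.0.1:3000 and its websocket server on 127.0.0.1:6042 (adjust to your installation), uses the thread's `[domainname]` placeholder, and needs mod_ssl, mod_headers, mod_proxy, mod_proxy_http and mod_proxy_wstunnel loaded.

```apache
# Added example, not the poster's file and not Zammad's shipped config.
# Assumptions (not stated in the thread): the Rails app listens on
# 127.0.0.1:3000 and the websocket server on 127.0.0.1:6042.

<VirtualHost *:80>
    ServerName ticket.[domainname].community
    # Trailing slash matters: Redirect appends the rest of the request path
    # to the target, so "https://host" (no slash) would yield "https://hostfoo" for /foo.
    Redirect permanent / https://ticket.[domainname].community/
</VirtualHost>

<VirtualHost *:443>
    ServerName ticket.[domainname].community
    ServerAdmin it@[domainname].community

    ErrorLog /var/log/httpd/vhosts/ticket.[domainname].community/error.log
    CustomLog /var/log/httpd/vhosts/ticket.[domainname].community/access.log combined

    SSLEngine on
    # certbot names the live/ directory after the first domain it was asked for;
    # this lineage must list ticket.[domainname].community as a SAN.
    SSLCertificateFile /etc/letsencrypt/live/forum.[domainname].community/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.[domainname].community/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # WEAK (the situation in the thread): TLS ends here and the backend is
    # reached over plain http, so without the two RequestHeader lines the
    # Rails app sees an http request while the browser used https, and the
    # secure-cookie / scheme checks behind the CSRF token no longer line up.
    #
    # CORRECTED: tell the backend which scheme the client actually used.
    RequestHeader set X-Forwarded-Proto 'https'
    RequestHeader set X-Forwarded-Ssl on

    # Pass the public fqdn through unchanged so the app compares against
    # ticket.[domainname].community, not 127.0.0.1:3000.
    ProxyPreserveHost On
    # Never act as an open forward proxy; only the ProxyPass rules below apply.
    ProxyRequests Off

    # Websocket route first, then everything else to the Rails app (assumed ports).
    ProxyPass /ws ws://127.0.0.1:6042/
    ProxyPassReverse /ws ws://127.0.0.1:6042/
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
```

Before reloading httpd, `apachectl configtest` catches missing modules, and a quick way to confirm the header lines are active is to watch a login in the production log: with the headers in place the request is processed instead of ending in the `CSRF token verification failed` / `Completed 401 Unauthorized` pair shown above. The `Redirect` on port 80 is the place to double-check the trailing slash, since the diff posted earlier drops it.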
My production log shows the same entries.