Openproject 8.1.0 422 error


#1

I have an error after updating OpenProject. After login I get a 422 message that says: Unable to verify Cross-Site Request Forgery token. Did you try to submit data on multiple browsers or tabs? Please close all tabs and try again. The OpenProject cookie is missing. Please ensure that cookies are enabled, as this application will not properly function without.


#2

Hello @alopez

did it look like this?

[Screenshot: Bildschirmfoto vom 2018-11-15 11-49-48]

In another thread, a workaround is provided.

Does it work for you?

Best regards,
Nico


#3

Hello - I have this same issue after an upgrade from 7.3 --> 8.1, but I can't log in to OP to change it from https, where it was left before the update. My admin account gets the same error. Is there a default admin in 8.1 I can use to log in and change it from http back to https?


#4

Hello @mediadev,

In a fresh OpenProject setup there is the admin user with the password admin. When you log in for the first time with this local OpenProject user, you are requested to change the default password. This user is independent of the LDAP authentication.

Best regards,
Nico


#5

Ok - I still get the same error: Unable to verify Cross-Site Request Forgery token. Did you try to submit data on multiple browsers or tabs? Please close all tabs and try again. It won't let any account log in that was active before in v7.3.


#6

Hello @mediadev,

yes, this whole thing is very annoying and the vendor is informed about it. In my tests, when I configured OpenProject to use HTTPS, it only worked in two cases, which was more than before:

  • Login with https://hostname.domain/openproject/ → SUCCESS
  • Login with https://hostname.domain/openproject/login → SUCCESS

Once HTTPS is selected, you should only access the OpenProject page with HTTPS.

Does that help?

Best regards,
Nico


#7

I tried adding

```apache
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
```

into my Apache conf, but the error is still there.

Unable to verify Cross-Site Request Forgery token. Did you try to submit data on multiple browsers or tabs? Please close all tabs and try again.


#8

Hello @mediadev,

Can you please elaborate on the steps you took to access OpenProject?

I worked with the recent App Appliance and after I configured the workaround, HTTPS worked. A fix for the problem is a work in progress and planned for the next update.

  1. Setup OpenProject
  2. Connect to the instance: https://hostname.domain/openproject/login/ and log in with admin and password admin. This will redirect to http://hostname.domain/openproject/login. Alternatively, you could use any user in the UCS directory that has been granted administration rights for OpenProject.
  3. Manually change the URL in your browser to https://hostname.domain/openproject/ and you should see you are logged in. You will be requested to change the password for admin.
  4. Go to Administration → System settings → General → Protocol and set it to HTTPS. Save the changes. Logout.
  5. Go to https://hostname.domain/openproject/ or https://hostname.domain/openproject/login/ and login again. It should be working. HTTP connections won’t log you in though.

That’s how I worked around this login issue.

Best regards,
Nico


#9

Thank you Gulden, for taking a look. I have tried this route but it seems like it didn't reset back to default users, as it doesn't see default user admin - password admin, but it does seem to see the original users I had built in from v7.3, as well as the original admin account I had renamed with a different password. I can tell it sees those because it doesn't give an invalid password error, but instead when it is a valid user from the previous setup, it responds with the error: 422 - “Unable to verify Cross-Site Request Forgery token. Did you try to submit data on multiple browsers or tabs? Please close all tabs and try again.” My URL looks like this: https://www.rightdomain.com/openproject/login

Now, the UCS config is set to force SSL, and we use Let's Encrypt for the domain and subdomain - I tried to just enter the http with the correct URL to try and force it to use just the http: but it just redirects to https. I did add the RequestHeader set "X-Forwarded-Proto" and restarted apache2, but still there. So I am unable to even get in to the administration panel inside of OP to reset it to https from http, if that is what happened. I am loath to stop forcing SSL in UCS as I also have owncloud and wordpress using it. Do you think it would break anything if I deselected “force SSL” in the Univention Management Console? Is that perhaps what I need to do to log in again, and then set the OP administration to https from within the app itself, or can I do that from the CLI or the UMC?


#10

Is there a way to directly access the config file for openproject from the Univention CLI - I cannot find it in there with WinSCP or Putty - I am never sure where the config files are in Univention, it seems to keep them in weird places.


#12

Well I have tried everything, even uninstalled and reinstalled all for it to come back to the exact same error - ‘422 - Unable to verify Cross-Site Request Forgery token. Did you try to submit data on multiple browsers or tabs? Please close all tabs and try again.’

I added all the extra code into Apache for:

```apache
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
```

It does nothing.

It is a real shame to have sunk this much time into getting it up and running just to have it crap out almost immediately after I convinced PMs to start using it. If I end up DOA on this I will be making strong, very strong recommendations for all to avoid this software as a time and $$ suck. We will never pay them one red cent for any support after this fail


#13

Hello @mediadev

I’m sorry to hear that it took you so much time.

Those settings are already made by the app itself. A bugfix is being worked on and it is planned to be released with the next app update.

Best regards,
Nico


#14

Hello,

Today OpenProject 8.2.0 has been released. It also includes a fix for the login problem and allows login only via HTTPS.

FYI: @mediadev, @Mark_Lanigan

Best regards,
Nico


#15

Hello - I have updated both UCS (UCS Version 4.3-3 errata398 (Neustadt), UMC Version 10.0.6-17A~4.3.0.201812181814) and the new Open Project to 8.2 released yesterday, but the problem has not changed. Do I need to completely remove Open Project and delete any files in UCS and reinstall? I have checked the conf files and they show:

000-default.conf:

```apache
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
#       /etc/univention/templates/files/etc/apache2/sites-available/000-default.d/00start
#       /etc/univention/templates/files/etc/apache2/sites-available/000-default.d/10univention-appcenter
#       /etc/univention/templates/files/etc/apache2/sites-available/000-default.d/99end

<VirtualHost *:80>
IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf

ProxyPass /bluespice http://127.0.0.1:40005/bluespice retry=0
ProxyPassReverse /bluespice http://127.0.0.1:40005/bluespice

ProxyPass /openproject/ http://127.0.0.1:40006/openproject/ retry=0
ProxyPassReverse /openproject/ http://127.0.0.1:40006/openproject/

ProxyPass /owncloud http://127.0.0.1:40000/owncloud retry=0
ProxyPassReverse /owncloud http://127.0.0.1:40000/owncloud

ProxyPass /wordpress http://127.0.0.1:40002/wordpress retry=0
ProxyPassReverse /wordpress http://127.0.0.1:40002/wordpress
```

default-ssl.conf:

```apache
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10hsts
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/10univention-appcenter
#       /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/99end

<VirtualHost *:443>
IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
SSLEngine on
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
SSLCACertificateFile /etc/univention/letsencrypt/intermediate.pem

#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

### To enable special log format for HTTPS-access
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %p" combinedssl
# CustomLog /var/log/apache2/access.log combinedssl	## with port number

ProxyPass /bluespice http://127.0.0.1:40005/bluespice retry=0
ProxyPassReverse /bluespice http://127.0.0.1:40005/bluespice

ProxyPass /openproject/ http://127.0.0.1:40006/openproject/ retry=0
ProxyPassReverse /openproject/ http://127.0.0.1:40006/openproject/

ProxyPass /owncloud https://127.0.0.1:40001/owncloud retry=0
ProxyPassReverse /owncloud https://127.0.0.1:40001/owncloud

ProxyPass /wordpress https://127.0.0.1:40004/wordpress retry=0
ProxyPassReverse /wordpress https://127.0.0.1:40004/wordpress
```

And this is the custom Apache Virtual Host file I use:

```apache
ServerName mydomain.com
ServerAlias www.mydomain.com
IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf

SSLEngine on
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile /etc/univention/letsencrypt/signed_chain.crt
SSLCertificateKeyFile /etc/univention/letsencrypt/domain.key
SSLCACertificateFile /etc/univention/letsencrypt/intermediate.pem

ErrorLog ${APACHE_LOG_DIR}/proxy-error.log
CustomLog ${APACHE_LOG_DIR}/proxy-access.log combined

ProxyPass /openproject/ http://127.0.0.1:40006/openproject/ retry=0
ProxyPassReverse /openproject/ http://127.0.0.1:40006/openproject/

ProxyPass /owncloud https://127.0.0.1:40001/owncloud retry=0
ProxyPassReverse /owncloud https://127.0.0.1:40001/owncloud

ProxyPass /wordpress https://127.0.0.1:40004/wordpress retry=0
ProxyPassReverse /wordpress https://127.0.0.1:40004/wordpress

ProxyPass /bluespice http://127.0.0.1:40005/bluespice retry=0
ProxyPassReverse /bluespice http://127.0.0.1:40005/bluespice
ProxyPreserveHost On
ProxyRequests Off
```

Any help is appreciated. The error is the same, it made no change doing all this upgrading. Perhaps it is something I added, I am just not sure what has happened here to our install of OP. It just doesn't seem to be a functioning piece of software at this point. We can't log in, even with admin accounts. The error is still: 422 - Unable to verify Cross-Site Request Forgery token. Did you try to submit data on multiple browsers or tabs? Please close all tabs and try again.

Furthermore if I try and add a new account it says I have exceeded my limit of accounts. There was something about being limited to only 10 logins, but if it is tied to our LDAP, then there would be more than that from our last version at 7.3.

It is curious that in the UCS UMC Open Project settings, there is only a port 80 set and not a 443 like the other apps running on SSL in UCS!
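
A way to check a proxy layout like the one quoted above for the condition this thread revolves around: a TLS virtual host handing a path such as /openproject/ to a plain-HTTP backend, with or without an `X-Forwarded-Proto` header set in that vhost. This is an added example, not part of the original post and not UCS or OpenProject code; the `audit` function and the sample config are constructed, and files pulled in through `IncludeOptional` are not followed, so a missing header here only means it is not set in the text that was scanned.

```python
import re

# Constructed sample, modelled on the vhost layout quoted in the post above.
SAMPLE_CONF = """\
<VirtualHost *:80>
ProxyPass /openproject/ http://127.0.0.1:40006/openproject/ retry=0
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
ProxyPass /openproject/ http://127.0.0.1:40006/openproject/ retry=0
ProxyPass /owncloud https://127.0.0.1:40001/owncloud retry=0
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
ProxyPass /openproject/ http://127.0.0.1:40006/openproject/ retry=0
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.S | re.I)
PROXY = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(https?)://", re.M | re.I)
FWD = re.compile(r"^\s*RequestHeader\s+set\s+[\"']?X-Forwarded-Proto\b", re.M | re.I)
TLS = re.compile(r"^\s*SSLEngine\s+on\b", re.M | re.I)


def audit(conf_text):
    """Return (vhost address, proxied path, header_set) for every path that a
    TLS vhost forwards to a plain-HTTP backend. header_set says whether that
    vhost itself sets X-Forwarded-Proto, which the backend needs in order to
    learn that the browser connection was HTTPS."""
    findings = []
    for addr, body in VHOST.findall(conf_text):
        # Drop commented-out directives before matching.
        body = "\n".join(
            line for line in body.splitlines() if not line.lstrip().startswith("#")
        )
        if not TLS.search(body):
            continue  # no TLS termination in this vhost, scheme is unchanged
        header_set = bool(FWD.search(body))
        for path, scheme in PROXY.findall(body):
            if scheme.lower() == "http":
                findings.append((addr.strip(), path, header_set))
    return findings


if __name__ == "__main__":
    for addr, path, header_set in audit(SAMPLE_CONF):
        state = "set" if header_set else "NOT set in this vhost"
        print(f"{addr} {path}: plain-HTTP backend, X-Forwarded-Proto {state}")
```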



#16

Thanks guys, not sure why the problem is persisting, maybe I have something wrong? I removed the

```apache
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
```

additions from the Apache conf files, as OP should be including them now in v8.2. I tried both ways and can't get it running.


#17

Ok all - I did a complete uninstall and manually deleted all references to Open Project from the UMC and then used univention-app to install from the SSH Putty cli, and I can now login with no more 422 error!

It should be noted this upgrade (OP 8.0+) is to the Enterprise Edition, and will limit your seats to only 10. This was not very clear from within the UCS console, or the program itself. THIS IS NOT THE COMMUNITY EDITION, THE WATER IS A BIT MUDDY HERE


#18

Hello @Mark_Lanigan,

good to hear that the login problem has been solved and it is working for you now. Thanks for the feedback.

No, indeed it is not. And the app’s description tells so very clearly. You can find it in the app catalog, as well as in UCS itself:

This app contains the Open Project Enterprise Edition. In addition to premium functions, the Enterprise Edition also includes professional support for use in business-critical projects. The provided app already contains an Enterprise License, which is unlimited in time and already contains 10 users. You can buy more comprehensive Enterprise licenses in the App Center. Further information can be found in the price overview.

The app provider of OpenProject decided to provide the Enterprise Edition in the App Center starting with version 8.1. I believe this is a fair offering and it is the vendor’s freedom to do so. If you are unhappy with the business model, you are free to use something else.

Best regards,
Nico


#19

All worked out well - thanks for your help - OP did offer us a reduced price so all good


#20

Hello @Mark_Lanigan,

thanks for your feedback and I’m glad to hear it is working for you now. I’m really sorry for the inconvenience you had at all and I hope OpenProject on UCS is helping you with the challenges you want to solve using those products.

Best regards,
Nico