Error while update to Mastodon 4.3

itbeard

Hey folks,
After updating I was permanently getting errors of migration like on the screenshot below:

In the end, I just restored the backup.
Any ideas on how to fix it?

nebulon

The OTP_SECRET is set during first installation in /app/data/env.production https://git.cloudron.io/cloudron/mastodon-app/-/blob/master/start.sh?ref_type=heads#L65

Is this correctly set in your backup or was it changed manually? I guess it is only relevant also if any user uses 2fa already and does it work before the update?

itbeard

@nebulon Hello,
OTP_SECRET was set two years ago and has not changed since then. Some users successfully use 2FA (including me)

nebulon

and if you update the app (maybe into a clone), does that OTP_SECRET change? If so this may be a packaging bug we then have to investigate. Otherwise this seems like an upstream mastodon issue, maybe wrongly reporting

itbeard

I checked the OTP_SECRET value - it is the same before and after the update. Still the same error:

Oct 22 00:56:25 ==> Configuring mastodon
Oct 22 00:56:25 ==> Migrating database
Oct 22 00:56:25 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=*************
Oct 22 00:56:25 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=************
Oct 22 00:56:25 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=**************
Oct 22 00:56:28 I, [2024-10-21T22:56:28.524715 #15] INFO -- : [dotenv] Loaded .env.production
Oct 22 00:56:29 2024-10-21T22:56:29.000Z
Oct 22 00:56:29 2024-10-21T22:56:29.000Z
Oct 22 00:56:29 2024-10-21T22:56:29.000Z
Oct 22 00:56:29 2024-10-21T22:56:29.000Z
Oct 22 00:56:29 2024-10-21T22:56:29.000Z
Oct 22 00:56:29 == 20240307180905 MigrateDeviseTwoFactorSecrets: migrating ====================
Oct 22 00:56:29 ERROR: Unable to decrypt OTP secret for user 1.
Oct 22 00:56:29 I, [2024-10-21T22:56:29.274159 #15] INFO -- : Migrating to MigrateDeviseTwoFactorSecrets (20240307180905)
Oct 22 00:56:29 In this case, their OTP secret had already been lost with the change to `OTP_SECRET`, and
Oct 22 00:56:29 Migration aborted.
Oct 22 00:56:29 Please double-check that you have not accidentally changed `OTP_SECRET` just for this
Oct 22 00:56:29 This is most likely because you have changed the value of `OTP_SECRET` at some point in
Oct 22 00:56:29 migration, and re-run the migration with `MIGRATION_IGNORE_INVALID_OTP_SECRET=true`.
Oct 22 00:56:29 proceeding with this migration will not make the situation worse.
Oct 22 00:56:29 time after the user configured 2FA.

nebulon

This is coming from https://github.com/mastodon/mastodon/blob/bb0532530666d877cae6345ce6a11c041b01fc7b/db/post_migrate/20240307180905_migrate_devise_two_factor_secrets.rb

So this tries to migrate from the global OTP_SECRET to a user based one. Anyways since the value as such didn't change, this just reveals an issue which was already there.

@itbeard can you try to put the app in recovery mode then open a webterminal into the app and run:

MIGRATION_IGNORE_INVALID_OTP_SECRET=true /app/pkg/start.sh

itbeard

@nebulon Thanks, all done!
Your solution with MIGRATION_IGNORE_INVALID_OTP_SECRET=true /app/pkg/start.sh works perfectly.

Steps:

• Update to 4.3.0 (don’t forget to enable back up!)
• Enable Recovery Mode in Cauldron's app admin panel
• Run the command above (as suggested by @nebulon)
• Disable Recovery Mode.

2FA also works after migration; I tested it on several older accounts.
Thanks a lot!

nebulon

Thanks for letting us know. I wonder if this came from some very old Mastodon installation, where the OTP_SECRET variable was not yet set in our package?

itbeard

@nebulon I definitely did not set it manually.

nebulon

right I meant more like the app was maybe installed from a package, where the OTP_SECRET was not yet set properly. This was then a packaging bug not a user error.