Error while update to Mastodon 4.3
-
-
The OTP_SECRET is set during first installation in /app/data/env.production
https://git.cloudron.io/cloudron/mastodon-app/-/blob/master/start.sh?ref_type=heads#L65
Is this correctly set in your backup or was it changed manually? I guess it is only relevant also if any user uses 2fa already and does it work before the update?
-
And if you update the app (maybe into a clone), does that OTP_SECRET change? If so, this may be a packaging bug we then have to investigate. Otherwise this seems like an upstream Mastodon issue, maybe wrongly reporting
-
I checked the OTP_SECRET value - it is the same before and after the update. Still the same error:
Oct 22 00:56:25 ==> Configuring mastodon
Oct 22 00:56:25 ==> Migrating database
Oct 22 00:56:25 ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=*************
Oct 22 00:56:25 ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=************
Oct 22 00:56:25 ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=**************
Oct 22 00:56:28 I, [2024-10-21T22:56:28.524715 #15] INFO -- : [dotenv] Loaded .env.production
Oct 22 00:56:29 2024-10-21T22:56:29.000Z
Oct 22 00:56:29 2024-10-21T22:56:29.000Z
Oct 22 00:56:29 2024-10-21T22:56:29.000Z
Oct 22 00:56:29 2024-10-21T22:56:29.000Z
Oct 22 00:56:29 2024-10-21T22:56:29.000Z
Oct 22 00:56:29 == 20240307180905 MigrateDeviseTwoFactorSecrets: migrating ====================
Oct 22 00:56:29 ERROR: Unable to decrypt OTP secret for user 1.
Oct 22 00:56:29 I, [2024-10-21T22:56:29.274159 #15] INFO -- : Migrating to MigrateDeviseTwoFactorSecrets (20240307180905)
Oct 22 00:56:29 In this case, their OTP secret had already been lost with the change to `OTP_SECRET`, and
Oct 22 00:56:29 Migration aborted.
Oct 22 00:56:29 Please double-check that you have not accidentally changed `OTP_SECRET` just for this
Oct 22 00:56:29 This is most likely because you have changed the value of `OTP_SECRET` at some point in
Oct 22 00:56:29 migration, and re-run the migration with `MIGRATION_IGNORE_INVALID_OTP_SECRET=true`.
Oct 22 00:56:29 proceeding with this migration will not make the situation worse.
Oct 22 00:56:29 time after the user configured 2FA.
-
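Added example, not part of any post in this thread: one way to run the check discussed above (is OTP_SECRET the same in a backup copy and in the live env file?) without displaying the secret itself. The function names and the file layout are assumptions for illustration, and the demo values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare OTP_SECRET in two env files
# without ever printing the secret. File paths are supplied by the caller.

# Print the OTP_SECRET value found in env file $1.
# Returns 2 if the file is unreadable, 3 if the key is absent, empty or set twice.
otp_secret_value() {
    [ -r "$1" ] || return 2
    # Match "OTP_SECRET=..." and "export OTP_SECRET=..."; commented lines do not match.
    found=$(sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}OTP_SECRET=//p' "$1" | tr -d '\r')
    [ -n "$found" ] || return 3
    [ "$(printf '%s\n' "$found" | grep -c '')" -eq 1 ] || return 3
    # Strip one pair of surrounding quotes, as dotenv-style files allow.
    case $found in
        \"*\") found=${found#\"}; found=${found%\"} ;;
        \'*\') found=${found#\'}; found=${found%\'} ;;
    esac
    printf '%s' "$found"
}

# Short SHA-256 prefix, used to compare values without displaying them.
fingerprint() {
    printf '%s' "$1" | sha256sum | cut -c1-12
}

# Returns 0 if both files hold the same secret, 1 if they differ, 2 on read errors.
compare_otp_secret() {
    old=$(otp_secret_value "$1") || { echo "no single OTP_SECRET in $1" >&2; return 2; }
    new=$(otp_secret_value "$2") || { echo "no single OTP_SECRET in $2" >&2; return 2; }
    if [ "$old" = "$new" ]; then
        echo "OTP_SECRET unchanged (sha256 prefix $(fingerprint "$old"))"
        return 0
    fi
    echo "OTP_SECRET differs: $(fingerprint "$old") -> $(fingerprint "$new")"
    return 1
}

# Demo on constructed files; the values below are made up for illustration.
demo_dir=$(mktemp -d)
printf 'OTP_SECRET=constructed-secret-aaaa\n' > "$demo_dir/backup.env"
printf 'export OTP_SECRET="constructed-secret-aaaa"\n' > "$demo_dir/live.env"
compare_otp_secret "$demo_dir/backup.env" "$demo_dir/live.env"
rm -rf "$demo_dir"
```

A duplicate or empty definition is treated as an error rather than guessed at, since which line wins depends on how the file is loaded.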
-
This is coming from https://github.com/mastodon/mastodon/blob/bb0532530666d877cae6345ce6a11c041b01fc7b/db/post_migrate/20240307180905_migrate_devise_two_factor_secrets.rb
So this tries to migrate from the global OTP_SECRET to a user-based one. Anyways, since the value as such didn't change, this just reveals an issue which was already there.
@itbeard can you try to put the app in recovery mode then open a webterminal into the app and run:
MIGRATION_IGNORE_INVALID_OTP_SECRET=true /app/pkg/start.sh
-
-
@nebulon Thanks, all done!
Your solution with
MIGRATION_IGNORE_INVALID_OTP_SECRET=true /app/pkg/start.sh
works perfectly.
Steps:
- Update to 4.3.0 (don’t forget to enable backup!)
- Enable Recovery Mode in Cloudron's app admin panel
- Run the command above (as suggested by @nebulon)
- Disable Recovery Mode.
2FA also works after migration; I tested it on several older accounts.
Thanks a lot!