InvalidJwtKey for page editor RCE


joe hobson

Jun 8, 2023, 5:06:26 PM
to Canvas LMS Users
I'm working on testing an upgrade of our self-hosted Canvas LMS from the 2022-11-23 release to 2023-05-24, along with upgrading from Ruby 2.7.7 to 3.1.4 and Ubuntu 18 LTS to 20 LTS. Everything seemed to go smoothly, except the Rich Content Editor (RCE) which still holds the crown as the most annoying final boss in the Canvas LMS game.

When loading a course page to edit in Canvas, the following error is thrown on the server

[CANVAS_ERRORS] EXCEPTION LOG
CanvasSecurity::InvalidJwtKey (CanvasSecurity::InvalidJwtKey):
  /var/canvas/releases/20230524/gems/canvas_security/lib/canvas_security.rb:231:in `create_encrypted_jwt'
  /var/canvas/releases/20230524/gems/canvas_security/lib/canvas_security/services_jwt.rb:79:in `generate'
  /var/canvas/releases/20230524/gems/canvas_security/lib/canvas_security/services_jwt.rb:112:in `for_user'
  /var/canvas/releases/20230524/lib/services/rich_content.rb:26:in `env_for'
  /var/canvas/releases/20230524/app/controllers/application_controller.rb:422:in `rce_js_env_base'
  /var/canvas/releases/20230524/app/controllers/application_controller.rb:431:in `rce_js_env'


My understanding is that the JWT is created from the encryption-secret and signing-secret in config/dynamic_settings.yml. We have not changed those configurations and they're working properly with the older release. Even though config/dynamic_settings.yml.example does not show those values (and doesn't seem like it ever has), the RCE-API readme still shows them set up the same as before, so I assumed that hasn't changed. I've also verified that our rce/.env has the proper values, but I get this error before even trying to load the RCE data so it appears to be on the Canvas side.

I don't really understand why RCE is so poorly documented and supported, but would really love some help getting this last bit working.

Marco Ramos

Jun 9, 2023, 11:57:10 AM
to Canvas LMS Users
I'm facing the same issue.
I thought that the problem would be in the RCE. But the JWT is not being correctly generated on the Canvas side.
RCE is always the main problem while trying to configure the self-hosted Canvas. :(

Graham Ballantyne

Jun 9, 2023, 12:15:02 PM
to canvas-l...@googlegroups.com

joe hobson

Jun 9, 2023, 1:29:17 PM
to Canvas LMS Users
That worked for me. Many thanks. I have added an issue to the RCE project to get the ReadMe updated there.

Marco Ramos

Jun 11, 2023, 7:52:08 PM
to Canvas LMS Users
I'm not being successful on this journey.
I even started a brand-new installation, but I'm getting the same errors.

Could you guys help me with this? Is something wrong with my configuration?

Here are my config files:

dynamic_settings.yml
production:
  config:
    canvas:
      rich-content-service:
        app-host: "rce.mydomain.com"

vault.yml
production:
  addr: file
  token: file

vault_contents.yml
production:
  'app-canvas/data/secrets':
    data
      canvas_security:
        encryption-secret: "astringthatisactually32byteslong"
        signing-secret: "astringthatisactually32byteslong"

Apache log error:
/var/log/apache2/error.log
App 32629 output: Error: The application encountered the following error: uninitialized constant Canvas::Errors
App 32629 output:
App 32629 output:       Canvas::Errors.capture_exception(:vault, e)
App 32629 output:             ^^^^^^^^
App 32629 output: Did you mean?  Errno (NameError)
App 32629 output:     /var/canvas/lib/base/canvas/vault.rb:58:in `rescue in read'
App 32629 output:     /var/canvas/lib/base/canvas/vault.rb:27:in `read'
App 32629 output:     /var/canvas/lib/base/canvas/credentials.rb:53:in `vault_secrets'
App 32629 output:     /var/canvas/lib/base/canvas/credentials.rb:36:in `config'
App 32629 output:     /var/canvas/config/application.rb:346:in `block in <class:Application>'
App 32629 output:     /var/canvas/vendor/bundle/ruby/3.1.0/gems/railties-7.0.4.3/lib/rails/initializable.rb:32:in `instance_exec'
App 32629 output:     /var/canvas/vendor/bundle/ruby/3.1.0/gems/railties-7.0.4.3/lib/rails/initializable.rb:32:in `run'
App 32629 output:     /var/canvas/vendor/bundle/ruby/3.1.0/gems/railties-7.0.4.3/lib/rails/initializable.rb:61:in `block in run_initializers'

Marco Ramos

Jun 13, 2023, 9:57:31 AM
to Canvas LMS Users
Ok, my bad.
I was missing the colons on the vault_contents.yml config, on data stack.
Now the system is running but I'm still getting the "Authorization: Bearer InvalidJwtKey" parameter on the headers.

Andrey Gangan

Jun 13, 2023, 10:39:23 AM
to Canvas LMS Users
pay attention!!!

it was 
   encryption-secret: "astringthatisactually32byteslong"
   signing-secret: "astringthatisactually32byteslong"

now I use underscore instead of dash
  encryption_secret: "astringthatisactually32byteslong"
  signing_secret: "astringthatisactually32byteslong"


Tuesday, June 13, 2023 at 17:29:54 UTC+3, Andrey Gangan:
same to me.
do not get it working


Marco Ramos

Jun 13, 2023, 11:34:22 AM
to Canvas LMS Users
Oh, man! I'm feeling so dumb right now.
Thank you, guys. That was all my mistake.
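
A pre-deploy check for the two mistakes found in this thread (the missing colon after data, and dashed instead of underscored key names), as an added example that is not part of any post above and not Canvas code. The key path and key names are assumptions taken from the configs posted here; the helper names and sample strings are constructed for illustration.

```ruby
require 'yaml'

# Layout assumed from the configs posted in this thread (not from Canvas docs).
SECRETS_PATH = ['production', 'app-canvas/data/secrets', 'data', 'canvas_security'].freeze
REQUIRED_KEYS = %w[encryption_secret signing_secret].freeze

# Returns a list of problems (empty means OK); only key names are reported, never secret values.
def check_vault_contents(yaml_text)
  begin
    node = YAML.safe_load(yaml_text)
  rescue Psych::SyntaxError => e
    return ["YAML syntax error: #{e.message}"]
  end
  SECRETS_PATH.each do |key|
    return ["expected mapping key '#{key}' not found"] unless node.is_a?(Hash) && node.key?(key)
    node = node[key]
  end
  return ["'canvas_security' is not a mapping"] unless node.is_a?(Hash)

  REQUIRED_KEYS.each_with_object([]) do |key, problems|
    dashed = key.tr('_', '-')
    if node.key?(key)
      problems << "#{key} is empty or not a string" unless node[key].is_a?(String) && !node[key].empty?
    elsif node.key?(dashed)
      problems << "found '#{dashed}', rename to '#{key}'"
    else
      problems << "#{key} is missing"
    end
  end
end

# Constructed samples mirroring the three states seen in the thread.
def sample(data_line, sep)
  <<~YAML
    production:
      'app-canvas/data/secrets':
        #{data_line}
          canvas_security:
            encryption#{sep}secret: "astringthatisactually32byteslong"
            signing#{sep}secret: "astringthatisactually32byteslong"
  YAML
end

NO_COLON   = sample('data', '-')    # colon missing after data
DASHED     = sample('data:', '-')   # colon fixed, keys still dashed
UNDERSCORE = sample('data:', '_')   # shape reported as working
if __FILE__ == $PROGRAM_NAME
  [NO_COLON, DASHED, UNDERSCORE].each { |text| p check_vault_contents(text) }
end
```
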

Andrey Gangan

Jun 13, 2023, 11:35:57 AM
to Canvas LMS Users
I had the same feeling when I found it :)


Adeel - eLearning evolve

Aug 13, 2023, 10:09:12 AM
to Canvas LMS Users
This is so messed up that a breaking change 3 months ago has not been reflected in the doc. It's not even updated after the issue has been raised on the forum. Landed into the same problem and wasted many hours before ending up on this solution.

Jim Foscue

Jan 2, 2024, 9:09:22 PM
to Canvas LMS Users
I am having a problem like this. We are not using vault so I set up the following files:
dynamic_settings.yml
rich-content-service:
        app-host: "https://rce.xyz.com"

vault.yml
production:
  addr: file
  token: file
production:
  'app-canvas/data/secrets':
      data:
        canvas_security:
          encryption_secret:  "astringthatisactually32byteslong"
          signing_secret: "astringthatisactually32byteslong"

I'm getting an Unauthorized, Access Denied when on the page for the videos.

Can someone help with this?