solidnerd/docker-bookstack

Latest update Broke the Login Page

Closed this issue · 24 comments

Latest update 23.06 broke the login page.

Deprecated: explode(): Passing null to parameter #2 ($string) of type string is deprecated in /var/www/bookstack/app/Config/saml2.php on line 17


@mariushosting

  • Are you passing in a .env file to the container?
  • In a passed .env file and/or via docker env options, do you have any options defined starting with SAML2_?

Never used this option in the env file with v23.05.2.
Do I have to add a new environment variable?

I just want to mention this is a fresh installation.

No issue with this version: https://github.com/solidnerd/docker-bookstack/releases/tag/23.5.2

The issue started with this version: https://github.com/solidnerd/docker-bookstack/releases/tag/23.6.0

My compose is here at STEP 20: https://mariushosting.com/how-to-install-bookstack-on-your-synology-nas/
No SAML2_ environment.

I've got the same with my Kubernetes hosted installation. Environment as follows:

# Configure DB settings:
- name: DB_HOST
  # Service exposed in-cluster
  value: mariadb
- name: DB_DATABASE
  value: bookstack
- name: DB_USERNAME
  value: bookstack
- name: DB_PASSWORD
  valueFrom:
    secretKeyRef:
      name: mysql-database-credentials
      key: mariadb-password
- name: APP_KEY
  value: <redacted>
# Where the app is expected to run, no trailing slash
- name: APP_URL
  value: https://bookstack.rickhenry.uk
- name: STORAGE_TYPE
  value: s3
- name: STORAGE_S3_KEY
  valueFrom:
    secretKeyRef:
      name: bookstack-minio-credentials
      key: access-key
- name: STORAGE_S3_SECRET
  valueFrom:
    secretKeyRef:
      name: bookstack-minio-credentials
      key: secret-key
- name: STORAGE_S3_BUCKET
  value: <redacted>
- name: STORAGE_S3_REGION
  value: irrelevant_in_minio
- name: STORAGE_S3_ENDPOINT
  value: <redacted>
- name: STORAGE_URL
  value: >-
    <redacted>
# Configure OIDC
- name: AUTH_METHOD
  value: oidc
# Automagically log in with OIDC instead of requiring a clicky button
- name: AUTH_AUTO_INITIATE
  value: "true"
# Only used in display
- name: OIDC_NAME
  value: Keycloak
- name: OIDC_CLIENT_ID
  value: bookstack
- name: OIDC_CLIENT_SECRET
  valueFrom:
    secretKeyRef:
      name: sso-credentials
      key: sso-password
- name: OIDC_ISSUER
  value: <redacted, hosted Keycloak instance>
# Autodiscover URLs for issuer. Requires
# ${OIDC_ISSUER}/.well-known/openid-configuration to exist and return
# usable JSON
- name: OIDC_ISSUER_DISCOVER
  value: "true"
# Groups are allocated from Keycloak's client roles
- name: OIDC_GROUPS_CLAIM
  value: "resource_access.bookstack.roles"
- name: OIDC_USER_TO_GROUPS
  value: "true"
- name: OIDC_REMOVE_FROM_GROUPS
  value: "true"

No SAML2_ environment variables set, but I am using OAuth2.

Checking in the running pod shows nothing SAML-y in the environment (as in env output) and all SAML-y values in the .env file show either null or false.

      # SAML2 Settings; AUTH_MODE=saml2
      SAML2_NAME=null
      SAML2_EMAIL_ATTRIBUTE=null
      SAML2_EXTERNAL_ID_ATTRIBUTE=null
      SAML2_USER_TO_GROUPS=false
      SAML2_GROUP_ATTRIBUTE=null
      SAML2_DISPLAY_NAME_ATTRIBUTES=null
      SAML2_IDP_ENTITYID=null
      SAML2_AUTOLOAD_METADATA=false
      SAML2_IDP_SSO=null
      SAML2_IDP_SLO=null
      SAML2_IDP_x509=null
      SAML2_IDP_AUTHNCONTEXT=false
      SAML2_SP_x509=null
      SAML2_SP_x509_KEY=null
      SAML2_DUMP_USER_DETAILS=false
      SAML2_ONELOGIN_OVERRIDES=null
      SAML2_REMOVE_FROM_GROUPS=false

There's nothing in the stdout logs, and the storage/logs/ directory is empty - I'll see if I can get some debug logs from there.

I'd guess this is due to this line:

SAML2_DISPLAY_NAME_ATTRIBUTES=${SAML2_DISPLAY_NAME_ATTRIBUTES:-null}

Which sets a default (null) value that we don't expect on the BookStack side of things.
Was merged in on the 25th of May.

@rjhenry As per my comment in #388, I don't really advise setting container-level config defaults, like those added there, since they end up overriding any BookStack-level defaults (as has occurred here) and just provide more to maintain within this project, while I don't think having them as part of the entrypoint script provides any specific benefit.
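The mechanism behind the comment above, as an added example that is not part of the docker-bookstack entrypoint: a `${VAR:-null}` expansion writes the literal string `null` into `.env` whenever the operator never set the variable. BookStack reads that value through Laravel's `env()` helper, which maps the string `null` to a real PHP null, so the application's own fallback for `SAML2_DISPLAY_NAME_ATTRIBUTES` is bypassed and `explode()` receives null. The snippet contrasts that pattern with one that only emits a line when the variable is actually set; the function names, the variable list and the sample values are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not the docker-bookstack entrypoint script). Shows why a
# container-level default of "null" clobbers the application's own default,
# and a rendering pattern that avoids it.

# Problem pattern, equivalent to the quoted entrypoint line: when the
# variable is unset (or empty, because of the ':' in ':-'), the literal
# string "null" is written to .env and the application treats it as a value.
render_with_default() {
    # $1 = variable name. Emits NAME=<value or "null">.
    eval "val=\${$1:-null}"
    printf '%s=%s\n' "$1" "$val"
}

# Safer pattern: emit a line only if the variable is set in the container
# environment (an explicitly empty value still counts as set), so unset
# options fall through to whatever default the application itself defines.
render_if_set() {
    # $1 = variable name. Emits NAME=<value> only when NAME is set.
    if eval "[ -n \"\${$1+x}\" ]"; then
        eval "val=\$$1"
        printf '%s=%s\n' "$1" "$val"
    fi
}

# Render a list of variable names with the chosen renderer; output on stdout.
render_env() {
    # $1 = renderer function name, remaining args = variable names
    renderer=$1; shift
    for name in "$@"; do
        "$renderer" "$name"
    done
}

# Demonstration with a constructed environment: only SAML2_NAME is set.
demo() {
    unset SAML2_DISPLAY_NAME_ATTRIBUTES
    SAML2_NAME="Example IdP"; export SAML2_NAME
    echo "--- default pattern (writes SAML2_DISPLAY_NAME_ATTRIBUTES=null) ---"
    render_env render_with_default SAML2_NAME SAML2_DISPLAY_NAME_ATTRIBUTES
    echo "--- emit-if-set pattern (unset option is omitted) ---"
    render_env render_if_set SAML2_NAME SAML2_DISPLAY_NAME_ATTRIBUTES
}

demo
```

Running the script prints both renderings side by side; the second leaves `SAML2_DISPLAY_NAME_ATTRIBUTES` out of `.env` entirely, which is what lets BookStack's built-in default apply. The same check (`${VAR+x}`) works for any option an entrypoint wants to pass through verbatim without inventing a value.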

That looks right to me, @ssddanbrown - thanks. I'll create an issue to remove the entrypoint-set values entirely in the not-too-distant future, and in the meantime I'll revert that particular set of changes (and retag).

Edit to add: Removing the .env file and reloading Apache in the container sorts this issue.

So those who use the solidnerd/bookstack image have to wait for an update? Currently those who have upgraded to this 23.6 version have lost access to their bookstack.

@mariushosting Currently, the master version (https://hub.docker.com/layers/solidnerd/bookstack/master/images/sha256-171dd8f30e8d7b0a4040276fcad58d875555e4f8eb510b5ed5a054f14928886e) will restore access and I'm working on a new release as I write this.

I can confirm :master is working now, @rjhenry, no more login issue.

But there is a new issue: email TLS is not working anymore for sending email; only SSL is working on the solidnerd image now. The author @ssddanbrown says SSL support has been dropped, but TLS is not working anymore on the solidnerd image if you are using TLS. Right now I have tested and only SSL is supported, a contradiction with this statement:

Look at this: Email Configuration - If you've configured mail with MAIL_ENCRYPTION=ssl it's advised to test sending (via the button in "Settings > Maintenance") after updating to v23.06 since support for SSL has been dropped for email sending, but we instead now force TLS to be required when this option is set.

[Screenshot 2023-07-03 12:00:54]

@mariushosting It's a bit confusing, since SSL has been dropped (it was actually dropped a few releases ago), but the underlying libraries still refer to SSL when using TLS.

This is likely not something for the solidnerd team at all, but more likely something for me to consider in regard to how I'm forcing TLS for SSL users. Can you try setting MAIL_PORT to 465?

Check my screenshot above. 465 SSL is correctly working; 587 SSL is not working anymore.

@mariushosting Ah, beat me to it. You could set MAIL_ENCRYPTION=tls instead of MAIL_ENCRYPTION=ssl. No functional difference, but avoids using deprecated options.

I'll open a separate issue on the BookStack side of things to look at TLS/SSL handling there.

The issue is this: MAIL_ENCRYPTION=tls is not working. Only MAIL_ENCRYPTION=ssl is working.

@mariushosting Even with:

MAIL_ENCRYPTION=tls
MAIL_PORT=465

?

Yep, with this combination it works. hehe

@mariushosting There is now a released version (23.6.0-1) that resolves the login issues. I'll close this issue off now, many thanks for raising it.
Glad to hear you've got your mail issues sorted too.

So is there anything to change?

So does it remain set that way from now on or will there be a further change?

Thanks @rjhenry for all your speedy efforts!

@mariushosting Nothing remaining to change for you (and no further change for this container project). Port 465 with forced TLS is the generally recommended approach for email these days. Some investigation for me to do, now open/tracked via this issue, to provide a smoother update path for others that may run into this.

Thank you Dan! I'm going to update the compose on my website!

Thank you @rjhenry for the quick response to the issue!

Hi all,
Sorry for reopening, I'm planning to use BookStack in our company; is OAuth (Keycloak) enabled again on the latest version?

Yes, from 23.6.0-1, the current release is 23.6.2.