[Solved] [Error 422] Unable to verify Cross-Site Request Forgery token.
Added by Robert Ferry about 5 years ago
New installation on Ubuntu 18.04 Apache server. Everything works perfectly in Microsoft Edge browser, but I'm unable to login using Chrome browser. I get the following message:
[Error 422] Unable to verify Cross-Site Request Forgery token. Did you try to submit data on multiple browsers or tabs? Please close all tabs and try again.
Cleared cache multiple times, restarted with fresh single-tab browser. No luck. Any ideas appreciated.
Thanks!
Replies (6)
Hi Robert,
what does your setup look like? Do you terminate SSL/TLS on the apache server? Could you share your /etc/openproject/installer.dat contents (remove any passwords within).
Best,
Oliver
Thanks Oliver.
UPDATE: If I don't use the pull-down login area, but rather force the [site]/login page by pasting a locked-down project URL into the browser, then I can log in fine in Chrome. Very odd.
UPDATE: Email is odd, not sending from the application for forgotten password. New users get notification just fine.
I suspect it may be SSL issue as well but I don't know what the root cause is.
A check on this site returns good marks from what I can tell (overall A rating). The one thing it calls out has to do with SNI.
https://www.ssllabs.com/ssltest/analyze.html
I've checked the site on Firefox and it works well without this issue. Safari has the same issue that Chrome has.
/etc/openproject/installer.dat
postgres/retry ignore
[there are many empty carriage returns here that I've removed...]
postgres/autoinstall reuse
postgres/db_host localhost
postgres/db_port 5432
postgres/db_username [redacted]
postgres/db_password [redacted]
postgres/db_name openproject
server/autoinstall skip
smtp/autoinstall smtp
smtp/authentication login
smtp/host smtp.gmail.com
smtp/port 587
smtp/username [redacted]@gmail.com
smtp/password [redacted]
smtp/domain gmail.com
smtp/admin_email [redacted]@gmail.com
memcached/autoinstall install
server/hostname projects.landartgenerator.org
server/ssl yes
Hi
We are trying to run Docker with external Postgres DB and we are encountering this
OpenProject version: 10.4.1 (we tried new version also)
docker run -it -p 9092:80 -e DATABASE_URL="postgresql://userName:Password@ServerHostName:5432/openproject" openproject/community:10.4.1
I am running into the exact same symptoms as the original poster (Robert), on my self-installed instance of openproject. I am able to login with firefox (from any machine), but not chrome.
When logging in via chrome, I get the same error as the other posters: ([Error 422] Unable to verify Cross-Site Request Forgery token. Did you try to submit data on multiple browsers or tabs? Please close all tabs and try again.) If, while logged in on the same machine via a firefox browser, I copy and paste the url of a project page from my firefox browser to my chrome browser, chrome suddenly acts as if I have successfully logged in (the page just works, there is no prompt to log in). If I log out from my firefox browser, all is well with chrome, until, of course, I log out (of the chrome instance) and then try to log back in.
A little about my installation:
openproject v11.0.0
server os: ubuntu server 20.04.1 LTS
I am running openproject with ssl (and am terminating ssl at the Apache server).
apache2 server
While installing openproject to my server, I manually configured it for apache. I did not let the install wizard setup apache, as I could never (after a long bout of troubleshooting) get openproject's auto apache configuration to not mess up my nextcloud installation on the same server (never figured out what was making nextcloud unhappy - but that's a separate issue).
UPDATE
Figured it out. : ) : ) : )
SSL is being terminated (decrypted) by my Apache server. I am a novice and was confused by openproject's setup guide https://docs.openproject.org/installation-and-operations/installation/packaged/#step-2-apache2-web-server Under the External SSL/TLS termination heading of the guide (towards the bottom of the instructions), there is a highlighted section stating: "If you terminate SSL externally before the request hits the OpenProject server, you need to follow the following instructions to avoid errors in routing. If you want to use SSL on the server running OpenProject, skip this section." As a noob, I misunderstood this section to be intended for special situations (like a setup that uses an external SSL load balancer or some other piece of external hardware) and did not realize that this applied to my setup (it did not occur to me that "externally" still meant within the same physical machine/server, i.e. that the "external server" was simply my Apache server). Had I been able to use openproject's installation wizard to configure Apache, it would have handled setting all of this for me but, as mentioned in the first part of my post, that was not an option for me. I configured Apache and the proxy passthroughs manually.
In doing so, I missed two steps (there is more to getting openproject to work with SSL, but these are the two steps that I had not completed):
1. In my Apache vhost file (mine lives here: /etc/apache2/sites-available/openproject.conf), I had to add the following line (I believe it can live anywhere under the <VirtualHost *:443> section):
RequestHeader set X-Forwarded-Proto "https"
See my vhost config file, below, for reference. After adding that line, I then restarted apache.
In my case, I had one last step to complete (it was actually in troubleshooting the next step, as part of a separate issue, that I ultimately came across the answer to this whole problem. When setting up the server via the web portal, I had continuously encountered an error when trying to set the site's protocol to https via my admin settings page in the web browser. Whenever I set the protocol to https, I was getting a warning message plastered at the bottom of my web browser telling me that my system was listening for https but was getting http requests instead - adding the
RequestHeader set X-Forwarded-Proto "https"
to my openproject apache vhost file made this warning go away).
2. I had to log in to openproject through a web browser using my admin account. Under Administration > Settings > General (you can also find this page by adding "/settings/general" to your base url - i.e. yourdomain.com/settings/general), there is a setting called "protocol." This needs to be set to https.
After that, I was able to login with Chrome and Safari.
For more information, also read https://docs.openproject.org/installation-and-operations/configuration/ssl/
For any other novices, like myself, here, for reference, is my apache vhost file for openproject that is working with my current (manually configured) Apache2 server, running with SSL (of course, you would replace all instances of enter.yourdomain.com with your own server's url. Also, at the bottom, my SSL certificates were created by Let's Encrypt, as described in https://docs.openproject.org/installation-and-operations/configuration/ssl/. Your situation/setup may vary)
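Added example (not part of Greg's post, and not the vhost file he refers to): a simplified Ruby model of why the backend can reject the login when Apache terminates TLS but does not send X-Forwarded-Proto. It assumes an Origin-versus-base-URL check of the kind Rails applies to form posts; the host name, the sample request and all function names are constructed for illustration and are not OpenProject code.

```ruby
# Simplified model, not OpenProject or Rails source code.
# Assumption: the app rebuilds its own base URL from the proxied request and
# rejects a POST whose Origin header differs from it (Rails-style origin check).

# Scheme the app believes the client used. Apache talks plain HTTP to the
# backend, so only X-Forwarded-Proto can tell the app the client used HTTPS.
def effective_scheme(env)
  forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip.downcase
  forwarded.empty? ? env.fetch("rack.url_scheme", "http") : forwarded
end

# Base URL as reconstructed by the backend from the request it received.
def base_url(env)
  "#{effective_scheme(env)}://#{env.fetch('HTTP_HOST')}"
end

# A missing Origin header is accepted; a present one must match exactly.
def origin_ok?(env)
  origin = env["HTTP_ORIGIN"]
  origin.nil? || origin == base_url(env)
end

# Constructed sample: the login POST as the backend sees it behind Apache.
def proxied_login(extra = {})
  {
    "REQUEST_METHOD"  => "POST",
    "PATH_INFO"       => "/login",
    "HTTP_HOST"       => "openproject.example.com",   # placeholder host
    "rack.url_scheme" => "http",                       # proxy-to-backend hop is plain HTTP
    "HTTP_ORIGIN"     => "https://openproject.example.com"
  }.merge(extra)
end

def verdict(env)
  return "200 accepted" if origin_ok?(env)
  "422 Origin #{env['HTTP_ORIGIN']} does not match base URL #{base_url(env)}"
end

if __FILE__ == $PROGRAM_NAME
  puts verdict(proxied_login)                                      # header missing
  puts verdict(proxied_login("HTTP_X_FORWARDED_PROTO" => "https")) # header set by Apache
  puts verdict(proxied_login("HTTP_ORIGIN" => nil))                # client sent no Origin
end
```

In this model the first request fails because an https Origin is compared against an http base URL; with the header set by the proxy the same request is accepted.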
Hi Greg, Thanks a lot for sharing your insights here! That's really helpful.
Kind regards
Matthias
Super thumbs up. This sorted it on my Ubuntu 20.04 install! :-)