I have exactly the same problem, also with Ubuntu 16.04.
I’m using Apache in version 2.4.33-1+ubuntu16.04.1+deb.sury.org+1

The solution to downgrade to 7.4.3 worked for me.

I can confirm that 7.4.5 does not resolve the problem.

Dear Martin, Thomas,

please see my response here: https://community.openproject.com/topics/9407?r=9410#message-9410

You’re running on https but your reverse proxy does not receive the X-Forwarded-Proto ‘https’ header, and in turn the secure cookie is not transmitted.

Best,
Oliver

Thank you very much, this solved the problem!
I had to add this line to my nginx-configuration:
proxy_set_header X-Forwarded-Proto $scheme;

For reference, here’s my entire nginx-config, anonymized:

#/etc/nginx/sites-enabled/openproject_nginx.conf
upstream backend {
    server 127.0.0.1:6000 fail_timeout=0;
}

server {
    listen 443 ssl default_server;
    server_name projects.example.com;

    ssl on;    
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_certificate /etc/ssl/certs/projects.example.com.2017.crt.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    root /opt/openproject/public;

    try_files $uri/index.html $uri @backend;

    location @backend {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_pass http://backend;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
}

# redirect all http:// requests to https://
server {
    listen 80;
    listen [::]:80;
    server_name _;
    return 301 https://$host$request_uri;
}

Hi Thomas,

great to hear! I’ll add that as a note to the manual installation.

Best,
Oliver

I can confirm that the solution is working with Apache 2.4 and https:

Inside the Virtualhost I could set:

RequestHeader set X-Forwarded-Proto "https"

and reload Apache.

Thank you for your help!

I can confirm that Thomas Roder’s configuration worked for me.

I have Debian 9 with nginx and it worked fine. Then i installed php7.0-fpm and i got the 422 error after the server rebooted. Maybe it has to do with this. Had the same problem on another machine, where i only updated Plesk and couldn’t figure the issue.

Now its working. My config looks like this:

location / {
    gzip off;

    proxy_redirect off;
    proxy_http_version 1.1;

    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://127.0.0.1:6000;
}

In my case, the notification was due when I enable https on “system setting >> protocol”

So I re-run “openproject configure”, and the configuration back to default. That can solve my problem

I can say that Hilfan's solution worked for me at least. 

In my case I inherited an open project installation and was working on moving it into a container like the rest of our tools. I didn't know at the time but the https setting was enabled and it seems like its value is stored in the database so any time I restored a backup of the old version, it would assume it's running on https (it wasn't), giving my the CSRF error.

My upgrade path consisted of restoring the backup data to a container running open project 7.4.3 (which doesn't enforce secure cookies), logging in as admin, switching flag to only http, and then upgrading the container to version 8. This picked up the change in the database and I was able to log in without the CSRF warning.

I recently upgraded my dockerized OpenProject from version 6.1.4 to the last "packaged" 8.0.1 (still running in the container) and the 422 errors start popping up.

I followed previous instructions and managed to made it "work" (somehow) but i still get occasional 422 errors mainly on login. The interesting thing is that sometimes just refreshing the page (after error) shows the "right content" and seems to work normally... until it throws the 422 again...

In my config I have a "double proxy" configuration like this:

internet --> HTTPS:443 FrontEnd (Apache) --> HTTP:40004 Backend (Apache) --> HTTP:6000 Docker OP (Apache)

OpenProject has the "protocol" set to HTTP in Settings

Apache on the frontend has the RequestHeader set X-Forwarded-Proto "https"

I recreated the Op database from scratch as it simply would not work with the original/old DB regardless of the settings.

I also noticed a parameter in OP configuration (by executing openproject config)

OPENPROJECT_RAILS__FORCE__SSL=
RAILS_FORCE_SSL=

and tried to play with those too... without getting to some "definitive answer".

Can someone, please, tell how should all those parameters be configured for normal OP operation in the before mentioned setup?

Thanks in advance!

I faced the same CSRF issue as Mauricio until I set the first backend step to HTTPS and copied the certificate from the frontend to the backend. However, once I do that, I get a different problem: all requests are redirected to the backend's private IP address — which obviously fails to resolve if the user is not in the same internal network.

Just to add to the discussion. I'm running OpenProject 8.0.2.  and have the same error, although only with Chrome. Firefox and IE work without any problems.

I use pfSense with HAproxy and the X-Forwarded-proto https is set and the _open_project_session cookie is created. Clearing the sessions, deleting the cache and cookie doesn't resolve this. The openproject log says "Can't verify CSRF token authenticity.".

Any suggestions?

Sorry, solved it. I just checked the protocol setting in OpenProject and it was reset to http (during upgrade?). Setting it to https solved it in Chrome.