Tags: nginx, ssl, orocrm

Orocrm dashboard displays a "You do not have permission to perform this action." error


OK, this is a fresh Orocrm install and I have the following errors:

When I dug a little in the network logs, this is what I found:

I don't know if it's related, but these errors started to show up when I enabled SSL support following all the instructions of the WebSocket Connection Configuration page available in the Orocrm doc.

This is the content of my nginx config file:

server {
        listen 80;
        listen [::]:80;
        server_name crm.domain.tld;
        return 301 https://$host$request_uri;
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name crm.domain.tld;
        root /home/whatever/crm/public;

        ssl_certificate /etc/letsencrypt/live/crm.domain.tld/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/crm.domain.tld/privkey.pem;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        include /etc/letsencrypt/options-ssl-nginx.conf;
        # ssl_protocols TLSv1.2;
        # ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES2;

        location / {
                try_files $uri /index.php$is_args$args;
        }

        location ~ ^/index\.php(/|$) {
                fastcgi_pass unix:/run/php/crm-php7.4-fpm.sock;
                fastcgi_split_path_info ^(.+\.php)(/.*)$;

                include fastcgi_params;

                fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
                fastcgi_param DOCUMENT_ROOT $realpath_root;

                internal;
        }

        location ~ \.php {
                return 404;
        }

        location /ws {
                # redirect all traffic to localhost:8080;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-NginX-Proxy true;
                proxy_set_header X-Forwarded-Proto $scheme;

                proxy_pass http://127.0.0.1:8080/$is_args$args;
                proxy_redirect off;
                proxy_read_timeout 86400;

                # enables WS support
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";

                # prevents 502 bad gateway error
                proxy_buffers 8 32k;
                proxy_buffer_size 64k;

                reset_timedout_connection on;

                error_log /home/whatever/logs/oro_wss_error.log;
                access_log /home/whatever/logs/oro_wss_access.log;
        }

        error_log /home/whatever/logs/error.log;
        access_log /home/whatever/logs/access.log;
}

This is the content of my parameters.yml:

parameters:
    database_driver: pdo_mysql
    database_host: '%env(ORO_DB_HOST)%'
    database_port: '%env(ORO_DB_PORT)%'
    database_name: '%env(ORO_DB_NAME)%'
    database_user: '%env(ORO_DB_USER)%'
    database_password: '%env(ORO_DB_PASSWORD)%'
    database_server_version: '%env(ORO_DB_VERSION)%'
    database_driver_options: {  }

    mailer_transport: '%env(ORO_MAILER_DRIVER)%'
    mailer_host: '%env(ORO_MAILER_HOST)%'
    mailer_port: '%env(ORO_MAILER_PORT)%'
    mailer_encryption: '%env(ORO_MAILER_ENCRYPTION)%'
    mailer_user: '%env(ORO_MAILER_USER)%'
    mailer_password: '%env(ORO_MAILER_PASSWORD)%'

    websocket_bind_address: 0.0.0.0
    websocket_bind_port: 8080
    websocket_frontend_host: '*'
    websocket_frontend_port: 443
    websocket_frontend_path: 'ws'
    websocket_backend_host: '*'
    websocket_backend_port: 443
    websocket_backend_path: 'ws'
    websocket_backend_transport: 'ssl'
    websocket_backend_ssl_context_options: {  }

    web_backend_prefix: ''
    session_handler: session.handler.native_file
    secret: '%env(ORO_SECRET)%'
    installed: '*******************'
    assets_version: *******************
    assets_version_strategy: time_hash
    message_queue_transport: dbal
    message_queue_transport_config: null
    deployment_type: null
    liip_imagine.jpegoptim.binary: null
    liip_imagine.pngquant.binary: null

    env(ORO_DB_HOST): localhost
    env(ORO_DB_PORT): null
    env(ORO_DB_NAME): *******************
    env(ORO_DB_USER): *******************
    env(ORO_DB_PASSWORD): *******************
    env(ORO_DB_VERSION): null
    env(ORO_MAILER_DRIVER): smtp
    env(ORO_MAILER_HOST): 127.0.0.1
    env(ORO_MAILER_PORT): null
    env(ORO_MAILER_ENCRYPTION): null
    env(ORO_MAILER_USER): null
    env(ORO_MAILER_PASSWORD): null
    env(ORO_SECRET): *******************

This is the content of my supervisor config file:

***

[program:oro_web_socket]
command=php ./bin/console gos:websocket:server --env=prod
numprocs=1
autostart=true
autorestart=true
directory=/home/whatever/crm
user=whatever
redirect_stderr=true

[program:oro_message_consumer]
command=php ./bin/console oro:message-queue:consume --env=prod
process_name=%(program_name)s_%(process_num)02d
numprocs=5
autostart=true
autorestart=true
directory=/home/whatever/crm
user=whatever
redirect_stderr=true

var/logs/prod.log doesn't input anything with tail -f prod.log.

WSS Logs are empty.

It might be related too, but after enabling the API sandbox in the Orocrm options I was stuck in a loop redirecting me every second or so to the dashboard of Orocrm. I managed to somehow fix it by hitting the stop loading button of my browser at the right time. Once the option was disabled, no more loop redirection.

Any clues? I'm running out of ideas.


Solution

  • It's indeed tied to SSL. Moving from unsafe to SSL was a symptom of an underlying problem with deeper roots.

    For a bit of context, this is what I did before I had the error messages:

    When I started the installation of Orocrm I had no SSL certificate. I opened my browser and started configuring it. When I was done configuring Orocrm I had to change the password, since I was using a temporary password, but before that I had to install the SSL certificate.

    I started to install the SSL certificate with the Letsencrypt tool. Once I was done with it, I set up Orocrm to support SSL, then I re-opened Orocrm again and things started to go wrong.

    What provoked the error messages?

    Not clearing the cookies after moving from unsafe to SSL.

    I'm not sure how things work deep down, but it's probably because there was an already available _csrf cookie in my browser; it was not possible for the https-_csrf cookie to exist, probably due to a condition somewhere.

    How to fix the error messages?

    Well, you probably guessed it by now, it's very simple. To fix the error messages you simply need to remove the _csrf cookie and refresh the page. It will be replaced by a https-_csrf cookie instead.
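
A diagnostic for the stale-cookie state described in this answer, added here as an example (it is not OroCRM's code and not from the original poster): it checks a cookie string for a `_csrf` cookie left over from plain HTTP and builds the assignment that expires it. The function names, the sample cookie strings and the `Path=/` assumption are constructed for illustration; only the two cookie names come from the answer.

```javascript
// Cookie names taken from the answer above; everything else is constructed.
const PLAIN = '_csrf';        // name seen while the site was served over http
const SECURE = 'https-_csrf'; // name seen once the site is served over https

// Parse a Cookie header / document.cookie string into [name, value] pairs.
// Names are compared in full later on: a substring search for "_csrf"
// would match both "_csrf" and "https-_csrf".
function parseCookies(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1 ? [part, ''] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

// Report which CSRF cookie matches the current scheme and which is left over.
function auditCsrfCookies(cookieString, protocol) {
  const expected = protocol === 'https:' ? SECURE : PLAIN;
  const present = parseCookies(cookieString)
    .map(([name]) => name)
    .filter((name) => name === PLAIN || name === SECURE);
  const stale = [...new Set(present.filter((name) => name !== expected))];
  return { expected, hasExpected: present.includes(expected), stale };
}

// String to assign to document.cookie to expire a cookie.
// Assumption: the cookie was set with Path=/ and no Domain attribute.
// An HttpOnly cookie cannot be removed from script; clear it in the browser UI.
function expireCookie(name) {
  return `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
}

// In a browser console on the affected site: expire leftovers, then reload.
if (typeof document !== 'undefined') {
  const report = auditCsrfCookies(document.cookie, location.protocol);
  for (const name of report.stale) {
    document.cookie = expireCookie(name);
  }
  console.log(report);
}
```

A cookie set over HTTP without the `Secure` attribute is still sent to the same host over HTTPS, which is why the old `_csrf` cookie survives the switch until it is removed.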