Two Factor Authentication: error 500: ArgumentError OpenSSL::Cipher::CipherError (bad decrypt):

Devnco · April 16, 2019, 3:23pm

Hello everyone,

I’ve already searched but I didn’t find a solution yet.

Each time I’m trying to enable 2FA on my profile I get an error 500.

Here is the log :

Started GET "/profile/two_factor_auth" for *.*.*.* at 2019-04-16 17:15:59 +0200
Processing by Profiles::TwoFactorAuthsController#show as HTML
Completed 500 Internal Server Error in 23ms (ActiveRecord: 1.6ms)

OpenSSL::Cipher::CipherError (bad decrypt):

app/controllers/profiles/two_factor_auths_controller.rb:7:in `show'
lib/gitlab/i18n.rb:55:in `with_locale'
lib/gitlab/i18n.rb:61:in `with_user_locale'
app/controllers/application_controller.rb:434:in `set_locale'
lib/gitlab/middleware/multipart.rb:103:in `call'
lib/gitlab/request_profiler/middleware.rb:16:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:13:in `call'
lib/gitlab/middleware/correlation_id.rb:16:in `block in call'
lib/gitlab/correlation_id.rb:15:in `use_id'
lib/gitlab/middleware/correlation_id.rb:15:in `call'
lib/gitlab/middleware/read_only/controller.rb:40:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/request_context.rb:26:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:29:in `call'
lib/gitlab/middleware/release_env.rb:13:in `call'

I’m running latest version of gitlab-ce 11.9.8 (48528bc) on Debian 9

Has anyone experienced the same issue ?

Thanks in advance,

Regards,

Jeremy

dsumenkovic · April 17, 2019, 10:19am

Hello Jeremy,

Could you please open a support ticket about that over at https://support.gitlab.com? We’d love to help you out.

lbd24 · April 29, 2019, 3:06pm

Hello…

Is there a fix or workaround for this? I have the same problem for just one user (that I know of so far). I also opened a ticket, fwiw…

Thanks!

lbd24 · May 2, 2019, 5:27pm

The solution for us, based on information here: https://gitlab.com/gitlab-org/gitlab-ce/issues/1960, was to set encrypted_otp_secret to null for that user.

It repopulated when I impersonated the user, who was sent directly to the 2fa setup page upon login because a group he was in required it. So I don’t know for sure whether it was the login or the 2fa setup page that did the repopulation.