InvalidCSRFTokenException raised when submitting setup token

Hi there!

I installed IcingaWeb2 by following https://icinga.com/docs/icingaweb2/latest/

I generate a setup token:

root@upfront4 /etc/apache2 $ icingacli setup token create
The newly generated setup token is: 9e1a0af69a5db245

I verify that it is written to /etc/icingaweb2/setup.token:

root@upfront4 /etc/apache2 $ cat /etc/icingaweb2/setup.token
9e1a0af69a5db245

When I submit the token in my browser at /icingaweb2/setup, I get the following exception:

Icinga\Web\Form\InvalidCSRFTokenException in /usr/share/php/Icinga/Web/Form/Element/CsrfCounterMeasure.php:63 with message:
#0 /usr/share/icingaweb2/library/vendor/Zend/Form.php(2280): Icinga\Web\Form\Element\CsrfCounterMeasure->isValid(String, Array)
#1 /usr/share/php/Icinga/Web/Form.php(1292): Zend_Form->isValid(Array)
#2 /usr/share/php/Icinga/Web/Wizard.php(277): Icinga\Web\Form->isValid(Array)
#3 /usr/share/icingaweb2/modules/setup/application/controllers/IndexController.php(46): Icinga\Web\Wizard->handleRequest()
#4 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action.php(507): Icinga\Module\Setup\Controllers\IndexController->indexAction()
#5 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(76): Zend_Controller_Action->dispatch(String)
#6 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#7 /usr/share/php/Icinga/Application/Web.php(300): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#8 /usr/share/php/Icinga/Application/webrouter.php(99): Icinga\Application\Web->dispatch()
#9 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#10 {main}

This is on Debian 10 (Buster) with a stock standard fresh install of icinga2 and icingaweb2.

icinga2 - The Icinga 2 network monitoring daemon (version: r2.10.5-1)

Copyright (c) 2012-2019 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl2.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
  Platform: Debian GNU/Linux
  Platform version: 10 (buster)
  Kernel: Linux
  Kernel version: 4.19.0-6-amd64
  Architecture: x86_64

Build information:
  Compiler: GNU 8.3.0
  Build host: b135b72b8067

Application information:

General paths:
  Config directory: /etc/icinga2
  Data directory: /var/lib/icinga2
  Log directory: /var/log/icinga2
  Cache directory: /var/cache/icinga2
  Spool directory: /var/spool/icinga2
  Run directory: /run/icinga2

Old paths (deprecated):
  Installation root: /usr
  Sysconf directory: /etc
  Run directory (base): /run
  Local state directory: /var

Internal paths:
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /run/icinga2/icinga2.pid

php version:

PHP 7.3.4-2 (cli) (built: Apr 13 2019 19:05:48) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.4, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.4-2, Copyright (c) 1999-2018, by Zend Technologies

I get the same result on FF, Chrome, Brave and Edge. I set session.gc-maxlifetime to 28800 in /etc/php/7.3/apache2/php.ini and restarted apache2 without luck.

The server is responding with a Set-Cookie header with each request to /icingaweb2/setup.

Any help would be appreciated.

Thanks,
Roché

Hi,

Have you checked the following?

Cheers,
George

Hi George

Thanks for your feedback!

I checked whether Apache was using php7 modules before I posted my question. For good measure, I just purged php and reinstalled as per the recommendation in the post you linked to, but I’m still getting the same error. I’m now installing Icinga2 on a brand new server to see if I can reproduce the issue.

Cheers,
Roché

It is working fine on a new server. I will compare the two installations to see what is different. The first server I installed Icinga2 on was recently upgraded from Debian 9 to 10 so clearly something unexpected happens to the environment during the upgrade.

Obviously something got stuck in the system and was not purged correctly.
Good that you have it working now!

Cheers,
George

Aaargh, Varnish was eating my cookies! :open_mouth:

We run Varnish and it does cookie sanitization for some of our other sites. It was doing it a little too aggressively … :man_facepalming:

The upgraded server is running Icingaweb perfectly now.

2 Likes
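
Added example, not part of the original thread and not Icinga Web 2's own code: a small Python model of why a proxy that removes cookies produces an invalid CSRF token, and why the backend then sends Set-Cookie on every request. It assumes a form token derived from the session ID; `ToyApp` and `submit_form` are hypothetical names and all values are generated at run time.

```python
import hashlib
import hmac
import secrets


class ToyApp:
    """Simplified backend (assumption): form tokens are bound to the session ID."""

    def __init__(self):
        self.sessions = set()

    def _session(self, cookie):
        # Unknown or missing cookie: start a fresh session, as PHP would.
        if cookie in self.sessions:
            return cookie, None
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        return sid, sid  # second value is what goes out as Set-Cookie

    @staticmethod
    def _token(sid, seed):
        return seed + "|" + hashlib.sha256((sid + seed).encode()).hexdigest()

    def get_form(self, cookie):
        sid, set_cookie = self._session(cookie)
        return set_cookie, self._token(sid, secrets.token_hex(4))

    def post_form(self, cookie, token):
        sid, set_cookie = self._session(cookie)
        seed = token.split("|", 1)[0]
        valid = hmac.compare_digest(token, self._token(sid, seed))
        return set_cookie, valid


def submit_form(strip_cookie=False, strip_set_cookie=False):
    """Browser -> proxy -> app round trip; flags model what the proxy removes."""
    app, jar = ToyApp(), None
    set_cookie, token = app.get_form(None)
    if set_cookie and not strip_set_cookie:
        jar = set_cookie  # browser stores the session cookie
    sent = None if strip_cookie else jar  # what the app actually receives
    set_cookie, valid = app.post_form(sent, token)
    return {"csrf_valid": valid, "new_session_on_post": set_cookie is not None}


if __name__ == "__main__":
    print("clean proxy        ", submit_form())
    print("Cookie stripped    ", submit_form(strip_cookie=True))
    print("Set-Cookie stripped", submit_form(strip_set_cookie=True))
```

In both stripped cases the POST arrives without the session that issued the token, so validation fails and the backend starts a new session; the practical check is whether the browser's Cookie header actually reaches the backend behind the cache.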

I have the same problem on a fresh install on a Buster Raspberry Pi, but only on Firefox 74.0(64bit) on Ubuntu canonical -1.0. Chrome works fine (Version 80.0.3987.149 (Official Build) (64-bit)).
Sometimes I get an Icinga page with a complaint about an invalid timezone “US/Denver”, using UTC instead. (I changed this to ‘America/Denver’, and no longer see the error.)
The exception is:

#0 /usr/share/icingaweb2/library/vendor/Zend/Form.php(2280): Icinga\Web\Form\Element\CsrfCounterMeasure->isValid(String, Array)
#1 /usr/share/php/Icinga/Web/Form.php(1279): Zend_Form->isValid(Array)
#2 /usr/share/php/Icinga/Web/Form.php(1156): Icinga\Web\Form->isValid(Array)
#3 /usr/share/icingaweb2/application/controllers/AuthenticationController.php(54): Icinga\Web\Form->handleRequest()
#4 /usr/share/icingaweb2/library/vendor/Zend/Controller/Action.php(507): Icinga\Controllers\AuthenticationController->loginAction()
#5 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(76): Zend_Controller_Action->dispatch(String)
#6 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#7 /usr/share/php/Icinga/Application/Web.php(300): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#8 /usr/share/php/Icinga/Application/webrouter.php(104): Icinga\Application\Web->dispatch()
#9 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#10 {main}

I installed using
https://blog.sleeplessbeastie.eu/2018/01/15/how-to-install-icinga2-and-icingaweb2/
but switched to the icinga2 procedure at the nginx install point. I’m running Apache2.
I deleted the Firefox icinga cookies with no effect.
I would really love to get Firefox working with Icinga2 Web. Thanks!

icinga2 --version

icinga@master-bldr:~ $ icinga2 --version
[2020-03-20 13:58:34 -0600] warning/Application: Failed adjust resource limit for number of processes (RLIMIT_NPROC) with error "Operation not permitted"
[2020-03-20 13:58:34 -0600] warning/Application: Failed adjust resource limit for number of processes (RLIMIT_NPROC) with error "Operation not permitted"
icinga2 - The Icinga 2 network monitoring daemon (version: r2.11.2-1)

Copyright (c) 2012-2020 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl2.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
  Platform: Raspbian GNU/Linux
  Platform version: 10 (buster)
  Kernel: Linux
  Kernel version: 4.19.97-v7+
  Architecture: armv7l

Build information:
  Compiler: GNU 8.3.0
  Build host: runner-LTrJQZ9N-project-297-concurrent-0

Application information:

General paths:
  Config directory: /etc/icinga2
  Data directory: /var/lib/icinga2
  Log directory: /var/log/icinga2
  Cache directory: /var/cache/icinga2
  Spool directory: /var/spool/icinga2
  Run directory: /run/icinga2

Old paths (deprecated):
  Installation root: /usr
  Sysconf directory: /etc
  Run directory (base): /run
  Local state directory: /var

Internal paths:
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /run/icinga2/icinga2.pid

icinga2 feature list

Disabled features: compatlog debuglog elasticsearch gelf graphite influxdb livestatus opentsdb perfdata statusdata syslog
Enabled features: api checker command ido-pgsql mainlog notification

icinga2 daemon -C

[2020-03-20 14:09:03 -0600] information/cli: Icinga application loader (version: r2.11.2-1)
[2020-03-20 14:09:03 -0600] information/cli: Loading configuration file(s).
[2020-03-20 14:09:03 -0600] information/ConfigItem: Committing config item(s).
[2020-03-20 14:09:03 -0600] information/ApiListener: My API identity: master-bldr
[2020-03-20 14:09:04 -0600] information/ConfigItem: Instantiated 1 FileLogger.
[2020-03-20 14:09:04 -0600] information/ConfigItem: Instantiated 1 NotificationComponent.
[2020-03-20 14:09:04 -0600] information/ConfigItem: Instantiated 1 IcingaApplication.
[2020-03-20 14:09:04 -0600] information/ConfigItem: Instantiated 1 CheckerComponent.
[2020-03-20 14:09:04 -0600] information/ConfigItem: Instantiated 3 Zones.
[2020-03-20 14:09:04 -0600] information/ConfigItem: Instantiated 1 Endpoint.
[2020-03-20 14:09:04 -0600] information/ConfigItem: Instantiated 1 ExternalCommandListener.
[2020-03-20 14:09:04 -0600] information/ConfigItem: Instantiated 2 ApiUsers.
[2020-03-20 14:09:04 -0600] information/ConfigItem: Instantiated 1 ApiListener.
[2020-03-20 14:09:04 -0600] information/ConfigItem: Instantiated 235 CheckCommands.
[2020-03-20 14:09:04 -0600] information/ConfigItem: Instantiated 1 IdoPgsqlConnection.
[2020-03-20 14:09:04 -0600] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icinga2.vars'
[2020-03-20 14:09:04 -0600] information/cli: Finished validating the configuration file(s).

Icinga Web 2 version (screenshot from System - About)

Icinga Web 2 version 2.6.2

Icinga Web 2 modules e.g. the Icinga Director (optional)

Name	monitoring
State	enabled 
Version	2.6.2
Description	Icinga monitoring module
This is the core module for most Icingaweb users. It provides an abstraction layer for various Icinga data backends.
Dependencies	This module has no dependencies
Permissions	monitoring/command/*: Allow all commands
monitoring/command/schedule-check: Allow scheduling host and service checks
monitoring/command/acknowledge-problem: Allow acknowledging host and service problems
monitoring/command/remove-acknowledgement: Allow removing problem acknowledgements
monitoring/command/comment/*: Allow adding and deleting host and service comments
monitoring/command/comment/add: Allow commenting on hosts and services
monitoring/command/comment/delete: Allow deleting host and service comments
monitoring/command/downtime/*: Allow scheduling and deleting host and service downtimes
monitoring/command/downtime/schedule: Allow scheduling host and service downtimes
monitoring/command/downtime/delete: Allow deleting host and service downtimes
monitoring/command/process-check-result: Allow processing host and service check results
monitoring/command/feature/instance: Allow processing commands for toggling features on an instance-wide basis
monitoring/command/feature/object/*: Allow processing commands for toggling features on host and service objects
monitoring/command/feature/object/active-checks: Allow processing commands for toggling active checks on host and service objects
monitoring/command/feature/object/passive-checks: Allow processing commands for toggling passive checks on host and service objects
monitoring/command/feature/object/notifications: Allow processing commands for toggling notifications on host and service objects
monitoring/command/feature/object/event-handler: Allow processing commands for toggling event handlers on host and service objects
monitoring/command/feature/object/flap-detection: Allow processing commands for toggling flap detection on host and service objects
monitoring/command/send-custom-notification: Allow sending custom notifications for hosts and services
Restrictions	monitoring/filter/objects: Restrict views to the Icinga objects that match the filter
monitoring/blacklist/properties: Hide the properties of monitored objects that match the filter

cat /etc/icinga2/icinga2.conf

/**
 * Icinga 2 configuration file
 * - this is where you define settings for the Icinga application including
 * which hosts/services to check.
 *
 * For an overview of all available configuration options please refer
 * to the documentation that is distributed as part of Icinga 2.
 */

/**
 * The constants.conf defines global constants.
 */
include "constants.conf"

/**
 * The zones.conf defines zones for a cluster setup.
 * Not required for single instance setups.
 */
include "zones.conf"

/**
 * The Icinga Template Library (ITL) provides a number of useful templates
 * and command definitions.
 * Common monitoring plugin command definitions are included separately.
 */
include <itl>
include <plugins>
include <plugins-contrib>
include <manubulon>

/**
 * This includes the Icinga 2 Windows plugins. These command definitions
 * are required on a master node when a client is used as command endpoint.
 */
include <windows-plugins>

/**
 * This includes the NSClient++ check commands. These command definitions
 * are required on a master node when a client is used as command endpoint.
 */
include <nscp>

/**
 * The features-available directory contains a number of configuration
 * files for features which can be enabled and disabled using the
 * icinga2 feature enable / icinga2 feature disable CLI commands.
 * These commands work by creating and removing symbolic links in
 * the features-enabled directory.
 */
include "features-enabled/*.conf"

/**
 * Although in theory you could define all your objects in this file
 * the preferred way is to create separate directories and files in the conf.d
 * directory. Each of these files must have the file extension ".conf".
 */
// Disabled by the node setup CLI command on 2020-03-19 15:45:01 -0600
// include_recursive "conf.d"
// Added by the node setup CLI command on 2020-03-19 15:45:01 -0600
include "conf.d/api-users.conf"

I installed browser certificates for Apache2 as described in:
https://hostadvice.com/how-to/configure-apache-with-tls-ssl-certificate-on-ubuntu-18/
This solved the problem.

Hello,
I'm getting the same error as Roché, but not for the same reasons, I think; it was after adding the certificate for apache2.
So basically

https://server-fqdn/icingaweb2 works
but
http://server-fqdn/icingaweb2
would show me the authentication page and then would show a similar error,


Even when I disabled the default-ssl.conf by running sudo a2dissite default-ssl.conf, I can no longer access icingaweb2, at least from Chrome; Firefox works fine.

It's fixed. I thought I was sure of the redirection part of the conf file, but it turns out that I wrote the server name wrong in this line:
Redirect / server-fqdn/
Cheers :smile: