Kamal unable to decrypt "secrets" file #1340

Open
JFCote opened this issue Jan 6, 2025 · 5 comments

JFCote commented Jan 6, 2025

I have a mostly vanilla Rails 8 application in terms of configuration. Default Dockerfile, etc. I have been able to deploy a couple of times without problem. But since I added the SMTP configuration for the mailer that uses the credentials.dig, it is not able to be healthy after deployment, so it keeps the previous version and fails the deployment.

I added configuration for the mailer in production.rb file:

  config.action_mailer.delivery_method = :smtp
  config.action_mailer.smtp_settings = {
    user_name: Rails.application.credentials.dig(:smtp, :user_name),
    password: Rails.application.credentials.dig(:smtp, :password),
    address: "mail.privateemail.com",
    domain: "mydomain.ca",
    port: 587,
    authentication: "login",
    enable_starttls_auto: true
  }

My secrets file is the following:

KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
RAILS_MASTER_KEY=$(cat config/master.key)

I run:

kamal setup or kamal deploy and I always receive this error:

2025-01-06T20:25:37.001187898Z ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
2025-01-06T20:25:37.001193553Z /rails/config/environments/production.rb:67:in `block in <main>'
2025-01-06T20:25:37.001197961Z /rails/config/environments/production.rb:3:in `<main>'
2025-01-06T20:25:37.001200232Z /rails/config/environment.rb:5:in `<main>'
2025-01-06T20:25:37.001202367Z Tasks: TOP => db:prepare => db:load_config => environment
2025-01-06T20:25:37.001204854Z (See full trace by running task with --trace)
2025-01-06T20:25:39.441285808Z bin/rails aborted!

Followed by this:

ERROR (SSHKit::Command::Failed): Exception while executing on host REDACTED: docker exit status: 1
docker stdout: Nothing written
docker stderr: Error: target failed to become healthy within configured timeout (30s)

I've read the documentation and I think I have everything that is needed. I guess the secrets file should be generated by kamal and used to create the environment variable needed to decrypt the "credential"... But I might be wrong. If it's not the case, then maybe it's a problem with the documentation?

I even tried to remove the "secrets" file from Git and put the master key directly in it, and it didn't work...

I tried to get help from 3 AIs and multiple Google searches, without finding a solution... I'm new to Rails and Kamal, so I might be missing very basic stuff here, so sorry if this ends up being a code 18. Other than that, killer project, I LOVE Kamal and coming from 15+ years of development in other frameworks/languages and working with k8s, this is very refreshing!

Thanks

raff-s commented Jan 18, 2025

Do you only have one credentials.yml.enc or a specific one for production under credentials/production.yml.enc?
Also, are you exposing the key in your deploy.yml?

env:
  secret:
    - RAILS_MASTER_KEY

JFCote commented Jan 20, 2025

Hey @raff-s ! Thanks for the reply! I will validate this once I get on my home machine tonight. I'll get back to you soon.

JFCote commented Jan 21, 2025

@raff-s I have one called production.yml.enc in the /config/credentials folder.
I also have one in the /config folder with the name credentials.yml.enc.

Is this the problem?

I also have the key in my deploy.yml.

Let me know if something is wrong in this setup.

raff-s commented Jan 21, 2025

It depends on how you set up those encrypted files.
Usually in a production environment you'll have different keys for different environments.
When you run rails credentials:edit --environment production locally, does it open the file?
To debug this I would back up/delete the existing production files and see if the app can start with the default master key and credentials.
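
A way to check which key opens which credentials file, for the per-environment key situation described in the comment above (added example, not part of the thread and not Rails or Kamal code). It assumes the ActiveSupport::EncryptedFile layout (AES-128-GCM, Base64 `ciphertext--iv--auth_tag`, 32-hex-character key); `seal`, `key_matches?` and `which_key` are hypothetical helper names, and the keys and blobs are constructed sample data.

```ruby
require "openssl"
require "base64"

# Assumed layout (ActiveSupport::EncryptedFile): AES-128-GCM, Base64 parts
# joined as "ciphertext--iv--auth_tag", key stored as 32 hex characters.
def seal(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(plaintext) + cipher.final
  [data, iv, cipher.auth_tag(16)].map { |p| Base64.strict_encode64(p) }.join("--")
end

# True only if hex_key authenticates the blob. Nothing is deserialized, so
# the check only verifies the GCM tag and never loads the file's contents.
def key_matches?(blob, hex_key)
  return false unless hex_key.match?(/\A\h{32}\z/)
  data, iv, tag = blob.strip.split("--").map { |p| Base64.strict_decode64(p) }
  return false if tag.nil? || tag.bytesize != 16
  cipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(data)
  cipher.final # raises CipherError when the key (or the file) is wrong
  true
rescue OpenSSL::Cipher::CipherError, ArgumentError
  false
end

# Name of the first candidate key that opens the blob, or nil.
def which_key(blob, candidates)
  candidates.find { |_name, key| key_matches?(blob, key.strip) }&.first
end

# Constructed stand-ins for the two files and two keys discussed in the thread.
MASTER_KEY     = "00112233445566778899aabbccddeeff"
PRODUCTION_KEY = "ffeeddccbbaa99887766554433221100"
DEFAULT_ENC    = seal("secret_key_base: constructed\n", MASTER_KEY)
PRODUCTION_ENC = seal("smtp:\n  user_name: constructed\n", PRODUCTION_KEY)
KEYS = { "config/master.key" => MASTER_KEY,
         "config/credentials/production.key" => PRODUCTION_KEY }

puts "credentials.yml.enc opens with #{which_key(DEFAULT_ENC, KEYS)}"
puts "production.yml.enc opens with #{which_key(PRODUCTION_ENC, KEYS)}"
puts "master.key opens production.yml.enc? #{key_matches?(PRODUCTION_ENC, MASTER_KEY)}"
```

On a real app, pass `File.read` of each `.enc` file and each key file to `which_key`. If production.yml.enc only opens with its own key, that key's contents are what RAILS_MASTER_KEY in the Kamal secrets file has to carry, not config/master.key.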

JFCote commented Jan 26, 2025

@raff-s When I edit the credential files for production, I have my secret in it, like this:

smtp:
  user_name: '[email protected]'
  password: 'mypassword'
#
# aws:
#   access_key_id: 123
#   secret_access_key: 345

# Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.
secret_key_base: secretkeybase

I will try to re-deploy tomorrow with what you are suggesting. I had stopped my droplet for the moment because it was not working.
