Starting KUIP and EZD RP: Error 500

I have a problem starting EZD RP and KUIP. After loading the page https://ezdrp-web.mojadomena.pl or https://kuip-web.mojadomena.pl I get the message:

{
"errorId": "cf31da44f53049a8ad7dcf157c19ef0c",
"instance": "/Account/LoginPassword",
"status": 500,
"type": "https://httpstatuses.io/500",
"title": "HTTP error InternalServerError"
}

Has anyone had a similar problem?
There is nothing in the logs of the ezdrp-web and kuip-web pods.

Below is the log from the sso-identityserver pod:

{"@t":"2024-12-10T06:35:37.2588076Z","@mt":"An error occurred while reading the key ring.","@l":"Error","@x":"System.UnauthorizedAccessException: Access to the path '/app/keys/data_protection/key-bdddd82e-093b-4ba2-98a6-780ba75ba640.xml' is denied.\n ---> System.IO.IOException: Permission denied\n --- End of inner exception stack trace ---\n at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode)\n at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize)\n at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize)\n at Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository.ReadElementFromFile(String fullPath)\n at Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository.GetAllElementsCore()+MoveNext()\n at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)\n at Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository.GetAllElements()\n at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.GetAllKeys()\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded)\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRingCore(DateTime utcNow, Boolean forceRefresh)","EventId":{"Id":48,"Name":"ErrorOccurredWhileReadingKeyRing"},"SourceContext":"Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider","RequestId":"0HN8O8CCO7VNK:00000004","RequestPath":"/Account/LoginPassword","ConnectionId":"0HN8O8CCO7VNK","ExceptionDetail":{"Type":"System.UnauthorizedAccessException","HResult":-2147024891,"Message":"Access to the path '/app/keys/data_protection/key-bdddd82e-093b-4ba2-98a6-780ba75ba640.xml' is denied.","Source":"System.Private.CoreLib","TargetSite":"Microsoft.Win32.SafeHandles.SafeFileHandle Open(System.String, OpenFlags, Int32)","InnerException":{"Type":"System.IO.IOException","HResult":13,"Message":"Permission denied","Source":null}},"ConsoleLogger":"true","IceHost":"SSO","InstanceName":"powiat.koszalin.pl","SeqLogger":"true"}
{"@t":"2024-12-10T06:35:37.3327064Z","@mt":"An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. For more information go to Search - Microsoft Bing An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. For more information go to Search - Microsoft Bing ---> System.UnauthorizedAccessException: Access to the path '/app/keys/data_protection/key-bdddd82e-093b-4ba2-98a6-780ba75ba640.xml' is denied.\n ---> System.IO.IOException: Permission denied\n --- End of inner exception stack trace ---\n at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode)\n at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize)\n at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize)\n at Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository.ReadElementFromFile(String fullPath)\n at Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository.GetAllElementsCore()+MoveNext()\n at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)\n at Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository.GetAllElements()\n at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.GetAllKeys()\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.CreateCacheableKeyRingCore(DateTimeOffset now, IKey keyJustAdded)\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider.GetCurrentKeyRingCore(DateTime utcNow, Boolean forceRefresh)\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Protect(Byte plaintext)\n --- End of inner exception stack trace ---\n at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Protect(Byte plaintext)\n at Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions.Protect(IDataProtector protector, String plaintext)\n at SSO.Authentication.AS.CommandsRole.LoginPasswordRequestHandler.InvokeAsync(LoginPasswordRequestCommand input, Dictionary`2 properties)\n at .(ICommandDto , Dictionary`2 , Type , ICommandHandlerBase )\n at .Handle(IContainerScope , ICommandDto , Func`1 )\n at .Handle(ICommandDto , Dictionary`2 )\n at .Receive(IContainerScope , ICommandDto , Func`1 )\n at (TaskAwaiter`1& )\n at .Handle(HttpContext , Type )\n at ...MoveNext()\n--- End of stack trace from previous location ---\n at Microsoft.AspNetCore.Routing.EndpointMiddleware.g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)\n at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)\n at IdentityServer4.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes)\n at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)\n at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context)\n at SSO.IdentityServer.Middleware.ForwardedHeadersStartupModule.<>c.<b__2_0>d.MoveNext()\n--- End of stack trace from previous location ---\n at ...MoveNext()","ErrorResponseBody":"{\n "errorId": "11ed1fe5a83d4da08b745dcdaa8db9af",\n "instance": "/Account/LoginPassword",\n "status": 500,\n "type": "https://httpstatuses.io/500",\n "title": "HTTP error InternalServerError"\n}","ErrorId":"11ed1fe5a83d4da08b745dcdaa8db9af","SourceContext":"LoggerMiddleware","RequestId":"0HN8O8CCO7VNK:00000004","RequestPath":"/Account/LoginPassword","ConnectionId":"0HN8O8CCO7VNK","ExceptionDetail":{"Type":"System.Security.Cryptography.CryptographicException","HResult":-2146233087,"Message":"An error occurred while trying to encrypt the provided data. Refer to the inner exception for more information. For more information go to Search - Microsoft Bing Protect(Byte)","InnerException":{"Type":"System.UnauthorizedAccessException","HResult":-2147024891,"Message":"Access to the path '/app/keys/data_protection/key-bdddd82e-093b-4ba2-98a6-780ba75ba640.xml' is denied.","Source":"System.Private.CoreLib","TargetSite":"Microsoft.Win32.SafeHandles.SafeFileHandle Open(System.String, OpenFlags, Int32)","InnerException":{"Type":"System.IO.IOException","HResult":13,"Message":"Permission denied","Source":null}}},"ConsoleLogger":"true","IceHost":"SSO","InstanceName":"powiat.koszalin.pl","SeqLogger":"true"}

The problem turned out to be access to the file /app/keys/data_protection/key-bdddd82e-093b-4ba2-98a6-780ba75ba640.xml: in the sso-idp container the keys directory was owned by root. It was enough to change the owner of the directory and EZD RP started. It is a pity that the manual has no information about the typical errors one can run into.

Unfortunately this fix is applied directly in the container, so after a restart of the machine the error 500 issue comes back.

Could someone from NASK comment on why, in the container, the mounted /app/keys has its owner set to root:root while the other directories are appuser:appuser? After changing it from root:root to appuser:appuser the application starts without any problem.
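As an added example (not from this thread and not from the NASK/EZD RP deployment manifests), one way to make the ownership fix for the mounted /app/keys volume survive pod and machine restarts is to put it in the pod spec itself, so the container never depends on a manual chown. Assumptions: appuser has uid/gid 1000 (placeholder, check with `id appuser` inside the container), the volume is called keys-data and is backed by a PVC named sso-keys (placeholders), and the image reference is a placeholder.

```yaml
# Added example, not part of the original thread or of the EZD RP manifests.
# Fixes the owner of the mounted /app/keys volume on every pod start so the
# ASP.NET Core Data Protection key ring can be read and written by appuser.
apiVersion: v1
kind: Pod
metadata:
  name: sso-identityserver
spec:
  securityContext:
    runAsUser: 1000                 # placeholder uid of appuser
    runAsGroup: 1000                # placeholder gid of appuser
    fsGroup: 1000                   # kubelet sets group ownership on volume types that support it
    fsGroupChangePolicy: OnRootMismatch   # only re-chown when the volume root is not already correct
  initContainers:
    - name: fix-keys-owner
      image: busybox:1.36
      # root is used only for this short step; the main container below runs as appuser
      securityContext:
        runAsUser: 0
        runAsGroup: 0
      command:
        - sh
        - -c
        - chown -R 1000:1000 /app/keys && chmod 700 /app/keys
      volumeMounts:
        - name: keys-data
          mountPath: /app/keys
  containers:
    - name: sso-idp                 # container name as reported in the thread
      image: REGISTRY/sso-identityserver:TAG   # placeholder
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: keys-data
          mountPath: /app/keys
  volumes:
    - name: keys-data
      persistentVolumeClaim:
        claimName: sso-keys         # placeholder
```

The fsGroup setting alone is enough for volume types whose ownership the kubelet manages; the init container covers the others (for example hostPath), and the chmod 700 keeps the key-ring XML files readable only by the application user.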