Container restart causes HTTP 500 due to empty SECRET_KEY_BASE #397

@kmn4

Summary

Restarting a redmine:5.1.10-bookworm container causes every HTTP request to fail with HTTP 500 and the Rails message `secret_key_base` for production environment must be a type of String.

Environment

  • Image: redmine:5.1.10-bookworm
  • Clean container start (docker run) succeeds; issue appears only after docker restart.

Steps to Reproduce

  1. docker run --name redmine -p 3000:3000 -d redmine:5.1.10-bookworm
  2. Confirm the UI responds.
  3. docker restart redmine
  4. Access Redmine in a browser and check logs: docker logs redmine

Expected Result

After a container restart, the application keeps serving 200 responses.

Actual Result

  • Browser receives HTTP 500 after the restart.
  • docker logs shows `secret_key_base` for production environment must be a type of String on every request.

Root Cause

Commit a57cd24 changed the entrypoint to drop secrets.yml and rely on SECRET_KEY_BASE. In 5.1/bookworm/docker-entrypoint.sh, the following lines assign and export SECRET_KEY_BASE:

```sh
: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
export SECRET_KEY_BASE
```

When REDMINE_SECRET_KEY_BASE is unset, this assigns an empty string to SECRET_KEY_BASE and exports it. Rails prefers ENV["SECRET_KEY_BASE"]; the empty (but present) value triggers the validation error inside validate_secret_key_base. See the diff around lines 454–459 in that commit.

Potentially Affected Versions

The same code pattern exists in 5.0/5.1/6.0 across Debian and Alpine variants.

Proposed Fix

Export only when non-empty (so an empty shell variable does not become a visible env var):

```sh
: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
if [ -n "$SECRET_KEY_BASE" ]; then
  export SECRET_KEY_BASE
fi
```

This keeps existing logic intact (including the subsequent fallback that generates config/initializers/secret_token.rb when no key is present) while preventing an empty ENV["SECRET_KEY_BASE"] from shadowing the initializer. The problem reproduces specifically after docker restart, because the generated secret_token.rb exists but is ignored when ENV["SECRET_KEY_BASE"] is set (to empty).
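
The difference between the two snippets, as seen by a child process such as the Rails server, can be checked outside the container. This is an added example, not part of the original issue or the image's entrypoint; the function names `child_view`, `entrypoint_original` and `entrypoint_fixed` and the sample key are hypothetical.

```shell
#!/bin/sh
# Added example: compare what a child process inherits under the original
# and the proposed export logic. All function names are hypothetical.

# Report how a child process sees SECRET_KEY_BASE:
#   unset = not in its environment, empty = present but "", set = has a value
child_view() {
	sh -c 'if [ -z "${SECRET_KEY_BASE+x}" ]; then echo unset
	elif [ -z "$SECRET_KEY_BASE" ]; then echo empty
	else echo set; fi'
}

# Original entrypoint lines. $1 is an optional REDMINE_SECRET_KEY_BASE value.
# The body runs in a subshell so the caller's variables are untouched.
entrypoint_original() (
	unset SECRET_KEY_BASE
	REDMINE_SECRET_KEY_BASE=${1-}
	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
	export SECRET_KEY_BASE        # exported even when the value is ""
	child_view
)

# Proposed fix: export only when the value is non-empty.
entrypoint_fixed() (
	unset SECRET_KEY_BASE
	REDMINE_SECRET_KEY_BASE=${1-}
	: "${SECRET_KEY_BASE:=$REDMINE_SECRET_KEY_BASE}"
	if [ -n "$SECRET_KEY_BASE" ]; then
		export SECRET_KEY_BASE
	fi
	child_view
)

# "constructed-key" is a constructed sample value, not a real secret.
echo "original, no key given: $(entrypoint_original)"
echo "fixed,    no key given: $(entrypoint_fixed)"
echo "original, key given:    $(entrypoint_original constructed-key)"
echo "fixed,    key given:    $(entrypoint_fixed constructed-key)"
```

Both functions start from an unset SECRET_KEY_BASE; a variable that is already exported as empty when the shell starts stays in the environment under either version, because the guard only skips the `export` and does not `unset` anything.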
