2.0.0-rc2 Upgrade Issue (Key Not Found)

mbillow · March 19, 2018, 2:41am

Hello,

I upgraded my server to Passbolt 2.0.0-rc2 today and was able to get most of the way there, except the error below.

In the CakePHP logs (log/error.log):

2018-03-19 01:36:43 Error: [Cake\Network\Exception\InternalErrorException] The GPG Server key defined in the config is not found in the gpg keyring
Request URL: /auth/verify.json?api-version=v1

And on the /auth/login route, “Could not verify server key. Server code: That version of GPGAuth is not supported. (undefined)” is displayed in a red box.

I ran the health check and it didn’t return any errors. The health check verifies that the keys are properly setup, so I don’t see why this error is being thrown.

# su -c "/var/www/passbolt/bin/cake passbolt healthcheck" -s /bin/bash nginx

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.1.15.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://[redacted]
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 19 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The server gpg key is not the default one
 [PASS] The environment variable GNUPGHOME is set to /var/lib/nginx/.gnupg.
 [PASS] The directory /var/lib/nginx/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The public key can be used to sign a message.
 [PASS] The public key can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (2.0.0-rc2).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 No error found. Nice one sparky!

Below are the details of my setup:

OS: RHEL 7.4
Server: nginx/1.12.2
PHP: 7.1.15 (fpm-fcgi)
DB: mysql 15.1 Distrib 5.5.56-MariaDB

Just to double check, I listed the secret keys in the nginx user’s ring and the server secret key was listed. The fingerprint also matches the one that is in the conf/passbolt.conf file.

# su -c "gpg --list-secret-keys" -s /bin/bash nginx
/var/lib/nginx/.gnupg/secring.gpg
---------------------------------
sec   2048R/C44D9582 2018-03-01 [expires: 2020-02-29]
uid                  [redacted]
ssb   2048R/D9633E38 2018-03-01

If there is anything else information-wise that could be helpful, please let me know.

remy · March 19, 2018, 4:09am

Hi @mbillow

Do you also have gpg2 running on the same machine by any chance?
If so could you check what’s in the keyring with gpg2?

Cheers,

mbillow · March 19, 2018, 4:20am

Same key.

# su -c "gpg2 --list-secret-keys" -s /bin/bash nginx
/var/lib/nginx/.gnupg/secring.gpg
---------------------------------
sec   2048R/C44D9582 2018-03-01 [expires: 2020-02-29]
uid                  [redacted]
ssb   2048R/D9633E38 2018-03-01

remy · March 19, 2018, 5:31am

@mbillow that’s odd, any chance we can get @cedric on a call with you? Feel free to drop us an email at contact@passbolt.com so that we can get to the bottom of this issue.

remy · March 19, 2018, 5:38am

It seems to me that you may have a difference of config or settings between php running as CLI and running for the webserver. Maybe:

Double check that php gnupg is loaded for both cli and non-cli php
Try to put the server in debug mode and access the healthcheck via the web https://yourdomain/healthcheck that might tell you more
Check for any selinux warning if any

mbillow · March 19, 2018, 5:54am

Huh… I could swear I checked the audit log earlier and there was nothing there. The httpd_setrlimit boolean was the problem. Looks like we are back up and running.

Thanks for the help!

remy · March 19, 2018, 6:42am

No problem, I’m glad it worked out fine.

system · March 24, 2018, 6:43am

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.