404s after fresh install on Ubuntu 19.10

Hi Passbolt Community,

I have read through the “RTFM” checklist.

– Server operating system name and version: Ubuntu 19.10
– Web server name and version: Apache 2.4.41
– Database server name and version: mysqld Ver 8.0.19-0ubuntu0.19.10.3
– Php version: 7.3.11
– Passbolt version: latest from GitHub

I have a fresh install of Passbolt from source on Ubuntu 19.10 and after running health check, I see:


     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.11-0ubuntu0.19.10.2.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://192.168.2.210
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
  [HELP] Check that the domain name is correct in config/passbolt.php
  [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
  [HELP] cURL Error (60) SSL certificate problem: self signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 23 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/www/.gnupg.
 [PASS] The directory /var/www/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server gpg key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [FAIL] The private key cannot be used to sign a message
  [HELP] Make sure that the server private key is valid and that there is no passphrase.
  [HELP] Make sure you imported the private server key in the keyring of the webserver user.
  [HELP] you can try:
  [HELP] sudo su -s /bin/bash -c "gpg --home /var/www/.gnupg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data
 [FAIL] The public and private keys cannot be used to encrypt and sign a message
 [FAIL] The private key cannot be used to decrypt a message
 [FAIL] The private key cannot be used to decrypt and verify a message
 [FAIL] The public key cannot be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (2.12.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

  8 error(s) found. Hang in there!

We’re looking to host this internally only (by IP address) for the time being so I’ve set it to 192.168.2.210 - is that a problem? I can add a DNS entry if necessary, but is it a must have?

I believe the cause of this error:

 [FAIL] The private key cannot be used to sign a message

I believe this is related to my running of

gpg --gen-key

… as suggested in the ‘Build From Source’ instructions. For some reason, I was unable to set an empty passphrase - it had to be at least 1 character so I set it to a space. Is this the cause for the failure? I saw the warning:

Do not set a passphrase or an expiration date. The php-gnupg module does not support using a passphrase at the moment. Make sure you do not set a passphrase. Similarly, do not set an expiration date. Otherwise all your users will need to perform an account recovery when you eventually need to update the key.

… but for some reason despite trying several times I was unable to simply tab to ‘OK’ and proceed. It kept taking me back to the same screen and would not let me enter an empty passphrase.

I have run:

sudo su -s /bin/bash -c "gpg --home /var/www/.gnupg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data

… as suggested by the healthcheck. This produced:

gpg: WARNING: unsafe permissions on homedir '/var/www/.gnupg'
gpg: key xxx: "FirstName <xx@xx.com>" not changed
gpg: key xxx: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

Hi @rushlightening, I think you can just hit enter instead of tabbing over… but if not, then it's recently changed.

Thanks. Unfortunately that does not work. I’m connecting to the server via PuTTY Release 0.67.

I have managed to find a work-around following a process like this:

#!/usr/bin/env bash
# Rebuilds the GnuPG home directory of the current user from scratch.
# Run it from that user's home directory: the rm below deletes any existing keyring.
rm -rf .gnupg
mkdir -m 0700 .gnupg
touch .gnupg/gpg.conf
chmod 600 .gnupg/gpg.conf
tail -n +4 /usr/share/gnupg2/gpg-conf.skel > .gnupg/gpg.conf

cd .gnupg
# I removed this line since these are created if a list key is done.
# touch .gnupg/{pub,sec}ring.gpg
gpg --list-keys


# Batch parameter file for unattended key generation.
# %no-protection is the directive that produces a passphrase-less key.
cat >keydetails <<'EOF'
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: XXX
Name-Comment: Admin User
Name-Email: xxx
Expire-Date: 0
%no-ask-passphrase
%no-protection
%pubring pubring.kbx
%secring trustdb.gpg
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
EOF

gpg --verbose --batch --gen-key keydetails

This seems to work for generating a passphrase-less key.

Here is the output of gpg --version:

gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/xxx/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cypher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

It was installed from apt.

OK. That worked as far as creating a key with no passphrase from what I can tell.

gpg --list-keys --fingerprint shows the key.

I then follow the instructions to copy the public and private keys which from the docs (https://help.passbolt.com/hosting/install/ce/from-source.html) say:

$ gpg --armor --export-secret-keys SERVER_KEY@EMAIL.TEST > /var/www/passbolt/config/gpg/serverkey_private.asc
$ gpg --armor --export SERVER_KEY@EMAIL.TEST > /var/www/passbolt/config/gpg/serverkey.asc

When running the first (replacing SERVER_KEY@EMAIL.TEST), I am able to hit enter to denote an empty passphrase but then I get a bad warning:

gpg: key xxx: error receiving key from agent: No passphrase given - skipped
gpg: key yyy: error receiving key from agent: No passphrase given - skipped
gpg: WARNING: nothing exported

So nothing is exported? Hmmm.

Actually, my bad. I just checked since I use Putty on 19 as well… I have a script in that folder just like yours. I ran into the same thing.

Try exporting locally in the same folder, then copy over.

Also, make sure the key is owned by www-data.

Exporting locally in the same folder (without > and then literally copying and pasting the resulting private key/public key into the correct locations) seems to do the trick. I also considered downgrading gpg but that did not look straight forward.

I then updated the config and added the key with:

sudo su -s /bin/bash -c "gpg --home /var/www/.gnupg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data

Unfortunately we’re still not quite there:


     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.11-0ubuntu0.19.10.2.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://192.168.2.210
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
  [HELP] Check that the domain name is correct in config/passbolt.php
  [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
  [HELP] cURL Error (60) SSL certificate problem: self signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 23 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/www/.gnupg.
 [PASS] The directory /var/www/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server gpg key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [FAIL] The private key cannot be used to decrypt and verify a message
 [FAIL] The public key cannot be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (2.12.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

  5 error(s) found. Hang in there!

This is progress however I’m worried about these:

 [FAIL] The private key cannot be used to decrypt and verify a message
 [FAIL] The public key cannot be used to verify a signature.

I’ve re-run the installation with --force to force it to reinstall things:

:/var/www/passbolt$ sudo su -s /bin/bash -c "./bin/cake passbolt install --force" www-data

I get:

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------

Running baseline checks, please wait...
Critical healthchecks are OK

Cleaning up existing tables if any.
---------------------------------------------------------------
Dropping table action_logs
Dropping table actions
Dropping table authentication_tokens
Dropping table comments
Dropping table email_queue
Dropping table entities_history
Dropping table favorites
Dropping table file_storage
Dropping table gpgkeys
Dropping table groups
Exception: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'groups' at line 1 in [/var/www/passbolt/vendor/cakephp/cakephp/src/Database/Statement/MysqlStatement.php, line 38]

So, yes, I’m stuck at this point and help would be greatly appreciated :wink:

OK, there are a couple of issues now.

The issue with the “groups” error you last mentioned is because MySQL 8.x uses “GROUPS” as a reserved word. Here is a discussion about what to do: https://github.com/passbolt/passbolt_api/issues/325

The commands for keys need to run via the webserver user. (It appears from above you are running as root? Or a basic user?)

I was also going through Putty, and was using Nginx (with www-data user). I created a home directory for www-data. My script was owned by www-data first, and then I ran the script but the contents were only this:

keydetails file contents:
%echo Generating a basic OpenPGP key
Key-Type: default
Subkey-Type: default
Name-Real: {my key name was here}
Name-Email: {my email address was here}
Expire-Date: 0
%no-ask-passphrase
%no-protection
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done

sudo su -s /bin/bash -c "gpg --verbose --batch --gen-key keydetails" www-data

That put the key in the webserver keyring. Then, whatever commands I needed to run on that key in the keyring, I used this:

sudo su -s /bin/bash -c "gpg --batch --no-tty --homedir /home/www-data --yes --{gpg command here} {fingerprint here}" www-data

The --no-tty was needed for reasons you already have discovered.

Exporting would be something like:

sudo su -s /bin/bash -c "gpg --batch --no-tty --homedir /home/www-data --yes --armor --export-secret-keys {fingerprint, or email}" www-data

and it will export to current folder. Rename, and copy it where you need it.

If this doesn’t work, I’m thinking it just needs to be tweaked. I’m working off of notes I used across two projects…one was Passbolt, and the other used keys as well (same server, incidentally).
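The key-generation workaround posted earlier in the thread and the www-data procedure in the reply above come down to the same thing: a batch-generated key with no passphrase that ends up in the webserver user's keyring and can sign and decrypt without ever reaching a pinentry. The script below is an added example (mine, not code from the thread or from the Passbolt project) that runs that procedure end to end in throwaway directories: it generates an unprotected key in batch mode, exports it under the file names Passbolt expects, imports it into a second GNUPGHOME standing in for /var/www/.gnupg, and then performs the same sign/verify and encrypt/decrypt round trips the healthcheck's GPG section reports on. The e-mail address, key name and directory names are assumptions for the demo; `--pinentry-mode error` is what makes the script a real check, since any step that would need a passphrase fails instead of silently waiting on a terminal.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the Passbolt project): generate a
# passphrase-less OpenPGP key in batch mode, export it under the file names
# Passbolt expects, import it into a separate GNUPGHOME standing in for the
# webserver user's /var/www/.gnupg, and run the sign/verify and
# encrypt/decrypt round trips the healthcheck performs. The key name, the
# e-mail address and the directories are demo assumptions.
set -eu

SERVER_UID="serverkey@example.test"   # assumed server key e-mail (demo value)

# gpg wrapper: $1 is the GNUPGHOME, the rest are gpg arguments. --batch and
# --no-tty stop gpg from talking to a terminal; --pinentry-mode error turns any
# passphrase request into a hard failure, which is the property we want to
# prove, because php-gnupg cannot answer a passphrase prompt either.
g() {
  local home="$1"; shift
  GNUPGHOME="$home" gpg --batch --no-tty --quiet --pinentry-mode error "$@"
}

# Primary-key fingerprint of the server key in GNUPGHOME $1 (this is what the
# healthcheck compares against the fingerprint in config/passbolt.php).
fingerprint_of() {
  g "$1" --with-colons --list-keys "$SERVER_UID" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Generate an unprotected RSA key pair in GNUPGHOME $1. %no-protection is the
# directive that removes the passphrase. 2048 bits mirrors the thread and is
# the floor; a key this costly to rotate (every user must recover their
# account) is worth 4096.
gen_server_key() {
  local home="$1"
  cat > "$home/keydetails" <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Passbolt Server Key
Name-Email: $SERVER_UID
Expire-Date: 0
%no-protection
%commit
EOF
  g "$home" --gen-key "$home/keydetails"
  rm -f "$home/keydetails"
  fingerprint_of "$home"
}

# Export both halves from the same shell that owns the keyring. An unprotected
# key exports without any pinentry, so if this fails with "No passphrase
# given" the key in $1 is still protected or the agent cannot reach a pinentry.
export_server_key() {
  local home="$1" outdir="$2"
  g "$home" --armor --export-secret-keys "$SERVER_UID" > "$outdir/serverkey_private.asc"
  g "$home" --armor --export "$SERVER_UID" > "$outdir/serverkey.asc"
  chmod 600 "$outdir/serverkey_private.asc"
  [ -s "$outdir/serverkey_private.asc" ]   # "WARNING: nothing exported" leaves an empty file
}

# Import the private key into the keyring the web server will use ($1) and run
# the same checks as the healthcheck's GPG section on message $3.
check_webserver_keyring() {
  local home="$1" privkey="$2" msg="$3" fpr plain
  g "$home" --import "$privkey"
  fpr=$(fingerprint_of "$home")

  # sign with the private key, verify with the public key
  printf '%s' "$msg" | g "$home" --local-user "$fpr" --armor --sign > "$home/signed.asc"
  g "$home" --verify "$home/signed.asc"

  # encrypt and sign, then decrypt and verify. An imported key has unknown
  # ownertrust and batch-mode gpg refuses to encrypt to it; --trust-model
  # always is acceptable only because this is our own throwaway keyring.
  printf '%s' "$msg" | g "$home" --trust-model always --recipient "$fpr" \
      --local-user "$fpr" --armor --sign --encrypt > "$home/encrypted.asc"
  plain=$(g "$home" --decrypt "$home/encrypted.asc")
  [ "$plain" = "$msg" ]
}

# Full round trip in throwaway directories. Prints the fingerprint on success;
# on failure set -e aborts and leaves the work directory behind for inspection.
run_demo() {
  local work admin_home www_home fpr
  work=$(mktemp -d /tmp/pbkey.XXXXXX)
  admin_home="$work/admin-gnupg"   # where the admin generates the key
  www_home="$work/www-gnupg"       # stands in for the webserver user's /var/www/.gnupg
  mkdir -m 0700 "$admin_home" "$www_home"

  fpr=$(gen_server_key "$admin_home")
  export_server_key "$admin_home" "$work"
  check_webserver_keyring "$www_home" "$work/serverkey_private.asc" "healthcheck probe"
  [ "$(fingerprint_of "$www_home")" = "$fpr" ]   # same key on both sides

  GNUPGHOME="$admin_home" gpgconf --kill gpg-agent
  GNUPGHOME="$www_home" gpgconf --kill gpg-agent
  rm -rf "$work"
  printf '%s\n' "$fpr"
}

# Stand-alone use: prints the server key fingerprint when every check passes.
if command -v gpg >/dev/null 2>&1; then
  run_demo
else
  echo "gpg not installed; nothing to check" >&2
fi
```

To check a real installation rather than the throwaway keyring, run the same three gpg steps that `check_webserver_keyring` performs against the webserver user's keyring, i.e. via `sudo su -s /bin/bash -c "..." www-data` with `GNUPGHOME=/var/www/.gnupg`, as the reply above does. If signing or decrypting fails there with a passphrase error, the key in that keyring is still protected and needs to be regenerated with `%no-protection`; if it only fails when invoked through the web server, the difference is almost always the user or GNUPGHOME the PHP process runs with.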
