After migrate server, I get "Sorry, the server key has changed"

Installation Issues
1

Hi, after migrate passbolt from server, I get the message
“Sorry, the server key has changed”**
or security reasons please check with your administrator that this is a change that they initiated. The new fingerprint:

B491 1E08 F425 C154 6A4F
7FE1 BC44 2522 8651 XXXX

I accept the fingerprint, login and it works, but when I enter again get the same message,
The main problem is can’t configure a new browser because the server don’t accept my passbolt_private.asc and every time I login on a browser preconfigured I’ve to accept the message.

I’ve imported the serverkey_private.asc from the old server and putted /etc/passbolt/gpg/serverkey_private.asc

The command import and result:

**sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data**
gpg: WARNING: unsafe permissions on homedir '/var/lib/passbolt/.gnupg'
gpg: key BC4425228651XXXX: "xxxxx <xxxxx@xxxx.cat>" not changed
gpg: key BC4425228651XXXX: secret key imported
gpg: Nombre total processat: 1
gpg:           no modificades: 1
gpg:  claus privades llegides: 1
gpg: claus privades no canviades: 1

I’ve check the key and is seems be ok:

gpg: WARNING: unsafe permissions on homedir '/var/lib/passbolt/.gnupg'
/var/lib/passbolt/.gnupg/pubring.kbx
------------------------------------
sec   rsa2048 2018-08-27 [SC]
      B491 1E08 F425 C154 6A4F  7FE1 BC44 2522 8651 XXXX
uid           [ unknown] xxxxx <xxxxx@xxxx.cat>
ssb   rsa2048 2018-08-27 [E]

In my /etc/passbolt/passbolt.php

          'fingerprint' => 'B4911E08F425C1546A4F7FE1BC4425228651XXXX',
           'public'=>'/etc/passbolt/gpg/serverkey.asc',
           'private'=>'/etc/passbolt/gpg/serverkey_private.asc',

Seems to be the private key is not correct but I’ve checked the common configurations without exit. What is wrong?

Thanks



     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell........Warning Error: file_get_contents(/etc/passbolt/jwt/jwt.pem): failed to open stream: No such file or directory
In [/usr/share/php/passbolt/plugins/Passbolt/JwtAuthentication/src/Service/AccessToken/JwtKeyPairService.php, line 110]

2021-11-09 14:03:07 Warning: Warning (2): file_get_contents(/etc/passbolt/jwt/jwt.pem): failed to open stream: No such file or directory in [/usr/share/php/passbolt/plugins/Passbolt/JwtAuthentication/src/Service/AccessToken/JwtKeyPairService.php, line 110]
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.25.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://pass.olot.cat
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (3.3.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [WARN] The JWT Authentication plugin is disabled
 [HELP] Set the environment variable PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED to true

 [PASS] No error found. Nice one sparky

Checklist
[ ] I have read intro post: About the Installation Issues category
[ ] I have read the tutorials, help and searched for similar issues
[ ] I provide relevant information about my server (component names and versions, etc.)
[ ] I provide a copy of my logs and healthcheck
[ ] I describe the steps I have taken to trouble shoot the problem
[ ] I describe the steps on how to reproduce the issue

2

Hi @Will :wave:

When you say:

You are trying to configure Passbolt on another server, but trying to use passbolt_private.asc GPG key of the server to perform your account recovery ? You have to use your personal GPG key.

But maybe I missed something ? Your settings looks good. :thinking:

3

I use my personal GPG key downloaded from another and configured browser. I loign and download the private key from Firefox, but when I try to configure chrome, put the private key and show error.

The message “Sorry, the server key has changed” appears always on the home. I accept the message, succesful login (firefox), use passbolt fine and logoff. When I turn to login, the message reappears.
I’ve 4 users and the message appears on all users.
How can accept the “new” private key server?

4

Hi,

Can you check if your server clock is well synchronized ? You can compare with https://time.is/

Best regards,

5

I’ve checked and the server clock is syncronitzed.
date
14:26:45 CET

6

Hum, it is weird :confused:

Can you check also if your local PC is well time-synchronized ?
Clear cache / cookies ?
Did you try to uninstall / reinstall the Passbolt extension ?
Which Chrome browser version are you using ?
You can also try with a new fresh chrome or firefox profile.

Can you also check if your Passbolt server has enough entropy ?

cat /proc/sys/kernel/random/entropy_avail

Mine has 2205.

7

It’s very strange. I’ve installed firefox 94 and chrome 95 on a clean PC with the same result. If I tried to recovery my account, says “This key does not match any account.” when I upload passbolt-recovery-kit.asc or passbolt_private.asc downloaded from another computer with Firefox pre configured.
The problem is I cannot recovery a account on a new computer and " Sorry, the server key has changed." message on a working browser.
My entropy is:

2230

What logs can I check?
cat /var/log/nginx/passbolt-access.log seems to be ok. all logs are http 200

Thanks all!!!

8

This is not expected. Are you sure you restored your full DB from your old server ? You can check this with this SQL request (replace admin@domain.tld with email of your user):

SELECT u.username, g.armored_key from users u INNER JOIN gpgkeys g ON u.id = g.user_id WHERE u.username = "admin@domain.tld" \G;

It should output your public GPG key.

Can you also give us the output of this command (here is mine):

$ sudo ls -alh /var/lib/passbolt/.gnupg/
total 40K
drwx------ 4 www-data www-data 4.0K Nov 11 01:07 .
drwxr-xr-x 4 www-data www-data 4.0K Nov 11 00:19 ..
srwx------ 1 www-data www-data    0 Nov 11 01:07 S.gpg-agent
srwx------ 1 www-data www-data    0 Nov 11 00:19 S.gpg-agent.browser
srwx------ 1 www-data www-data    0 Nov 11 00:19 S.gpg-agent.extra
srwx------ 1 www-data www-data    0 Nov 11 00:19 S.gpg-agent.ssh
drwx------ 2 www-data www-data 4.0K Nov 11 00:19 openpgp-revocs.d
drwx------ 2 www-data www-data 4.0K Nov 11 00:19 private-keys-v1.d
-rw-r--r-- 1 www-data www-data 6.7K Nov 11 01:07 pubring.kbx
-rw-r--r-- 1 www-data www-data 5.3K Nov 11 00:20 pubring.kbx~
-rw------- 1 www-data www-data  600 Nov 11 00:38 random_seed
-rw------- 1 www-data www-data 1.3K Nov 11 00:19 trustdb.gpg

Finally, can you try to import your private key in the Passbolt GPG keyring ?

sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /path/to/your/passbolt-recovery-kit.txt" www-data
9

Yes, I’ve imported a SQL dump from the old server. The SELECT comand return my public key, that is the same that shows on my passbolt user area (on firefox preconfigured).

[11:47]root@AJPASS(1):~# ls -alh /var/www/.gnupg
total 92K
drwxr-xr-x 3 www-data www-data 4,0K 11 nov. 11:46 .
drwxr-xr-x 5 root     root     4,0K 10 nov. 14:50 ..
drwxr-x--- 2 www-data www-data 4,0K 10 nov. 14:50 private-keys-v1.d
-rw-r--r-- 1 www-data www-data  12K 25 març  2021 pubring.kbx
-rw-r--r-- 1 www-data www-data 9,8K 27 ag.  2020 pubring.kbx~
-rw-r--r-- 1 www-data www-data  600 11 nov. 11:38 random_seed
srwx------ 1 www-data www-data    0 10 nov. 15:03 S.gpg-agent
srwx------ 1 www-data www-data    0 10 nov. 15:03 S.gpg-agent.browser
srwx------ 1 www-data www-data    0 10 nov. 15:03 S.gpg-agent.extra
srwx------ 1 www-data www-data    0 10 nov. 15:03 S.gpg-agent.ssh
-rw-r--r-- 1 www-data www-data  48K 27 ag.  2020 tofu.db
-rw-r--r-- 1 www-data www-data 1,2K 27 ag.  2018 trustdb.gpg

I’ve imported many times the private keys from serverkey_private.asc, but I’don’t know what’s
passbolt-recovery-kit.txt
What’s this file?

10

When you setup Passbolt and when you create your account, a GPG keypair is generated, and you are prompted to backup your private key and store it in a safe place. passbolt-recovery-kit is the private key of your account.

Why did you gave me the output of /var/www/.gnupg ?

In the healthcheck output in your first post, it is written Passbolt GPG home is /var/lib/passbolt/.gnupg:

And in the commands you provided to import your gpg key, you are also using /var/lib/passbolt/.gnupg:

Is there something in /var/www/passbolt ?
How did you process to migrate your server ? Did you migrate from the installation from source to the package installation ? Which documentation did you followed ?

11

Sorry, but finallyI I do a fresh install and imported the passwords. I needed to solve it and I had to opt for the most practical solution.