After update: "Could not retrieve server key. Please contact administrator."

Hello,
I kind of inherited a passbolt installation, which was recently upgraded. The Firefox plugin cannot be used for account recovery because of:
"Could not retrieve server key. Please contact administrator."
The Apache logfile shows:
"GET /auth/verify.json?api-version=v1 HTTP/1.1" 500 720 "-"

What bothers me is that healthcheck does not return anything:
su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt healthcheck --verbose" www-data

Open source password manager for teams

Healthcheck shell…root@passbolt

Migrate works, but install does not seem to?

su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt migrate --backup" www-data

Open source password manager for teams

Saving backup file: /var/www/passbolt/tmp/cache/database/backup_1528786078.sql
mysqldump: [Warning] Using a password on the command line interface can be insecure.
Success: the database was saved on file!

Running migration scripts.

using migration paths

  • /var/www/passbolt/config/Migrations
    using seed paths
  • /var/www/passbolt/config/Seeds
    using environment default
    using adapter mysql
    using database passbolt

All Done. Took 0.0618s
using migration paths

  • /var/www/passbolt/config/Migrations
    using seed paths

  • /var/www/passbolt/config/Seeds
    Writing dump file /var/www/passbolt/config/Migrations/schema-dump-default.lock
    Dump file /var/www/passbolt/config/Migrations/schema-dump-default.lock was successfully written
root@passbolt:/var/log/apache2# su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt install --verbose" www-data



Open source password manager for teams

Running baseline checks, please wait…
root@passbolt

I also had this in my syslog:
passbolt kernel: [1646405.578019] php[14206]: segfault at 12 ip 00007f303c8c97dc sp 00007ffc9ff4ffb0 error 4 in gnupg.so[7f303c8c2000+a000]

So, on my system there is some gnupg process:
gpg-agent --homedir /var/www/.gnupg --use-standard-socket --daemon
Why wouldn't it use this?

I configured within default.php and passbolt.php:
'keyring' => '/home/www-data/.gnupg',
This is where the key resides, owned by user www-data of the webserver process.

strace only shows that apache2 wants to read:
access("/var/www/passbolt/config/gpg", F_OK) = 0
stat("/var/www/passbolt/config/gpg", {st_mode=S_IFDIR|0775, st_size=4096, …}) = 0
stat("/var/www/passbolt/config/gpg/serverkey.asc", 0x7ffe60c49a30) = -1 ENOENT (No such file or directory)
access("/var/www/passbolt/config/gpg/serverkey.asc", F_OK) = -1 ENOENT (No such file or directory)

Not a single call to that .gnupg keyring; I am a bit lost.

Thanks for your time.

Hi @uschellh, there seems to be a critical issue with php-gnupg module. I’m not sure how you installed it (it depends on the operating system), but I’d recommend reinstalling it. Maybe your kernel was updated and php-gnupg was compiled with the old headers.

Hello remy,

Thanks, I guess that is not the issue. I reinstalled the php-gnupg module and rebooted; the strace from the Apache child of the very first Firefox plugin visit was still without any call to .gnupg. Then I exported the keys from the keyring and put them into the folder where strace showed them to be searched for. It works now. But for reference: which config setting should I have set so that the system tries to use the keyring?

I’m not sure I understand your question. Are you asking how to check if the system can access the keyring?
The authentication uses the keyring, so that’s a way of finding out if it works. The healthcheck also performs pretty much all OpenPGP operations passbolt might need.

No, I wanted to make sure my installation is set up to access the .gnupg folder (and the keyring which is inside?).
Those files are for the www-data user, it can access them. However, a strace with "follow child processes" shows it is simply not trying to access anything ".gnupg". Maybe I would have to search for the socket of this process:
gpg-agent --homedir /var/www/.gnupg --use-standard-socket --daemon
and would find it then? I don't know.

I put this content into default.php and passbolt.php under the gpg section, removing anything which could conflict:
'keyring' => '/home/www-data/.gnupg',

But I would guess it does not use this, hence my question where to put it.

Oh damn, I guess it's the wrong path, let me check (but why wouldn't strace show an access attempt then?).

You also need the putenv configuration variable to be set, otherwise it will default to using the existing value of GNUPGHOME environment variable (or the gnupg default if this variable is not set). See in bootstrap.php

if (Configure::read('passbolt.gpg.putenv')) {
    putenv('GNUPGHOME=' . Configure::read('passbolt.gpg.keyring'));
}
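
The resolution order described in the reply above, as an added shell sketch that is not passbolt's code or part of the original posts: it works out which GnuPG home the PHP process would end up with and compares it with the `--homedir` of the running gpg-agent. All function names are hypothetical, the sample values are taken from the thread, and `/var/www` as the home directory of www-data is an assumption.

```shell
# Added example (not passbolt code). All function names are hypothetical.

# Resolve the GnuPG home PHP ends up with, per the bootstrap.php snippet:
# putenv + keyring win, else an inherited GNUPGHOME, else ~/.gnupg.
effective_gnupghome() {   # args: putenv keyring env_GNUPGHOME user_home
    if [ "$1" = "true" ] && [ -n "$2" ]; then
        printf '%s\n' "$2"
    elif [ -n "$3" ]; then
        printf '%s\n' "$3"
    else
        printf '%s\n' "$4/.gnupg"
    fi
}

# Pull the --homedir value out of a gpg-agent command line (as seen in ps).
agent_homedir() {
    set -f; set -- $1; set +f      # split on whitespace without globbing
    while [ $# -gt 0 ]; do
        case $1 in
            --homedir)   printf '%s\n' "$2"; return 0 ;;
            --homedir=*) printf '%s\n' "${1#--homedir=}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Classify a keyring directory for the user running this script.
check_keyring() {
    [ -d "$1" ] || { echo missing; return 1; }
    [ -r "$1" ] && [ -w "$1" ] && [ -x "$1" ] || { echo no-access; return 1; }
    [ -e "$1/pubring.kbx" ] || [ -e "$1/pubring.gpg" ] || { echo empty; return 1; }
    echo ok
}

# Compare what PHP would use with what the running agent serves.
diagnose() {   # args: putenv keyring env_GNUPGHOME user_home agent_cmdline
    php_home=$(effective_gnupghome "$1" "$2" "$3" "$4")
    agent_home=$(agent_homedir "$5") || agent_home=unknown
    if [ "$php_home" = "$agent_home" ]; then
        echo "match $php_home"
    else
        echo "mismatch php=$php_home agent=$agent_home"
    fi
}
# Values from the thread; /var/www as www-data's home is an assumption.
AGENT='gpg-agent --homedir /var/www/.gnupg --use-standard-socket --daemon'
diagnose true  /home/www-data/.gnupg '' /var/www "$AGENT"
diagnose false /home/www-data/.gnupg '' /var/www "$AGENT"
```

Run `check_keyring` as the web server user (for example via `su -s /bin/bash ... www-data`, as in the commands earlier in the thread) so the access tests reflect that account rather than root.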

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.