After Upgrade on new Server Private Key not valid

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

Hello,

we tried to upgrade Passbolt from version 2.4.1 to the latest version on a new server running Ubuntu 22.04.2.

We followed this guide: Passbolt Help | Migrate an existing Passbolt CE to a new Ubuntu server

However we get an error when importing the old serverkey:

fabian@passbolt:~$ sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import --verbose --pinentry-mode loopback /etc/passbolt/gpg/serverkey_private.asc" www-data
gpg: sec  rsa2048/F47BC46B7421040D 2020-07-13  Fabian (nope) <fabian.schaefer@iris-sport.de>
gpg: key F47BC46B7421040D: "Fabian (nope) <fabian.schaefer@iris-sport.de>" not changed
gpg: key F47BC46B7421040D/F47BC46B7421040D: error sending to agent: Permission denied
gpg: error building skey array: Permission denied
gpg: error reading '/etc/passbolt/gpg/serverkey_private.asc': Permission denied
gpg: import from '/etc/passbolt/gpg/serverkey_private.asc' failed: Permission denied
gpg: Total number processed: 0
gpg:              unchanged: 1
gpg:       secret keys read: 1

The permissions are all as they should be according to the guide.

Healthcheck:

GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
 [HELP] Import the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
 [PASS] There is a valid email id defined for the server key.

So now I don’t know what we could do…

Hello @Fabian and Welcome to the forum.

I took a look at the error and found something on the Internet. It could be the GPG command that needs an extra parameter since a newer version of GNUPG2.

Maybe you can try this instead:

 sudo su -s /bin/bash -c "gpg --batch --home /var/lib/passbolt/.gnupg --import --verbose --pinentry-mode loopback /etc/passbolt/gpg/serverkey_private.asc" www-data

Basically, it’s the same command as before with the extra parameter --batch. If it works it means we need to update the help page to reflect that change.

Hello, thanks for this advice, but still the same error.

Hi,
Can you check the permission and ownership of the keyring and the two keys inside the second folder, please?

Thanks!

Yeah sure,

[image attached: listing of the keyring's permissions and ownership]

Can you do a

 chown www-data:www-data /var/lib/passbolt/.gnupg/*

and try again, please?

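The thread comes down to three things: confirming that /var/lib/passbolt/.gnupg and everything inside it belongs to www-data, repairing it if not, and only then re-running the import as www-data. The script below is an added example for this thread; it is not Passbolt's own tooling and was not posted by any participant. The function names are invented for the example, the mode policy (700 on directories, 600 on regular files) is the example's own assumption (gpg prints a "WARNING: unsafe permissions on homedir" when its home directory is accessible to other users), and the import uses the full `--homedir` spelling of the `--home` abbreviation used in the thread. It also tests whether the key file is readable as www-data, because the gpg output above reports "Permission denied" both when talking to the agent and when reading /etc/passbolt/gpg/serverkey_private.asc, and a healthcheck run as root would not notice the latter.

```shell
#!/bin/sh
# Added example for this thread (not Passbolt tooling): audit, repair and then
# use a GnuPG home directory as the web server user.
# Assumptions: GNU/Linux with find(1) supporting -user and -perm, gpg 2.x, and
# that repairs and the import are run as root. Directory mode 700 / file mode
# 600 is this example's policy, not something Passbolt mandates.

# check_gnupg_perms HOMEDIR OWNER
# Lists every path in HOMEDIR that is not owned by OWNER, every directory whose
# mode is not 700 and every regular file whose mode is not 600.
# Returns 0 when nothing is wrong, 1 otherwise. gpg-agent sockets are skipped
# because the agent recreates them itself when it starts.
check_gnupg_perms() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "missing GnuPG home directory: $dir" >&2; return 1; }
    problems=$( {
        find "$dir" ! -type s ! -user "$owner" -print | sed 's/^/wrong owner:   /'
        find "$dir" -type d ! -perm 700 -print        | sed 's/^/dir not 0700:  /'
        find "$dir" -type f ! -perm 600 -print        | sed 's/^/file not 0600: /'
    } )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# fix_gnupg_perms HOMEDIR OWNER GROUP
# Recursive form of the thread's "chown www-data:www-data .../.gnupg/*":
# a non-recursive chown leaves the contents of private-keys-v1.d/ untouched.
fix_gnupg_perms() {
    dir=$1
    owner=$2
    group=$3
    chown -R "$owner:$group" "$dir"
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# key_readable_by KEYFILE USER
# gpg runs as USER, so test readability of the key file as USER, not as root.
key_readable_by() {
    su -s /bin/sh -c "test -r '$1'" "$2"
}

# import_server_key HOMEDIR KEYFILE USER
# Runs the healthcheck's suggested import only once the prerequisites hold.
# --batch and a loopback pinentry keep an unattended run from blocking on a
# passphrase prompt.
import_server_key() {
    check_gnupg_perms "$1" "$3" || return 1
    key_readable_by "$2" "$3" || { echo "$2 is not readable by user $3" >&2; return 1; }
    su -s /bin/sh -c "gpg --batch --homedir '$1' --pinentry-mode loopback --import '$2'" "$3"
}

# Typical invocation on the server, as root:
#   fix_gnupg_perms /var/lib/passbolt/.gnupg www-data www-data
#   import_server_key /var/lib/passbolt/.gnupg /etc/passbolt/gpg/serverkey_private.asc www-data
```

Run the audit first and read its output: a single file inside private-keys-v1.d/ owned by root, or a key file that www-data cannot read, is enough to produce the "Permission denied" lines shown in the first post, and the audit names the offending path instead of leaving you to guess.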