Cannot import key from old server after migration

Checklist
[x ] I have read intro post: About the Installation Issues category
[x ] I have read the tutorials, help and searched for similar issues
[ x] I provide relevant information about my server (component names and versions, etc.)
[ x] I provide a copy of my logs and healthcheck
[ x] I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

I am trying to migrate to a new Redhat 8 Passbolt server. I have followed the migration document:

And I did not initialize before doing the migration steps as recommended in this article:

When I try to login to the new server, it generates the email with the link to recover my account, but when I enter my private key, after searching for several minutes it comes back with the error

“This key does not match any account.”

I have verified the private key several times, by exporting it from the old server, I have also compared
the tables in both the old and new databases, and they match.

Note that all of the keys from our old server are 2048, and the new version defaults to 3076. Could this be part of the problem?

[root@8254c19d730d4e8 passbolt]# sudo -H -u nginx /bin/bash -c “/usr/share/php/passbolt/bin/cake passbolt healthcheck”

 ____                  __          ____
/ __ \____  _____ ____/ /_  ____  / / /_

/ // / __ `/ / / __ / __ / / _/
/ / // ( | ) // / // / / /
// _,///./_//__/

Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 8.1.23.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://10.182.157.99
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[WARN] SSL peer certificate does not validate
[WARN] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check Passbolt Help | Troubleshoot SSL
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate

Database

[PASS] The application is able to connect to the database
[PASS] 32 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (4.2.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[WARN] The deprecated self registration public setting was found in /etc/passbolt/passbolt.php.
[HELP] You may remove the “passbolt.registration.public” setting.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

SMTP Settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

[PASS] No error found. Nice one sparky!

The error.log file has this for each failed attempt:

2023-09-12 20:20:34 error: [Cake\Http\Exception\InternalErrorException] The authentication failed. in /usr/share/php/passbolt/src/Controller/Auth/AuthLoginController.php on line 90
Request URL: /auth/verify.json?api-version=v2
Client IP: 138.35.8.42
2023-09-12 20:20:34 error: The authentication failed.
2023-09-12 20:20:34 error: #0 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Controller/Controller.php(547): App\Controller\Auth\AuthLoginController->loginPost()
#1 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Controller/ControllerFactory.php(139): Cake\Controller\Controller->invokeAction()
#2 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Controller/ControllerFactory.php(114): Cake\Controller\ControllerFactory->handle()
#3 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/BaseApplication.php(320): Cake\Controller\ControllerFactory->invoke()
#4 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(86): Cake\Http\BaseApplication->handle()
#5 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/SecurityHeadersMiddleware.php(255): Cake\Http\Runner->handle()
#6 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Http\Middleware\SecurityHeadersMiddleware->process()
#7 /usr/share/php/passbolt/src/Middleware/HttpProxyMiddleware.php(50): Cake\Http\Runner->handle()
#8 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\HttpProxyMiddleware->process()
#9 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php(138): Cake\Http\Runner->handle()
#10 /usr/share/php/passbolt/src/Middleware/CsrfProtectionMiddleware.php(39): Cake\Http\Middleware\CsrfProtectionMiddleware->process()
#11 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\CsrfProtectionMiddleware->process()
#12 /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtCsrfDetectionMiddleware.php(55): Cake\Http\Runner->handle()
#13 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\JwtAuthentication\Middleware\JwtCsrfDetectionMiddleware->process()
#14 /usr/share/php/passbolt/src/Middleware/GpgAuthHeadersMiddleware.php(40): Cake\Http\Runner->handle()
#15 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\GpgAuthHeadersMiddleware->process()
#16 /usr/share/php/passbolt/plugins/PassboltCe/Locale/src/Middleware/LocaleMiddleware.php(47): Cake\Http\Runner->handle()
#17 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\Locale\Middleware\LocaleMiddleware->process()
#18 /usr/share/php/passbolt/plugins/PassboltCe/MultiFactorAuthentication/src/Middleware/InjectMfaFormMiddleware.php(67): Cake\Http\Runner->handle()
#19 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\MultiFactorAuthentication\Middleware\InjectMfaFormMiddleware->process()
#20 /usr/share/php/passbolt/plugins/PassboltCe/MultiFactorAuthentication/src/Middleware/MfaRequiredCheckMiddleware.php(82): Cake\Http\Runner->handle()
#21 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\MultiFactorAuthentication\Middleware\MfaRequiredCheckMiddleware->process()
#22 /usr/share/php/passbolt/vendor/cakephp/authentication/src/Middleware/AuthenticationMiddleware.php(124): Cake\Http\Runner->handle()
#23 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Authentication\Middleware\AuthenticationMiddleware->process()
#24 /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtDestroySessionMiddleware.php(43): Cake\Http\Runner->handle()
#25 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\JwtAuthentication\Middleware\JwtDestroySessionMiddleware->process()
#26 /usr/share/php/passbolt/src/Middleware/SessionAuthPreventDeletedUsersMiddleware.php(46): Cake\Http\Runner->handle()
#27 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\SessionAuthPreventDeletedUsersMiddleware->process()
#28 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/BodyParserMiddleware.php(162): Cake\Http\Runner->handle()
#29 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Http\Middleware\BodyParserMiddleware->process()
#30 /usr/share/php/passbolt/src/Middleware/SessionPreventExtensionMiddleware.php(66): Cake\Http\Runner->handle()
#31 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\SessionPreventExtensionMiddleware->process()
#32 /usr/share/php/passbolt/src/Middleware/ApiVersionMiddleware.php(46): Cake\Http\Runner->handle()
#33 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\ApiVersionMiddleware->process()
#34 /usr/share/php/passbolt/src/Middleware/UuidParserMiddleware.php(52): Cake\Http\Runner->handle()
#35 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\UuidParserMiddleware->process()
#36 /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtRouteFilterMiddleware.php(47): Cake\Http\Runner->handle()
#37 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\JwtAuthentication\Middleware\JwtRouteFilterMiddleware->process()
#38 /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtAuthDetectionMiddleware.php(58): Cake\Http\Runner->handle()
#39 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\JwtAuthentication\Middleware\JwtAuthDetectionMiddleware->process()
#40 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php(186): Cake\Http\Runner->handle()
#41 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Routing\Middleware\RoutingMiddleware->process()
#42 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware.php(77): Cake\Http\Runner->handle()
#43 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Routing\Middleware\AssetMiddleware->process()
#44 /usr/share/php/passbolt/src/Middleware/SslForceMiddleware.php(52): Cake\Http\Runner->handle()
#45 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\SslForceMiddleware->process()
#46 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Error/Middleware/ErrorHandlerMiddleware.php(131): Cake\Http\Runner->handle()
#47 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Error\Middleware\ErrorHandlerMiddleware->process()
#48 /usr/share/php/passbolt/src/Middleware/ContentSecurityPolicyMiddleware.php(39): Cake\Http\Runner->handle()
#49 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\ContentSecurityPolicyMiddleware->process()
#50 /usr/share/php/passbolt/src/Middleware/ContainerInjectorMiddleware.php(54): Cake\Http\Runner->handle()
#51 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\ContainerInjectorMiddleware->process()
#52 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(67): Cake\Http\Runner->handle()
#53 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Server.php(90): Cake\Http\Runner->run()
#54 /usr/share/php/passbolt/webroot/index.php(40): Cake\Http\Server->run()
#55 {main}

Has anyone successfully migrated a Passbolt instance from version 3.6.0 running on CentOS 7 to version 4.2.0 running on RedHat 8?

I don’t want to start over with a brand new server and user keys, and then have to enter all of the passwords manually, but it is beginning to look like that might be my only option.

There seems to be a problem with Passbolt version 4.2.0 on RedHat 8 with recovering accounts.

I initially saw this issue after migrating from version 3.6.0 to version 4.2.0, using the Firefox browser.

I have now tried doing a brand new (no migration) install of 4.2.0 on RedHat 8, letting it generate new keys (in Firefox). I then tried to access Passbolt using Edge, and when I tried using the newly generated private key, I get the same error message, that the key does not match any account.

Can someone please look into this and let me know how to successfully recover an account in Passbolt 4.2.0 running on RedHat 8?

I need to get off of the CentOS server as quickly as possible, so I need a solution that works on RedHat 8.

I did successfully login to the new server after the cold install, and even added one password.
I also made sure to backup both my private and public keys.

I then made the mistake of logging in to the old server, using a new Firefox window. After going through the steps to recover my account on the old server it disconnected me from the new server.

I then opened up Edge and tried to recover my account on the new server. After entering my email, the recovery email was never sent.

I verified the email configuration using the following command:
sudo -H -u nginx bash -c “/usr/share/php/passbolt/bin/cake passbolt send_test_email --recipient=douglas.fisher@dxc.com”

That test worked and I received the test email.

I then used the following the following command to manually generate the recovery URL:
su -s /bin/bash -c “/usr/share/php/passbolt/bin/cake passbolt recover_user -c -u douglas.fisher@dxc.com” nginx

Using the above URL I get to the screen where I enter the private key, and I browse to the passbolt-recovery-kit.asc file that was saved when I created the account. I then get the error:

image449×556 25.4 KB

I have verified that the key is in the keyring:

gpg --list-keys --home=/var/lib/passbolt/.gnupg

gpg: WARNING: unsafe ownership on homedir ‘/var/lib/passbolt/.gnupg’
/var/lib/passbolt/.gnupg/pubring.kbx

pub rsa3072 2023-09-20 [SC]
326B8F6C917AD9DE02D68A9B56059FAD80750696
uid [ unknown] 10.182.157.99 (Passbolt) no-reply@dxc.com
sub rsa3072 2023-09-20 [E]

pub rsa3072 2023-09-20 [SC]
385D77877DD5BCF3C84105987477C7FB3819D346
uid [ unknown] Doug Fisher douglas.fisher@dxc.com
sub rsa3072 2023-09-20 [E]

I met with Max and Clayton from the Passbolt development team, and running the following commands as root on the server fixed the problem, for both a new PB install and migrating from an existing server:

setsebool -P httpd_use_gpg=on
setsebool -P gpg_web_anon_write=on
semanage permissive -a gpg_web_t

Thanks to their help, my new server is now working.