Cannot recover user due to 'Key doesn't match any account' after server move

In an attempt to move a Passbolt installation to a different server I performed these steps:

  • Perform backup of database on old server using cake passbolt mysql_export --file backup.sql
  • Install passbolt on new server
  • Import database using mysql -u root -p passbolt < backup.sql (tried cake passbolt mysql_import but that didn’t seem to do anything)
  • copy over /usr/share/httpd/.gnupg directory from old to new server
  • changed uid email of server-key on the new server to match the servername of the new server by adding a new uid to the key with correct email, trusting it ultimately and revoking the original uid.
  • exported both public and private key to config/gpg/

healthcheck shows everything is ok

Now navigating to the new server, shows me that the firefox extension is using a different passbolt host and allows me to start the recovery procedure to assign the extension to the new server.
My userid is recognized which proves that it is found in the restored database and I can start the recovery procedure.
But when I try to import my private key, I get the error “This key doesn’t match any account”…
gpg --list-keys contains my public key and gpg --armor --export of my public key on both the old and the new server are identical.
I also tried configuring the extension (using an unconfigured Chrome extension) on the original server and there my private key is accepted without problem, so there is nothing wrong with my private key either.

What am I missing? Why is my private key not accepted?

Can you check the “browser console” in firefox and look for a call to verify.json right before you get this message. That query should be able to tell us what’s wrong from a server perspective.

Also, have you tried removing the extension and installing it again to see if it solves the issue?

Not sure where I should see this call to verify.json. The only thing I see appearing in the Console of Firefox is

uncaught exception: undefined

at the moment I press Next to validate my private key.

When I do this in Chrome with a still uninitialized extension, I see this in the Console:

setup.html:1 Uncaught (in promise) undefined
Promise.then (async)
(anonymous) @ setup.js:285
dispatch @ jquery.js:5183
elemData.handle @ jquery.js:4991

Reinstalling the extension in Firefox will probably not make any difference, as the extension I use in Chrome is just installed and is not yet ‘bound’ to a specific Passbolt installation, but it does give the exact same result.

My bad, I got confused, I thought you meant it was working fine on the new server with unconfigured chrome.

Do you have the same issue when creating a new user on the new server? (you can do that in command line using ./bin/cake passbolt register_user -i).
Are the specs of the new server the same or is it a different OS / webserver / Gnupg version? If so can you give us both specs so that we can try to reproduce the issue.

I tried creating a new user, but Chromium for some reason just plain crashes when the private key has to be saved to disk (tried a few times)…
So I tried using Firefox, which worked for generating the private key, but now I get the error:

Could not verify server key. Unable to encrypt the verify token. Error encrypting message: B is undefined

The server specs:
old server:
Oracle Linux 7.5
Apache 2.4.6
PHP 7.2.5
GPG 2.0.22
SELinux: permissive
Passbolt CE 2.0.7

new server:
CentOS 7.5
Apache 2.4.6
PHP 7.2.11
GPG 2.0.22
SELinux: enforcing (tried with permissive, but that didn’t change the passbolt behavior)
Passbolt CE 2.4.0 (after restore of database a database migration was performed)

@Robinr did you manage to figure this one out?

Yes, I did.
There was a problem with the server certificate as served by apache. The certificate itself was correct, but I configured it to include a wrong chain file (“TERENA SSL CA 3” instead of “TERENA SSL High Assurance CA 3”). I didn’t notice this when surfing to the instance using a browser as both chains are already known to the browser so it validated the certificate alright. However the passbolt extension seems to depend on the chain retrieved from the server, which was a wrong one, and thus it was unable to verify the certificate…
As soon as I replaced the chain file on the server, all started working correctly.
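
The fix above turns on the difference between a browser that already knows both intermediates and a client that relies only on the chain the server sends. As an added example (not from the thread; the certificates are a constructed throwaway hierarchy and all file and function names are hypothetical), this checks a leaf against a chain file the way such a client would:

```shell
# Added example. Every certificate here is a constructed throwaway, not the poster's.

# chain_ok ROOT CHAIN LEAF: true only if LEAF verifies up to ROOT using nothing
# but the intermediates in CHAIN, i.e. what a client with no cached
# intermediates has to work with.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# issuer_in_chain CHAIN LEAF: quick look before verifying. Is the leaf's issuer
# DN the subject of the first certificate in CHAIN?
issuer_in_chain() {
  local want have
  want=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer= *//')
  have=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# new_csr DIR NAME CN: fresh key plus CSR (helper for the demo PKI).
new_csr() {
  openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_demo_pki DIR: one root, two sibling intermediates (wrong.pem, right.pem)
# and a leaf issued by right.pem, mirroring the mix-up described in the thread.
make_demo_pki() {
  local d="$1" n=1 ca
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/x.cnf"
  openssl req -x509 -config "$d/x.cnf" -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Constructed Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for ca in wrong right; do
    n=$((n + 1))
    new_csr "$d" "$ca" "Constructed Intermediate ($ca)"
    openssl x509 -req -in "$d/$ca.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -set_serial "$n" -days 2 -sha256 -extfile "$d/x.cnf" -extensions ca \
      -out "$d/$ca.pem" 2>/dev/null
  done
  new_csr "$d" leaf "passbolt.example.test"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/right.pem" -CAkey "$d/right.key" \
    -set_serial 9 -days 2 -sha256 -out "$d/leaf.pem" 2>/dev/null
}

work=$(mktemp -d) && make_demo_pki "$work"
for c in wrong right; do
  if chain_ok "$work/root.pem" "$work/$c.pem" "$work/leaf.pem"
  then echo "$c.pem: leaf verifies"; else echo "$c.pem: leaf does NOT verify"; fi
done
```

On a real server, `chain_ok` takes the CA's root certificate, the chain file the web server is configured to send, and the server certificate.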

Nice catch, I wouldn’t have been able to figure this one out.