Can't login to hosted passbolt

siberijah · December 3, 2020, 1:48pm

Hi community!
I have my primary admin account with unique passwords stored and recently something happened and I can’t login. There is an exception “There was an error during authentication. Enable debug mode for more information”. I’m the first user registered there. All other users are able to login, create passwords,share them etc…

Can’t find anything except next in the cli-debug.log

root@9050195d136c:/var/www/passbolt# cat logs/cli-debug.log
2020-12-03 12:40:33 Debug: command 'preview' in plugin 'EmailQueue' was not aliased, conflicts with 'Passbolt/EmailDigest'*
2020-12-03 12:40:33 Debug: command 'sender' in plugin 'EmailQueue' was not aliased, conflicts with 'Passbolt/EmailDigest'*

Version: 2.13.5
Healthcheck status: “No error found. Nice one sparky!”

remy · December 3, 2020, 2:15pm

Hello,

Can you tell us:

if there is something available in /var/www/passbolt/logs/error.log?
if you didn’t create your user key using passbolt, can you check if it is expired?

How to check for the user key on the server:
You can look for the keys that are present on the gpg key server, then filter using fingerprint / email.

sudo -H -u www-data bash -c "gpg --list-keys"

You can specify the keyring location if it’s not in /var/www/.gnupg using --home=/home/www-data/.gnupg

siberijah · December 3, 2020, 2:13pm

Hi Remy, thanks for the fast answer.

That’s what I have in error log:

root@3c91ff83636d:/var/www/passbolt# cat /var/www/passbolt/logs/error.log
2020-12-03 14:05:49 Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. (/var/www/passbolt/src/Auth/GpgAuthenticate.php:85)
Request URL: /auth/is-authenticated.json

2020-12-03 14:05:50 Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. (/var/www/passbolt/src/Auth/GpgAuthenticate.php:85)
Request URL: /auth/is-authenticated.json

But the interesting thing is that all permissions looks good:

root@3c91ff83636d:/var/www/passbolt# ls /var/www/passbolt/src/Auth/GpgAuthenticate.php -la
-rw-rw-r-- 1 www-data www-data 15308 Jul 30 09:28 /var/www/passbolt/src/Auth/GpgAuthenticate.php

GPG keys are not full. I have around 15 users, but all of them can access but me. Brad Pitt is a test user that I created after I created first 10 users.

root@3c91ff83636d:/var/www/passbolt# su -c "source /etc/environment; gpg --list-keys" -s /bin/bash www-data
/home/www-data/.gnupg/pubring.kbx
---------------------------------
pub   rsa2048 2020-12-03 [SC]
      546B09C876A09022B12AD9EA16E41FB76720FD3E
uid           [ultimate] Passbolt default user <passbolt@yourdomain.com>
sub   rsa2048 2020-12-03 [E]

pub   rsa2048 2020-11-06 [SC]
      DE564D23432MFEM3IMFM4539A84C152F22B6282
uid           [ unknown] Brad Pitt <Brad.Pitt@gmail.com>
sub   rsa2048 2020-11-06 [E]

remy · December 3, 2020, 2:19pm

The authentication error in the logs is normal (could be triggered when a session timed out for example).

Can you retry to login and see if new errors are added at the end of the file?
Can you show the full details of your key to see if it is expired?

siberijah · December 3, 2020, 2:46pm

That logs that I shared I’ve copyed right after I redeployed docker-compose and tried to login. So there are only this errors. In docker logs all clear just POST and GET and 200 answer codes and something strange but I think not realted to the problem: 2020-12-03 14:10:26,109 INFO reaped unknown pid 409

I couldn’t understand the second question about the full details of my key, could you please explain a bit?

ps. No other errors

garrett · December 3, 2020, 5:16pm

Hi @siberijah

To see the details of your key (so you can check if it has expired) the command would be something like:
sudo -H -u www-data bash -c "gpg -a --export {your-key-fingerprint-here} | gpg --list-packets"

-a is armored export of your key by fingerprint and then a checking of its contents. You’d be looking for a field in the output noting “key expires after”. It may not exist, if the key does not expire.

remy · December 7, 2020, 1:17pm

@siberijah any news on the key details? Did you manage to fix the issue?

siberijah · December 7, 2020, 1:44pm

Thanks for helping me but there was nothing heplful, all looked really good. I decided just to re-register this user…

garrett · December 7, 2020, 1:57pm

@siberijah Ok, sounds good thanks for the update. I’ll go ahead and close this one for now. DM me if it happens again anytime soon.

garrett · December 7, 2020, 1:57pm