Could not import the user OpenPGP key - New users only

Hello I have been trying to get my Passbolt to work correctly for a few days now.
But I am kinda stuck below are the things I tried.
Some pointers would be helpful thanks.

Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to trouble shoot the problem
[x] I describe the steps on how to reproduce the issue

What happens:
A user tries to register, he follows all instructions and gets the welcome mail. Everything working fine so far but when the user tries to login it shows the following error:

Sorry, you have not been signed in.

Something went wrong, the sign in failed with the following error:

Could not import the user OpenPGP key.

The error log under /var/log/passbolt/error.log shows:

2021-09-20 14:10:44 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /usr/share/php/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: 10.0.0.121

Server info:
Ubuntu 20.04 upgraded from 18.04 maybe even 16.04 not sure about that
The passbolt installation was originally installed with the script you provided but was migrated to package
2GB RAM and 2vcpu
Running the latest version of Passbolt CE 3.2.1-3

Things I tried:

*Reading multiple threads with similar problems
*checked the database, the new user was there with a gpg key
*Server time was 2 hours behind the actual time > Fixed
*Update from 3.2.0 to 3.2.1
*Enabled debug mode, checked log files
*Tried moving to a new server using an unofficial guide, that didnt really worked out so I am still on this server
*changed permissions on /home/www-data/.gnupg because of the "gpg: WARNING: unsafe permissions " i got while running:
sudo -H -u www-data /bin/bash -c “gpg --list-keys”
This also only list the keys of users back to february and the new user is missing! This might be reason of the error?
I can even see the gpg key of the user in the admin backend:

SSL is working fine despite the error in the healthcheck

healthcheck

root@passbolt:/usr/share/php/passbolt# sudo -H -u www-data bash -c “./bin/cake passbolt healthcheck”

 ____                  __          ____
/ __ \____  _____ ____/ /_  ____  / / /_

/ // / __ `/ / / __ / __ / / _/
/ / // ( |
) /
/ / /
/ / / /
/
/ _
,
/
//./_//__/

Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 7.4.23.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[FAIL] Debug mode is on.
[HELP] Set debug = false; in config/passbolt.php
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.xxx.de
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fopen(): Failed to enable crypto
fopen(https://passbolt.xxx.de/healthcheck/status.json): failed to open stream: operation failed

Database

[PASS] The application is able to connect to the database
[PASS] 25 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Application configuration

[PASS] Using latest passbolt version (3.2.1).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[WARN] Registration is open to everyone.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set passbolt.registration.public to false in config/passbolt.php.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

[FAIL] 3 error(s) found. Hang in there!

Any help would be greatly appreciated.

Hi @BobshortForBobertson and welcome to this forum :handshake: :slight_smile:

This also only list the keys of users back to february and the new user is missing! This might be reason of the error?

Did you tried to import the key of this user on your Passbolt server via some sudo -H -u www-data /bin/bash -c "gpg --import /path/to/your/user.key" ?

Best,

Another thought: there is no /home/www-data directory by default on Ubuntu, and changing permissions on this folder sounds weird.

I also forgot the --home parameter in the command I shared to you, as .gnupg folder on Passbolt servers are set on /var/lib/passbolt/.gnupg so the right command is:

sudo -H -u www-data /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /path/to/your/user.key"

Let me know if you found something relevant.

Best,

Hi JC,

thanks for the answer, that was crazy fast :slight_smile:
We might be getting closer to an answer thanks to you.
But it still seems a bit funky at the moment, I tried the following:

sudo -H -u www-data /bin/bash -c “gpg --home /var/lib/passbolt/.gnupg --list-keys”
The most recent Key is half a month old, but this doesn’t seem to be the right file

sudo -H -u www-data /bin/bash -c “gpg --list-keys” sudo -H -u www-data /bin/bash -c “gpg --list-keys” This one shows the test user I just created, the most recent key from an actual user is from february

sudo -H -u www-data /bin/bash -c “gpg --home /var/lib/passbolt/.gnupg --import /home/username/publickeyusername.key”
gpg: no writable keyring found: Not found
gpg: error reading ‘/home/username/publickeyusername.key’: General error
gpg: import from ‘/home/username/publickeyusername.key’ failed: General error
gpg: Total number processed: 0

root@passbolt:/home/username# sudo -H -u www-data /bin/bash -c “gpg --import /home/username/publickeyusername.key”
gpg: key A46F1AEADE2CBEA5: public key “Test username usernamet@company.de” imported
gpg: Total number processed: 1
gpg: imported: 1

Now this is looking good.

But when I try to login with the user it says this despite the user being activated:
Access to this service requires an invitation.

This email is not associated with any approved users on this domain. Please contact your administrator to request an invitation link.

After resending the invitation the user as to recover the account. That step is working fine but after trying to login we are once again at:
Could not import the user OpenPGP key.

Nvm it is almost working perfectly now.
I just noticed that the permissions of /var/lib/passbolt/.gnupg/pubring.kbx where set to root so I changed it to www-data.

Now I am still getting two messages:
x-gpgauth-authenticated should be set to false during stage1
and

Access to this service requires an invitation.

This email is not associated with any approved users on this domain. Please contact your administrator to request an invitation link.

But interestingly enough I can just ignore those and refresh the website after that I can access Passbolt normally, create passwords etc.

I am gonna take a closer look at that tomorrow.

Good morning,

well it seems like fixing the permissions on the keyring fixed all problems.

chown www-data:www-data /var/lib/passbolt/.gnupg/pubring.kbx
chown www-data:www-data /var/lib/passbolt/.gnupg/pubring.kbx~

After disabling the debug mode in /etc/passbolt/passbolt.php, I have no more errors/warnings.
Thanks @_jc for pushing me into the right direction.

Cool :+1:

Thanks for the feedback, this part is not well known for users.

1 Like