Could not retrieve server key. Please contact administrator

Hello there. I’ve done a clean install of Passbolt on Debian 9 on Linode but am stuck. Generated an admin user but when I go to set it up I get “Could not retrieve server key. Please contact administrator.”

Health check provides this output:

Environment

[PASS] PHP version 7.0.27-0+deb9u1.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.cascadiablooms.com
[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in config/passbolt.php
[HELP] Check the network settings

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate

Database

[PASS] The application is able to connect to the database
[PASS] 18 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The server gpg key is not the default one
[PASS] The environment variable GNUPGHOME is set to /var/www/.gnupg.
[PASS] The directory /var/www/.gnupg containing the keyring is writable by the webserver user.
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[FAIL] The public key cannot be used to sign a message
[HELP] Make sure that the server private key is valid and that there is no passphrase.
[HELP] Make sure you imported the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/www/.gnupg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data
[FAIL] The public key cannot be used to encrypt and sign a message
[FAIL] The private key cannot be used to decrypt a message
[FAIL] The private key cannot be used to decrypt and verify a message
[FAIL] The public key cannot be used to verify a signature.

Application configuration

[PASS] Using latest passbolt version (2.0.7).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

8 error(s) found. Hang in there!

It seems strange that “The public key can be used to encrypt a message” but “The public key cannot be used to sign a message”.

How do I “Make sure that the server private key is valid and that there is no passphrase.”?

Also I ran gpg --home /var/www/.gnupg --import /var/www/passbolt/config/gpg/serverkey_private.asc as www-data and got this result:

gpg: key AE6BAF45A83D7870: "name <LEGIT_EMAIL>" not changed
gpg: key AE6BAF45A83D7870: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1

so, not sure how to interpret that. Sorry if I’ve done something dumb! I’m pretty sure I followed https://help.passbolt.com/hosting/install/ce/debian-9-stretch.html exactly!

A few things to check:

  • Do you use a passphrase for this key? Passphrases are not supported; you need to create a server key with no passphrase.
  • Who is the owner of that /var/www/.gnupg directory and what are the permissions? We’ve seen GnuPG not being happy about different combinations, such as if the keyring was created or is owned by another user.

Server key in the sense of a normal private key, right (ssh-keygen)?
Please guide me on what to do with those fail errors @remy

No, in the sense of an OpenPGP key. Passbolt uses OpenPGP keys in the following ways:

  • server secret key: used to decrypt messages sent by the user during authentication, and sign messages.
  • server public key: used by the user to encrypt messages for the server, and verify server signature.
  • user public keys: used by the server and other users to encrypt data for a given user, and verify signature.
  • user secret key: used by the user to decrypt and sign.

There are some typos in the healthcheck that make it confusing.

The errors in the healthcheck mean that the server cannot use the key specified in the config to sign and decrypt. It could be due to multiple reasons; most of the time it is because the secret key is set to use a passphrase, which is not supported by php-gnupg.

I hope this helps. You can try again and follow the tutorial at Passbolt Help | Install Passbolt CE on Debian 9 (Stretch); follow steps 8 and 9 carefully, and it should work.

I have removed the passphrase from the key but still the same issue

Since it's a new install, I'd say generate a new key with no passphrase and import it / set the configuration properly. The key with the passphrase might still be in the gpg keyring.

ok! Well I followed http://blog.chapagain.com.np/gpg-how-to-change-edit-private-key-passphrase/ to find that I did indeed have a password set. Went in and changed it to no password, same issue. Created a new gpg key and updated the config and now it works! Thanks for pointing me in the right direction. Only healthcheck error now is,

[PASS] PHP GPG Module is installed and loaded.
[PASS] The server gpg key is not the default one
[PASS] The environment variable GNUPGHOME is set to /var/www/.gnupg.
[PASS] The directory /var/www/.gnupg containing the keyring is writable by the webserver user.
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[FAIL] The server key fingerprint doesn’t match the one defined in config/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/www/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[PASS] The server public key defined in the config/passbolt.php is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The public key can be used to sign a message.
[PASS] The public key can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Should I worry about this or just ignore it because it’s working? I did update the config with the new fingerprint…

Hello @travvy,

This check is a blocker for the install process, but you already installed it successfully.
It is not a blocker for other processes right now, but it could be later, so better to correct it if you can.

You have to export the private key that corresponds to the fingerprint you set in the config file and put it in PASSBOLT_PATH/config/gpg/serverkey_private.asc (if you didn't change the location of the private key).

Cheers,
Cédric
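The two failures in this thread, a passphrase on the server's secret key (remy's point) and a fingerprint in config/passbolt.php that does not belong to the key file (Cédric's point), can both be checked offline from serverkey_private.asc without going through php-gnupg. The following is an added example, not Passbolt's own code: it parses the armored OpenPGP key itself (RFC 4880 v4 packets, partial body lengths not supported), reads the S2K usage octet that tells you whether the secret material is passphrase-protected, computes the v4 fingerprint, and compares it with the `'fingerprint' => '...'` entry that the stock passbolt.php layout is assumed to contain. The two keys at the bottom are constructed toy packets for demonstration, not real key material.

```python
"""Added example (not Passbolt code): inspect an ASCII-armored OpenPGP private key for the two
healthcheck failures in this thread. Parses RFC 4880 v4 packets; partial body lengths unsupported."""
import base64
import hashlib
import re

def dearmor(armored: str) -> bytes:
    """Drop the BEGIN/END lines, 'Name: value' armor headers and the =CRC line."""
    body, inside = [], False
    for line in armored.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            inside = True
        elif line.startswith("-----END PGP"):
            break
        elif inside and line and ":" not in line and not line.startswith("="):
            body.append(line)
    return base64.b64decode("".join(body))

def iter_packets(data: bytes):
    """Yield (tag, body) for old- and new-format packet headers."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:  # new format: tag in the low 6 bits, then a 1-, 2- or 5-byte length
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths unsupported")
        elif hdr & 0x80:  # old format: tag in bits 2-5, length-size code in bits 0-1
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 0x03]
            if not n:
                raise ValueError("indeterminate length unsupported")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        else:
            raise ValueError("not an OpenPGP packet header")
        yield tag, data[i:i + length]
        i += length

def public_part_end(body: bytes) -> int:
    """Offset just past the public key material of a v4 key packet body."""
    if body[0] != 4:
        raise ValueError(f"only v4 keys supported, got v{body[0]}")
    mpis = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4, 18: 1, 19: 1, 22: 1}  # RSA, Elgamal, DSA, EC*
    algo, pos = body[5], 6
    if algo in (18, 19, 22):     # EC keys carry a 1-byte length + curve OID before the point
        pos += 1 + body[pos]
    for _ in range(mpis[algo]):  # each MPI: 2-byte bit count, then ceil(bits / 8) bytes
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    if algo == 18:               # ECDH adds 1-byte length + KDF parameters after the point
        pos += 1 + body[pos]
    return pos

def inspect_private_key(armored: str) -> dict:
    """Fingerprint, user id and passphrase status of the primary secret key (tags 5 and 13)."""
    info = {}
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 5 and "fingerprint" not in info:
            pub = body[:public_part_end(body)]
            # v4 fingerprint = SHA-1(0x99 || 2-byte length || public body), RFC 4880 section 12.2
            info["fingerprint"] = hashlib.sha1(b"\x99" + len(pub).to_bytes(2, "big") + pub).hexdigest().upper()
            # S2K usage octet right after the public part: 0 = secret MPIs stored in the clear,
            # 254/255 = passphrase-derived key, any other value = legacy cipher id (also protected)
            info["passphrase_protected"] = body[len(pub)] != 0
        elif tag == 13 and "user_id" not in info:
            info["user_id"] = body.decode("utf-8", "replace")
    if "fingerprint" not in info:
        raise ValueError("no secret key packet found")
    return info

def server_key_problems(armored: str, passbolt_php: str) -> list:
    """Both checks from this thread; an empty list means the key is usable as configured."""
    info, problems = inspect_private_key(armored), []
    if info["passphrase_protected"]:
        problems.append("secret key has a passphrase; php-gnupg cannot sign or decrypt with it")
    # assumes the stock config layout: 'fingerprint' => '<40 hex digits>' inside the gpg section
    m = re.search(r"'fingerprint'\s*=>\s*'([0-9A-Fa-f]{40})'", passbolt_php)
    if not m or m.group(1).upper() != info["fingerprint"]:
        problems.append("fingerprint in config/passbolt.php is missing or does not match the key file")
    return problems

# Constructed test keys (not real key material): a tiny fake v4 RSA key (n = 0xC5, e = 0x11) plus a
# user id, each in an old-format packet header (0x94 = tag 5, 0xB4 = tag 13, one-byte length).
def _armor(*packets: bytes) -> str:
    b64 = base64.b64encode(b"".join(packets)).decode()
    return f"-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: constructed\n\n{b64}\n-----END PGP PRIVATE KEY BLOCK-----\n"

_PUB = bytes([4, 0x5B, 0, 0, 0, 1]) + b"\x00\x08\xC5" + b"\x00\x05\x11"
_UID_TEXT = b"Passbolt Server <passbolt@example.com>"
_UID = b"\xB4" + bytes([len(_UID_TEXT)]) + _UID_TEXT
_PLAIN = b"\x00" + b"\x00\x02\x03\x00\x03\x05\x00\x03\x07\x00\x02\x03" + b"\x00\x1C"  # usage 0; d, p, q, u; checksum
_S2K = b"\xFE\x07\x03\x02" + b"S" * 8 + b"\x60" + b"I" * 16 + b"E" * 32  # usage 254: AES-128, iterated+salted SHA-1, IV, ciphertext
UNPROTECTED_KEY = _armor(b"\x94" + bytes([len(_PUB + _PLAIN)]), _PUB + _PLAIN, _UID)
PROTECTED_KEY = _armor(b"\x94" + bytes([len(_PUB + _S2K)]), _PUB + _S2K, _UID)
```

Against a real install, call `server_key_problems(open('/var/www/passbolt/config/gpg/serverkey_private.asc').read(), open('/var/www/passbolt/config/passbolt.php').read())`. GnuPG shows the same S2K fields with `gpg --list-packets serverkey_private.asc`. Since the fingerprint is a hash over the public material only, adding or removing a passphrase never changes it; a fingerprint mismatch therefore means the file on disk and the value in the config come from different keys, which is exactly the situation Cédric's reply addresses.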

We have the same problem when we recover an account.
We have solved the problem by changing the src/Controller/Auth/AuthVerifyController.php file.
It searches for the config file in the webroot folder instead of the root directory.

@fransuisse No, it doesn't search in the webroot unless you tell it to (like by using WWW_ROOT instead of ROOT or CONFIG as the base of your path). There is a problem with the path in your config, not src/Controller/Auth/AuthVerifyController.php.

Path in config should be either absolute path to the key or something like

ROOT . DS . 'config' . DS . 'gpg' . DS . 'my_key.asc',
