"Could not verify server key. Decryption failed. Oops something went wrong." until healthcheck is run


#1

I have an odd problem. I received the error message as stated in the subject, but then if I run the healthcheck the error message goes away and we can login no problem.

CentOS 7.5.1804
Apache 2.4.6
php 7.1.23-1 using php-fpm (added after, with or without it results in the same error messages)
PassBolt CE 2.5.0 installed from source
Plugin version 2.4.4

Healthcheck Output
-bash-4.2$ ./bin/cake passbolt healthcheck

 ____                  __          ____  
/ __ \____  _____ ____/ /_  ____  / / /_ 

/ // / __ `/ / / __ / __ / / _/
/ / // ( |
) /
/ / /
/ / / /
/
/ _
,
/
//.__/__//_/

Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 7.1.23.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[FAIL] Debug mode is on.
[HELP] Set debug = false; in config/passbolt.php
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://REDACTED
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
fopen(): Failed to enable crypto
fopen(https://REDACTED/healthcheck/status.json): failed to open stream: operation failed

Database

[PASS] The application is able to connect to the database
[PASS] 18 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /usr/share/httpd/.gnupg.
[PASS] The directory /usr/share/httpd/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server gpg key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Application configuration

[PASS] Using latest passbolt version (2.5.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

3 error(s) found. Hang in there!

(Yes, it’s a self signed certificate on a private IP internal to our network)

There’s nothing relevant in the error_log or cli_debug.log. I do have debugging turned on.

When it’s in this state, and I run healthcheck it requests the GPG pass phrase to complete the health check. When you can login, the GPG pass phrase is not asked for during healthcheck.

It seems like the pass phrase is stored (or the key is decrypted) then it is forgotten (timeout?). But I can’t find any references to anything like this here in the forums or in the documentation.

If there’s anything else you need, please let me know.

Jim


#2

At the moment passphrases on server keys are not supported. It seems that if you make some operations on the server that requires GPG the passphrase will be stored for a given amount of time and therefore you can use the previously encrypted private server key via passbolt (php-gnupg / libgpgme).

It’s best you switch to a server key that doesn’t use a passphrase.


#3

Thanks for the update.

And use, using gpg-agent.conf and setting the default and max cache-ttl to very large numbers it allows you to work and only have to reenter the password once a day. That still wasn’t acceptable though.

Thanks again!
Jim


#4