Could not verify server key. The OpenPGP server key defined in the config could not be found in the GnuPG keyring

Hello Everybody,
I finally made it to install and successfully configure Passbolt.
After the first configuration the wizard took me to the main login page but I got this message

[screenshot: Selection_070]

I probably made some mistake in the GPG key configuration.

What surprises me is that the healthcheck is good. Grepping it with the “key” keyword I get the following:

 [PASS] The server gpg key is not the default one
 [PASS] The directory /home/mzanetti/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

So I can’t see where the issue could be. Could it be because the server is trying to access the keyring of my user but apache runs with the www-data user? I’m not really into this whole GPG keys thing so I could easily have performed some mistake… -.-

Thank you to anyone who will help
Marco

I can see you are running the healthcheck with your personal user.
Can you run the healthcheck with the user who runs your webserver? It should help you to complete your installation.

Thank you Cedric,
that was a clever move and it worked.

In order to help future users I’ll report here the command I used

sudo -u www-data ./bin/cake passbolt healthcheck

since www-data doesn’t have a password

I got one error

[FAIL] The server public key defined in the config/passbolt.php is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/www/.gnupg --import /var/www/passbolt_api/config/gpg/serverkey_private.asc" www-data

So I did perform the command and got the following result

gpg: key 08750EFE: secret key imported
gpg: key 08750EFE: public key "Marco Zanetti" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

which sounds good. But still, if I perform another healthcheck, I get the exact same error

[FAIL] The server public key defined in the config/passbolt.php is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/www/.gnupg --import /var/www/passbolt_api/config/gpg/serverkey_private.asc" www-data

and I get the suggestion to perform the same command again, so I guess it didn’t work properly.

If I try and access the system this is what I get

[screenshot: Selection_071]

which is not surprising.

What should I do now?

Thank you
Marco

Can you check the content of logs/error.log?
Did you create/update the config/passbolt.php file with the fingerprint of your key ?
See section 11. https://help.passbolt.com/hosting/install/ce/debian-9-stretch.html

The only thing I see in error.log is

2018-07-18 14:04:53 Error: [Imagine\Exception\RuntimeException] Gd not installed
Request URL: /auth/verify.json?api-version=v1

I performed the steps reported in the guide, or at least I think I did.

I noticed that the fingerprint reported in the example is without spaces

'fingerprint' => '1C765F5273EC9AF56300BC6F6C76DA6B9F23C8BB',

while mine is something like

'fingerprint' => '1C76 5F52 73EC 9AF5 6300 BC6F 6C76 DA6B 9F23 C8BB',

How should I paste the fingerprint in the file?

Anyways, I tried both with and without spaces and I get the same “Could not verify server key. An Internal Error Has Occurred” error… -.-

I installed GD and enabled debug mode and now I see this error

[screenshot: Selection_073]

Please notice this happens with both the spaces-separated-fingerprint and the without-spaces one.

The fingerprint should be without space.


Did you run the healthcheck again?

Yes, I get two errors

[FAIL] Debug mode is on.
  [HELP] Set debug = false; in config/passbolt.php

and

 [FAIL] The server public key defined in the config/passbolt.php is not in the keyring
  [HELP] Import the private server key in the keyring of the webserver user.
  [HELP] you can try:
  [HELP] sudo su -s /bin/bash -c "gpg --home /var/www/.gnupg --import /var/www/passbolt_api/config/gpg/serverkey_private.asc" www-data

The private key is not in the keyring, which explains your issue.
Is your www-data user allowed to read the file /var/www/passbolt_api/config/gpg/serverkey_private.asc?
What’s the result of the command given as a tip?
Can you copy/paste here the content of your passbolt.php?

Did you change your server key (/var/www/passbolt_api/config/gpg/serverkey_private.asc) after completing the plugin setup ?

Yes, it has permissions. This is the ls of the folder

drwxrwxr-x 2 www-data www-data 4096 Jul 17 14:29 .
drwxrwxr-x 6 www-data www-data 4096 Jul 18 14:20 ..
-rw-r----- 1 www-data www-data 1743 Jul 18 14:04 serverkey.asc
-rw-r----- 1 www-data www-data 3634 Jul 18 14:03 serverkey_private.asc
-rw-rw-r-- 1 www-data www-data 3147 Jul 17 14:15 unsecure.key
-rw-rw-r-- 1 www-data www-data 6647 Jul 17 14:15 unsecure_private.key

sudo su -s /bin/bash -c "gpg --home /var/www/.gnupg --import /var/www/passbolt_api/config/gpg/serverkey_private.asc" www-data

gpg: key 08750EFE: already in secret keyring
gpg: Total number processed: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

Sure! Here it comes

<?php
/**
 * Passbolt ~ Open source password manager for teams
 * Copyright (c) Passbolt SARL (https://www.passbolt.com)
 *
 * Licensed under GNU Affero General Public License version 3 of the or any later version.
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice.
 *
 * @copyright     Copyright (c) Passbolt SARL (https://www.passbolt.com)
 * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
 * @link          https://www.passbolt.com Passbolt(tm)
 * @since         2.0.0
 */
/**
 * PASSBOLT CONFIGURATION FILE TEMPLATE
 *
 * By default passbolt try to use the environment variables or fallback on the default values as
 * defined in default.php. You can use passbolt.default.php as a basis to set your own configuration
 * without using environment variables.
 *
 * 1. copy/paste passbolt.default.php to passbolt.php
 * 2. set the variables in the App section
 * 3. set the variables in the passbolt section
 *
 * To see all available options, you can refer to the default.php file, and modify passsbolt.php accordingly.
 * Do not modify default.php or you may break your upgrade process.
 *
 * Read more about how to install passbolt: https://www.passbolt.com/help/tech/install
 * Any issue, check out our FAQ: https://www.passbolt.com/faq
 * An installation issue? Ask for help to the community: https://community.passbolt.com/
 */
return [

    /**
     * DEFAULT APP CONFIGURATION
     *
     * All the information in this section must be provided in order for passbolt to work
     * This configuration overrides the CakePHP defaults locating in app.php
     * Do not edit app.php as it may break your upgrade process
     */
    'App' => [
        // A base URL to use for absolute links.
        // The url where the passbolt instance will be reachable to your end users.
        // This information is need to render images in emails for example
        'fullBaseUrl' => 'https://passbolt.metide.com',
    ],

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            //'port' => 'non_standard_port_number',
            'username' => 'passbolt',
            'password' => 'my_db_password',
            'database' => 'passbolt',
        ],
    ],

    // Email configuration.
    'EmailTransport' => [
        'default' => [
            'host' => 'smtp.gmail.com',
            'port' => 587,
            'username' => 'ouremail@gmail.com',
            'password' => 'account_password',
            // Is this a secure connection? true if yes, null if no.
            'tls' => true,
            //'timeout' => 30,
            //'client' => null,
            //'url' => null,
        ],
    ],
    'Email' => [
        'default' => [
            // Defines the default name and email of the sender of the emails.
            'from' => ['passbolt@your_organization.com' => 'Passbolt'],
            //'charset' => 'utf-8',
            //'headerCharset' => 'utf-8',
        ],
    ],

    /**
     * DEFAULT PASSBOLT CONFIGURATION
     *
     * This is the default configuration.
     * It enforces the use of ssl, and does not provide a default OpenPGP key.
     * If your objective is to try passbolt quickly for evaluation purpose, and security is not important
     * you can use the demo config example provided in the next section below.
     */
    'debug' => true,
    'passbolt' => [
        // GPG Configuration.
        // The keyring must to be owned and accessible by the webserver user.
        // Example: www-data user on Debian
        //'ssl' => [
        //    'force' => false,
        //],
        'gpg' => [
            // Tell GPG where to find the keyring.
            // If putenv is set to false, gnupg will use the default path ~/.gnupg.
            // For example :
            // - Apache on Centos it would be in '/usr/share/httpd/.gnupg'
            // - Apache on Debian it would be in '/var/www/.gnupg'
            // - Nginx on Centos it would be in '/var/lib/nginx/.gnupg'
            // - etc.
            //'keyring' => getenv("HOME") . DS . '.gnupg',
            //
            // Replace GNUPGHOME with above value even if it is set.
            //'putenv' => false,

            // Main server key.
            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => '879D50946E5118B3E675682F6F7F2E3308750EFE',
                //'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
                //'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',
            ],
        ],
    ],

/**
 * DEMO CONFIGURATION EXAMPLE
 *
 * Uncomment the lines below if you want to try passbolt quickly.
 * and if you are not concerned about the security of your installation.
 * (Don't forget to comment the default config above).
 */
//    'debug' => true,
//    'passbolt' => [
//        'registration' => [
//            'public' => true
//        ],
//        'ssl' => [
//            'force' => false,
//        ],
//        'gpg' => [
//            'serverKey' => [
//                'fingerprint' => '2FC8945833C51946E937F9FED47B0811573EE67E',
//                'public' => CONFIG . DS . 'gpg' . DS . 'unsecure.key',
//                'private' => CONFIG . DS . 'gpg' . DS . 'unsecure_private.key',
//            ],
//        ],
//    ]

];

I don’t think I did, because I don’t think I generated new keys after the installation was over. Surely I didn’t do that on purpose, if I did, but can’t be sure… Should I do something in order to check?

Here it says something about deleting a user and creating a new one… but I’m not sure how to do it.

I tried to generate brand new keys, now I get (in the logs and in the web page, due to the debug = true)

2018-07-18 15:56:13 Error: [Exception] get_key failed
Request URL: /auth/verify.json?api-version=v1

So, to be sure we’re not completely out of subject, can you give me more details about your environment? I guess it’s Debian 9 with Apache.
Can you also check the rights on the folder /var/www/.gnupg? It should only be accessible to www-data.

Hello Cedric,
I’m running an Ubuntu server 16.04 with Apache. The permissions on the /var/www/.gnupg folder are the following:

drwx------ 3 www-data www-data 4096 Jul 18 15:51 .gnupg/

And this is its content

drwx------ 3 www-data www-data 4096 Jul 18 15:51 ./
drwxrwxr-x 6 root     www-data 4096 Jul 17 14:30 ../
-rw------- 1 www-data www-data 9398 Jul 17 14:30 gpg.conf
-rw-r--r-- 1 www-data www-data    0 Jul 18 13:32 .gpg-v21-migrated
drwx------ 2 www-data www-data 4096 Jul 18 13:32 private-keys-v1.d/
-rw------- 1 www-data www-data 2443 Jul 18 15:51 pubring.gpg
-rw------- 1 www-data www-data 1222 Jul 18 13:31 pubring.gpg~
-rw------- 1 www-data www-data 5139 Jul 18 15:51 secring.gpg
srwxr-xr-x 1 www-data www-data    0 Jul 18 15:26 S.gpg-agent=
-rw------- 1 www-data www-data 1200 Jul 18 13:31 trustdb.gpg

which looks good to me :-/

Hello everybody,
is there anyone around who thinks maybe he/she could help me? ^____^

Thank you
Marco

I’m so so so sad that nobody is answering here anymore :frowning:

Hi,
Can you try the following 2 commands: sudo su -s /bin/bash -c "gpg --list-keys" www-data and sudo su -s /bin/bash -c "gpg --list-secret-keys" www-data?
Do you see both the public and private server keys in the list? With the same fingerprint?

Also, could you tell me what is your version of gpg? gpg --version
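To make the two checks asked for above repeatable (is the configured fingerprint, spaces or not, present as both a public and a secret key in the webserver user's keyring?), here is an added helper script; it is not part of the thread or of Passbolt itself. It parses `gpg --with-colons` output, and the two embedded listings are constructed samples using the fingerprint from the posted passbolt.php; run it as the webserver user (e.g. with `sudo -u www-data`) so it inspects /var/www/.gnupg and not your personal keyring.

```python
import re
import subprocess
import sys

# Constructed sample output of `gpg --with-colons --list-keys` and
# `--list-secret-keys` for the keyring; the fingerprint is the one from the
# thread's passbolt.php (key ID 08750EFE is its last 8 hex digits).
SAMPLE_PUBLIC = """\
pub:u:2048:1:6F7F2E3308750EFE:1531835000:::u:::scESC::::::23::0:
fpr:::::::::879D50946E5118B3E675682F6F7F2E3308750EFE:
uid:u::::1531835000::0123456789ABCDEF0123456789ABCDEF01234567::Marco Zanetti <server@example.com>::::::::::0:
"""
SAMPLE_SECRET = """\
sec:u:2048:1:6F7F2E3308750EFE:1531835000:::u:::scESC:::+:::23::0:
fpr:::::::::879D50946E5118B3E675682F6F7F2E3308750EFE:
"""

def normalize_fingerprint(value):
    """gpg prints 'AAAA BBBB ...' but passbolt.php wants the 40 hex digits with no spaces."""
    fp = re.sub(r"\s+", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % value)
    return fp

def fingerprints_in_listing(colon_output):
    """Collect every 'fpr' record; in colon format the fingerprint is field 10 (index 9)."""
    found = set()
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            found.add(fields[9].upper())
    return found

def check_server_key(config_fingerprint, public_listing, secret_listing):
    """Mirror the healthcheck: the configured key must exist as public AND secret key."""
    fp = normalize_fingerprint(config_fingerprint)
    return {
        "fingerprint": fp,
        "public_in_keyring": fp in fingerprints_in_listing(public_listing),
        "secret_in_keyring": fp in fingerprints_in_listing(secret_listing),
    }

def list_keys(gnupghome, secret=False):
    """Ask gpg for the real listing of the keyring at gnupghome (the current user's, so run as www-data)."""
    cmd = ["gpg", "--homedir", gnupghome, "--batch", "--with-colons",
           "--list-secret-keys" if secret else "--list-keys"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    # usage: sudo -u www-data python3 check_server_key.py <fingerprint> [/var/www/.gnupg]
    home = sys.argv[2] if len(sys.argv) > 2 else "/var/www/.gnupg"
    print(check_server_key(sys.argv[1], list_keys(home), list_keys(home, secret=True)))
```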