Could not verify server key. The OpenPGP server key defined in the config could not be found in the GnuPG keyring

Yes, I get two errors

[FAIL] Debug mode is on.
  [HELP] Set debug = false; in config/passbolt.php

and

 [FAIL] The server public key defined in the config/passbolt.php is not in the keyring
  [HELP] Import the private server key in the keyring of the webserver user.
  [HELP] you can try:
  [HELP] sudo su -s /bin/bash -c "gpg --home /var/www/.gnupg --import /var/www/passbolt_api/config/gpg/serverkey_private.asc" www-data

The private key is not in the keyring, it explains your issue.
Is your www-data user allowed to read the file /var/www/passbolt_api/config/gpg/serverkey_private.asc?
What’s the result of the command given as a tip?
Can you copy/paste here the content of your passbolt.php?

Did you change your server key (/var/www/passbolt_api/config/gpg/serverkey_private.asc) after completing the plugin setup?

Yes, it has permissions. This is the ls of the folder

drwxrwxr-x 2 www-data www-data 4096 Jul 17 14:29 .
drwxrwxr-x 6 www-data www-data 4096 Jul 18 14:20 ..
-rw-r----- 1 www-data www-data 1743 Jul 18 14:04 serverkey.asc
-rw-r----- 1 www-data www-data 3634 Jul 18 14:03 serverkey_private.asc
-rw-rw-r-- 1 www-data www-data 3147 Jul 17 14:15 unsecure.key
-rw-rw-r-- 1 www-data www-data 6647 Jul 17 14:15 unsecure_private.key

sudo su -s /bin/bash -c "gpg --home /var/www/.gnupg --import /var/www/passbolt_api/config/gpg/serverkey_private.asc" www-data

gpg: key 08750EFE: already in secret keyring
gpg: Total number processed: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

Sure! Here it comes

<?php
/**
 * Passbolt ~ Open source password manager for teams
 * Copyright (c) Passbolt SARL (https://www.passbolt.com)
 *
 * Licensed under GNU Affero General Public License version 3 or any later version.
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice.
 *
 * @copyright     Copyright (c) Passbolt SARL (https://www.passbolt.com)
 * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
 * @link          https://www.passbolt.com Passbolt(tm)
 * @since         2.0.0
 */
/**
 * PASSBOLT CONFIGURATION FILE TEMPLATE
 *
 * By default passbolt tries to use the environment variables or falls back on the default values as
 * defined in default.php. You can use passbolt.default.php as a basis to set your own configuration
 * without using environment variables.
 *
 * 1. copy/paste passbolt.default.php to passbolt.php
 * 2. set the variables in the App section
 * 3. set the variables in the passbolt section
 *
 * To see all available options, you can refer to the default.php file, and modify passbolt.php accordingly.
 * Do not modify default.php or you may break your upgrade process.
 *
 * Read more about how to install passbolt: https://www.passbolt.com/help/tech/install
 * Any issue, check out our FAQ: https://www.passbolt.com/faq
 * An installation issue? Ask for help to the community: https://community.passbolt.com/
 */
return [

    /**
     * DEFAULT APP CONFIGURATION
     *
     * All the information in this section must be provided in order for passbolt to work
     * This configuration overrides the CakePHP defaults located in app.php
     * Do not edit app.php as it may break your upgrade process
     */
    'App' => [
        // A base URL to use for absolute links.
        // The url where the passbolt instance will be reachable to your end users.
        // This information is needed to render images in emails for example
        'fullBaseUrl' => 'https://passbolt.metide.com',
    ],

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            //'port' => 'non_standard_port_number',
            'username' => 'passbolt',
            'password' => 'my_db_password',
            'database' => 'passbolt',
        ],
    ],

    // Email configuration.
    'EmailTransport' => [
        'default' => [
            'host' => 'smtp.gmail.com',
            'port' => 587,
            'username' => 'ouremail@gmail.com',
            'password' => 'account_password',
            // Is this a secure connection? true if yes, null if no.
            'tls' => true,
            //'timeout' => 30,
            //'client' => null,
            //'url' => null,
        ],
    ],
    'Email' => [
        'default' => [
            // Defines the default name and email of the sender of the emails.
            'from' => ['passbolt@your_organization.com' => 'Passbolt'],
            //'charset' => 'utf-8',
            //'headerCharset' => 'utf-8',
        ],
    ],

    /**
     * DEFAULT PASSBOLT CONFIGURATION
     *
     * This is the default configuration.
     * It enforces the use of ssl, and does not provide a default OpenPGP key.
     * If your objective is to try passbolt quickly for evaluation purpose, and security is not important
     * you can use the demo config example provided in the next section below.
     */
    'debug' => true,
    'passbolt' => [
        // GPG Configuration.
        // The keyring must be owned by and accessible to the webserver user.
        // Example: www-data user on Debian
        //'ssl' => [
        //	'force' => false,
        //],
        'gpg' => [
            // Tell GPG where to find the keyring.
            // If putenv is set to false, gnupg will use the default path ~/.gnupg.
            // For example:
            // - Apache on Centos it would be in '/usr/share/httpd/.gnupg'
            // - Apache on Debian it would be in '/var/www/.gnupg'
            // - Nginx on Centos it would be in '/var/lib/nginx/.gnupg'
            // - etc.
            //'keyring' => getenv("HOME") . DS . '.gnupg',
            //
            // Replace GNUPGHOME with above value even if it is set.
            //'putenv' => false,

            // Main server key.
            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => '879D50946E5118B3E675682F6F7F2E3308750EFE',
                //'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
                //'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',
            ],
        ],
    ],

/**
 * DEMO CONFIGURATION EXAMPLE
 *
 * Uncomment the lines below if you want to try passbolt quickly.
 * and if you are not concerned about the security of your installation.
 * (Don't forget to comment the default config above).
 */
//    'debug' => true,
//    'passbolt' => [
//        'registration' => [
//            'public' => true
//        ],
//        'ssl' => [
//            'force' => false,
//        ],
//        'gpg' => [
//            'serverKey' => [
//                'fingerprint' => '2FC8945833C51946E937F9FED47B0811573EE67E',
//                'public' => CONFIG . DS . 'gpg' . DS . 'unsecure.key',
//                'private' => CONFIG . DS . 'gpg' . DS . 'unsecure_private.key',
//            ],
//        ],
//    ]

];

I don’t think I did, because I don’t think I generated new keys after the installation was over. Surely I didn’t do that on purpose, if I did, but can’t be sure… Should I do something in order to check?

Here it says something about deleting a user and creating a new one… but I’m not sure how to do it.

I tried to generate brand new keys, now I get (in the logs and in the web page, due to the debug = true)

2018-07-18 15:56:13 Error: [Exception] get_key failed
Request URL: /auth/verify.json?api-version=v1

So to be sure we’re not completely off topic, can you give me more details about your environment? I guess it’s Debian 9, Apache.
Can you also check the rights on the folder /var/www/.gnupg. It should be accessible only to www-data.

Hello Cedric,
I’m running an Ubuntu server 16.04 with Apache. The permissions on the /var/www/.gnupg folder are the following:

drwx------ 3 www-data www-data 4096 Jul 18 15:51 .gnupg/

And this is its content

drwx------ 3 www-data www-data 4096 Jul 18 15:51 ./
drwxrwxr-x 6 root     www-data 4096 Jul 17 14:30 ../
-rw------- 1 www-data www-data 9398 Jul 17 14:30 gpg.conf
-rw-r--r-- 1 www-data www-data    0 Jul 18 13:32 .gpg-v21-migrated
drwx------ 2 www-data www-data 4096 Jul 18 13:32 private-keys-v1.d/
-rw------- 1 www-data www-data 2443 Jul 18 15:51 pubring.gpg
-rw------- 1 www-data www-data 1222 Jul 18 13:31 pubring.gpg~
-rw------- 1 www-data www-data 5139 Jul 18 15:51 secring.gpg
srwxr-xr-x 1 www-data www-data    0 Jul 18 15:26 S.gpg-agent=
-rw------- 1 www-data www-data 1200 Jul 18 13:31 trustdb.gpg

which looks good to me :-/

Hello everybody,
is there anyone around who thinks maybe he/she could help me? ^____^

Thank you
Marco

I’m so so so sad that nobody is answering here anymore :frowning:

Hi,
Can you try the following 2 commands: sudo su -s /bin/bash -c "gpg --list-keys" www-data and sudo su -s /bin/bash -c "gpg --list-secret-keys" www-data?
Do you see both the public and private server keys in the list? With the same fingerprint?

Also, could you tell me what is your version of gpg? gpg --version

Hello Kevin,
thank you for your reply! :slight_smile:

This is the output of the first command

/var/www/.gnupg/pubring.gpg
---------------------------
pub   2048R/08750EFE 2018-07-17
uid                  Marco Zanetti (Chissà a cosa serve) <marco.zanetti@company.com>
sub   2048R/88638305 2018-07-17

pub   2048R/5335C8B5 2018-07-18
uid                  Company Testing (Company Testing key) <company.testing@gmail.com>
sub   2048R/F23A5957 2018-07-18

and this is the output of the second one

/var/www/.gnupg/secring.gpg
---------------------------
sec   2048R/08750EFE 2018-07-17
uid                  Marco Zanetti (Chissà a cosa serve) <marco.zanetti@company.com>
ssb   2048R/88638305 2018-07-17

sec   2048R/5335C8B5 2018-07-18
uid                  Company Testing (Company Testing key) <company.testing@gmail.com>
ssb   2048R/F23A5957 2018-07-18

I don’t really know what I should see. The only thing I can tell you is that the key generated with marco.zanetti@company.com was the first one I generated. Then, since I got errors, I created a new one with the company.testing@gmail.com address. That does not work either.

the output of gpg --version is the following

gpg (GnuPG) 1.4.20
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Alright.

The fact that you are using GPG V1.x could be the cause of your issue, but it’s not certain. If possible, try to upgrade to GPG V2, delete your keyring completely (rm -fr /var/www/.gnupg), and import your keys again.

Otherwise, could you add the --fingerprint parameter to the 2 commands and update the output given in your previous post? What I am trying to figure out is whether the fingerprint provided in your configuration file is also in your keyring for both the public and private server key.

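The two checks Kevin is asking for (a keyring directory that only www-data can reach, and the fingerprint from passbolt.php present in that keyring as both a public and a secret key) are easy to script so they can be re-run after every re-import. The script below is an added example written for this thread; it is not passbolt's own code, and `check_server_key`, `primary_fingerprints`, `keyring_dir_private` and `gpg_listing` are names chosen here. The colon-format listings it ships with are constructed from the two fingerprints quoted in this thread, with placeholder timestamps, uid hashes and subkey fingerprints; the secret listing deliberately contains only the second key, which is the state the healthcheck complains about. On a real host, `gpg_listing` assumes a `gpg2` binary on the PATH and must be run as the webserver user.

```python
"""Check that the server key configured in passbolt.php is usable by the webserver
user: the fingerprint must appear in its keyring as a public AND a secret key,
and the keyring directory must be private to that user.

Added example, not passbolt's own code. Listings below are constructed from the
fingerprints quoted in the thread; timestamps, uid hashes and subkey
fingerprints are made-up placeholders (all zeros / ones)."""
import os
import pwd
import re
import stat
import subprocess

# Constructed: the relevant lines of a passbolt.php
SAMPLE_CONFIG = """
'serverKey' => [
    'fingerprint' => '879D50946E5118B3E675682F6F7F2E3308750EFE',
],
"""

# Constructed: shape of `gpg2 --with-colons --fingerprint --list-keys`
SAMPLE_PUBLIC = """\
pub:u:2048:1:6F7F2E3308750EFE:1531814400:::u:::scESC::::::23::0:
fpr:::::::::879D50946E5118B3E675682F6F7F2E3308750EFE:
uid:u::::1531814400::0000000000000000000000000000000000000000::Marco Zanetti <marco.zanetti@company.com>::::::::::0:
sub:u:2048:1:0000000088638305:1531814400::::::e::::::23:
fpr:::::::::0000000000000000000000000000000088638305:
pub:u:2048:1:A6DA4E2D5335C8B5:1531900800:::u:::scESC::::::23::0:
fpr:::::::::EB8DCF291ED1E68091E38F69A6DA4E2D5335C8B5:
uid:u::::1531900800::1111111111111111111111111111111111111111::Company Testing <company.testing@gmail.com>::::::::::0:
sub:u:2048:1:00000000F23A5957:1531900800::::::e::::::23:
fpr:::::::::00000000000000000000000000000000F23A5957:
"""

# Constructed: `--list-secret-keys` after the fresh import, only the second key
SAMPLE_SECRET = """\
sec:u:2048:1:A6DA4E2D5335C8B5:1531900800:::u:::scESC::::::23::0:
fpr:::::::::EB8DCF291ED1E68091E38F69A6DA4E2D5335C8B5:
uid:u::::1531900800::1111111111111111111111111111111111111111::Company Testing <company.testing@gmail.com>::::::::::0:
ssb:u:2048:1:00000000F23A5957:1531900800::::::e::::::23:
fpr:::::::::00000000000000000000000000000000F23A5957:
"""


def config_fingerprint(php_text):
    """Return the 40-hex-digit serverKey fingerprint from passbolt.php text, upper-cased."""
    m = re.search(r"'fingerprint'\s*=>\s*'([0-9A-Fa-f]{40})'", php_text)
    if not m:
        raise ValueError("no 40-hex-digit 'fingerprint' entry found in config")
    return m.group(1).upper()


def primary_fingerprints(colon_output, record):
    """Primary-key fingerprints from a --with-colons listing.

    `record` is 'pub' (public listing) or 'sec' (secret listing). Only the fpr
    line directly following a pub/sec record is taken; fpr lines after sub/ssb
    records are subkey fingerprints and are ignored."""
    found = set()
    take_next = False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == record:
            take_next = True
        elif fields[0] == "fpr" and take_next:
            found.add(fields[9].upper())  # field 10 of an fpr record
            take_next = False
        else:
            take_next = False
    return found


def check_server_key(php_text, public_listing, secret_listing):
    """Is the configured fingerprint present as a public and as a secret key?"""
    fpr = config_fingerprint(php_text)
    return {
        "fingerprint": fpr,
        "public_present": fpr in primary_fingerprints(public_listing, "pub"),
        "secret_present": fpr in primary_fingerprints(secret_listing, "sec"),
    }


def keyring_dir_private(path, owner):
    """True if `path` is a directory owned by `owner` with mode exactly 0700
    (drwx------), i.e. what /var/www/.gnupg should look like for www-data."""
    st = os.stat(path)
    owner_ok = pwd.getpwuid(st.st_uid).pw_name == owner
    mode_ok = stat.S_IMODE(st.st_mode) == 0o700
    return stat.S_ISDIR(st.st_mode) and owner_ok and mode_ok


def gpg_listing(homedir, secret=False, gpg="gpg2"):
    """Run gpg against a given keyring directory and return its colon output.
    Run this as the webserver user (e.g. via sudo -u www-data)."""
    what = "--list-secret-keys" if secret else "--list-keys"
    out = subprocess.run([gpg, "--homedir", homedir, "--with-colons", "--fingerprint", what],
                         check=True, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    # Offline demo on the constructed samples. On a real host, feed it the text of
    # passbolt.php plus gpg_listing("/var/www/.gnupg") and gpg_listing(..., secret=True).
    print(check_server_key(SAMPLE_CONFIG, SAMPLE_PUBLIC, SAMPLE_SECRET))
```

Against the constructed samples the result is `public_present: True, secret_present: False`: the configured fingerprint exists in the public keyring but its private half was never imported, which is exactly the "server public key ... is not in the keyring" / "Import the private server key" healthcheck failure. Both values must be True (and `keyring_dir_private("/var/www/.gnupg", "www-data")` must hold) before the browser-extension side is worth looking at.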

In Ubuntu gpg and gpg2 are two separate commands. Should I perform everything with gpg2 and not gpg?

If so, please notice that the first command output would be

/var/www/.gnupg/pubring.gpg
---------------------------
pub   rsa2048/08750EFE 2018-07-17 [SC]
uid         [ unknown] Marco Zanetti (Chissà a cosa serve) <marco.zanetti@company.com>
sub   rsa2048/88638305 2018-07-17 [E]

pub   rsa2048/5335C8B5 2018-07-18 [SC]
uid         [ unknown] Company Testing (Company Testing key) <company.testing@gmail.com>
sub   rsa2048/F23A5957 2018-07-18 [E]

and the second

/var/www/.gnupg/pubring.gpg
---------------------------
sec   rsa2048/08750EFE 2018-07-17 [SC]
uid         [ unknown] Marco Zanetti (Chissà a cosa serve) <marco.zanetti@company.com>
ssb   rsa2048/88638305 2018-07-17 [E]

I can’t help noticing that the second key is absent from the “secret” keyring

Also, this is the output of the plain gpg commands (not gpg2) with the --fingerprint flag

/var/www/.gnupg/pubring.gpg
---------------------------
pub   2048R/08750EFE 2018-07-17
      Key fingerprint = 879D 5094 6E51 18B3 E675  682F 6F7F 2E33 0875 0EFE
uid                  Marco Zanetti (Chissà a cosa serve) <marco.zanetti@company.com>
sub   2048R/88638305 2018-07-17

pub   2048R/5335C8B5 2018-07-18
      Key fingerprint = EB8D CF29 1ED1 E680 91E3  8F69 A6DA 4E2D 5335 C8B5
uid                  company Testing (company Testing key) <company.testing@gmail.com>
sub   2048R/F23A5957 2018-07-18

and

/var/www/.gnupg/secring.gpg
---------------------------
sec   2048R/08750EFE 2018-07-17
      Key fingerprint = 879D 5094 6E51 18B3 E675  682F 6F7F 2E33 0875 0EFE
uid                  Marco Zanetti (Chissà a cosa serve) <marco.zanetti@company.com>
ssb   2048R/88638305 2018-07-17

sec   2048R/5335C8B5 2018-07-18
      Key fingerprint = EB8D CF29 1ED1 E680 91E3  8F69 A6DA 4E2D 5335 C8B5
uid                  company Testing (company Testing key) <company.testing@gmail.com>
ssb   2048R/F23A5957 2018-07-18

Fingerprints look pretty much the same to me

I would delete the keyring and import them again but… with which command(s) then?

Alright. Then indeed it’s best to delete the keyring and start fresh again. There might be some conflicts between GPGv1 and GPGv2, as we have already seen in the past.

The keyring will be created automatically when you import your keys. So:
sudo su -s /bin/bash -c "gpg2 --import name_of_your_secret_key" www-data

The imported key must be the same as the one defined in your passbolt.php file. (same file, same fingerprint)

Then you can run the healthcheck again to see if it’s working.

Thank you Kevin.

I performed
rm -fr /var/www/.gnupg
and then
sudo su -s /bin/bash -c "gpg2 --import /var/www/passbolt_api/config/gpg/serverkey_private.asc" www-data

now if I look at the keys I see

mzanetti@localhost:~$ sudo su -s /bin/bash -c "gpg2 --list-keys --fingerprint" www-data
/var/www/.gnupg/pubring.kbx
---------------------------
pub   rsa2048/5335C8B5 2018-07-18 [SC]
      Key fingerprint = EB8D CF29 1ED1 E680 91E3  8F69 A6DA 4E2D 5335 C8B5
uid         [ unknown] company Testing (company Testing key) <company.testing@gmail.com>
sub   rsa2048/F23A5957 2018-07-18 [E]

mzanetti@localhost:~$ sudo su -s /bin/bash -c "gpg2 --list-secret-keys --fingerprint" www-data
/var/www/.gnupg/pubring.kbx
---------------------------
sec   rsa2048/5335C8B5 2018-07-18 [SC]
      Key fingerprint = EB8D CF29 1ED1 E680 91E3  8F69 A6DA 4E2D 5335 C8B5
uid         [ unknown] company Testing (company Testing key) <company.testing@gmail.com>
ssb   rsa2048/F23A5957 2018-07-18 [E]

It looks all VERY fine to me. The keys are the same, I just have one issue…

(screenshot Selection_077 not included)

The error is always there!!! -.-

You need to perform a user account recovery (or create a new user and follow the setup) for the new server key to be taken into account by the user’s browser extension.
