Could not verify server key. Unable to encrypt the verify token. Error encrypting message: Could not find valid key packet for encryption in key ...222f

passboltUser · July 3, 2018, 1:22pm

Checklist
[y] I have read intro post: About the Installation Issues category
[y] I have read the tutorials, help and searched for similar issues
[y] I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
(unfortunately no logs)
[y] I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue
(let a key expire?)

Our Passbolt worked today just a few hours ago. Then suddenly this error on login screen:

Could not verify server key. Unable to encrypt the verify token. Error encrypting message: Could not find valid key packet for encryption in key …222f
and on password login:

Oops, something went wrong

Couldn’t find it in search engine.

I did:

sudo su -s /bin/bash -c "gpg --list-secret-keys" www-data
and got saying
expired
in the key. Then I extended the key expiration date:

gpg --edit-key ..
key 0
expire
1y
key 1
expire
save

Now it doesn’t say expired anymore:

# su -s /bin/bash -c "gpg --list-secret-keys" www-data
/var/www/.gnupg/secring.gpg
---------------------------
sec   4096R/4F93222F 2017-07-03 [expires: 2019-07-03]
uid                  passbolt XY <**@**.com>
ssb   4096R/96AC0126 2017-07-03

The key fingerprint didn’t change.

Then I did:

$ gpg --armor --export-secret-keys SERVER_KEY@EMAIL.TEST > /var/www/passbolt/config/gpg/serverkey_private.asc
$ gpg --armor --export SERVER_KEY@EMAIL.TEST > /var/www/passbolt/config/gpg/serverkey.asc

mentioned in Passbolt Help | Install Passbolt CE on Debian 9 (Stretch).

But unfortunately still same error.

$ sudo su -s /bin/bash www-data
/var/www/pb/bin/cake passbolt healthcheck

says:

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell......Segmentation fault (core dumped)

remy · July 4, 2018, 5:42am

This is a message from the web extension side. Meaning even if you remove the expiry date on the key server side, the client still have the original version of the key with the expiration date set. You can reset the server key on the client side by performing an account recovery.

It seems there is critical error with php-gnupg when parsing this updated key.

I would suggest the following to resolve your problem:

Delete the gnupg keyring for the www-data user (make a backup of the original one)
Create a new server key that does not expire (in a fresh www-data user keyring)
Export the public and private key in the config directory
Update the fingerprint in the config/passbolt.php file
Run a healthcheck to see if the new key is working fine
Initiate an account recovery for all the users to approve the new public server key

I understand this is a painful process, especially if you have many users. We identified this issue a while back and we will schedule some work this summer to allow pushing updated server keys to the client (or drop the gpgauth verify step and need for a server key altogether). Once you are done with the new key, if possible send me the updated key so that we can investigate the issue with parsing php-gnupg.

passboltUser · July 4, 2018, 8:06am

Thanks. Can you post the bash commands for your mentioned problem resolution for 2nd and 3rd point?
For the first point I did:
cp /home/www-data/.gnupg/ /home/www-data/.gnupg_backup -R
For the second point:
gpg --gen-key
but still no keys in:
ls -la /home/www-data/.gnupg
It looks like the key is created in ls -la /var/www/.gnupg

Wouldn’t deleting the whole www-data keyring also delete stored user’s passwords?

remy · July 4, 2018, 8:56am

Something like this should work:

gpg --gen-key
gpg --armor --export-secret-keys NEW_KEY_EMAIL > /var/www/pb/config/gpg/serverkey_private.asc
gpg --armor --export NEW_KEY_EMAIL > /var/www/pb/config/gpg/serverkey.asc
sudo su -s /bin/bash -c "gpg --home /home/www-data/.gnupg --import /var/www/pb/config/gpg/serverkey_private.asc" www-data

passboltUser · July 4, 2018, 9:10am

Thanks. My commands worked, but wondered why I still had the same error, turns out after removing the plugin firefox had to be restarted. Works now and all keys are still there

Running the healthcheck using

sudo su -s /bin/bash www-data
/var/www/pb/bin/cake passbolt healthcheck

exits with

Healthcheck shell......Segmentation fault (core dumped)

.

$ sudo su -s /bin/bash -c "/var/www/pb/bin/cake passbolt healthcheck" www-data

also doesn’t work and exits without the Segmentation fault message: Healthcheck shell.......

But

$ /var/www/pb/bin/cake passbolt healthcheck

as a different user (neither root, nor www-data) works (not sure if it worked before):

[FAIL] The public image directory and its content are not writable.
[FAIL] The logs directory and its content are not writable.
[FAIL] The database schema is not up to date.
[FAIL] The environment variable GNUPGHOME is set to /home/username/.gnupg, but the directory does not exist.
[FAIL] The server public key defined in the config/passbolt.php is not in the keyring

Ok, I will check these errors out.

system · July 9, 2018, 9:10am

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.