Could not verify server key. Unable to encrypt the verify token. Error encrypting message: Could not find valid self-signature in key

Checklist
[x] I have read intro post: t/about-the-installation-issues-category/12
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[ ] I describe the steps on how to reproduce the issue

I’m attempting a fresh install of the docker version of the passbolt-pro build
passbolt/passbolt latest-pro 5842ea6f3fde 2 months ago 563 MB

I use the following command to bring the system up:

docker run -d --name mariadb --net passbolt_network \
-v /home/conxx/docker/mariadb_passbolt_data:/var/lib/mysql \
-e MYSQL_ROOT_PASSWORD=root_password \
-e MYSQL_DATABASE=mariadb_database \
-e MYSQL_USER=mariadb_user \
-e MYSQL_PASSWORD=mariadb_password \
mariadb

docker run --name passbolt-pro --net passbolt_network -v /home/conxx/docker/subscription_key.txt:/var/www/passbolt/config/license -p 7443:443 -p 7080:80 -e DATASOURCES_DEFAULT_HOST=mariadb -e DATASOURCES_DEFAULT_PASSWORD=mariadb_password -e DATASOURCES_DEFAULT_USERNAME=mariadb_user -e DATASOURCES_DEFAULT_DATABASE=mariadb_database -e APP_FULL_BASE_URL=https://subdomain.example.com -e APP_BASE=/passbolt passbolt/passbolt:latest-pro

I’m using APP_FULL_BASE_URL and APP_BASE as I’m installing this behind an nginx proxy.

After the install I’m able to run the following command to get a user and the URL to finish set up.

docker exec passbolt-pro su -m -c "/var/www/passbolt/bin/cake \
passbolt register_user \
-u user@example.com \
-f First \
-l Last \
-r admin" -s /bin/sh www-data

The browser has no problem grabbing the extension and finishing my user set up, until I get to the actual log in screen where I receive the message:

Could not verify server key. Unable to encrypt the verify token. Error encrypting message: Could not find valid self-signature in key

Below is the output from the healthcheck:

root@25cfba38f36a:/var/www/passbolt# su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt healthcheck" www-data

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.21.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /var/www/passbolt/config/
  [HELP] Copy /var/www/passbolt/config/passbolt.default.php to /var/www/passbolt/config/passbolt.php
  [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://subdir.example.com
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
  [HELP] Check that the domain name is correct in config/passbolt.php
  [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
  [HELP] cURL Error (6) Could not resolve host: sub.example.com

 Database

 [PASS] The application is able to connect to the database
 [PASS] 35 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
 [PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
 [FAIL] The server gpg key is not set
  [HELP] Create a key, export it and add the fingerprint to config/passbolt.php
  [HELP] See. /help/tech/install#toc_gpg
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [FAIL] The server key fingerprint doesn't match the one defined in config/passbolt.php.
  [HELP] Double check the key fingerprint, example:
  [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /home/www-data/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
  [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
  [HELP] See. /help/tech/install#toc_gpg
 [FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring
  [HELP] Import the private server key in the keyring of the webserver user.
  [HELP] you can try:
  [HELP] sudo su -s /bin/bash -c "gpg --home /home/www-data/.gnupg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data
 [FAIL] The server key does not have a valid email id.
  [HELP] Edit or generate another key with a valid email id.

 Application configuration

 [FAIL] Could not connect to passbolt repository to check versions. It is not possible check if your version is up to date.
  [HELP] Check the network configuration to allow this script to check for updates.
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

  8 error(s) found. Hang in there!

I believe the following errors do not matter as I’m behind a proxy and just hitting this over http:

[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.

The following errors I believe are what is giving me trouble:

[FAIL] The server gpg key is not set
[HELP] Create a key, export it and add the fingerprint to config/passbolt.php
[HELP] See. help/tech/install#toc_gpg

[FAIL] The server key fingerprint doesn’t match the one defined in config/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /home/www-data/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[HELP] See. /help/tech/install#toc_gpg

[FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /home/www-data/.gnupg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data

[FAIL] The server key does not have a valid email id.
[HELP] Edit or generate another key with a valid email id.

The advice to go to /help/tech/install#toc_gpg seems odd as that is the entry point to the tutorials I used to do the install. I wonder if there used to be a better page referenced by this URL?

I find the page /t/fail-the-server-gpg-key-is-not-set/1458 talking about a similar issue and he says "Find the solution ! I did a fresh start and didn’t put a password on the gpg key !"

But as they were installing from source I’m not sure that’s relevant, nor do I really know what is meant by “didn’t put a password on the gpg key”.

There is the post /t/docker-install-could-not-verify-server-key/1903/2 which has a slightly different but close error that seems to imply that once I get this working, if I don’t add that extra persistent mount I’ll probably end up with that error if the container ever reboots. Why wouldn’t that be in the install tutorial? Ah well, maybe it is; it seems to be talked about later on in the part about docker compose, which at first I skipped over thinking it didn’t apply to me.

However, they still do have that same “Could not verify server key. Unable to encrypt the verify token. Error encrypting message: Could not find valid self-signature in key” error I get in the web UI.

Can someone point me to what I’m missing to get this to deal with:

[FAIL] The server gpg key is not set
[HELP] Create a key, export it and add the fingerprint to config/passbolt.php
[HELP] See. passbolt.com/help/tech/install#toc_gpg

Since the referenced docs don’t really point to anything specific.

Am I missing an env var by chance?

Is it perhaps because I’m bringing this container up in an environment where there isn’t internet available?

Any help would be appreciated.
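Added example, not code from this thread or from passbolt: a small Python check that mirrors the three GPG healthcheck items above (key present in the keyring, fingerprint matching the configured value, user id carrying a valid e-mail address) by parsing the machine-readable output of `gpg --homedir /home/www-data/.gnupg --list-keys --with-colons --fingerprint`. The listing embedded below is constructed; its fingerprints and user ids are placeholders, and the configured fingerprint is whatever is set in config/passbolt.php or the environment.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `gpg --homedir /home/www-data/.gnupg --list-keys --with-colons --fingerprint`;
# the key ids, fingerprints and user id are placeholders, not real keys.
SAMPLE_LISTING = """\
pub:u:4096:1:89ABCDEF01234567:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000000000000000000000000000::Passbolt Server <admin@example.com>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1600000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""
# Same key, but the user id carries no e-mail address (the healthcheck's "valid email id" failure).
SAMPLE_LISTING_NO_EMAIL = SAMPLE_LISTING.replace("Passbolt Server <admin@example.com>", "Passbolt Server")

EMAIL_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+\.[^<>@\s]+)>")

@dataclass
class Key:
    fingerprint: str
    uids: list = field(default_factory=list)

def parse_colon_listing(text):
    """Collect primary-key fingerprints and user ids from a --with-colons listing."""
    keys, current = [], None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = None                       # the primary fingerprint is the next fpr record
        elif fields[0] == "fpr" and current is None:
            current = Key(fingerprint=fields[9].upper())
            keys.append(current)
        elif fields[0] == "uid" and current is not None:
            current.uids.append(fields[9])       # subkey fpr records are skipped: current is set
    return keys

def check_server_key(listing, configured_fingerprint):
    """Return [(status, message), ...] for the keyring and email checks the healthcheck runs."""
    want = configured_fingerprint.replace(" ", "").upper()   # accept the spaced human-readable form
    key = next((k for k in parse_colon_listing(listing) if k.fingerprint == want), None)
    if key is None:
        return [("FAIL", "configured server key fingerprint is not in the keyring")]
    results = [("PASS", "server key fingerprint matches the configuration")]
    emails = [m.group(1) for m in map(EMAIL_RE.search, key.uids) if m]
    if emails:
        results.append(("PASS", f"server key has a valid email id: {emails[0]}"))
    else:
        results.append(("FAIL", "server key does not have a valid email id"))
    return results
```

To run it against a real keyring, feed `check_server_key` the output of the gpg command from the lead-in (run as www-data) together with the configured fingerprint; a FAIL on the first check is the "not in the keyring" case, a FAIL on the second is the "valid email id" case.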

Hello @bwigfield,

By default the docker image will create OpenPGP keys unless you provide them. The issue however is that this key will not persist, which may be your issue here. In the documentation (albeit toward the end) there is a section that explains how to persist the keys, e.g. it is done using a bind mount like you did for the subscription key:

docker run --name passbolt --net passbolt_network \
             --mount type=bind,\
               source=<host_path_to_gnupg_keys_dir>,\
               target=/var/www/passbolt/config/gpg \
             --mount type=bind,\
               source=<path_subscription>,\
               target=/var/www/passbolt/config/license \
             -p 443:443 \
             -p 80:80 \
             -e DATASOURCES_DEFAULT_HOST=mariadb \
             -e DATASOURCES_DEFAULT_PASSWORD=<mariadb_password> \
             -e DATASOURCES_DEFAULT_USERNAME=<mariadb_user> \
             -e DATASOURCES_DEFAULT_DATABASE=<mariadb_database> \
             -e APP_FULL_BASE_URL=https://mydomain.com \
             passbolt/passbolt:latest-pro

You can find an example in a docker-compose file here:

Also, on a side note, I wouldn’t recommend running passbolt under a directory (e.g. with APP_BASE=/passbolt), as this is known to cause issues.

Feel free to contact us at support@passbolt.com since you are a pro customer; you can get help here also.
