Checklist
[ x] I have read intro post: About the Installation Issues category
[x ] I have read the tutorials, help and searched for similar issues
[x ] I provide relevant information about my server (component names and versions, etc.)
[ ] I provide a copy of my logs and healthcheck
[ ] I describe the steps I have taken to trouble shoot the problem
[ ] I describe the steps on how to reproduce the issue
We are using passbold CE docker version 2.1-debian since may 2018. Last week
our users could not login anymore, getting the error “Could not verify server key. Unable to encrypt the verify token. Error encrypting message: Could not find valid key packet for encryption in key …”
I found multiple topics with this title so i investigated:
____ __ ____
/ __ ____ _____ / / ____ / / /
/ // / __ `/ / / __ / __ / / _/
/ / // ( | ) // / // / / /
// _,///./_//__/
Open source password manager for teams
---------------------------------------------------------------
Healthcheck shell
---------------------------------------------------------------
Environment
[PASS] PHP version 7.2.6.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.
Config files
[PASS] The application config file is present
[WARN] The passbolt config file is missing in /var/www/passbolt/config/
[HELP] Copy /var/www/passbolt/config/passbolt.php.default to /var/www/passbolt/config/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables
Core config
[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.intranet.plano
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fopen(): Failed to enable crypto
fopen(https://passbolt.intranet.plano/healthcheck/status.json): failed to open stream: operation failed
Database
[PASS] The application is able to connect to the database
[PASS] 18 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The server gpg key is not the default one
[PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
[PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
Application configuration
[FAIL] This installation is not up to date. Currently using 2.1.0 and it should be v2.11.0.
[HELP] See. https://www.passbolt.com/help/tech/update
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[WARN] Registration is open to everyone.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set passbolt.registration.public to false in config/passbolt.php.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.
3 error(s) found. Hang in there!
Passbold runs behind a reverse proxy - the SSL errors can be ignored.
Next checking the gpg keys:
root@50aff3cf2be2:/var/www/passbolt# su -c “gpg --list-secret-keys” -s /bin/bash www-data
/home/www-data/.gnupg/pubring.kbx
---------------------------------
sec rsa2048 2018-04-24 [SC]
AA18E0670D9F8F6994CE80EBA4FDFE0EAD207536
uid [ unknown] Passbolt default user technik@planopunkt.de
ssb rsa2048 2018-04-24 [E]
root@50aff3cf2be2:/var/www/passbolt# su -c "gpg --list-keys" -s /bin/bash www-data
/home/www-data/.gnupg/pubring.kbx
---------------------------------
pub rsa2048 2018-04-24 [SC]
AA18E0670D9F8F6994CE80EBA4FDFE0EAD207536
uid [ unknown] Passbolt default user <technik@planopunkt.de>
sub rsa2048 2018-04-24 [E]
GPG key look good. As a workaround, our users login via in the passbolt extension and then
use the “open passbolt in new tab” link. They land logged in on the passbolt website.
I tried an account recovery with my private key, but got the error “This key doesn’t match any account”.
The error logs shows mulitple route matching errors ( A route matching “/account/settings.json” could not be found.)
Has anybody an idea, what else i can try to fix this problem?
Thank you!
Steffen