Could not verify server key

Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[ ] I provide a copy of my logs and healthcheck
[ ] I describe the steps I have taken to troubleshoot the problem
[ ] I describe the steps on how to reproduce the issue

We are using passbolt CE docker version 2.1-debian since May 2018. Last week
our users could not log in anymore, getting the error "Could not verify server key. Unable to encrypt the verify token. Error encrypting message: Could not find valid key packet for encryption in key …"

I found multiple topics with this title so I investigated:

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.2.6.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /var/www/passbolt/config/
  [HELP] Copy /var/www/passbolt/config/passbolt.php.default to /var/www/passbolt/config/passbolt.php
  [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.intranet.plano
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
  [HELP] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fopen(): Failed to enable crypto
fopen(https://passbolt.intranet.plano/healthcheck/status.json): failed to open stream: operation failed

 Database

 [PASS] The application is able to connect to the database
 [PASS] 18 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The server gpg key is not the default one
 [PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
 [PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [FAIL] This installation is not up to date. Currently using 2.1.0 and it should be v2.11.0.
  [HELP] See. https://www.passbolt.com/help/tech/update
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [WARN] Registration is open to everyone.
  [HELP] Make sure this instance is not publicly available on the internet.
  [HELP] Or set passbolt.registration.public to false in config/passbolt.php.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

  3 error(s) found. Hang in there!

Passbolt runs behind a reverse proxy - the SSL errors can be ignored.
Next checking the gpg keys:
root@50aff3cf2be2:/var/www/passbolt# su -c "gpg --list-secret-keys" -s /bin/bash www-data
/home/www-data/.gnupg/pubring.kbx
---------------------------------
sec   rsa2048 2018-04-24 [SC]
      AA18E0670D9F8F6994CE80EBA4FDFE0EAD207536
uid           [ unknown] Passbolt default user <technik@planopunkt.de>
ssb   rsa2048 2018-04-24 [E]

root@50aff3cf2be2:/var/www/passbolt# su -c "gpg --list-keys" -s /bin/bash www-data
/home/www-data/.gnupg/pubring.kbx
---------------------------------
pub   rsa2048 2018-04-24 [SC]
      AA18E0670D9F8F6994CE80EBA4FDFE0EAD207536
uid           [ unknown] Passbolt default user <technik@planopunkt.de>
sub   rsa2048 2018-04-24 [E]

The GPG keys look good. As a workaround, our users log in via the passbolt extension and then
use the "open passbolt in new tab" link. They land logged in on the passbolt website.

I tried an account recovery with my private key, but got the error "This key doesn't match any account".
The error log shows multiple route matching errors (A route matching "/account/settings.json" could not be found.)

Does anybody have an idea what else I can try to fix this problem?

Thank you!

Steffen

Hello @plano,

Why are you using version 2.1? Currently the stable version is v2.11.

Also, did your server key expire at some point and you updated it on the server? If that's the case the clients need to do a recovery to use the new server key.

Hi remy,

I will update the container once this problem is solved. We never had problems with passbolt before, so there was no need to upgrade.

The server key is 1.5 years old and gpg gives no expiry date. I assume the server key was created by
passbolt without an expiry date set. The server key has not been changed since the container was created.

Thank you for your input @remy.

Steffen

"Error encrypting message: Could not find valid key packet for encryption in key" is typically shown when the server key is expired. Do you have a copy of the server public key I could use to try to reproduce the issue?

The error log shows multiple route matching errors (A route matching "/account/settings.json" could not be found.)

This is an old bug that has been fixed (but not fixed in 2.1).
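To check the explanation above against an actual keyring, here is an added example (not part of this thread and not passbolt's own code) that parses the machine-readable output of `gpg --with-colons --list-keys <fingerprint>` and reports whether the key still has an encryption-capable subkey that is neither expired nor revoked. The two embedded listings are constructed to mirror the key shown earlier in the thread (a sign/certify primary with one encryption subkey, and the same key with the subkey expired); the subkey id and the uid hash in them are placeholders, and the `run_gpg` helper is an assumed wrapper around the real gpg options.

```python
"""Report whether a GnuPG key (for example a passbolt server key) can still
be used for encryption, from `gpg --with-colons --list-keys` output.

Colon-format fields used here (see gpg's doc/DETAILS):
  field 1  record type (pub, sub, uid, fpr, ...)
  field 2  validity: 'e' = expired, 'r' = revoked, 'u'/'f'/'-' = usable
  field 6  creation time (unix seconds)
  field 7  expiration time (unix seconds, empty = never expires)
  field 12 capabilities of this key itself, lowercase: 'e' = encrypt,
           's' = sign, 'c' = certify. Uppercase letters on a pub line
           summarize the whole key and are deliberately ignored.
"""
import subprocess
import time

# Constructed sample: sign/certify primary, encryption subkey, no expiry
# (the fingerprint is the one from the thread; subkey id and uid hash are
# placeholders).
SAMPLE_OK = """\
pub:u:2048:1:A4FDFE0EAD207536:1524528000:::u:::scESC::::::23::0:
fpr:::::::::AA18E0670D9F8F6994CE80EBA4FDFE0EAD207536:
uid:u::::1524528000::PLACEHOLDERUIDHASH::Passbolt default user <technik@planopunkt.de>::::::::::0:
sub:u:2048:1:0000000000000001:1524528000::::::e::::::23:
"""

# Constructed sample: same key, but the encryption subkey expired on
# 2019-04-25 (1556150400); gpg then shows validity 'e' on the sub line.
SAMPLE_EXPIRED = """\
pub:u:2048:1:A4FDFE0EAD207536:1524528000:::u:::scESC::::::23::0:
fpr:::::::::AA18E0670D9F8F6994CE80EBA4FDFE0EAD207536:
uid:u::::1524528000::PLACEHOLDERUIDHASH::Passbolt default user <technik@planopunkt.de>::::::::::0:
sub:e:2048:1:0000000000000001:1524528000:1556150400:::::e::::::23:
"""


def parse_colons(text):
    """Split colon-format output into lists of fields, skipping blank lines."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def encryption_status(colon_output, now=None):
    """Return (ok, reason).

    ok is True iff at least one pub/sub record has the lowercase 'e'
    capability and is neither revoked nor expired at time `now`.
    """
    now = time.time() if now is None else now
    problems = []
    for f in parse_colons(colon_output):
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue
        if "e" not in f[11]:          # this key cannot encrypt at all
            continue
        validity = f[1]
        expires = int(f[6]) if f[6] else None
        if validity == "r":
            problems.append("%s %s revoked" % (f[0], f[4]))
        elif validity == "e" or (expires is not None and expires <= now):
            problems.append("%s %s expired at %s" % (f[0], f[4], expires))
        else:
            return True, "usable encryption %s %s (expires: %s)" % (
                f[0], f[4], expires if expires else "never")
    return False, "; ".join(problems) or "no encryption-capable key found"


def run_gpg(fingerprint, gnupghome=None):
    """Assumed helper: list one key in colon format from a real keyring.
    `--with-colons` and `--list-keys` are standard gpg options; run this
    as the web server user (e.g. via `su -s /bin/bash www-data`) so the
    same GNUPGHOME is used as by passbolt."""
    cmd = ["gpg", "--with-colons", "--list-keys", fingerprint]
    if gnupghome:
        cmd[1:1] = ["--homedir", gnupghome]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("expired", SAMPLE_EXPIRED)):
        print(name, encryption_status(sample))
```

If the function reports False for the server key, that matches the "Could not find valid key packet for encryption" error and the fix is to extend or replace the key (after which clients must do a recovery, as noted above); if it reports True, as it would for the key listed earlier in this thread, the cause lies elsewhere.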

Yes, I prepared an archive with the key pair. How can I send it to you? I have not found
a way to PM you.

You can send it at support@passbolt.com. Please only send the key as a text file, not an archive.

Dear Passbolt support team,

the new version of the extension for chrome and firefox fixes my problem. Thank you very much
for your quick help.

Kind regards,

Steffen
