Could not verify the server key. The authentication failed. [fingerprint problem?]

Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[x] I describe the steps on how to reproduce the issue

Hello,
I’ve installed and run passbolt on docker - it was working as expected. After restarting the docker stack I get the error: “Could not verify the server key. The authentication failed.”

The installation was finished by creating the initial user ‘passboltadm’.
After passbolt was up and running I registered another user ‘usr1’ that was added to the admin group too. Unfortunately I removed user ‘passboltadm’.
Passbolt was running after removal and I was able to store account data till docker restart.

After docker restart of the passbolt stack I get the error mentioned above.

I logged into the passbolt container.

gpg --home $GNUPGHOME --list-keys

shows public keys of ‘passboltadm’ and ‘usr1’

gpg --home $GNUPGHOME --list-secret-keys

shows only private key of user ‘passboltadm’

Exporting PASSBOLT_GPG_SERVER_KEY_FINGERPRINT for ‘passboltadm’ and running

./bin/cake passbolt healthcheck

works (successful, only mentioning that SSL use is not forced)

Exporting PASSBOLT_GPG_SERVER_KEY_FINGERPRINT for ‘usr1’ and running healthcheck fails with:

./bin/cake passbolt healthcheck

Could not use key A1A...  for signing. get_key failed in /usr/share/php/passbolt/src/Utility/OpenPGP/Backends/Gnupg.php on line 240
Caused by: [Exception] get_key failed in /usr/share/php/passbolt/src/Utility/OpenPGP/Backends/Gnupg.php on line 236

Healthcheck

./bin/cake passbolt healthcheck

send a test email

./bin/cake passbolt send_test_email \
  --recipient=youremail@domain.com

the datacheck

./bin/cake passbolt datacheck --hide-success-details

and database migrations status

./bin/cake migrations status

are fine (pass).

So I guess it was a bad idea to remove the user from the installation process …

How to recover without losing stored account infos?

I’d like to mention that I did not specify the DATASOURCES_DEFAULT_ env variables in the docker-compose.yml. Instead I used passbolt’s install wizard.
After docker reboot and without the env variables I got the error that passbolt wasn’t installed and then the internal error 500 after starting the installation wizard.
After adding the DATASOURCES_DEFAULT_ variables to docker-compose.yml I end up with the “Could not verify the server key” error … not sure if this info is relevant.

thank you in advance,
Oliver


I was able to recover from the problem by (making a backup before) removing the files serverkey_private.asc/serverkey.asc in directory gpg and jwt.key/jwt.pem in directory jwt. After restarting the passbolt docker container I was notified that the fingerprint has changed. All the account data I had registered are available again.

What I need to know is: is there still a problem because I had removed the first user (admin group) that was created during the installation process?

Hey @olko welcome to the forum!

Deleting an admin account won’t cause an issue with the server so you are fine there.

Since you rotated your GPG key you’ll want to take a look at the administration settings though and possibly re-add any that are missing. These are encrypted with the GPG key and stored in the database, so rotating it can make them unreadable.

Hi clayton, you are right the setting for the email server are lost.

What I’m wondering is why the gpg keys from the removed ‘passboltadm’ are still in the keyring? Especially its private key is available while the private key of my account isn’t shown.

Might it be a good idea to re-add the “Passbolt default user” ‘passboltadm’ with its gpg-keys? If yes, what are the steps?

Are you sure that this is the private key of the previously deleted user and not just the server GPG key? Depending what email address you used to make the server GPG key it might look like the user’s key but actually be the server key

The private key of the users shouldn’t be on the server.

Seems that it was the server GPG key.

gpg --list-keys

outputs:

pub   rsa3072 2023-12-04 [SC]
      63210....
uid   [ultimate] Passbolt default user <passbolt@yourdomain.com>

Under which circumstances does the connection between passbolt server and database break? I don’t understand why this error I reported happened … (I’d like to prevent it in the future).
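A small added script (not from this thread and not part of passbolt) that does the two keyring checks discussed above in one go: the `--list-keys` / `--list-secret-keys` comparison against PASSBOLT_GPG_SERVER_KEY_FINGERPRINT from the first post, and the "is this the server key or a user key?" question answered by the uid in the listing just above. It parses the machine-readable `gpg --with-colons` record format (documented in GnuPG's doc/DETAILS) instead of eyeballing the human-readable output. The sample listings, fingerprints, user IDs and the `check_live_keyring` helper are constructed for illustration; only the functions and the colon record layout are real.

```shell
#!/bin/sh
# Added example: inspect a GnuPG keyring as passbolt's healthcheck would see it.
# Fingerprints, uids and timestamps below are constructed, not from a real server.

# Print the primary-key fingerprint of each pub/sec record on stdin.
# Only the fpr record directly after pub/sec is the primary fingerprint;
# fpr records after sub/ssb belong to subkeys and are skipped.
# Optional $1 restricts the record type to "pub" or "sec".
primary_fingerprints() {
  awk -F: -v kind="${1:-}" '
    ($1 == "pub" || $1 == "sec") && (kind == "" || $1 == kind) { want = 1; next }
    $1 == "fpr" && want { print $10 }
    { want = 0 }
  '
}

# Print "<primary fingerprint><TAB><first user ID>" for each key on stdin,
# so a key can be recognised as the server key (uid "Passbolt default user")
# rather than a user's key.
key_uids() {
  awk -F: '
    $1 == "pub" || $1 == "sec" { fpr = ""; next }
    $1 == "fpr" && fpr == ""  { fpr = $10; next }
    $1 == "uid" && fpr != "" && !seen[fpr]++ { printf "%s\t%s\n", fpr, $10 }
  '
}

# Succeed only if the secret-key listing on stdin contains a primary secret key
# whose fingerprint equals $1. Spaces and case are normalised because the
# fingerprint is usually pasted into PASSBOLT_GPG_SERVER_KEY_FINGERPRINT.
has_secret_key() {
  want=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  primary_fingerprints sec | grep -qxF -- "$want"
}

# Live usage against the container keyring (assumes GNUPGHOME and
# PASSBOLT_GPG_SERVER_KEY_FINGERPRINT are exported, as in the thread).
# Not called by default so the script stays side-effect free.
check_live_keyring() {
  gpg --homedir "$GNUPGHOME" --with-colons --list-keys | key_uids
  if gpg --homedir "$GNUPGHOME" --with-colons --list-secret-keys \
       | has_secret_key "$PASSBOLT_GPG_SERVER_KEY_FINGERPRINT"; then
    echo "secret key for configured fingerprint present"
  else
    echo "no secret key for configured fingerprint: healthcheck will fail with get_key" >&2
    return 1
  fi
}

# Constructed sample of `gpg --with-colons --list-keys`: the server key plus a
# user's public key, mirroring what the thread reports.
SAMPLE_PUB='tru::1:1700000000:0:3:1:5
pub:u:3072:1:0123456789ABCDEF:1701648000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1701648000::::Passbolt default user <passbolt@yourdomain.com>:
sub:u:3072:1:1111222233334444:1701648000::::::e::::::23:
fpr:::::::::1111222233334444555566667777888899990000:
pub:-:3072:1:FEDCBA9876543210:1701700000:::-:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:-::::1701700000::::usr1 <usr1@example.com>:'

# Constructed sample of `gpg --with-colons --list-secret-keys`: only the server
# key has a secret part on the server, as it should.
SAMPLE_SEC='sec:u:3072:1:0123456789ABCDEF:1701648000:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1701648000::::Passbolt default user <passbolt@yourdomain.com>:
ssb:u:3072:1:1111222233334444:1701648000::::::e:::+:::23:
fpr:::::::::1111222233334444555566667777888899990000:'
```

Run the script sourced in the container and call `check_live_keyring`: the uid column tells you which entry is the server key, and `has_secret_key` with the fingerprint you exported reproduces the healthcheck outcome offline. With a user's fingerprint it fails, which is the expected state: user private keys are never supposed to be in the server keyring, so the fingerprint configured for the server must belong to the key created for the server itself.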

Typically the connection between passbolt and the database won’t break.

I see that you mention you changed the connection information and restarted docker. What commands did you use for the restart?

I’m not sure what has broken the connection between db and passbolt-service.
I guess it was re-deploying the docker configuration, but the persistent storage wasn’t changed - which should keep the connection. I’m confused …

The persistent storage wasn’t changed but you mentioned the environment variables like DATASOURCES_DEFAULT_ were changed which hold the connection information for passbolt

right but the data I put into the install wizard and later into the DATASOURCES_DEFAULT_ variables are the same, meaning pointing to the same db instance

For a docker install there typically wouldn’t be an install wizard and you’d just be filling in the environment variables. How did you access the install wizard for this?

Just want to make sure I have the full steps for what you did here for the installation

I did a typical docker installation (without the env variables).
After the docker instance was up I entered the URL (passbolt.myurl.com).
The start pages told me that the installation is not complete - the page provides a button to start the wizard (asking for db account, first user etc.).

Ok, that is a bit outside of the typical install path. I don’t believe your route is tested, the expectation when using docker is that you’d update the environment variables and install that way.

If you haven’t input any passwords yet I’d recommend starting over and following the standard installation for docker.

Hmm - using the wizard was more convenient …
Unfortunately I’ve moved my passwords to passbolt.
At the moment I start the docker container with following environment variables:

  • APP_FULL_BASE_URL:
  • DATASOURCES_DEFAULT_HOST:
  • DATASOURCES_DEFAULT_DATABASE:
  • DATASOURCES_DEFAULT_USERNAME:
  • DATASOURCES_DEFAULT_PASSWORD:

Because the wizard completed without errors I assume that the installation (storing the relevant data into the database) was correct.
Is there any check beside the healthcheck that can validate the correctness of my installation?

In that case I’d recommend taking a backup and following the migration guide. I’m guessing the GPG issue you faced comes from not following the installation guide. The webinstaller path creates a GPG key but this is also done in docker if you don’t specify one with an environment variable (the rotate keys page shows this in action). I am not sure what all issues you may face down the line by keeping your current set up.

Other than the healthcheck we also have a status-report that can be run which is the healthcheck plus a few extra commands. It follows the same instructions as the healthcheck but you’d run ./bin/status-report instead of ./bin/cake passbolt healthcheck

Thank you Clayton, I’ll take a backup and do a fresh installation of passbolt (as the links show I can export and re-import the stored accounts).