Decryption failed | several GPG errors

Hi everyone,

I just came across your project and really like it, so I thought I’d give it a try on my own server.
I managed to install Passbolt on my LXC container running CentOS 7.4.1708, hosted on Proxmox VE.
Here’s the rest of my environment:

Installation directory: /var/www/vault
Passbolt running on nginx with mariadb, php-fpm, secured with a Let's Encrypt SSL certificate

[23:13:31] [passbolt-01][~] # rpm -qa | grep php
php-composer-semver-1.4.2-1.el7.noarch
php-composer-spdx-licenses-1.4.0-1.el7.noarch
php-symfony-dom-crawler-2.8.12-2.el7.noarch
php-symfony-var-dumper-2.8.12-2.el7.noarch
php-cli-7.0.31-1.el7.remi.x86_64
php-7.0.31-1.el7.remi.x86_64
php-devel-7.0.31-1.el7.remi.x86_64
php-mbstring-7.0.31-1.el7.remi.x86_64
php-PsrLog-1.0.2-2.el7.noarch
php-symfony-yaml-2.8.12-2.el7.noarch
php-symfony-css-selector-2.8.12-2.el7.noarch
php-composer-ca-bundle-1.0.2-1.el7.noarch
php-seld-phar-utils-1.0.1-1.el7.noarch
php-symfony-debug-2.8.12-2.el7.noarch
php-password-compat-1.0.4-1.el7.noarch
php-symfony-polyfill-1.5.0-1.el7.noarch
php-symfony-dependency-injection-2.8.12-2.el7.noarch
php-symfony-browser-kit-2.8.12-2.el7.noarch
php-symfony-http-foundation-2.8.12-2.el7.noarch
php-symfony-console-2.8.12-2.el7.noarch
php-symfony-http-kernel-2.8.12-2.el7.noarch
php-json-7.0.31-1.el7.remi.x86_64
php-pdo-7.0.31-1.el7.remi.x86_64
php-gd-7.0.31-1.el7.remi.x86_64
php-pecl-zip-1.15.3-1.el7.remi.7.0.x86_64
php-mysqlnd-7.0.31-1.el7.remi.x86_64
php-intl-7.0.31-1.el7.remi.x86_64
php-xml-7.0.31-1.el7.remi.x86_64
php-fpm-7.0.31-1.el7.remi.x86_64
php-fedora-autoloader-1.0.0-1.el7.noarch
php-symfony-common-2.8.12-2.el7.noarch
php-symfony-process-2.8.12-2.el7.noarch
php-symfony-filesystem-2.8.12-2.el7.noarch
php-jsonlint-1.6.1-1.el7.noarch
php-symfony-expression-language-2.8.12-2.el7.noarch
php-composer-xdebug-handler-1.1.0-2.el7.noarch
php-paragonie-random-compat-2.0.12-1.el7.noarch
php-symfony-config-2.8.12-2.el7.noarch
php-symfony-event-dispatcher-2.8.12-2.el7.noarch
php-common-7.0.31-1.el7.remi.x86_64
php-mcrypt-7.0.31-1.el7.remi.x86_64
php-process-7.0.31-1.el7.remi.x86_64
php-pear-1.10.6-1.el7.remi.noarch
php-symfony-class-loader-2.8.12-2.el7.noarch
php-symfony-finder-2.8.12-2.el7.noarch
php-justinrainbow-json-schema5-5.2.7-1.el7.noarch

[23:14:49] [passbolt-01][~] # rpm -qa | grep nginx
nginx-mod-mail-1.12.2-2.el7.x86_64
nginx-mod-http-perl-1.12.2-2.el7.x86_64
nginx-filesystem-1.12.2-2.el7.noarch
nginx-mod-http-geoip-1.12.2-2.el7.x86_64
nginx-mod-http-image-filter-1.12.2-2.el7.x86_64
nginx-all-modules-1.12.2-2.el7.noarch
nginx-mod-stream-1.12.2-2.el7.x86_64
nginx-mod-http-xslt-filter-1.12.2-2.el7.x86_64
nginx-1.12.2-2.el7.x86_64

[23:15:07] [passbolt-01][~] # rpm -qa | grep maria
mariadb-libs-5.5.60-1.el7_5.x86_64
mariadb-5.5.60-1.el7_5.x86_64
mariadb-server-5.5.60-1.el7_5.x86_64

Also, when I run “php --modules”, the extension “gnupg” is listed within the output of that command.

Okay, let’s get to the errors I’m encountering:
nginx error.log:
nothing.

on the website:
within the logic section:
Oops, something went wrong.

within the GnuPG section:
Could not verify server key. Decryption failed.

within the header (debug turned on):
Warning (2): session_start(): open(/var/lib/php/session/sess_84684vpura02c1dcknjvo3pqe2, O_RDWR) failed: Permission denied (13) [ CORE/src/Network/Session.php , line 335 ]

./bin/cake passbolt healthcheck:
Healthcheck shell…Exception: data signing failed in [/var/www/vault/src/Utility/Healthchecks/GpgHealthchecks.php, line 304]

no other errors in healthcheck.

I’ve already tried understanding the corresponding lines mentioned in the error messages, but unfortunately that didn’t help me as a sysadmin with very little coding knowledge. I also tried modifying a few permissions, but reverted them as this didn’t help either; the permissions look fine.

If you need any more information which I might’ve forgotten in the first post here, I’d be happy to provide more :slight_smile:

Really hope this can be fixed, Passbolt seems like the perfect platform for my team and me :slight_smile:

Cheers,
g1lby

Hi @g1lby,

Sorry to hear you are having problems running passbolt :frowning: Could you provide some info / check the following items:

  • your_passbolt_install_dir/tmp/error.log
  • output from executing your_passbolt_install_dir/bin/cake passbolt healthcheck
  • Could you check that the gpg keyring passbolt is using is owned by the user running your http engine (typically www-data or nginx), and check that the server key passbolt should use is present in the mentioned keyring?

More details on the setup for centos here
Hope this helps!

hi @diego,
thank you so much for getting back to me so quickly!

here are the contents of the log directory within the install dir:
[09:40:27] [passbolt-01][/var/www/vault/tmp] $ ls -la
insgesamt 24
drwxr-xrwx 6 nginx nginx 4096 9. Sep 20:53 .
drwxr-xr-x 14 nginx nginx 4096 9. Sep 22:15 ..
drwxr-xrwx 6 nginx nginx 4096 9. Sep 20:53 cache
-rw-r--r-- 1 nginx nginx 0 9. Sep 20:39 empty
drwxr-xrwx 2 nginx nginx 4096 9. Sep 20:39 selenium
drwxr-xrwx 2 nginx nginx 4096 9. Sep 20:53 sessions
drwxr-xrwx 2 nginx nginx 4096 9. Sep 20:53 tests

there is no error.log file, unfortunately.

as I mentioned, there are no other errors than the one I posted above when running the healthcheck.
but nevertheless, here is the full output of the command you posted:

[09:43:21] [passbolt-01][/var/www/vault] $ ./bin/cake passbolt healthcheck

Open source password manager for teams

Healthcheck shell…Exception: data signing failed in [/var/www/vault/src/Utility/Healthchecks/GpgHealthchecks.php, line 304]

Here are the permissions on the keyring and related files:

[09:44:56] [passbolt-01][/var/lib/nginx/.gnupg] # ls -la
insgesamt 32
drwx------ 3 nginx nginx 4096 10. Sep 09:44 .
drwx------ 8 nginx nginx 4096 9. Sep 22:39 ..
-rw------- 1 nginx nginx 7680 9. Sep 20:45 gpg.conf
drwx------ 2 nginx nginx 4096 9. Sep 21:10 private-keys-v1.d
-rw------- 1 nginx nginx 1197 9. Sep 21:10 pubring.gpg
-rw------- 1 nginx nginx 0 9. Sep 20:45 pubring.gpg~
-rw------- 1 nginx nginx 2575 9. Sep 21:10 secring.gpg
srwxr-xr-x 1 nginx nginx 0 10. Sep 09:43 S.gpg-agent
-rw------- 1 nginx nginx 1200 9. Sep 21:10 trustdb.gpg

could you tell me how I can check whether the serverkey passbolt should use is present in the keyring?

Cheers,
g1lby

Hi!

You could use: gpg --list-keys --fingerprint as the nginx user. In the output you can check that the fingerprint corresponds to the one you introduced in config/passbolt.php
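
The fingerprint comparison suggested above, as an added example that is not part of the original posts and is not passbolt code. It reads gpg's machine-readable `--with-colons` listing instead of the human-readable one; the sample listing, the sample fingerprint and the use of `sudo` are assumptions, while the keyring path and the nginx user are the ones mentioned in this thread.

```bash
#!/bin/sh
# Added example (not passbolt code): is the configured server key fingerprint
# present in the keyring the web user sees? Sample data below is constructed.

# Normalise a fingerprint: strip whitespace, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# Print every fingerprint found in `gpg --with-colons --fingerprint` output
# read from stdin (field 10 of each "fpr" record).
list_fprs() { awk -F: '$1 == "fpr" { print $10 }'; }

# keyring_has_fpr WANTED (listing on stdin): exit 0 if WANTED is listed,
# 1 if it is not, 2 if WANTED is empty.
keyring_has_fpr() {
  want=$(norm_fpr "$1")
  [ -n "$want" ] || return 2
  list_fprs | grep -qx -- "$want"
}

# Constructed colon listing for a made-up key (not taken from the thread).
SAMPLE_LISTING='sec::2048:1:0123456789ABCDEF:2018-09-09::::Passbolt Server (constructed) <admin@example.com>:::
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
ssb::2048:1:FEDCBA9876543210:2018-09-09::::::'

# Constructed value standing in for the fingerprint set in config/passbolt.php.
CONFIGURED='aaaa bbbb cccc dddd eeee ffff 0123 4567 89ab cdef'

if printf '%s\n' "$SAMPLE_LISTING" | keyring_has_fpr "$CONFIGURED"; then
  echo "OK: configured fingerprint is in the keyring"
else
  echo "MISSING: configured fingerprint not found in the keyring"
fi

# Against the real keyring, as root (assumes sudo is installed):
#   sudo -u nginx gpg --homedir /var/lib/nginx/.gnupg --with-colons \
#        --fingerprint --list-secret-keys | keyring_has_fpr "$CONFIGURED"
```

Listing with `--list-secret-keys` rather than `--list-keys` also confirms that the private half needed for signing is in that keyring.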

Hi,

I executed the command you suggested and compared it with the fingerprint I wrote down during the installation.
It matches. It also matches with the one configured in config/passbolt.php.

But one thing that I saw was that this part of the config file was commented out:

'gpg' => [
// Tell GPG where to find the keyring.
// If putenv is set to false, gnupg will use the default path ~/.gnupg.
// For example :
// - Apache on Centos it would be in '/usr/share/httpd/.gnupg'
// - Apache on Debian it would be in '/var/www/.gnupg'
// - Nginx on Centos it would be in '/var/lib/nginx/.gnupg'
// - etc.
// 'keyring' => getenv("HOME") . DS . '.gnupg',
//
// Replace GNUPGHOME with above value even if it is set.
//'putenv' => false,

So I removed the slashes and now I see the following errors in logs/error.log

2018-09-11 08:43:42 Warning: Warning (2): session_start(): open(/var/lib/php/session/sess_84684vpura02c1dcknjvo3pqe2, O_RDWR) failed: Permission denied (13) in [/var/www/vault/vendor/cakephp/cakephp/src/Network/Session.php, line 335]

2018-09-11 08:43:42 Warning: Warning (2): session_write_close() [function.session-write-close]: open(/var/lib/php/session/sess_84684vpura02c1dcknjvo3pqe2, O_RDWR) failed: Permission denied (13) in [Unknown, line 0]

2018-09-11 08:43:42 Warning: Warning (2): session_write_close() [function.session-write-close]: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in [Unknown, line 0]

2018-09-11 08:43:42 Warning: Warning (2): session_start(): open(/var/lib/php/session/sess_84684vpura02c1dcknjvo3pqe2, O_RDWR) failed: Permission denied (13) in [/var/www/vault/vendor/cakephp/cakephp/src/Network/Session.php, line 335]

2018-09-11 08:43:42 Warning: Warning (2): session_write_close() [function.session-write-close]: open(/var/lib/php/session/sess_84684vpura02c1dcknjvo3pqe2, O_RDWR) failed: Permission denied (13) in [Unknown, line 0]

2018-09-11 08:43:42 Warning: Warning (2): session_write_close() [function.session-write-close]: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in [Unknown, line 0]

Still no clue what’s going on :frowning:

Cheers,
Marc

Hi!

Please check that your /var/lib/php/session files are accessible to the www user and restart nginx/php-fpm

I recognized that this folder didn’t belong to nginx but to apache. I changed the owner to nginx.

[09:34:10] [passbolt-01][/var/www/vault/logs] # ls -la /var/lib/php/session/
insgesamt 12
drwxrwx--- 2 nginx nginx 4096 12. Sep 09:33 .
drwxr-xr-x 5 root root 4096 9. Sep 20:51 ..
-rw------- 1 nginx nginx 37 12. Sep 09:33 sess_84684vpura02c1dcknjvo3pqe2

After I restarted php-fpm and nginx, I still get these errors in the logfile of passbolt:

2018-09-12 02:48:28 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/libs/js/iframe.js" could not be found.
Exception Attributes: array (
'url' => '/libs/js/iframe.js',
)
Request URL: /libs/js/iframe.js
2018-09-12 08:53:24 Warning: Warning (2): session_start(): open(/var/lib/php/session/sess_glmmnbunql717q4bon9ltrp493, O_RDWR) failed: Permission denied (13) in [/var/www/vault/vendor/cakephp/cakephp/src/Network/Session.php, line 335]

2018-09-12 08:53:24 Warning: Warning (2): session_write_close() [function.session-write-close]: open(/var/lib/php/session/sess_glmmnbunql717q4bon9ltrp493, O_RDWR) failed: Permission denied (13) in [Unknown, line 0]

2018-09-12 08:53:24 Warning: Warning (2): session_write_close() [function.session-write-close]: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in [Unknown, line 0]

Then I changed mode to 777 but the errors remain. :confused:

Cheers,
Marc

Just a wild guess here but are you using SElinux?

SELinux is turned off via puppet:

[11:23:13] [passbolt-01][/var/www/vault/logs] # getenforce
Disabled

How should we continue troubleshooting?
I’ll be on vacation from tomorrow on for seven days. Can we leave this thread open and not close it automatically?

Hi!

I’m not sure if your problems could come from the fact you are using LXC proxmox (it shouldn’t). However, one last thing came to my mind, which is for you to check that php-fpm and nginx are both running as the same user (nginx user or www-data). This might be the reason why you are having these permission problems.

Otherwise I would encourage you to follow our CentOS guide at https://help.passbolt.com/hosting/install/ce/centos-7.html (which is battle tested) from scratch again.
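
The same-user check described above, as an added example that is not part of the original posts and is not passbolt code. The two process listings are constructed, and the `ps -eo user=,args=` invocation is an assumption about how the listing would be gathered on the server.

```bash
#!/bin/sh
# Added example (not passbolt code): do the php-fpm pool workers and the nginx
# workers run as one user, and which user owns a given directory?

# Unique owners of processes whose command line matches PATTERN.
# Reads `ps -eo user=,args=` style lines (user name first) on stdin.
worker_users() { awk -v pat="$1" '$0 ~ pat { print $1 }' | sort -u; }

# same_worker_user LISTING: prints the shared user and exits 0, else exits 1.
same_worker_user() {
  fpm=$(printf '%s\n' "$1" | worker_users 'php-fpm: pool')
  ngx=$(printf '%s\n' "$1" | worker_users 'nginx: worker process')
  [ -n "$fpm" ] && [ "$fpm" = "$ngx" ] && printf '%s\n' "$fpm"
}

# Owner name of a directory, taken from the third column of `ls -ld`.
dir_owner() { ls -ld -- "$1" | awk '{ print $3 }'; }

# Constructed listings. The master processes run as root in both; only the
# workers, which handle the requests, are compared.
PS_MATCH='root   php-fpm: master process (/etc/php-fpm.conf)
nginx  php-fpm: pool www
root   nginx: master process /usr/sbin/nginx
nginx  nginx: worker process'
PS_MISMATCH='root   php-fpm: master process (/etc/php-fpm.conf)
apache php-fpm: pool www
root   nginx: master process /usr/sbin/nginx
nginx  nginx: worker process'

for listing in "$PS_MATCH" "$PS_MISMATCH"; do
  if user=$(same_worker_user "$listing"); then
    echo "workers share user: $user"
  else
    echo "php-fpm and nginx workers run as different users"
  fi
done

# On the server: same_worker_user "$(ps -eo user=,args=)", then compare the
# result with dir_owner /var/lib/php/session and dir_owner /var/lib/nginx/.gnupg
```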

when running ps aux, this is showing up:

root 733 0.0 0.3 287652 4172 ? Ss Sep12 0:06 php-fpm: master process (/etc/php-fpm.conf)
nginx 734 0.0 1.2 294556 13296 ? S Sep12 0:00 php-fpm: pool www
nginx 735 0.0 1.0 292508 11240 ? S Sep12 0:00 php-fpm: pool www
nginx 736 0.0 1.2 294556 13248 ? S Sep12 0:00 php-fpm: pool www
nginx 737 0.0 1.1 292508 11692 ? S Sep12 0:00 php-fpm: pool www
nginx 738 0.0 1.4 295360 14968 ? S Sep12 0:00 php-fpm: pool www
nginx 762 0.0 0.1 17852 1924 ? Ss Sep12 0:03 gpg-agent --daemon --use-standard-socket
nginx 763 0.0 1.2 294556 13312 ? S Sep12 0:00 php-fpm: pool www
root 27352 0.0 0.3 120968 3244 ? Ss 03:59 0:00 nginx: master process /usr/sbin/nginx
nginx 27353 0.0 0.6 121380 6832 ? S 03:59 0:00 nginx: worker process
nginx 27354 0.0 0.6 121380 6832 ? S 03:59 0:00 nginx: worker process
nginx 27355 0.0 0.6 121380 6832 ? S 03:59 0:00 nginx: worker process
nginx 27356 0.0 0.6 121380 6832 ? S 03:59 0:00 nginx: worker process
nginx 27357 0.0 0.6 121380 6832 ? S 03:59 0:00 nginx: worker process
nginx 27358 0.0 0.6 121380 6832 ? S 03:59 0:00 nginx: worker process
nginx 27359 0.0 0.6 121380 6832 ? S 03:59 0:00 nginx: worker process
nginx 27360 0.0 0.6 121380 6832 ? S 03:59 0:00 nginx: worker process

So the master processes are running as root - is that correct or do these also need to be run as the user nginx?

Cheers,
Marc

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.