Docker install Could not verify server key

Hi

I have (had) a working version of passbolt dockerized. It worked perfectly until I had to restart the server and the container. (Restart policy: always)

After that I get the error:

Could not verify server key. There was an error during authentication.

I entered the docker container and this is the output of some commands:

su -s /bin/bash -c "./bin/cake passbolt healthcheck" www-data

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /var/www/passbolt/config/
  [HELP] Copy /var/www/passbolt/config/passbolt.php.default to /var/www/passbolt/config/passbolt.php
  [HELP] The passbolt config file is not required if passbolt is configured with environment variables

...

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
 [PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
 [FAIL] The server gpg key is not set
  [HELP] Create a key, export it and add the fingerprint to config/passbolt.php
  [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [FAIL] The server key fingerprint doesn't match the one defined in config/passbolt.php.
  [HELP] Double check the key fingerprint, example: 
  [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /home/www-data/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
  [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
  [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring
  [HELP] Import the private server key in the keyring of the webserver user.
  [HELP] you can try:
  [HELP] sudo su -s /bin/bash -c "gpg --home /home/www-data/.gnupg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data
 [FAIL] The server key does not have a valid email id.
  [HELP] Edit or generate another key with a valid email id.

 ...

  4 error(s) found. Hang in there!

And the available keys:

root@2254c7995676:/var/www/passbolt# su -s /bin/bash -c "gpg --list-secret-keys" www-data
/home/www-data/.gnupg/pubring.kbx
---------------------------------
sec   rsa2048 2019-06-28 [SC]
      14183CEF49C8BBB4B9C2F6637EB88C5DD392F0E4
uid           [ultimate] Passbolt default user <passbolt@yourdomain.com>
ssb   rsa2048 2019-06-28 [E]

root@2254c7995676:/var/www/passbolt# 
root@2254c7995676:/var/www/passbolt#  su -s /bin/bash -c "gpg --list-keys" www-data
/home/www-data/.gnupg/pubring.kbx
---------------------------------
pub   rsa2048 2019-06-28 [SC]
      14183CEF49C8BBB4B9C2F6637EB88C5DD392F0E4
uid           [ultimate] Passbolt default user <passbolt@yourdomain.com>
sub   rsa2048 2019-06-28 [E]

pub   rsa2048 2019-04-19 [SC]
      A343CA64F3E4CB16DE4031385316755CD859B5DB
uid           [ unknown] Juan Surname <juan@myserver.com> (passbolt-key)
sub   rsa2048 2019-04-19 [E]

How can I get this configuration right? I would like to restart the container without having to set the key again.

Error log:

2019-07-12 01:28:13 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/robots.txt” could not be found.
Request URL: /robots.txt

2019-07-12 01:28:14 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/sitemap.xml” could not be found.
Request URL: /sitemap.xml

2019-07-12 01:28:14 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/.well-known/security.txt” could not be found.
Request URL: /.well-known/security.txt

These are the ENV variables of the container:

Hello @juca,

In order to persist the server keys, the config/gpg folder should be mounted while starting the docker container.

From the documentation:

$ docker run --name passbolt --net passbolt_network \
             --mount type=bind,source=<host_path_to_gnupg_keys_dir>,target=/var/www/passbolt/config/gpg \
             -p 443:443 \
             -p 80:80 \
             -e DATASOURCES_DEFAULT_HOST=mariadb \
             -e DATASOURCES_DEFAULT_PASSWORD=<mariadb_password> \
             -e DATASOURCES_DEFAULT_USERNAME=<mariadb_user> \
             -e DATASOURCES_DEFAULT_DATABASE=<mariadb_database> \
             -e APP_FULL_BASE_URL=https://mydomain.com \
             passbolt/passbolt:latest

Best regards

Thanks!

You might want to edit the instructions and make mounting the keys folder as a volume the default option, since it will be needed anyway.

And the following ENV variable is also required:

PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=YOUR_FINGERPRINT

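As an added example (not part of this thread and not passbolt's own tooling), the POSIX shell script below reproduces two of the healthcheck's server-key checks from the first post against `gpg --with-colons` listings and composes the run line from the reply with the `--mount` spec kept as a single argument and PASSBOLT_GPG_SERVER_KEY_FINGERPRINT set. The listings are constructed to mirror the keyring shown in the post: the original key A343... has only a public half in the www-data keyring, while the key dated 2019-06-28 is a default key with a private half, which is consistent with a restarted container that could not find config/gpg and generated a new key. Creation timestamps, key-grip hashes, the host keys directory and the domain are assumptions.

```shell
#!/bin/sh
# Added example, not passbolt's own code. Reproduces two of the healthcheck's
# server-key checks against GnuPG colon-format listings and composes a
# docker run line that persists config/gpg and pins the fingerprint.
# The listings are constructed to mirror the keyring shown in the post;
# timestamps, key-grip hashes, host paths and the domain are made up.

# Constructed stand-in for:
#   su -s /bin/bash -c "gpg --list-keys --with-colons" www-data
PUB_LISTING='pub:u:2048:1:7EB88C5DD392F0E4:1561680000:::u:::scESC::::::23::0:
fpr:::::::::14183CEF49C8BBB4B9C2F6637EB88C5DD392F0E4:
uid:u::::1561680000::0123456789ABCDEF0123456789ABCDEF01234567::Passbolt default user <passbolt@yourdomain.com>::::::::::0:
sub:u:2048:1:0011223344556677:1561680000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
pub:-:2048:1:5316755CD859B5DB:1555632000:::-:::scESC::::::23::0:
fpr:::::::::A343CA64F3E4CB16DE4031385316755CD859B5DB:
uid:-::::1555632000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Juan Surname <juan@myserver.com> (passbolt-key)::::::::::0:
sub:-:2048:1:8899AABBCCDDEEFF:1555632000::::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:'

# Constructed stand-in for:
#   su -s /bin/bash -c "gpg --list-secret-keys --with-colons" www-data
# Only the auto-generated default key has a private half here, as in the post.
SEC_LISTING='sec:u:2048:1:7EB88C5DD392F0E4:1561680000:::u:::scESC:::+:::23::0:
fpr:::::::::14183CEF49C8BBB4B9C2F6637EB88C5DD392F0E4:
uid:u::::1561680000::0123456789ABCDEF0123456789ABCDEF01234567::Passbolt default user <passbolt@yourdomain.com>::::::::::0:
ssb:u:2048:1:0011223344556677:1561680000::::::e:::+:::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# fingerprint_for_uid LISTING EMAIL RECORD
# Print the primary-key fingerprint of the key whose uid contains <EMAIL>.
# RECORD is "pub" for a public listing or "sec" for a secret listing; the fpr
# record directly after it carries the primary fingerprint (field 10), and
# the fpr record after a sub/ssb line is deliberately ignored.
fingerprint_for_uid() {
    printf '%s\n' "$1" | awk -F: -v email="<$2>" -v rec="$3" '
        $1 == rec { want = 1; fpr = "" }
        $1 == "fpr" && want { fpr = $10; want = 0 }
        $1 == "uid" && fpr != "" && index($10, email) { print fpr; exit }'
}

# check_server_key EMAIL
# Mirror the healthcheck: the configured fingerprint must match the key for
# EMAIL, and that key's private half must be in the keyring.
# Returns 1 (no such public key), 2 (fingerprint mismatch), 3 (private key
# missing) or 0 (ok).
check_server_key() {
    email=$1
    pub_fpr=$(fingerprint_for_uid "$PUB_LISTING" "$email" pub)
    sec_fpr=$(fingerprint_for_uid "$SEC_LISTING" "$email" sec)
    if [ -z "$pub_fpr" ]; then
        echo "no public key for <$email> in the keyring"; return 1
    fi
    if [ "$pub_fpr" != "$PASSBOLT_GPG_SERVER_KEY_FINGERPRINT" ]; then
        echo "fingerprint mismatch: keyring $pub_fpr, configured ${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT:-<unset>}"; return 2
    fi
    if [ -z "$sec_fpr" ]; then
        echo "private key for $pub_fpr missing; import config/gpg/serverkey_private.asc into the www-data keyring"; return 3
    fi
    echo "ok $pub_fpr"
}

# docker_run_line FINGERPRINT HOST_KEYS_DIR
# The run command from the reply, with the --mount spec kept as one word (a
# backslash-newline inside it would split it into separate arguments) and the
# fingerprint passed explicitly so a restarted container re-uses the same key.
docker_run_line() {
    fpr=$1; keys_dir=$2
    printf '%s\n' \
      "docker run --name passbolt --net passbolt_network \\" \
      "  --mount type=bind,source=${keys_dir},target=/var/www/passbolt/config/gpg \\" \
      "  -p 443:443 -p 80:80 \\" \
      "  -e DATASOURCES_DEFAULT_HOST=mariadb \\" \
      "  -e DATASOURCES_DEFAULT_USERNAME=<mariadb_user> \\" \
      "  -e DATASOURCES_DEFAULT_PASSWORD=<mariadb_password> \\" \
      "  -e DATASOURCES_DEFAULT_DATABASE=<mariadb_database> \\" \
      "  -e APP_FULL_BASE_URL=https://mydomain.com \\" \
      "  -e PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=${fpr} \\" \
      "  passbolt/passbolt:latest"
}

# Demonstration of the state in the post, assuming the original key's
# fingerprint is the one configured: the check fails because the private half
# of A343... is not in the www-data keyring.
PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=A343CA64F3E4CB16DE4031385316755CD859B5DB
check_server_key juan@myserver.com || true
docker_run_line "$PASSBOLT_GPG_SERVER_KEY_FINGERPRINT" /srv/passbolt/gpg
```

On a live container, replace the two constructed listings with the real output of `gpg --list-keys --with-colons` and `gpg --list-secret-keys --with-colons` run as www-data; the parsing and the verdicts are the same. The run line keeps the bind mount and the fingerprint together on purpose: the mount makes the key survive a restart, and the variable tells the container which key in that directory is the server key.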