Exception from Healthcheck

Hello,

I am installing Passbolt on Debian 9.5 using Apache.

I tried moving the key into www-data’s keyring using the command below:

sudo su -s /bin/bash -c "gpg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data

Here is the output of that command:

gpg: key B1A356…: “James Little jlittle@email.com” not changed
gpg: key B1A356…/B1A356…: error sending to agent: Permission denied
gpg: error building skey array: Permission denied
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1

I don’t know why I keep getting permission denied.

However, after I try doing that, everything breaks.

Here is the new output from health check:

Healthcheck shell…Exception: get_key failed in [/var/www/passbolt/src/Utility/Healthchecks/GpgHealthchecks.php, line 301]

Here is what the error.log says:

2018-08-29 21:41:11 Error: [Exception] get_key failed
Request URL: /auth/verify.json?api-version=v1

And here is what I am getting from the web application:

Could not verify server key. An Internal Error Has Occurred.

Before I tried importing the key into the keyring the only error Health check was returning was I needed to import the key into the keyring.

Any help would be greatly appreciated.

Hello,

Do you have a passphrase on your key?
What are the permissions for the www-data keyring?

Hi remy,

I do have a passphrase on my key, should I create a new one without a passphrase?

The permissions are below:

-rw-r----- 1 www-data www-data 1769 Aug 29 16:20 serverkey.asc
-rw-r----- 1 www-data www-data 3661 Aug 29 16:20 serverkey_private.asc

Thank You!

I do have a passphrase on my key, should I create a new one without a passphrase?

Yes, passphrases are not supported by php-gnupg (due to limitations introduced by gnupg pinentry afaik).

I will generate a new key without a passphrase this time and report back to confirm that fixed the issue.

Thanks again.

Well, I created a new key without a passphrase, I was really frustrated the installation manual didn’t mention this, but there it was in big bold letters

“Important: Currently php-gnupg does not support keys with a passphrase so you will need to leave that field empty.”

At any rate, I am super annoyed, because I am pretty sure I did this correctly, but I took screen shots as verification I did it right, but I sure hope someone finds my mistake.

The only error I am receiving from health check now (well other than I need to update, this is a new one) is a fingerprint mismatch.

[FAIL] The server key fingerprint doesn’t match the one defined in config/passbolt.php.

So I found the fingerprint for the key:

[screenshot]

Notice the user (www-data), See the key was generated today (the 30th) this is the key without the passphrase.

So I copied the fingerprint (so I think), and pasted it in the config/passbolt.php and removed all the spaces

'serverKey' => [
    // Server private key fingerprint.
    'fingerprint' => 'EA9C … 7055',
    'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
    'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',
],

I run health check again, and the same errors.

What am I doing wrong this time?

Thanks.

Do you have spaces in your fingerprint in your configuration file? If so try removing them.

@remy I removed all the spaces. :anguished:

You can check other existing solutions for this new issue:

I cannot say for certain what fixed the issue.

I deleted all keys, and started the key generation process over again.

All is fixed, I successfully updated the software. No errors from healthcheck.
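
Added example, not part of the thread and not Passbolt's own code: a shell sketch of the check discussed above, comparing the primary-key fingerprint from a `gpg --with-colons` listing with the `'fingerprint'` value in config/passbolt.php. The function names and sample data are constructed for illustration, and it assumes a v4 key (40 hex digits).

```bash
#!/usr/bin/env bash
# Added example (not Passbolt code). Function names and sample data are constructed.

# Strip whitespace and upper-case the hex digits of a fingerprint.
normalize_fpr() { printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'; }

# stdin: `gpg --with-colons` listing. Prints each primary-key fingerprint:
# the "fpr" record (field 10) that follows a "pub"/"sec" record. Subkey
# fingerprints, which follow "sub"/"ssb", are skipped.
primary_fpr() {
    awk -F: '$1 == "pub" || $1 == "sec" { want = 1; next }
             $1 == "sub" || $1 == "ssb" { want = 0; next }
             $1 == "fpr" && want        { print $10; want = 0 }'
}

# stdin: contents of config/passbolt.php. Prints the first 'fingerprint' value.
configured_fpr() {
    sed -n "s/^[[:space:]]*'fingerprint'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" | head -n 1
}

# $1 = fingerprint from the keyring, $2 = value from the config file.
# Prints: match | match-after-cleanup | mismatch | invalid
compare_fpr() {
    _key=$(normalize_fpr "$1"); _cfg=$(normalize_fpr "$2")
    # Anything other than hex digits (an ellipsis, a non-breaking space) is invalid.
    case "$_cfg" in ''|*[!0-9A-F]*) echo invalid; return 0 ;; esac
    [ "${#_cfg}" -eq 40 ] || { echo invalid; return 0; }   # assumption: v4 key
    if [ "$_cfg" != "$_key" ]; then echo mismatch
    elif [ "$_cfg" != "$2" ]; then echo match-after-cleanup  # spaces or lower case in the file
    else echo match; fi
}

# Constructed sample: colon listing for one key with one subkey.
SAMPLE_KEYRING='pub:u:2048:1:89ABCDEF01234567:1535641200:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:u:2048:1:0123456789ABCDEF:1535641200::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# Constructed sample: config fragment with the fingerprint pasted with spaces.
SAMPLE_CONFIG="'serverKey' => [
    'fingerprint' => '0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567',
],"

# Prints "match-after-cleanup" for the constructed samples.
compare_fpr "$(printf '%s\n' "$SAMPLE_KEYRING" | primary_fpr)" \
            "$(printf '%s\n' "$SAMPLE_CONFIG" | configured_fpr)"
```

On a real install, feed `primary_fpr` from `sudo su -s /bin/bash -c "gpg --list-keys --with-colons" www-data` and `configured_fpr` from the config file, so the comparison uses the same keyring the web server user sees.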
