[FAIL] The server public key defined in the config/passbolt.php is not in the keyring - issue


#1

Dear community

I’ve tried setting up a fresh installation of passbolt for 2 days but I am simply not able to get the server public key into the keyring of my apache web server. I have tried every single workaround I could find but I still get the GPG configuration FAIL when I run the passbolt healthcheck with the www-data user - and when I try to log in on the server I get “Could not verify server key. The OpenPGP server key defined in the config could not be found in the GnuPG keyring”. Note that the healthcheck passes on everything when running it as the root user!

The steps I followed:

gpg --gen-key
gpg --armor --export-secret-keys roman.attinger@bluewin.ch > /var/www/vhosts/test.ch/passbolt.test.ch/passbolt/config/gpg/serverkey_private.asc
gpg --armor --export roman.attinger@bluewin.ch > /var/www/vhosts/test.ch/passbolt.test.ch/passbolt/config/gpg/serverkey.asc
chown www-data:www-data serverkey_private.asc serverkey.asc
sudo mkdir /var/www/.gnupg
sudo chown www-data:www-data /var/www/.gnupg
sudo chmod 700 /var/www/.gnupg
sudo su -s /bin/bash -c “gpg --home /var/www/.gnupg --import /var/www/vhosts/test.ch/passbolt.test.ch/passbolt/config/gpg/serverkey_private.asc” www-dat

which results in

gpg: keyring /var/www/.gnupg/secring.gpg' created gpg: keyring/var/www/.gnupg/pubring.gpg’ created
gpg: key FA7426AF: secret key imported
gpg: /var/www/.gnupg/trustdb.gpg: trustdb created
gpg: key FA7426AF: public key “Roman Attinger roman.attinger@bluewin.ch” imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: secret keys read: 1
gpg: secret keys imported: 1

I have put the correct key in the passbolt.php configuration file

I also tried to do everything with gpg2 but do no avail. Anyways, does passbolt use gpgv1 or gpgv2? Did I make a mistake when importing the keys? If anyone could point me into the right direction I would be extremely thankful!

The healcheck:

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/www/.gnupg.
[PASS] The directory /var/www/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server gpg key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[FAIL] The server public key defined in the config/passbolt.php is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c “gpg --home /var/www/.gnupg --import /var/www/vhosts/test.ch/passbolt.test.ch/passbolt/config/gpg/serverkey_private.asc” www-data
[PASS] There is a valid email id defined for the server key.

The server:
gpg (GnuPG) 1.4.20
gpg (GnuPG) 2.1.11
‪Ubuntu 16.04.5 LTS
‬PHP 7.2.14
Plesk Onyx 17.8.11

Threads I carefully followed:



#2

Hello, All!
Having this issue too. After fresh install on Centos 7 I have to manually copy passbolt.php, fill in database credentials, then healthcheck from console started working. No web interface is available. And when i followed instructions about GPG keys console health check stopped working with:
Healthcheck shell......Exception: data signing failed in [/var/www/passbolt/src/Utility/Healthchecks/GpgHealthchecks.php, line 304]
Best regards, Eugene.


#3

Hi all,

Sorry to hear you had this experience with passbolt. Could you provide information on which steps you followed to install passsbolt?
Even if it is a dumb question, is the fingerprint correctly formatted on the config/passbolt.php (i.e. spaces removed)?


#6

You should be able to access passbolt web installer at this point, there is no need to edit config/passbolt.php.
The way it works after the install scripts run is that you point to the host provided during the installation and you will face a web installer that will ask you some questions, create a gpg key and write a customized config/passbolt.php for you. There is no need to edit manually passbolt.php. (Actually if passbolt.php exists the webinstaller won’t kick in so you might want to remove the file and remove also the serverkey.asc and serverkey_private.asc from config/gpg)
What I think is happening is that you have the firewalld service running and filtering the requests to your centos box on port 80. Could you please try to disable firewall (just for testing, then you should re enable it whitelisting port 80 and or port 443, depending on your setup).
Stop firewalld (keep in mind it will start again when reboot):
systemctl stop firewalld
Try to access again http://192.168.28.254

Hope this helps


#7

Diego, thank you very much, after stopping firewall http://192.168.28.254 is accessible.
I will revert VM to clean saved state to make clean install since I have tried many things while was trying to fix things that what was working and should not be fixed :slight_smile:
Centos was installed without security profile and I was thinking that firewall was turned off too.
So that is my mistake.
PS: May be it will be good to mention firewall in Install Guide for new-to-linux-people like me :slight_smile:


#8

Nice!

Yes, we will add your feedback to the docs! Thanks!


#9

How about you create your own thread next time please? Your issue is completely unrelated to mine so the solution given neither helps me or people with the same problem…


#10

Hi @speedbre4ker,

Yeah you are right we got caught in the heat of the moment, sorry about that!
In any case the information I was requesting about the installation steps you followed still applies. You installed passbolt using install scripts? Manually from source? Have you been able to access the webinstaller?


#11

Thank you for the reply @diego and sorry for not realizing that you referred to me before.

I installed passbolt manually from source as I already have an instance of openproject running on the same server which I didn’t want to compromise.
I was able to follow the setup steps online (i.e. setting up a master password for the new user created during installation) but then I get the red warning message “Could not verify server key. The OpenPGP server key defined in the config could not be found in the GnuPG keyring” when I try to log-in.


#12

Hi @speedbre4ker

As I mentioned also before the format of the fingerprint defined in config/passbolt.php is correct (no spaces)

Seems to me that you are not using the default www-data gnupg home directory. Looks like you are using /var/www/.gnupg instead of /var/lib/nginx/.gnupg

I would recommend you to switch to the default one and reimport keys. If you want to continue using that custom path for the keyring you should update the config/passbolt.php and modify the following values:

 'keyring' => 'your_custom_path',
 // Replace GNUPGHOME with above value even if it is set.
 'putenv' => true,

Let me know if this works for you


#13

Hi @diego

Yes the fingerprint in the config/passbolt.php is correct and has no spaces.

Hmm this is somehow confusing to me. I do not use nginx as webserver but apache2, therefore the default folder for the gnupg keyring for the www-data user should be /var/www/.gnupg or not?

I have made the changes you suggested to passbolt.php, which now specifically defines the keyring location - although I belive this is somewhat redundant (obviously not the actual key):

‘gpg’ => [
‘keyring’ => ‘/var/www/.gnupg’,
‘putenv’ => true,
‘serverKey’ => [
‘fingerprint’ => ‘12secretXYZ’
],
],

When I now run the healcheck I get a PASS on everything :slight_smile: However, I still can not log in online :frowning: and the error.log shows

2019-01-30 10:33:13 Error: [Cake\Network\Exception\InternalErrorException] The OpenPGP server key defined in the config could not be found in the GnuPG keyring.
Request URL: /auth/verify.json?api-version=v1
2019-01-30 10:33:13 Warning: Warning (512): /var/www/vhosts/test.ch/passbolt.test.ch/passbolt/tmp/cache/persistent/ is not writable in [/var/www/vhosts/test.ch/passbolt.test.ch/passbolt/
vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]


#14

Hello @speedbre4ker,

At some point a command as been executed with another user than www-data. It has compromised the access on the cache files. You can solve this by executing the following command as root

chown www-data:www-data -R /var/www/vhosts/test.ch/passbolt.test.ch/passbolt/tmp/cache

Here either the fingerprint defined in the passbolt.php is not correct or the server gpg key is not present in the gpg keyring of the www-data user.

  1. Can you confirm that the folder /var/www/.gnupg exists and that the www-data user is the owner? To create a new gpg keyring for the www-data user, execute the following command :
    su -s /bin/bash -c "gpg --list-keys --with-fingerprint" www-data
  2. When you list the keys present in your keyring, do you find your server key? You can list the key with the same command as above :
    su -s /bin/bash -c "gpg --list-keys --with-fingerprint" www-data
  3. If you don’t find your server key you can import it with the following command:
    su -s /bin/bash -c "gpg --import YOU_SERVER_GPG_PRIVATE_KEY_PATH" www-data
    List again the key to retrieve your key fingerprint
    su -s /bin/bash -c "gpg --list-keys --with-fingerprint" www-data
  4. The fingerprint is given to you following this format: 2FC8 9458 33C5 1946 E937 F9FE D47B 0811 573E E67E but it should be defined without space in the passbolt.php as following 2FC8945833C51946E937F9FED47B0811573EE67E
    Confirm that the fingerprint is the same than in your passbolt.php

Let us know how it goes


closed #15

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.