Gpg throws 'could not init keylist' on login page, but healthcheck has no errors


#1

Checklist
[x] I have read intro post: https://community.passbolt.com/t/about-the-installation-issues-category/12
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[x] I describe the steps on how to reproduce the issue

I’m getting ‘The OpenPGP server key defined in the config could not be found in the GnuPG keyring.’ on login page.
Healthcheck shows no errors:

sudo su -s /bin/bash -c "./bin/cake passbolt healthcheck" apache

    ____                  __          ____  
   / __ \____  _____ ____/ /_  ____  / / /_ 
  / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
 / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
/_/    \__,_/____/____/_.___/\____/_/\__/   

Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell......string(28) "ENV: / usr/share/httpd/.gnupg"
       
---------------------------------------------------------------

 Environment

[PASS] PHP version 7.2.14.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

[FAIL] Debug mode is on.
 [HELP] Set debug = false; in config/passbolt.php
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.break-media.net
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate

Database

[PASS] The application is able to connect to the database
[PASS] 18 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /usr/share/httpd/.gnupg.
[PASS] The directory /usr/share/httpd/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server gpg key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Application configuration

[PASS] Using latest passbolt version (2.5.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

1 error(s) found. Hang in there!

I added some debug lines to GpgAuthenticate::_initKeyring():

    // Instantiate the php-gnupg extension object and look the server key up in the keyring
    $this->_gpg = new \gnupg();
    $info = $this->_gpg->keyinfo($keyid);
    // Switch to exception mode and dump the last error recorded by the extension
    $this->_gpg->seterrormode(\gnupg::ERROR_EXCEPTION);
    var_dump($this->_gpg->geterror());

Error is: ‘could not init keylist’.

Configuration is Centos 7, php7.2, php-fpm, apache2.

  • In both ways (cli and fpm) the script is executed as the ‘apache’ user.

  • /usr/share/httpd/.gnupg is writable and with SELinux permissions

  • getenv(‘GNUPGHOME’) is /usr/share/httpd/.gnupg in both ways

  • ‘sudo ausearch -m AVC,USER_AVC -ts recent’ returns

  • GPGme Version => 1.3.2 for both cli and fpm

  • gpg --version

    gpg (GnuPG) 2.0.22
    libgcrypt 1.5.3
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.  
    There is NO WARRANTY, to the extent permitted by law.
    
    Home: ~/.gnupg
    Supported algorithms: 
    Pubkey: RSA, ?, ?, ELG, DSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
       CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    

What else have I forgotten to check?

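The checks above (GNUPGHOME, keyring access, extension version) can be collected in one script that is run twice, once through the CLI as the web server user and once through php-fpm, so the two outputs can be compared line by line. The following is an added example, not passbolt code and not the poster's debug lines; the file name `passbolt_gpg_diag.php` and the `DIAG_FINGERPRINT` placeholder are assumptions, and the "GPGme Version" label it greps for is the one phpinfo prints in the thread.

```php
<?php
// passbolt_gpg_diag.php (hypothetical file name, added example, not passbolt code).
// Runs the keyring checks from the thread's debug lines in one script that
// can be executed under the CLI and under php-fpm and compared line by line.
declare(strict_types=1);

// Server key fingerprint for the php-fpm run, where there is no argv
// (placeholder: replace with the fingerprint from config/passbolt.php).
const DIAG_FINGERPRINT = 'REPLACE_WITH_SERVER_KEY_FINGERPRINT';

/** Run the checks; returns [label => [bool ok, string detail]]. */
function passbolt_gpg_diag(string $fingerprint, ?string $gnupgHome = null): array
{
    $checks = [];
    $home = $gnupgHome ?? (getenv('GNUPGHOME') ?: '');

    // SAPI and effective user: CLI and fpm must agree on both.
    $user = function_exists('posix_geteuid')
        ? (posix_getpwuid(posix_geteuid())['name'] ?? '?') : '?';
    $checks['SAPI and user'] = [true, PHP_SAPI . ' / ' . $user];

    $checks['GNUPGHOME set'] = [$home !== '', $home === '' ? 'empty' : $home];
    $checks['GNUPGHOME readable'] = [is_dir($home) && is_readable($home), $home];
    $checks['GNUPGHOME writable'] = [is_dir($home) && is_writable($home), $home];

    $loaded = extension_loaded('gnupg');
    $checks['gnupg extension loaded'] = [$loaded,
        $loaded ? 'php-gnupg ' . phpversion('gnupg') : 'not loaded'];
    if (!$loaded) {
        return $checks;
    }

    // GPGme version as phpinfo() reports it (the "GPGme Version" label seen
    // in the thread); strip_tags() makes the regex work for CLI and fpm output.
    ob_start();
    phpinfo(INFO_MODULES);
    $info = strip_tags((string) ob_get_clean());
    $gpgme = preg_match('/GPGme Version\s*(?:=>)?\s*([\d.]+)/', $info, $m) ? $m[1] : 'unknown';
    $checks['GPGme version'] = [$gpgme !== 'unknown', $gpgme];

    // Keyring access. Exception mode goes BEFORE keyinfo(): set afterwards, as
    // in the thread's snippet, a failing keyinfo() returns silently and only
    // geterror() shows "could not init keylist".
    try {
        $gpg = new gnupg();
        $gpg->seterrormode(gnupg::ERROR_EXCEPTION);
        $keys = $gpg->keyinfo($fingerprint);
        $found = is_array($keys) && count($keys) > 0;
        $checks['server key in keyring'] = [$found,
            $found ? count($keys) . ' key(s) match' : 'no key matches ' . $fingerprint];
        if ($found) {
            // Passbolt's server key has no passphrase, hence the empty string.
            $gpg->addsignkey($fingerprint, '');
            $sig = $gpg->sign('passbolt gpg diag');
            $checks['private key can sign'] = [is_string($sig) && $sig !== '',
                is_string($sig) ? strlen($sig) . '-byte signature' : 'sign() returned false'];
        }
    } catch (Throwable $e) {
        $checks['gnupg error'] = [false, get_class($e) . ': ' . $e->getMessage()];
    }
    return $checks;
}

/** Print in the [PASS]/[FAIL] style of the passbolt healthcheck. */
function print_diag(array $checks): void
{
    foreach ($checks as $label => [$ok, $detail]) {
        printf("[%s] %s: %s\n", $ok ? 'PASS' : 'FAIL', $label, $detail);
    }
}

// CLI: fingerprint from argv; php-fpm: the constant above. Spaces are
// stripped so the "9F9C EB2C ..." form from gpg --fingerprint is accepted.
$fpr = str_replace(' ', '', PHP_SAPI === 'cli' ? ($argv[1] ?? DIAG_FINGERPRINT) : DIAG_FINGERPRINT);
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
print_diag(passbolt_gpg_diag($fpr));
```

Run it once the same way the healthcheck was run (`sudo su -s /bin/bash -c "php passbolt_gpg_diag.php <fingerprint>" apache`) and once from a temporary web-served path under php-fpm, remove the file afterwards, and diff the two outputs. A "gnupg error" line or a differing "GPGme version" line that appears only in the fpm run points at the extension build rather than at the keyring or its permissions.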

#2

Hello,

What do you get when doing:

sudo su -s /bin/bash -c "gpg --list-keys" apache

How did you install php-gnupg? Using PECL packages?


#3

Hi @remy, thanks for the support.

Here is output of list-keys:

 $ sudo su -s /bin/bash -c "gpg --list-keys --fingerprint" apache
 /usr/share/httpd/.gnupg/pubring.gpg
 -----------------------------------
 pub   2048R/FB61BC74 2019-02-10
       Key fingerprint = 9F9C EB2C 85D8 732E CB82  35A9 B9F7 DD16 FB61 BC74
 uid                  Bogdan <bogdan.p******i@b********a.com>
 sub   2048R/7FF8933D 2019-02-10

Installation was done in this way:

sudo yum install php72-php-pecl-gnupg.x86_64

#4

So, after your comment I removed php-gnupg and installed it again using PECL, and it works now. I really can’t understand how that could happen, considering phpinfo shows me absolutely the same version was installed previously and also considering there were no problems with the old installation with the CLI.

Anyway, now I’m happy to get it successfully installed and also I do not regret that I spent a few days debugging it, because it helped me to see the project’s sources and I really like this project.


#5

Thank you for your kind comments @Bogdan, it’s much appreciated.