How to backup fingerprint?

I have Passbolt in a Docker container running in Synology NAS.
Health check told me that “This installation is not up to date. Currently using 2.8.1 and it should be v2.8.2.” (Later it turned out to be wrong information, but it doesn’t matter now.)

Well, I exported all the settings of the container by Docker’s export function, and I also made a backup of the GPG keys. (Four files: serverkey_private.asc, serverkey.asc, unsecure_private.key, unsecure.key)

I did not delete the old container (just in case), but created a new one by the new image. (supposed to be v2.8.2)

Then I restored the GPG key files and all the settings (environment variables, etc.) to the new container.
Everything seems to be fine, but Healthchecker in the new instance says:
“The server key fingerprint doesn’t match the one defined in config/passbolt.php.”

I don’t have a passbolt.php file (just passbolt.default.php); I set all the settings by environment variables.
If I login, in my profile I still can see the same fingerprint as before. The GPG keys have been recovered.

What exactly should I do to eliminate this error message? From where to where shall I copy fingerprint information?

(I’m quite noob, I’ll appreciate if you can be pretty specific and detailed in your answer.)

Thanks a lot in advance!

Hi @sawwee

That seems to be a false positive as the fingerprint is generated as an env variable on boot from your serverkey files.

We will look into it, thanks!

In the original instance I don’t receive this error message in healthcheck, only the new one is problematic, even though the two instances should be absolutely identical. What makes them different?

Do these two instances share the same domain name / hostname? That could be a certificate mismatch.

Same domain / hostname, even same ports. (I set the ports manually before running one or the other, because otherwise Docker doesn’t let me set the same ports on both of the containers. At the end of the day the running one always has my original port setup.)

Could you try to source /etc/environment before launching the healthcheck?

Something like su -c "source /etc/environment; /var/www/passbolt/bin/cake passbolt healthcheck" -s /bin/bash www-data

Okay, I did that, launched healthcheck by the command you mentioned.
The two healthchecks are identical, except the fingerprint issue:

Original instance:

[passbolt ASCII-art logo]

Open source password manager for teams


Healthcheck shell

Environment
[PASS] PHP version 7.2.16.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[WARN] The passbolt config file is missing in /var/www/passbolt/config/
[HELP] Copy /var/www/passbolt/config/passbolt.php.default to /var/www/passbolt/config/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://my.host.url
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate

Database

[PASS] The application is able to connect to the database
[PASS] 25 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
[PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server gpg key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Application configuration

[FAIL] This installation is not up to date. Currently using 2.8.1 and it should be v2.8.3.
[HELP] See. https://www.passbolt.com/help/tech/update
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

1 error(s) found. Hang in there!

New instance:

[passbolt ASCII-art logo]
Open source password manager for teams

Healthcheck shell

Environment
[PASS] PHP version 7.2.16.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files
[PASS] The application config file is present
[WARN] The passbolt config file is missing in /var/www/passbolt/config/
[HELP] Copy /var/www/passbolt/config/passbolt.php.default to /var/www/passbolt/config/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config
[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://my.host.url
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate

Database

[PASS] The application is able to connect to the database
[PASS] 25 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
[PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server gpg key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[FAIL] The server key fingerprint doesn’t match the one defined in config/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /home/www-data/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature
Application configuration
[FAIL] This installation is not up to date. Currently using 2.8.1 and it should be v2.8.3.
[HELP] See. https://www.passbolt.com/help/tech/update
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

2 error(s) found. Hang in there!

However…
I tried to follow the suggestion of the healthcheck result and double check the key fingerprint by the command mentioned in healthcheck result:

sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /home/www-data/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'

I tried it on both of the instances and the results were different! However, there were still some similarities: there were two codes (I suppose these are the fingerprints) on both instances, and the second code of the first instance was the same as the first code of the second instance.

Like this:

Original instance:

pub   rsa2048 2019-04-02 [SC]
      40-digit code here  ("version A")
uid           [ultimate] My Name <my@email.address>
--
pub   rsa2048 2019-04-02 [SC]
      another 40-digit code here ("version B")
uid           [ unknown] My Name <my@email.address>

New instance:

pub   rsa2048 2019-04-02 [SC]
      same as "version B" 40-digit code here
uid           [ultimate] My Name <my@email.address>
--
pub   rsa2048 2019-04-02 [SC]
      different 40-digit code here ("version C")
uid           [ unknown] My Name <my@email.address>

Well, how can I properly back up these codes from the original instance and restore them in the new instance? (I suppose this would solve my problem, wouldn’t it?)

Well, could you please help me with it?

Hey there have you been able to solve this issue?

Unfortunately not yet, I would still appreciate any response to my last question. Thank you in advance!

Hey there,

Let’s dissect this a bit:
I assume, from the output you pasted, that the first output (the one that doesn’t complain about the gpg fingerprint) is the result of executing:
su -c "source /etc/environment; /var/www/passbolt/bin/cake passbolt healthcheck" -s /bin/bash www-data

This happens because in docker-entrypoint.sh, if the GPG_FINGERPRINT is not provided as an env variable, the script tries to extract the data from the server keys present on the container and exports a variable so passbolt can continue operating normally. However, if you connect to the container using docker exec you won’t have that variable present, because the bash session you are using is not inheriting this particular env var. That’s why you have the fingerprint error without sourcing /etc/environment and don’t have it when sourcing it. You could also work around this issue by getting the gpg fingerprint and running the container with that variable injected (PASSBOLT_GPG_SERVER_KEY_FINGERPRINT).

If you want to back up your server keys from your first instance you can just copy the /var/www/passbolt/config/gpg/serverkey*.asc files from your first docker instance to your host machine and then mount them as host mounts into your new container (some examples on mounting files from the host into containers here), or you could use docker volumes to persist the /var/www/passbolt/config/gpg directory like what we propose here, exec into the container and overwrite the files.

Hope all this chunk of text helps you a bit :sweat_smile: and sorry for the late reply.
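The mechanism described in the reply above, as an added example that is not part of the thread or of passbolt's own docker-entrypoint.sh: the fingerprint is read out of a `gpg --list-keys --with-colons` listing (field 10 of the `fpr` line), written to an environment file that a later shell can source, and then checked against the keyring the way the healthcheck does. The listing and the fingerprints are constructed sample data, the environment-file path is an assumption, and the two-key keyring mirrors the `[ultimate]` / `[ unknown]` pair the poster saw.

```shell
#!/bin/sh
# Added example, not passbolt's entrypoint code. Fingerprints below are fabricated.

# Constructed sample of `gpg --list-keys --with-colons` output: two public keys,
# the first with ultimate trust (u), the second with unknown trust (-).
SAMPLE_LISTING='tru::1:1554200000:0:3:1:5
pub:u:2048:1:AAAAAAAAAAAAAAAA:1554163200:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1554163200::0000::My Name <my@email.address>::::::::::0:
pub:-:2048:1:BBBBBBBBBBBBBBBB:1554163200:::-:::scESC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:-::::1554163200::1111::My Name <my@email.address>::::::::::0:'

# Fingerprint of the first key in a --with-colons listing (what an entrypoint would
# export when no fingerprint was supplied through the environment).
first_fingerprint() {
  printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Persist the fingerprint into an environment file ($1) so that a shell started later
# (for example via `docker exec`) can `. file` to inherit it.
write_env_file() {
  printf 'export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=%s\n' "$2" > "$1"
}

# Healthcheck-style comparison: does the configured fingerprint ($1) appear in the
# keyring listing ($2)? Returns 0 on match, 1 on mismatch, 2 when nothing is configured
# (the situation of a docker exec shell that never sourced the exported variable).
fingerprint_matches() {
  configured="$1"
  listing="$2"
  [ -n "$configured" ] || return 2
  printf '%s\n' "$listing" | awk -F: -v want="$configured" \
    '$1 == "fpr" && toupper($10) == toupper(want) { found = 1 }
     END { exit found ? 0 : 1 }'
}
```

Running `fingerprint_matches "$PASSBOLT_GPG_SERVER_KEY_FINGERPRINT" "$(gpg --list-keys --with-colons)"` from a plain `docker exec` shell returns 2 because the variable is empty there; after `. /etc/environment` the same call returns 0, which is exactly the difference between the two healthcheck outputs in the thread.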

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.