Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[x] I describe the steps on how to reproduce the issue
Hey all,
So recently we had a hypervisor fail, and thus caused our Passbolt server to crash. It came back up, the Passbolt server, with no issues.
However, now when trying to login, we are getting “An internal error has occurred” after entering our passwords.
From the logs, we can see the following in the error.log file.
2020-03-27 10:22:52 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/auth/is-authenticated.json” could not be found.
Request URL: /auth/is-authenticated.json
2020-03-27 10:22:57 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “/auth/is-authenticated.json” could not be found.
Request URL: /auth/is-authenticated.json
2020-03-27 11:10:11 Error: [Exception] encrypt-sign failed
Request URL: /auth/login.json?api-version=v1
2020-03-27 11:13:02 Error: [Exception] encrypt-sign failed
Request URL: /auth/login.json?api-version=v1
No other errors can be found at present, all keys are valid. I have tried performing an account recovery, and still the same problem.
This would most likely point to an issue with the server key and/or keyring. The server public key could be expired, or not in the keyring, or the file permissions on the gnupg keyring could not be set properly, or the SELinux policy could have changed, etc.
     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
---------------------------------------------------------------
Healthcheck shell
---------------------------------------------------------------
Environment
[PASS] PHP version 7.0.33-0ubuntu0.16.04.9.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.
Config files
[PASS] The application config file is present
[PASS] The passbolt config file is present
Core config
[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passwords.takeshi.nz
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate
Database
[PASS] The application is able to connect to the database
[PASS] 19 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The server gpg key is not the default one
[PASS] The environment variable GNUPGHOME is set to /var/www/.gnupg.
[PASS] The directory /var/www/.gnupg containing the keyring is writable by the webserver user.
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[FAIL] The server public key defined in the config/passbolt.php is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/www/.gnupg --import /opt/passbolt/config/gpg/noexpire.key" www-data
[PASS] There is a valid email id defined for the server key.
Application configuration
[FAIL] This installation is not up to date. Currently using 2.0.7 and it should be v2.12.0.
[HELP] See. https://www.passbolt.com/help/tech/update
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.
2 error(s) found. Hang in there!
Actually, ran healthcheck using sudo and now all is well?
     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
---------------------------------------------------------------
Healthcheck shell
---------------------------------------------------------------
Environment
[PASS] PHP version 7.0.33-0ubuntu0.16.04.9.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.
Config files
[PASS] The application config file is present
[PASS] The passbolt config file is present
Core config
[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passwords.takeshi.nz
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate
Database
[PASS] The application is able to connect to the database
[PASS] 19 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The server gpg key is not the default one
[PASS] The environment variable GNUPGHOME is set to /var/www/.gnupg.
[PASS] The directory /var/www/.gnupg containing the keyring is writable by the webserver user.
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The public key can be used to sign a message.
[PASS] The public key can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
Application configuration
[FAIL] This installation is not up to date. Currently using 2.0.7 and it should be v2.12.0.
[HELP] See. https://www.passbolt.com/help/tech/update
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.
1 error(s) found. Hang in there!
You should run the healthcheck using the webserver user:
sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt healthcheck" www-data
All keyring operations should be done with this user, and also by providing your keyring location defined in your passbolt.php config (unless it’s using the default one, e.g. /var/www/ on debian).
Keyring permissions should look something like this:
drwxrwx--- 9 www-data www-data 4096 Oct 30 06:52 ..
-rw-r--r-- 1 www-data www-data 25 Nov 26 13:18 .#lk0x0000559aa53ea6b0.passbolt.test.3153
drwx------ 2 www-data www-data 4096 Dec 5 14:45 private-keys-v1.d
-rw-r--r-- 1 www-data www-data 63112 Dec 18 11:30 pubring.kbx
-rw-r--r-- 1 www-data www-data 61789 Dec 6 12:29 pubring.kbx~
-rwx------ 1 www-data www-data 600 Mar 24 19:08 random_seed
-rw-r--r-- 1 www-data www-data 49152 Nov 26 13:24 tofu.db
-rwx------ 1 www-data www-data 1200 Oct 30 07:03 trustdb.gpg
Too lax permissions would trigger gnupg to refuse to do some operations (like signing).
Is it possible for you to migrate to the last version? It will be harder to debug as you’re running a version that is almost 2 years old. (some work has been done on the auth / gnupg integration part since then)
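An added example, not part of the original thread and not Passbolt's own tooling: a small audit of the keyring directory for the ownership and permission problems described above. The function name and the thresholds (home directory and private-keys-v1.d closed to group/other, nothing writable by group/other, everything owned by the webserver user) are assumptions of this example modelled on the listing; it needs GNU `stat` and `find`.

```shell
#!/bin/sh
# Added example: audit a GnuPG home directory (e.g. /var/www/.gnupg) for
# wrong ownership and lax permissions. Assumes GNU stat/find and file
# names without newlines.
#
# audit_gnupg_home DIR OWNER
#   prints one finding per line
#   returns 0 = clean, 1 = findings, 2 = DIR missing
audit_gnupg_home() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi

    report=$(
        # The home directory and the private key store should grant
        # nothing to group or other (mode 700, as in the listing).
        for p in "$dir" "$dir/private-keys-v1.d"; do
            [ -e "$p" ] || continue
            m=$(stat -c '%a' "$p")
            [ $(( 0$m & 077 )) -eq 0 ] || echo "LAX_DIR $m $p"
        done

        # Every entry should belong to the webserver user and must not
        # be writable by group or other.
        find "$dir" -mindepth 1 -exec stat -c '%U %a %n' {} + |
        while read -r u m p; do
            [ "$u" = "$owner" ] || echo "WRONG_OWNER $u $p"
            [ $(( 0$m & 022 )) -eq 0 ] || echo "WRITABLE $m $p"
        done
    )

    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Usage, run with enough privileges to read the directory:
#   audit_gnupg_home /var/www/.gnupg www-data
```

A WRONG_OWNER finding for root-owned files is what you would expect to see after running keyring or healthcheck commands with plain sudo instead of as www-data.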
Request URL: /healthcheck/
2020-03-27 11:58:02 Error: [Cake\Database\Exception] SQLSTATE[42S02]: Base table or view not found: 1146 Table 'passbolt.actions' doesn't exist (/opt/passbolt/vendor/cakephp/cakephp/src/Database/Schema/Collection.php:132)
Caused by: [PDOException] SQLSTATE[42S02]: Base table or view not found: 1146 Table 'passbolt.actions' doesn't exist (/opt/passbolt/vendor/cakephp/cakephp/src/Database/Statement/MysqlStatement.php:38)
Request URL: /auth/login
2020-03-27 12:00:28 Error: [Cake\Core\Exception\Exception] Could not use the key to sign and encrypt.encrypt-sign failed (/opt/passbolt/src/Utility/OpenPGP/Backends/Gnupg.php:508)
Request URL: /auth/login.json?api-version=v1