Yup, sure, will work through that now.
Have completed upgrade to latest and healthcheck reports a pass.
New errors from errors.log
```
Request URL: /healthcheck/
2020-03-27 11:58:02 Error: [Cake\Database\Exception] SQLSTATE[42S02]: Base table or view not found: 1146 Table 'passbolt.actions' doesn't exist (/opt/passbolt/vendor/cakephp/cakephp/src/Database/Schema/Collection.php:132)
Caused by: [PDOException] SQLSTATE[42S02]: Base table or view not found: 1146 Table 'passbolt.actions' doesn't exist (/opt/passbolt/vendor/cakephp/cakephp/src/Database/Statement/MysqlStatement.php:38)
Request URL: /auth/login
2020-03-27 12:00:28 Error: [Cake\Core\Exception\Exception] Could not use the key to sign and encrypt.encrypt-sign failed (/opt/passbolt/src/Utility/OpenPGP/Backends/Gnupg.php:508)
Request URL: /auth/login.json?api-version=v1
```
OK, there may be an issue with this particular user's public key. Can you check if it is expired and/or share it with us here?
If a user key has expired, could that be the cause?
Yes, basically gnupg will refuse to encrypt content for an expired key.
Is it possible to renew the key on my desktop, and remove the key on the server?
It’s possible to remove the expiry date on your desktop (using gnupg for example) and then update it on the server. See link above.
Note: It’s not possible to rotate for a key that has a different fingerprint.
I’ve changed the expiry using GnuPG on my desktop, how do I import that new public key into the server?
From the other post:
- Edit the public gpg key in the database, make sure you update the modification date so that other users can get the new one
- Remove the old key from the gpg keyring and import the new key in the server gpg keyring (or alternatively, if it doesn’t work, you can create a new keyring, import the server key and let the application import the keys for the users as needed).
- Do an account recovery.
To edit the key in the database you need to edit the row for your user in the database. You can see which row belongs to you:
```sql
SELECT id, fingerprint
FROM gpgkeys
WHERE user_id IN (SELECT id FROM users WHERE username='firstname.lastname@example.org');
```
The update query would look like:
```sql
UPDATE gpgkeys
SET armored_key='-----BEGIN PGP PUBLIC KEY BLOCK----- ... -----END PGP PUBLIC KEY BLOCK-----',
    expires=NULL,
    modified='2018-03-27 12:30:00'
WHERE user_id IN (SELECT id FROM users WHERE username='email@example.com');
```
Where you need to replace your username and keys obviously.
Make sure you remove the old user key from the keyring, as the expired key will still be there.
Have followed instructions.
Created new GPG keyring and only imported server keys
Removed Plugin and performed recovery
Updated GPG in DB
Still receiving the same error
Can you try to see if encryption with this user key + signing using the server key works using gpg directly? (using www-data user/ keyring)
Can you elaborate more on that please?
I meant try to encrypt something for this user and sign with the server key using gnupg on the server:
```bash
sudo su -s /bin/bash -c "gpg --encrypt --sign --armor -r firstname.lastname@example.org name_of_test_file" www-data
```
Something like that
So I’ve done the whole process again.
- Created new GPG keyring
- Confirmed only Server Key is in keyring
- Updated Public Key in SQL database
- Removed Passbolt plugin
- Performed account recovery
- Still receiving unknown error
As per your question, I was able to create a text file, encrypt the file, and then decrypt the file using said keys.
Woohoo! Fixed it! There was a subkey that had expired that was used for encryption.
Unfortunately on Windows it’s not easily seen, and needed to be done on my Linux desktop.
Good job! Thanks for sharing the solution.
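The root cause in this thread was an expired encryption subkey behind a primary key that looked fine. As an added example (not from the thread or from Passbolt), the function below reads `gpg --with-colons --list-keys` output and counts, per primary key, the encryption-capable keys gpg still treats as usable; the key IDs and user IDs in the sample are constructed.

```shell
#!/usr/bin/env bash
# Added example: summarise, per primary key, how many encryption-capable keys
# gpg still considers usable. Input is `gpg --with-colons --list-keys` output.
# Colon fields used: 1 record type, 2 validity (e expired, r revoked,
# d disabled, i invalid), 5 key ID, 10 user ID, 12 capabilities (e = encrypt).
check_encryption_keys() {
  awk -F: '
    function flush() {
      if (primary != "")
        printf "%s usable=%d unusable=%s uid=%s\n", primary, ok, (bad == "" ? "-" : bad), uid
    }
    # A new primary key starts a new summary line.
    $1 == "pub" { flush(); primary = $5; uid = ""; ok = 0; bad = "" }
    $1 == "uid" && uid == "" { uid = $10 }
    # Lowercase "e" marks a key (primary or subkey) that can itself encrypt.
    ($1 == "pub" || $1 == "sub") && $12 ~ /e/ {
      if ($2 ~ /^[erdi]$/) bad = bad (bad == "" ? "" : ",") $5 "(" $2 ")"
      else ok++
    }
    END { flush() }'
}

# Constructed sample in gpg colon format (not real keys):
#  - key A: primary valid, its only encryption subkey expired (the case above)
#  - key C: one expired encryption subkey plus a newer valid one
sample_keyring() {
  cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scSC:
uid:u::::1500000000::0000::Constructed User One <one@example.test>:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1500000000:1580000000:::::e:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1500000000:::u:::scESC:
uid:u::::1500000000::0000::Constructed User Two <two@example.test>:
sub:e:4096:1:DDDDDDDDDDDDDDDD:1500000000:1580000000:::::e:
sub:u:4096:1:EEEEEEEEEEEEEEEE:1580000000::::::e:
EOF
}

# Stand-alone run: a line with usable=0 is a key gpg cannot encrypt to.
sample_keyring | check_encryption_keys
```

On the server, pipe the real listing into `check_encryption_keys` from the keyring the application uses (the `www-data` user in the command above), since that keyring is the one the encrypt-sign operation reads.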