Keep Getting Could not import the key even if healthcheck is ok

Hi, I installed Passbolt on a Ubuntu Server machine.
I’m running apache2 and php7.4 with other websites, everything is managed through ispconfig.
Every time I try to install passbolt again, I get this error message while configuring the first user account:
image

I checked all the folder and key privileges, and everything is owned by web2, the apache user.

This is my healthcheck status:

Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 7.4.16.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://psw.samuelepetrin.cf
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] cURL Error (60) SSL: no alternative certificate subject name matches target host name ‘psw.samuelepetrin.cf’

Database

[PASS] The application is able to connect to the database
[PASS] 25 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/www/clients/client0/web2/home/default_psw/.gnupg.
[PASS] The directory /var/www/clients/client0/web2/home/default_psw/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server gpg key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Application configuration

[PASS] Using latest passbolt version (3.1.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

1 error(s) found. Hang in there!

This is the guide I followed: https://www.howtoforge.com/install-and-configure-passbolt-password-manager-on-ubuntu-2004/
I would be glad if you could help me in any way, I am really hyped by Passbolt, and unfortunately didn’t even pass the login screen.

Hi @TheSam,

You can get this issue for several reasons:

  • The time on the server (or client) is not set correctly, GnuPG will refuse to import keys that are created “in the future”. You can solve this by installing NTP on your server and double checking the client time.
  • The permissions on the GnuPG keyring are too lax, GnuPG will refuse to function if the permissions are not set correctly. You need to locate the GnuPG keyring for this user (web2?) and double check the permissions (you can do a ls -la here if you need help with this).
  • Something else I cannot think of…

Hi, Thanks for the quick answer.

I checked the server and client dates, and everything is synchronized. NTP was already installed on the server.

Then I also checked the folder permissions, and everything seems to be ok (am I wrong here?):
image

The only thing I noted during install, was that Passbolt really never gave me a configuration wizard like the one described in all the guides, I was only able to login with the newly created user in the cli.

Hope this can give you some more context.

@TheSam so I guess you followed the “from source” installation method. The wizard will only launch if you have not created the passbolt.php yourself (that’s how the installer knows how to launch).

My guess would be to check your configuration in passbolt.php to make sure you’re pointing at the right location for the keyring (it could be that this keyring is fine, but the web application is using another one at another location):

 'passbolt' => [
        // GPG Configuration.
        // The keyring must be owned and accessible by the webserver user.
        // Example: www-data user on Debian
        'gpg' => [
            'keyring' => '/home/web2/.gnupg', // or wherever this is
            'putenv' => true, // this will override any preset GNUPGHOME
        ],
    ],

Then check the server key is listed:

sudo -H -u www-data bash -c "gpg --list-keys --homedir=/home/web2/.gnupg"
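The two causes listed earlier in the thread (clock skew making keys look "created in the future", and a keyring whose permissions are too lax) and the keyring-location check above can be verified in one go. The script below is an added example written for this thread; it is not part of passbolt or of the replies above. It assumes `ls -ld` output in the usual `drwx------ n owner group ...` layout, that `gpg --with-colons` puts the creation timestamp in field 6 of a `pub` record, and the placeholder values `KEYRING_DIR` and `WEB_USER`, which you replace with the `keyring` path from your passbolt.php and your webserver user (web2 in this thread).

```shell
#!/bin/sh
# Added example, not passbolt's own tooling: sanity-check a GnuPG keyring
# directory for the failure modes that make key import fail.

# Print the group/other permission bits of a path, e.g. "------" for mode 700/600.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_gpg_keyring DIR [USER]
# Returns 0 when DIR exists, is owned by USER (when given) and neither DIR nor
# any entry inside it is accessible to group or others. GnuPG complains about
# an "unsafe" keyring otherwise, and passbolt then fails to import the key.
check_gpg_keyring() {
    dir="$1"
    expected_user="$2"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory (check 'keyring' in passbolt.php)"
        return 1
    fi
    owner=$(ls -ld "$dir" | awk '{print $3}')
    if [ -n "$expected_user" ] && [ "$owner" != "$expected_user" ]; then
        echo "OWNER: $dir is owned by $owner, expected $expected_user"
        rc=1
    fi
    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "LAX: $dir should be mode 700"
        rc=1
    fi
    # Check every regular entry and every dotfile (e.g. private-keys-v1.d, pubring.kbx).
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue          # unmatched glob pattern, nothing to check
        if [ "$(group_other_bits "$entry")" != "------" ]; then
            echo "LAX: $entry is accessible to group/others"
            rc=1
        fi
    done
    return $rc
}

# check_key_dates DIR
# Returns 0 when no public key in DIR was created later than the local clock
# (GnuPG rejects keys "from the future", which is what clock skew produces).
# Returns 0 without checking when gpg is not installed on this host.
check_key_dates() {
    dir="$1"
    command -v gpg >/dev/null 2>&1 || return 0
    gpg --homedir "$dir" --list-keys --with-colons 2>/dev/null |
        awk -F: -v now="$(date +%s)" '
            $1 == "pub" && $6 + 0 > now + 0 { print "FUTURE: key " $5 " created at " $6; bad = 1 }
            END { exit bad }'
}

# Usage: sh check_keyring.sh KEYRING_DIR WEB_USER
# Run it as the webserver user (sudo -H -u WEB_USER ...) so the result reflects
# what the web application actually sees.
if [ "$#" -ge 1 ]; then
    check_gpg_keyring "$1" "$2" && check_key_dates "$1" && echo "OK: $1 looks usable"
fi
```

If the keyring passes both checks but the import still fails, compare the directory you tested against the `keyring` value in passbolt.php and the `GNUPGHOME` line of the healthcheck: they must point at the same directory, and that directory must contain the server key fingerprint from the config.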

@TheSam oh I can see you used https://www.howtoforge.com/install-and-configure-passbolt-password-manager-on-ubuntu-2004/ . There are some mistakes in this tutorial after glancing through it quickly, like the section about the key is in the wrong place in the file…

I recommend following the official methods to install passbolt, as they are guaranteed to work all the time: Passbolt Help | Installation

Thanks, the last suggestion solved the issue.
Regards
