The private key cannot be used to do anything here

Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[ ] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[x] I describe the steps on how to reproduce the issue

Server is Apache2, OS is Debian 9.

When healthchecking my passbolt installation, I’m getting some FAILs with my private key:

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The server gpg key is not the default one
[PASS] The environment variable GNUPGHOME is set to /var/www/.gnupg.
[PASS] The directory /var/www/.gnupg containing the keyring is writable by the webserver user.
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[FAIL] The private key cannot be used to sign a message
 [HELP] Make sure that the server private key is valid and that there is no passphrase.
 [HELP] Make sure you imported the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/www/.gnupg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data
[FAIL] The public and private keys cannot be used to encrypt and sign a message
[FAIL] The private key cannot be used to decrypt a message
[FAIL] The private key cannot be used to decrypt and verify a message
[FAIL] The public key cannot be used to verify a signature.

Hi @Julian,

There is a problem with your private key. Could you check:

  1. that your private key is in your keyring: sudo su -s /bin/bash -c "gpg --home /var/www/.gnupg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data
  2. that your private key is not encrypted with a password.
  3. that your version of gpg is v2: gpg --version. We have seen similar issues with the keyring being managed by gpg2 while the keys were imported by gpg1.
  4. if it’s still not working, then try to generate another keypair, don’t forget to update the fingerprint in passbolt.php and try again.

Let me know if any of this works.

Hi @kevin,

I just generated a new unencrypted private key. The original error message now is gone, but another one appears: “Could not verify server key. Decryption failed.” Any ideas about that?

Thanks for your help!

Did you update the key fingerprint in the file passbolt.php? (only caps, and no space allowed).
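The checks suggested in the two replies above (key present in the www-data keyring, no passphrase, gpg v2, fingerprint written in passbolt.php as upper-case hex with no spaces) can be run in one go. The script below is an added example for this thread, not part of passbolt's own healthcheck; it assumes the paths and the www-data user from the thread (override them with the GNUPGHOME_DIR, PRIVKEY and WEBUSER variables), and the two gpg-based checks need sudo and gpg on the host, while normalize_fingerprint and gpg_major_is_2 are pure string checks that run anywhere.

```sh
#!/bin/sh
# Added example: reproduces the troubleshooting steps from this thread.
# Assumed defaults (hypothetical, taken from the thread); override via env.
GNUPGHOME_DIR="${GNUPGHOME_DIR:-/var/www/.gnupg}"
PRIVKEY="${PRIVKEY:-/var/www/passbolt/config/gpg/serverkey_private.asc}"
WEBUSER="${WEBUSER:-www-data}"

# Normalise a fingerprint the way passbolt.php expects it: upper-case hex, no spaces.
# Prints the normalised value; returns 1 if it is not 40 hex characters (a v4 key fingerprint).
normalize_fingerprint() {
    fp=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$fp" in
        *[!0-9A-F]*) printf '%s\n' "$fp"; return 1 ;;
    esac
    [ ${#fp} -eq 40 ] || { printf '%s\n' "$fp"; return 1; }
    printf '%s\n' "$fp"
}

# Given the first line of `gpg --version` (e.g. "gpg (GnuPG) 2.2.12"), succeed only for a 2.x release.
# A 1.x gpg keeps a separate keyring, which is the gpg1/gpg2 mix-up mentioned in the thread.
gpg_major_is_2() {
    ver=$(printf '%s' "$1" | sed -n 's/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        2.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run a gpg command as the webserver user against its own keyring (needs sudo).
gpg_as_webuser() {
    sudo su -s /bin/bash -c "gpg --homedir $GNUPGHOME_DIR --batch $*" "$WEBUSER"
}

# Check that the secret key is in the keyring and can sign without a passphrase.
# With --pinentry-mode loopback and an empty passphrase, a passphrase-protected key
# fails immediately instead of hanging while waiting for a pinentry dialog.
private_key_can_sign() {
    fp="$1"
    gpg_as_webuser "--list-secret-keys $fp" >/dev/null 2>&1 \
        || { echo "secret key $fp is not in the $WEBUSER keyring"; return 1; }
    printf 'healthcheck' | gpg_as_webuser "--pinentry-mode loopback --passphrase '' --local-user $fp --sign" >/dev/null 2>&1 \
        || { echo "key $fp cannot sign (passphrase set or key invalid)"; return 1; }
    echo "key $fp can sign"
}

main() {
    fp=$(normalize_fingerprint "$1") || { echo "fingerprint must be 40 upper-case hex chars, got: $fp"; exit 1; }
    gpg_major_is_2 "$(gpg --version | head -n1)" \
        || echo "warning: gpg is not v2; keys imported with gpg1 are not seen by gpg2"
    gpg_as_webuser "--import $PRIVKEY" >/dev/null 2>&1
    private_key_can_sign "$fp"
}

# Usage: sh check_serverkey.sh "<fingerprint as written in passbolt.php>"
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

Run it with the fingerprint copied from passbolt.php; a non-zero exit with "cannot sign" is the same condition the healthcheck reports as "The private key cannot be used to sign a message".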

Yes, I did so.
These were my steps:

• Deleted /var/www/passbolt/config/gpg/serverkey_private.asc and /var/www/passbolt/config/gpg/serverkey.asc
• Generated new OpenPGP Key
• Copied the public and private keys to the passbolt config location (which have been deleted before)
• Chmodded the keys to 640
• Deleted /var/www/.gnupg with all its content
• Created a new keyring via sudo su -s /bin/bash -c "gpg --list-keys" www-data
• Updated the key fingerprint in passbolt.php

Was there anything wrong?

You need to perform a user account recovery (or create a new user and follow the setup) for the new server key to be taken into account by the user browser extension.

I added a new user and deleted the old one - it worked!
Thank you guys for helping me out! Great community here :slight_smile:
