Low entropy pool and gpg server key problem

Hey there,

I am working with a Docker setup.

This is my error:

passbolt | Your entropy pool is low. This situation could lead GnuPG to not
passbolt | be able to create the gpg serverkey so the container start process will hang
passbolt | until enough entropy is obtained.
passbolt | Please consider installing rng-tools and/or virtio-rng on your host as the
passbolt | preferred method to generate random numbers using a TRNG.
passbolt | If rngd (rng-tools) does not provide enough or fast enough randomness you could
passbolt | consider installing haveged as a helper to speed up this process.
passbolt | Using haveged as a replacement for rngd is not recommended. You can read more
passbolt | about this topic here: https://lwn.net/Articles/525459/
passbolt | ==================================================================================
passbolt | gpg: revocation certificate stored as ‘/var/lib/passbolt/.gnupg/openpgp-revocs.d/79021B8BD9E21C45B09972205E541B45E55249031.rev’
passbolt | -bash: line 1: /var/lib/passbolt/gpg/privat.key: No such file or directory
mysql | 2024-07-04 11:06:14 11 [Warning] Aborted connection 11 to db: ‘unconnected’ user: ‘unauthenticated’ host: ‘172.20.0.3’ (This connection closed normally without authentication)

I have generated GPG keys myself and put them into my env.
The dir is 100% there!
I used this; I didn't set a password.

I did everything with rng-tools and haveged - no results.
I don't use the "latest" tag in my compose.
I checked the permissions - they are set to 33:33 as shown.
I cannot run passbolt healthcheck, since the container crashes immediately.

Does anyone have a clue?

Could you share your docker compose file to show how you mounted these? It looks like there might be an “e” missing on private somewhere

It's not the missing "e". I wish it were just a typo.

If I change the name of the key file and in the env, I still get this error:

passbolt | Your entropy pool is low. This situation could lead GnuPG to not
passbolt | be able to create the gpg serverkey so the container start process will hang
passbolt | until enough entropy is obtained.
passbolt | Please consider installing rng-tools and/or virtio-rng on your host as the
passbolt | preferred method to generate random numbers using a TRNG.
passbolt | If rngd (rng-tools) does not provide enough or fast enough randomness you could
passbolt | consider installing haveged as a helper to speed up this process.
passbolt | Using haveged as a replacement for rngd is not recommended. You can read more
passbolt | about this topic here: https://lwn.net/Articles/525459/
passbolt | ==================================================================================
passbolt | gpg: revocation certificate stored as ‘/var/lib/passbolt/.gnupg/openpgp-revocs.d/F77A2A2BE7CU762B3CE807F5A5208EABF83B0D68.rev’
passbolt | -bash: line 1: /var/lib/passbolt/gpg/private.key: No such file or directory


version: "3.9"
services:
  db:
    image: mariadb:10.11
    container_name: mysql
    restart: unless-stopped
    environment:
      MARIADB_ROOT_PASSWORD: ${ROOT_PASSWORD}
      MARIADB_DATABASE: "passbolt"
      MARIADB_USER: ${DB_USER}
      MARIADB_PASSWORD: ${DB_PASSWORD}
    volumes:
      - ${DISK}/mysql:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:4.8.0-1-ce
    # Alternatively you can use rootless:
    # image: passbolt/passbolt:latest-ce-non-root
    container_name: passbolt
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://passbolt.mydomian.to
      DATASOURCES_DEFAULT_HOST: mysql
      DATASOURCES_DEFAULT_USERNAME: ${DB_USER}
      DATASOURCES_DEFAULT_PASSWORD: ${DB_PASSWORD}
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
      EMAIL_DEFAULT_FROM_NAME: "passwort-server-mydomain"
      EMAIL_DEFAULT_FROM: ${EMAIL_DEFAULT_FROM}
      EMAIL_TRANSPORT_DEFAULT_HOST: ${EMAIL_TRANSPORT_HOST}
      EMAIL_TRANSPORT_DEFAULT_PORT: ${EMAIL_TRANSPORT_PORT}
      EMAIL_TRANSPORT_DEFAULT_USERNAME: ${EMAIL_TRANSPORT_USERNAME}
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: ${EMAIL_TRANSPORT_PASSWORD}
      EMAIL_TRANSPORT_DEFAULT_TLS: null
      PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: ${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT}
      PASSBOLT_GPG_SERVER_KEY_PUBLIC: ${PASSBOLT_GPG_SERVER_KEY_PUBLIC}
      PASSBOLT_GPG_SERVER_KEY_PRIVATE: ${PASSBOLT_GPG_SERVER_KEY_PRIVATE}
    volumes:
      - ${DISK}/gpg:/etc/passbolt/gpg
      - ${DISK}/jwt:/etc/passbolt/jwt:ro
      - ${DISK}/certs/mydomain.crt:/etc/ssl/certs/certificate.crt
      - ${DISK}/certs/mydomainkey:/etc/ssl/certs/certificate.key
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "mysql:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
      - 80:80
      - 443:443


And my .env:

DB_USER="admin"
DB_PASSWORD="XYZZZ"
ROOT_PASSWORD="XYZZZ"

DATASOURCES_USERNAME="admin"
DATASOURCES_PASSWORD="XYZZZ"
DATASOURCES_DATABASE="passbolt"

EMAIL_TRANSPORT_HOST="mydomian.com"
EMAIL_TRANSPORT_PORT=XYZZZ
EMAIL_TRANSPORT_USERNAME="my@domian.com"
EMAIL_TRANSPORT_PASSWORD="XYZZZ"
EMAIL_TRANSPORT_DEFAULT_TLS=null
EMAIL_DEFAULT_FROM="noreply@mydomain.to"

DISK="/var/lib/passbolt"

PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="XYZZZ"
PASSBOLT_GPG_SERVER_KEY_PUBLIC="/var/lib/passbolt/gpg/public.key"
PASSBOLT_GPG_SERVER_KEY_PRIVATE="/var/lib/passbolt/gpg/private.key"


The directory is there! Not missing or anything.

Thank you for your fast reply :slight_smile:

Aah, I think I see the issue here. You have it mounted correctly, but you are referring to the location on the host and not the location in the container where it is mounted. In your container these should be in /etc/passbolt/gpg, so try with that instead for these two values.
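The mistake above is easy to make whenever a value is set in .env on the host but consumed by a process inside the container. The script below is an added example (not passbolt's own tooling) that takes the volume mounts from the compose file in this thread and checks whether a PASSBOLT_GPG_SERVER_KEY_* value is a container-side path, printing the corrected path when it is the host-side one instead. The mount list and the DISK value are copied from the post; nothing is read from a live container.

```shell
#!/bin/sh
# Added example: check that PASSBOLT_GPG_SERVER_KEY_* values are paths as seen
# *inside* the container, using the volume mounts from the compose file above.

DISK="/var/lib/passbolt"   # same value as in the .env in this thread

# One mount per line, "host:container[:opts]", copied from the compose file.
# Iteration below splits on newlines only, so specs must not contain spaces.
VOLUMES="$DISK/gpg:/etc/passbolt/gpg
$DISK/jwt:/etc/passbolt/jwt:ro
$DISK/certs/mydomain.crt:/etc/ssl/certs/certificate.crt
$DISK/certs/mydomainkey:/etc/ssl/certs/certificate.key"

# container_path HOST_PATH
# Prints the path the same file has inside the container; exit 1 if no mount
# covers HOST_PATH (e.g. a file that lives only on the host).
container_path() {
    p=$1
    old_ifs=$IFS; IFS='
'
    for spec in $VOLUMES; do
        host=${spec%%:*}          # text before the first ':'
        rest=${spec#*:}           # container path plus optional ':ro'
        cont=${rest%%:*}
        case "$p" in
            "$host")   IFS=$old_ifs; printf '%s\n' "$cont"; return 0 ;;
            "$host"/*) IFS=$old_ifs; printf '%s\n' "$cont${p#"$host"}"; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# is_container_path PATH
# Exit 0 if PATH lies on the container side of some mount.
is_container_path() {
    p=$1
    old_ifs=$IFS; IFS='
'
    for spec in $VOLUMES; do
        rest=${spec#*:}
        cont=${rest%%:*}
        case "$p" in
            "$cont"|"$cont"/*) IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# check_key_var NAME VALUE
# Exit 0 and print "ok" when VALUE is already a container path; otherwise
# print the corrected value (when a mount covers the host path) and exit 1.
check_key_var() {
    name=$1; val=$2
    if is_container_path "$val"; then
        printf 'ok: %s=%s\n' "$name" "$val"
        return 0
    fi
    if fixed=$(container_path "$val"); then
        printf 'FIX: %s=%s is the host path; use %s\n' "$name" "$val" "$fixed"
    else
        printf 'FIX: %s=%s is not under any mount\n' "$name" "$val"
    fi
    return 1
}

# Usage with the two values from the .env in this thread; both are host paths,
# so both lines come out as FIX suggestions pointing at /etc/passbolt/gpg/...
status=0
check_key_var PASSBOLT_GPG_SERVER_KEY_PUBLIC  /var/lib/passbolt/gpg/public.key  || status=1
check_key_var PASSBOLT_GPG_SERVER_KEY_PRIVATE /var/lib/passbolt/gpg/private.key || status=1
printf 'overall status: %s\n' "$status"
```

Once the paths are corrected, the same idea can be verified against the running container with `docker compose exec passbolt ls -l /etc/passbolt/gpg`, which also shows whether the 33:33 ownership mentioned earlier survived the mount.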

You are truly my knight in shining armor... THANKS A MILLION!


Hi.
First message here, be kind :wink:.

I'm trying to set up PB with Docker on a Synology NAS as well, and I'm facing the very same issue.

I read the documentation before starting and didn't see or understand whether some secrets must be created before the setup or whether this is just part of the automatic process.

Any help would be great, thanks.