New account creation fails with "OpenPGP key cannot be used for encryption."

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

This error occurs when a new user tries to create an account from his link (this happens AFTER he choses a passphrase, and security token).
Please note that “La clé OpenPGP ne peut pas être utilisée pour crypter.” is French for “OpenPGP key cannot be used for encryption.”

{
    "code": 400,
    "body": {
        "gpgkey": {
            "armored_key": "La clé OpenPGP ne peut pas être utilisée pour crypter."
        }
    }
}

It worked a month ago. There were no changes on the server to my knowledge.
Everything else works (authentication, emails, creating new password, updating passwords, …)
The server is using NTP, and the date and time are correct.
I tried to follow the instructions on this very similar issue but it did not help : Issue with new account creation - Oracle Linux 8.5 - v3.11 - OpenPGP key can not be used to encrypt [SELINUX]
I tried to update every package (including Passbolt to 3.12.0), but still had the same issue
I also tried to create a new server PGP key, but failed to make it work, I ultimately had to restore the server to before the update.

Server : RedHat 8.7
Passbolt : 3.8.3 (localization : French)
PHP : 7.4.33-2.el8.remi
Nginx : 1:1.14.1-9.module+el8.0.0+4108+af250afe

HealthCheck (please do not mind the SSL FAIL) :

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.33.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://[REDACTED FQDN]
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [FAIL] This installation is not up to date. Currently using 3.8.3 and it should be v3.12.0.
 [HELP] See. https://www.passbolt.com/help/tech/update
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.

 [FAIL] 3 error(s) found. Hang in there!

Logs :
/var/log/passbolt/error.log

[DATE] error: [App\Error\Exception\CustomValidationException] La clé OpenPGP ne peut pas être utilisée pour crypter. in /usr/share/php/passbolt/src/Service/Setup/SetupCompleteService.php on line 93
Request URL: /setup/complete/2308301b-edef-464e-91da-5e89ab5d5643
Client IP: [SOME IP]

/var/log/passbolt/debug.log
[SAME DATE] debug: La clé OpenPGP ne peut pas être utilisée pour crypter.

Hello,

Are you still able to login with other users?
Are you still able to create another user (e.g. a test one, for yourself, on another browser profile)?

If yes, this indicates that only this new user key is not working. In this case can you check the time on the user machine (maybe the key is created “in the future” from the server perspective, even if server time is correct)? Can you also checked that the key is created by passbolt (and not imported by the user, for example that imported an expired/unsafe key)?

Cheers,

Are you still able to login with other users?

Yes no issue with login for all users that are already created

Are you still able to create another user (e.g. a test one, for yourself, on another browser profile)?

No, every new user created have the same error, I reproduced the issue myself.

If yes, this indicates that only this new user key is not working. In this case can you check the time on the user machine (maybe the key is created “in the future” from the server perspective, even if server time is correct)? Can you also checked that the key is created by passbolt (and not imported by the user, for example that imported an expired/unsafe key)?

I checked one of the key generated by passbolt, they seem valid. I even tried to import a previously generated key, and got the same issue.
Here is one the key imported with gpg and displayed :
image
I checked the timestamp, it’s not in the future, even from the server perspective.

Hello,

Passbolt have been updated, and we fixed the SSL certificate.
Now the healthcheck only shows a few warning but the issue is still there : Everything works fine, except new user registration.

New healthcheck :


     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.33.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://[SOME FQDN]
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 30 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.12.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [WARN] The deprecated self registration public setting was found in /etc/passbolt/passbolt.php.
 [HELP] You may remove the "passbolt.registration.public" setting.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [PASS] No error found. Nice one sparky!

However, once in a while, the healthcheck fails on one of the private key check.
It happens less than 1/10 of healthchecks, but it still happens, and it’s not the same check every time.
Here is an exemple (the reste of the healthcheck is identical) :
[FAIL] The private key cannot be used to decrypt a message

Last update.

We were able to import the current database in an older (and functional) backup of the server.
Therefore we decided to create a new server from the ground up, and import the database.

If any one have the same issue, it should work for you too. No special method, just follow the doc " Migrate an existing Passbolt CE to a new ##### server"
Simply make sure to keep the current server operational until all the users are able to log in to the new server.

Thank you for the help remy,
Have a great day

1 Like