Passbolt First Install : The OpenPGP server key defined in the config cannot be used to decrypt

DaveG33 · October 29, 2020, 12:57pm

Hi All,

I’m attempting to install passbolt for testing but keep hitting a wall with the following error:

"Error: [Cake\Http\Exception\InternalErrorException] The OpenPGP server key defined in the config cannot be used to decrypt. Could not import the key. (/var/www/passbolt/src/Auth/GpgAuthenticate.php:284)
Request URL: /auth/verify.json?api-version=v1"

I’ve read through similar experiences on this forum which were the result of incorrect GPG versions or keyfile references for GPG keys, both of which I think do not apply to my case.

The build environment I’m using is:
Virtual Machine
Red Hat v7.9
Passbolt v2.12.1 (intended as I’d like to work with this previous version initially)
gpg (GnuPG) v2.0.22
PHP v7.2.34

Following the build (which includes SELinux updates and 600 perms to “/usr/share/httpd/.gnupg/” I am able to register a new user and access the website but am presented with the following page when I attempt to login:

When I inspect the GPG keys as the apache user I get the following:

[root@dev-passbolt passbolt]# su -s /bin/bash -c "gpg --list-keys --with-finger" apache
/usr/share/httpd/.gnupg/pubring.gpg
-----------------------------------
pub   2048R/EDC6CC8D 2020-10-29
      Key fingerprint = E068 B649 F85B 8A3E 13F7  4EBF 2B03 4FA5 EDC6 CC8D
uid                  dev-passbolt <dev-passbolt@OMITTED>
sub   2048R/0037CA8E 2020-10-29
[root@dev-passbolt passbolt]# su -s /bin/bash -c "gpg --list-secret-keys --with-finger" apache
/usr/share/httpd/.gnupg/secring.gpg
-----------------------------------
sec   2048R/EDC6CC8D 2020-10-29
      Key fingerprint = E068 B649 F85B 8A3E 13F7  4EBF 2B03 4FA5 EDC6 CC8D
uid                  dev-passbolt <dev-passbolt@OMITTED>
ssb   2048R/0037CA8E 2020-10-29

Both keys were exported to the following files:

su -s /bin/bash -c "gpg --armor --export-secret-keys dev-passbolt@OMITTED > /var/www/passbolt/config/gpg/serverkey_private_ecc.asc" apache

su -s /bin/bash -c "gpg --armor --export dev-passbolt@OMITTED > /var/www/passbolt/config/gpg/serverkey_ecc.asc" apache

and I compared that to the passbolt.php entry:

// Main server key.
            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => 'E068B649F85B8A3E13F74EBF2B034FA5EDC6CC8D',
                'public' => CONFIG . 'gpg' . DS . 'serverkey_ecc.asc',
                'private' => CONFIG . 'gpg' . DS . 'serverkey_private_ecc.asc',

I also ran the healthcheck which provides the following report:

I’m at a bit of a loss and could use some guidance please.

I’ll snapshot the current state and move on to building the latest release (using the installation scripts which are available instead of building from source-ish).

Thanks in advance,

Dave

remy · October 29, 2020, 1:04pm

Hi @DaveG33, ECC keys are not officially supported at the moment, it should work if you create a key with RSA algorithm.

DaveG33 · October 29, 2020, 1:22pm

Hi Remy,

Thanks for your reply, somewhat oddly I believe I am using RSA keys:

gpg --gen-key
RSA and RSA
2048

I’ve just exported them to a confusingly named file which doesn’t represent the key type (in the vain hope of utilising the existing references in the passbolt.php file).

Prior to this build attempt I’d exported them to two new files named private.key and public.key but the problem remained.

Best,

Dave

remy · October 29, 2020, 2:20pm

Hmm, that is strange. My guess is that there is an issue with gnupg operation from the context of the web server (apache or nginx). It works fine when you call it from PHP, so it could be maybe some SELinux policies for this context, or maybe the GNUPGHOME is different in this context.

Can you try adding the following to rule the last one out:

'serverKey' => [
            // add these
            'keyring' => '/usr/share/httpd/.gnupg',
            'putenv' => true,

DaveG33 · October 29, 2020, 3:02pm

Thanks Remy,

I tried as suggested and then created a new user but the same problem occured.

Actions taken:

Updated passbolt.php:
‘passbolt’ => [
‘gpg’ => [
‘keyring’ => ‘/usr/share/httpd/.gnupg’,
‘putenv’ => true,
// Main server key.
‘serverKey’ => [
// Server private key fingerprint.
‘fingerprint’ => ‘E068B649F85B8A3E13F74EBF2B034FA5EDC6CC8D’,
‘public’ => CONFIG . ‘gpg’ . DS . ‘serverkey_ecc.asc’,
‘private’ => CONFIG . ‘gpg’ . DS . ‘serverkey_private_ecc.asc’,
],
],
],
Created a new user:
su -s /bin/bash -c “./bin/cake passbolt register_user -u test@test.com -f test -l test” apache
Followed the URL provided from Step2 to complete the user setup, defined a password and backed up the GPG user key to be redirected to the https://<>/auth/login page for Passbolt and receive the “Could not verify server key. The OpenPGP server key defined in the config cannot be used to decrypt. Could not import the key.” error - the same error is produced in the passbolt/logs/error.log file too.

The SELinux contexts I added (which I didn’t share in my OP) were:
> semanage fcontext -a -t httpd_sys_rw_content_t ‘/usr/share/httpd/.gnupg(/.)?’
> restorecon -Rv /usr/share/httpd/.gnupg
> semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/passbolt/tmp(/.)?’
> semanage fcontext -a -t httpd_sys_rw_content_t “/var/www/passbolt/webroot/img/public(/.*)?”
> restorecon -Rv /var/www/passbolt/
> setsebool -P httpd_can_network_connect 1

Thanks again for your help, still puzzling this one out.

Best,

Dave

remy · October 29, 2020, 3:54pm

Summoning @diego, who did manage to make it run on RHEL a while back.

DaveG33 · November 2, 2020, 8:42am

Thanks Remy,

Best,

Dave

diego · November 3, 2020, 9:42am

Sorry for the late reply I will try to reproduce locally today.

DaveG33 · November 3, 2020, 11:04am

Hi diego,

No problem - I’ve solved it!

The issue was SElinux contexts, the following describes the contexts that worked:

correct SELinux contexts on new files and dirs:

> semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/httpd/.gnupg(/.*)?'
> restorecon -Rv /usr/share/httpd/.gnupg

> semanage fcontext -a -t httpd_sys_content_t '/var/www/passbolt/(/.*)?'
> semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/passbolt/tmp(/.*)?'
> semanage fcontext -a -t httpd_sys_content_t '/var/www/passbolt/app/tmp(/.*)?'
> semanage fcontext -a -t httpd_sys_rw_content_t  "/var/www/passbolt/webroot/img/public(/.*)?"

> restorecon -Rv /var/www/passbolt/
> setsebool -P httpd_can_network_connect 1

Thanks both for your help in this one, much appreciated.

Dave

system · November 8, 2020, 11:04am

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
The OpenPGP server key defined in the config could not be found in the GnuPG keyring Installation Issues	15	4501	August 4, 2018
[FAIL] The server public key defined in the config/passbolt.php is not in the keyring - issue Installation Issues	12	6520	February 5, 2019
The GnuPG key for the user could not be imported Installation Issues	5	1183	January 11, 2018
Could not verify server key. The OpenPGP server key defined in the config could not be found in the GnuPG keyring Installation Issues	30	10434	July 28, 2018
2.0.0-rc2 Upgrade Issue (Key Not Found) Installation Issues	7	905	March 24, 2018

Passbolt First Install : The OpenPGP server key defined in the config cannot be used to decrypt

correct SELinux contexts on new files and dirs:

Related topics