Passbolt First Install: The OpenPGP server key defined in the config cannot be used to decrypt

Hi All,

I’m attempting to install passbolt for testing but keep hitting a wall with the following error:

"Error: [Cake\Http\Exception\InternalErrorException] The OpenPGP server key defined in the config cannot be used to decrypt. Could not import the key. (/var/www/passbolt/src/Auth/GpgAuthenticate.php:284)
Request URL: /auth/verify.json?api-version=v1"

I’ve read through similar experiences on this forum which were the result of incorrect GPG versions or keyfile references for GPG keys, both of which I think do not apply to my case.

The build environment I’m using is:
Virtual Machine
Red Hat v7.9
Passbolt v2.12.1 (intended as I’d like to work with this previous version initially)
gpg (GnuPG) v2.0.22
PHP v7.2.34

Following the build (which includes SELinux updates and 600 perms to “/usr/share/httpd/.gnupg/”), I am able to register a new user and access the website, but am presented with the following page when I attempt to log in:

When I inspect the GPG keys as the apache user I get the following:

[root@dev-passbolt passbolt]# su -s /bin/bash -c "gpg --list-keys --with-finger" apache
/usr/share/httpd/.gnupg/pubring.gpg
-----------------------------------
pub   2048R/EDC6CC8D 2020-10-29
      Key fingerprint = E068 B649 F85B 8A3E 13F7  4EBF 2B03 4FA5 EDC6 CC8D
uid                  dev-passbolt <dev-passbolt@OMITTED>
sub   2048R/0037CA8E 2020-10-29
[root@dev-passbolt passbolt]# su -s /bin/bash -c "gpg --list-secret-keys --with-finger" apache
/usr/share/httpd/.gnupg/secring.gpg
-----------------------------------
sec   2048R/EDC6CC8D 2020-10-29
      Key fingerprint = E068 B649 F85B 8A3E 13F7  4EBF 2B03 4FA5 EDC6 CC8D
uid                  dev-passbolt <dev-passbolt@OMITTED>
ssb   2048R/0037CA8E 2020-10-29

Both keys were exported to the following files:

su -s /bin/bash -c "gpg --armor --export-secret-keys dev-passbolt@OMITTED > /var/www/passbolt/config/gpg/serverkey_private_ecc.asc" apache

su -s /bin/bash -c "gpg --armor --export dev-passbolt@OMITTED > /var/www/passbolt/config/gpg/serverkey_ecc.asc" apache

and I compared that to the passbolt.php entry:

// Main server key.
'serverKey' => [
    // Server private key fingerprint.
    'fingerprint' => 'E068B649F85B8A3E13F74EBF2B034FA5EDC6CC8D',
    'public' => CONFIG . 'gpg' . DS . 'serverkey_ecc.asc',
    'private' => CONFIG . 'gpg' . DS . 'serverkey_private_ecc.asc',

I also ran the healthcheck which provides the following report:

I’m at a bit of a loss and could use some guidance please.

I’ll snapshot the current state and move on to building the latest release (using the installation scripts which are available instead of building from source-ish).

Thanks in advance,

Dave
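Two things the "cannot be used to decrypt" error hinges on can be checked without touching the server: whether the fingerprint in passbolt.php names a key that is present in the web server user's secret keyring, and whether that key is RSA. The script below is an added example, not code from the thread or from passbolt; it parses the GnuPG 2.0 `--with-fingerprint` listing format shown above and the `'fingerprint' => '...'` line of the config, both supplied here as constructed samples mirroring the post.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the two things the
# "cannot be used to decrypt" error usually hinges on: does the fingerprint in
# passbolt.php name a key that is in the web server user's *secret* keyring,
# and is that key RSA (the algorithm passbolt 2.x expected at the time).

# Constructed sample: GnuPG 2.0 `gpg --list-secret-keys --with-fingerprint`
# output in the format the thread shows. On a real host, capture it with
#   su -s /bin/bash -c "gpg --list-secret-keys --with-fingerprint" apache
SAMPLE_GPG_LISTING='/usr/share/httpd/.gnupg/secring.gpg
-----------------------------------
sec   2048R/EDC6CC8D 2020-10-29
      Key fingerprint = E068 B649 F85B 8A3E 13F7  4EBF 2B03 4FA5 EDC6 CC8D
uid                  dev-passbolt <dev-passbolt@OMITTED>
ssb   2048R/0037CA8E 2020-10-29'

# Constructed sample: the serverKey block from passbolt.php.
SAMPLE_CONFIG="'serverKey' => [
    'fingerprint' => 'E068B649F85B8A3E13F74EBF2B034FA5EDC6CC8D',
    'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
    'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',
],"

# Normalise a fingerprint read from stdin: drop spaces, force upper case.
normalize_fpr() {
    tr -d ' ' | tr 'a-f' 'A-F'
}

# Fingerprints of the primary secret keys in a listing, one per line.
secret_fingerprints() {
    printf '%s\n' "$1" | sed -n 's/^ *Key fingerprint = //p' | normalize_fpr
}

# The fingerprint string configured in passbolt.php, normalised the same way.
config_fingerprint() {
    printf '%s\n' "$1" \
      | sed -n "s/^.*'fingerprint' *=> *'\([0-9A-Fa-f ]*\)'.*$/\1/p" | normalize_fpr
}

# Algorithm letters of the primary secret keys: GnuPG 2.0 prints e.g. 2048R
# (RSA) or 1024D (DSA) on the "sec" line.
primary_key_algos() {
    printf '%s\n' "$1" | sed -n 's/^sec *[0-9]*\([A-Za-z]*\)\/.*$/\1/p'
}

# Succeed only if there is at least one primary secret key and all are RSA.
all_primary_keys_rsa() {
    algos=$(primary_key_algos "$1")
    [ -n "$algos" ] && ! printf '%s\n' "$algos" | grep -qvx 'R'
}

# Succeed only if the configured fingerprint matches one of the secret keys.
fingerprint_matches() {
    cfg=$(config_fingerprint "$2")
    [ -n "$cfg" ] && secret_fingerprints "$1" | grep -qx "$cfg"
}

# Stand-alone usage with the constructed samples.
if fingerprint_matches "$SAMPLE_GPG_LISTING" "$SAMPLE_CONFIG"; then
    echo "OK: configured fingerprint is present as a secret key"
else
    echo "FAIL: configured fingerprint not found among secret keys"
fi
if all_primary_keys_rsa "$SAMPLE_GPG_LISTING"; then
    echo "OK: server key is RSA"
else
    echo "WARN: server key is not RSA"
fi
```

The secret-key listing matters more than the public one: passbolt needs to decrypt with the private key, so a fingerprint that appears only in `--list-keys` (pubring) but not in `--list-secret-keys` (secring) for the web server user would produce exactly this kind of failure.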

Hi @DaveG33, ECC keys are not officially supported at the moment; it should work if you create a key with the RSA algorithm.

Hi Remy,

Thanks for your reply, somewhat oddly I believe I am using RSA keys:

gpg --gen-key
RSA and RSA
2048

I’ve just exported them to a confusingly named file which doesn’t represent the key type (in the vain hope of utilising the existing references in the passbolt.php file).

Prior to this build attempt I’d exported them to two new files named private.key and public.key but the problem remained.

Best,

Dave

Hmm, that is strange. My guess is that there is an issue with gnupg operation from the context of the web server (apache or nginx). It works fine when you call it from PHP, so it could be maybe some SELinux policies for this context, or maybe the GNUPGHOME is different in this context.

Can you try adding the following to rule the last one out:

'serverKey' => [
            // add these
            'keyring' => '/usr/share/httpd/.gnupg',
            'putenv' => true,

Thanks Remy,

I tried as suggested and then created a new user, but the same problem occurred.

Actions taken:

  1. Updated passbolt.php:
    'passbolt' => [
        'gpg' => [
            'keyring' => '/usr/share/httpd/.gnupg',
            'putenv' => true,
            // Main server key.
            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => 'E068B649F85B8A3E13F74EBF2B034FA5EDC6CC8D',
                'public' => CONFIG . 'gpg' . DS . 'serverkey_ecc.asc',
                'private' => CONFIG . 'gpg' . DS . 'serverkey_private_ecc.asc',
            ],
        ],
    ],

  2. Created a new user:
    su -s /bin/bash -c "./bin/cake passbolt register_user -u test@test.com -f test -l test" apache

  3. Followed the URL provided in Step 2 to complete the user setup, defined a password and backed up the GPG user key, and was then redirected to the https://<>/auth/login page for Passbolt, where I receive the “Could not verify server key. The OpenPGP server key defined in the config cannot be used to decrypt. Could not import the key.” error - the same error is produced in the passbolt/logs/error.log file too.

The SELinux contexts I added (which I didn’t share in my OP) were:
> semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/httpd/.gnupg(/.*)?'
> restorecon -Rv /usr/share/httpd/.gnupg
> semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/passbolt/tmp(/.*)?'
> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/passbolt/webroot/img/public(/.*)?"
> restorecon -Rv /var/www/passbolt/
> setsebool -P httpd_can_network_connect 1

Thanks again for your help, still puzzling this one out.

Best,

Dave

Summoning @diego, who did manage to make it run on RHEL a while back.

Thanks Remy,

Best,

Dave

Sorry for the late reply I will try to reproduce locally today.

Hi diego,

No problem - I’ve solved it! 🙂

The issue was SElinux contexts, the following describes the contexts that worked:

correct SELinux contexts on new files and dirs:

> semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/httpd/.gnupg(/.*)?'
> restorecon -Rv /usr/share/httpd/.gnupg

> semanage fcontext -a -t httpd_sys_content_t '/var/www/passbolt/(/.*)?'
> semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/passbolt/tmp(/.*)?'
> semanage fcontext -a -t httpd_sys_content_t '/var/www/passbolt/app/tmp(/.*)?'
> semanage fcontext -a -t httpd_sys_rw_content_t  "/var/www/passbolt/webroot/img/public(/.*)?"

> restorecon -Rv /var/www/passbolt/
> setsebool -P httpd_can_network_connect 1   

Thanks both for your help in this one, much appreciated.

Dave
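Since the fix was purely a labelling problem, it is worth being able to confirm that the labels actually landed on the files httpd must read (the keyring) and write (tmp, uploaded avatars). The script below is an added example, not code from the thread or from passbolt. It encodes the fcontext rules from the post above as expected types and compares them against `stat -c '%C %n'` output; the listing it runs on here is a constructed sample with two deliberate mislabels, and the passbolt-tree rule is assumed to be intended to cover `/var/www/passbolt` and everything beneath it.

```shell
#!/bin/sh
# Added example, not from the thread or from passbolt: verify that the files
# the web server must read or write carry the SELinux types the final post
# settled on, working from `stat -c '%C %n'` output so the check can run
# against a captured listing or, as here, against a constructed sample.

# The type each path should have, following the fcontext rules from the post.
# Most specific rule first. Assumption: the passbolt tree rule is meant to
# cover /var/www/passbolt and everything below it.
expected_type() {
    case "$1" in
        /usr/share/httpd/.gnupg|/usr/share/httpd/.gnupg/*)
            echo httpd_sys_rw_content_t ;;
        /var/www/passbolt/tmp|/var/www/passbolt/tmp/*)
            echo httpd_sys_rw_content_t ;;
        /var/www/passbolt/webroot/img/public|/var/www/passbolt/webroot/img/public/*)
            echo httpd_sys_rw_content_t ;;
        /var/www/passbolt/app/tmp|/var/www/passbolt/app/tmp/*)
            echo httpd_sys_content_t ;;
        /var/www/passbolt|/var/www/passbolt/*)
            echo httpd_sys_content_t ;;
        *)
            echo unmanaged ;;
    esac
}

# Read "context path" lines (as printed by stat -c '%C %n') and print one
# "path<TAB>actual<TAB>expected" line for every file whose type is wrong.
# Paths outside the managed trees are skipped.
find_mismatches() {
    printf '%s\n' "$1" | while read -r ctx path; do
        [ -n "$path" ] || continue
        actual=$(printf '%s' "$ctx" | cut -d: -f3)   # user:role:TYPE:level
        want=$(expected_type "$path")
        [ "$want" = unmanaged ] && continue
        [ "$actual" = "$want" ] || printf '%s\t%s\t%s\n' "$path" "$actual" "$want"
    done
}

# Number of mismatching entries in a listing.
count_mismatches() {
    find_mismatches "$1" | wc -l | tr -d ' '
}

# Constructed sample listing with two deliberate problems: a cache directory
# that is read-only for httpd, and a keyring file still labelled as home data
# (what you get when the keyring was created by a different user and copied).
SAMPLE_STAT_OUTPUT='system_u:object_r:httpd_sys_rw_content_t:s0 /usr/share/httpd/.gnupg
system_u:object_r:httpd_sys_rw_content_t:s0 /usr/share/httpd/.gnupg/secring.gpg
unconfined_u:object_r:user_home_t:s0 /usr/share/httpd/.gnupg/pubring.gpg
system_u:object_r:httpd_sys_content_t:s0 /var/www/passbolt/config/passbolt.php
system_u:object_r:httpd_sys_content_t:s0 /var/www/passbolt/tmp/cache/models
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/passbolt/webroot/img/public/Avatar'

# Stand-alone usage. On a live host replace the sample with:
#   find /usr/share/httpd/.gnupg /var/www/passbolt -exec stat -c '%C %n' {} +
find_mismatches "$SAMPLE_STAT_OUTPUT"
echo "mismatches: $(count_mismatches "$SAMPLE_STAT_OUTPUT")"
```

A non-empty mismatch list after `restorecon -Rv` usually means the fcontext pattern did not match the path as written (for example a pattern anchored on a different prefix), which is exactly the kind of silent failure that produced the "cannot be used to decrypt" error here: gpg running as apache simply could not read its own keyring.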
