Summary: The /bin/cake passbolt healthcheck routine executes and shows some [FAIL] status (see below). In particular, it fails to recognize the fingerprint equivalence in the keyring of www-data and in the /gpg/ folder. Quick debugging hacks of the healthcheck.php page suggests that the string in config/passbolt.php is not read appropriately by PhP.
Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
- My installation steps mostly rely on this tutorial. I am stuck at step 8.
I provide relevant information about my server (component names and versions, etc.)
- Virtual machine with Debian 10 (buster).
- Apache 2 installed and fully functional with other software.
- Mysql interacting appropriately with
cake. - gpg1 and gpg2 are installed. gpg1 is used as keys with empty. I generated the key with gpg1, as it does not seem to be possible to generate keys with infinite length and no passphrase with gpg2.
- Letsencrypt certificates sucessfully installed for the base URL. http redirects to https.
I provide a copy of my logs and healthcheck
Healthcheck status:
Open source password manager for teams --------------------------------------------------------------- Healthcheck shell...... --------------------------------------------------------------- Environment [PASS] PHP version 7.3.14-1~deb10u1. [PASS] PCRE compiled with unicode support. [PASS] The temporary directory and its content are writable. [PASS] The public image directory and its content are writable. [PASS] The logs directory and its content are writable. [PASS] GD or Imagick extension is installed. [PASS] Intl extension is installed. [PASS] Mbstring extension is installed. Config files [PASS] The application config file is present [PASS] The passbolt config file is present Core config [PASS] Debug mode is off. [PASS] Cache is working. [PASS] Unique value set for security.salt [PASS] Full base url is set to https://base.url [PASS] App.fullBaseUrl validation OK. [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl [HELP] Check that the domain name is correct in config/passbolt.php [HELP] Check the network settings SSL Certificate [FAIL] SSL peer certificate does not validate [FAIL] Hostname does not match when validating certificates. [WARN] Using a self-signed certificate [HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate Database [PASS] The application is able to connect to the database [PASS] 23 tables found [PASS] Some default content is present [PASS] The database schema up to date. GPG Configuration [PASS] PHP GPG Module is installed and loaded. [PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg. [PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user. [PASS] The server gpg key is not the default one [PASS] The public key file is defined in config/passbolt.php and readable. [PASS] The private key file is defined in config/passbolt.php and readable. [FAIL] The server key fingerprint doesn't match the one defined in config/passbolt.php. [HELP] Double check the key fingerprint, example: [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /home/www-data/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL' [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key. [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg [FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring [HELP] Import the private server key in the keyring of the webserver user. [HELP] you can try: [HELP] sudo su -s /bin/bash -c "gpg --home /home/www-data/.gnupg --import /var/www/crypte/config/gpg/serverkey_private.asc" www-data [PASS] There is a valid email id defined for the server key. Application configuration [PASS] Using latest passbolt version (2.12.1). [PASS] Passbolt is configured to force SSL use. [PASS] App.fullBaseUrl is set to HTTPS. [PASS] Selenium API endpoints are disabled. [PASS] Search engine robots are told not to index content. [PASS] Registration is closed, only administrators can add users. [PASS] Serving the compiled version of the javascript app [PASS] All email notifications will be sent. 5 error(s) found. Hang in there!
The tail of the error log in /var/www/[specific_folder]/logs/error.log:
2020-05-23 05:31:22 Error: [Cake\Routing\Exception\MissingRouteException] A route matching “s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1]=HelloThinkPHP” could not be found. (/var/www/[specific_folder]/vendor/cakephp/cakephp/src/Routing/RouteCollection.php:216)
Request URL:
s=/Index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP?s=/Index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=md5&vars%5B1%5D%5B%5D=HelloThinkPHP
I describe the steps I have taken to trouble shoot the problem
-
I have done the suggested steps found in the healtcheck messages (which corrected some [FAILS] that are not reported).
-
Since the fail message says that the fingerprint is different in the www-data keyring and in the
config/passbolt.phpfile, I hacked thesrc/Utility/Healthcheck/GpgHealthchecks.phpfile to add the two following lines:
L162: echo $privateKeyInfo[‘fingerprint’].‘\n’;
L163: echo Configure::read(‘passbolt.gpg.serverKey.fingerprint’);
This is meant to check what the application reads in terms of fingerprint (and will obviously be erased when the bug is fixed). The first line yields the complete fingerprint found in both the passbolt.php config file and in the keyring. Strangely, the second line yields only a partial print of the fingerprint: the last five hexadecimals are missing.
When I add five random letters to the fingerprint in the config/passbolt.php file, I get an accurate echo of the fingerprint in both cases, but it still yields a [FAIL] status when running the healthcheck.
What can perhaps help in the troubleshooting is the fact that when I enter the base URL in a navigator, it successfully redirects to [base-url]/auth/login, but it yields a 404 message. This may be normal as I have not completed the installation.
I describe the steps on how to reproduce the issue
- Reproduce the steps one to seven in the aforementionned tutorial on Debian 10, apache 2 and the use of gpg1.
I would welcome any suggestions or help to find how to resolve such problem.
Best,
Pier-André