Private Key is not defined or not readable

Checklist
[ X ] I have read intro post
[ X ] I have read the tutorials, help and searched for similar issues
[ X ] I provide relevant information about my server (component names and versions, etc.)
[ X ] I provide a copy of my logs and healthcheck
[ X ] I describe the steps I have taken to troubleshoot the problem
[ X ] I describe the steps on how to reproduce the issue

Hello! I’ve been a big fan of Passbolt since implementing it in early 2019. It works great, thank you for making a fantastic product! :grinning:

In preparation for upgrading to 3.0.1, I decided to do a healthcheck to make sure I had a clean “bill of health” before proceeding. I’m encountering one GPG error. Everything else checks out fine other than the obvious “Hey, you should update me” error. It seems a bit strange to me, as the Passbolt installation has been running fantastically for our team of about 60 users without any issues.

System is currently running the following. Let me know if I missed anything relevant. :slight_smile:

  • Ubuntu 18.04.5 LTS
  • mysql Ver 15.1 Distrib 10.1.47-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
  • nginx version: nginx/1.14.0 (Ubuntu)
  • PHP 7.2.24-0ubuntu0.18.04.7 (cli) (built: Oct 7 2020 15:24:25) ( NTS )
    Copyright © 1997-2018 The PHP Group
    Zend Engine v3.2.0, Copyright © 1998-2018 Zend Technologies
    with Zend OPcache v7.2.24-0ubuntu0.18.04.7, Copyright © 1999-2018, by Zend Technologies

Healthcheck results:

Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 7.2.24-0ubuntu0.18.04.7.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://[redacted]
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate

Database

[PASS] The application is able to connect to the database
[PASS] 26 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
[PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server gpg key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[FAIL] The private key file is not defined in config/passbolt.php or not readable.
[HELP] Ensure the private key file is defined by the variable passbolt.gpg.serverKey.private in config/passbolt.php.
[HELP] Ensure there is a private key armored block in the key file.
[HELP] Ensure the private key defined in config/passbolt.php exists and is accessible by the webserver user.
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Application configuration

[FAIL] This installation is not up to date. Currently using 2.13.5 and it should be v3.0.1.
[HELP] See. https://www.passbolt.com/help/tech/update
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

2 error(s) found. Hang in there!

I am confused about how passbolt would even be working if the server couldn’t read its own private key file. Here is the relevant portion of passbolt.php:

'passbolt' => [
    // GPG Configuration.
    // The keyring must to be owned and accessible by the webserver user.
    // Example: www-data user on Debian
    'gpg' => [
        // Main server key.
        'serverKey' => [
            // Server private key fingerprint.
            'fingerprint' => '[redacted]',
            'public' => CONFIG . DS . 'gpg' . DS . 'serverkey.asc',
            'private' => CONFIG . DS . 'gpg' . DS . 'serverkey_private.asc',

And www-data seems to have no problems accessing serverkey_private.asc:

$ sudo -H -u www-data bash -c "cat /var/www/passbolt/config/gpg/serverkey_private.asc"
-----BEGIN PGP PRIVATE KEY BLOCK-----
[redacted]
-----END PGP PRIVATE KEY BLOCK-----

www-data seems to be able to list the key and get the fingerprint properly too:

$ sudo su -s /bin/bash -c "gpg --list-keys" www-data
/home/www-data/.gnupg/pubring.kbx

pub rsa2048 2018-10-26 [SC]
[redacted, but matches key fingerprint in passbolt.php]
uid [ultimate] passbolt <bryan@[redacted].com>
sub rsa2048 2018-10-26 [E]
[all the user keys here, but redacted]

Any ideas what to troubleshoot next?

Many thanks for any and all assistance. :slight_smile:

Hello @brywhi,

Can you confirm you are also running the healthcheck as www-data?

This check currently encompasses three items in the code:

$checks['gpg']['gpgKeyPrivate'] = (Configure::read('passbolt.gpg.serverKey.private') !== null);
$checks['gpg']['gpgKeyPrivateReadable'] = is_readable(Configure::read('passbolt.gpg.serverKey.private'));
if ($checks['gpg']['gpgKeyPrivateReadable']) {
    $privateKeydata = file_get_contents(Configure::read('passbolt.gpg.serverKey.private'));
    $blockStart = '-----BEGIN PGP PRIVATE KEY BLOCK-----';
    $checks['gpg']['gpgKeyPrivateBlock'] = (strpos($privateKeydata, $blockStart) === 0);
}

Most likely this is the “is_readable” that is failing (can you show us the permissions on this file?), or the check for the block start (maybe there is a \n at the start?).

Haha, you are a genius @Remy! I just had a new line at the start of serverkey_private.asc. :rofl:

Got rid of it via nano, and now all is well.

For future readers (if any) of this thread, I just did cat -v serverkey_private.asc to see non-printable characters, and removed them from the start of the file with nano.

Many thanks for your help, @Remy! I will be testing the upgrade path next.
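The three conditions @Remy quotes from the healthcheck (key path defined, file readable, armored header at byte 0) and the cat -v diagnosis above, reproduced as a shell script. This is an added example, not Passbolt's own code or the healthcheck itself: it assumes a GNU grep (for the -b/-o byte offset), takes the key path as its only argument, and when run without arguments exercises a constructed sample file containing a placeholder block with a leading newline, not a real key.

```shell
#!/bin/sh
# Added example (not Passbolt's own code): reproduce the three healthcheck
# conditions for passbolt.gpg.serverKey.private, then repair the leading
# newline case, which fails only the block-start test.
# Run it as the webserver user, as the healthcheck should be, e.g.:
#   sudo -u www-data sh key_check.sh /var/www/passbolt/config/gpg/serverkey_private.asc

BLOCK_START='-----BEGIN PGP PRIVATE KEY BLOCK-----'

# Returns 0 when all three checks pass; 1 = path not defined, 2 = not
# readable, 3 = armored block does not start at byte 0 (e.g. a leading "\n").
check_private_key() {
    keyfile=$1
    if [ -z "$keyfile" ]; then
        echo "FAIL: passbolt.gpg.serverKey.private is not defined"
        return 1
    fi
    if [ ! -r "$keyfile" ]; then
        echo "FAIL: $keyfile is not readable by $(id -un)"
        return 2
    fi
    # Same test as strpos($privateKeydata, $blockStart) === 0: read exactly
    # as many bytes as the header is long, so any byte in front of it (newline,
    # space, BOM) shifts the comparison and the check fails.
    if [ "$(head -c ${#BLOCK_START} "$keyfile")" != "$BLOCK_START" ]; then
        echo "FAIL: armored block does not start at byte 0 of $keyfile"
        echo "      first bytes (od -c):$(head -c 8 "$keyfile" | od -An -c)"
        return 3
    fi
    echo "PASS: $keyfile"
    return 0
}

# Byte offset of the header inside the file (empty if it is absent).
# Relies on GNU grep -b/-o printing the offset of the match itself.
header_offset() {
    grep -F -b -o -e "$BLOCK_START" "$1" | head -n 1 | cut -d: -f1
}

# Drop every byte before the header. A backup keeps the original mode via
# cp -p, and writing through "cat >" truncates the existing file rather than
# recreating it, so owner and permissions are preserved for the webserver user.
strip_leading_junk() {
    keyfile=$1
    off=$(header_offset "$keyfile")
    [ -n "$off" ] || { echo "no private key block in $keyfile"; return 1; }
    cp -p "$keyfile" "$keyfile.bak"
    tmp=$(mktemp)
    tail -c +$((off + 1)) "$keyfile" > "$tmp"
    cat "$tmp" > "$keyfile"
    rm -f "$tmp"
}

# Constructed sample: a leading newline, then a placeholder block. This is
# not a real key and will not import into gpg.
make_sample_key() {
    printf '\n%s\n\nbm90IGEgcmVhbCBrZXk=\n-----END PGP PRIVATE KEY BLOCK-----\n' \
        "$BLOCK_START" > "$1"
}

if [ -n "$1" ]; then
    check_private_key "$1"
else
    d=$(mktemp -d)
    make_sample_key "$d/serverkey_private.asc"
    check_private_key "$d/serverkey_private.asc" || true   # fails: leading "\n"
    strip_leading_junk "$d/serverkey_private.asc"
    check_private_key "$d/serverkey_private.asc"            # passes
    rm -rf "$d"
fi
```

Running the check as www-data matters: a file that root can read but the webserver user cannot fails the second condition, not the third, and the return code tells the two apart. Delete the .bak copy once the healthcheck passes so a second copy of the server private key is not left on disk.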


@brywhi as a heads up, if you want to stay on Ubuntu 18, you will need to upgrade to php7.3. It’s probably best in my opinion to go for Ubuntu 20.

Thanks! Yeah, I am planning on moving to 20.04; we have several other boxes in our environment running it. Thanks again for all your help.