[ X ] I have read intro post
[ X ] I have read the tutorials, help and searched for similar issues
[ X ] I provide relevant information about my server (component names and versions, etc.)
[ X ] I provide a copy of my logs and healthcheck
[ X ] I describe the steps I have taken to troubleshoot the problem
[ X ] I describe the steps on how to reproduce the issue
Hello! I’ve been a big fan of Passbolt since implementing it in early 2019. It works great, thank you for making a fantastic product!
In preparation for upgrading to 3.0.1, I decided to do a healthcheck to make sure I had a clean “bill of health” before proceeding. I’m encountering one GPG error. Everything else checks out fine other than the obvious “Hey, you should update me” error. It seems a bit strange to me, as the Passbolt installation has been running fantastically for our team of about 60 users without any issues.
System is currently running the following. Let me know if I missed anything relevant.
- Ubuntu 18.04.5 LTS
- mysql Ver 15.1 Distrib 10.1.47-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
- nginx version: nginx/1.14.0 (Ubuntu)
- PHP 7.2.24-0ubuntu0.18.04.7 (cli) (built: Oct 7 2020 15:24:25) ( NTS )
  Copyright © 1997-2018 The PHP Group
  Zend Engine v3.2.0, Copyright © 1998-2018 Zend Technologies
  with Zend OPcache v7.2.24-0ubuntu0.18.04.7, Copyright © 1999-2018, by Zend Technologies
Open source password manager for teams
[PASS] PHP version 7.2.24-0ubuntu0.18.04.7.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.
[PASS] The application config file is present
[PASS] The passbolt config file is present
[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://[redacted]
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate
[PASS] The application is able to connect to the database
[PASS] 26 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
[PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server gpg key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[FAIL] The private key file is not defined in config/passbolt.php or not readable.
[HELP] Ensure the private key file is defined by the variable passbolt.gpg.serverKey.private in config/passbolt.php.
[HELP] Ensure there is a private key armored block in the key file.
[HELP] Ensure the private key defined in config/passbolt.php exists and is accessible by the webserver user.
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[FAIL] This installation is not up to date. Currently using 2.13.5 and it should be v3.0.1.
[HELP] See. https://www.passbolt.com/help/tech/update
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] All email notifications will be sent.
2 error(s) found. Hang in there!
I am confused at how passbolt would even be working if the server couldn’t read its own private key file. Here is the relevant portion of passbolt.php:
'passbolt' => [
    // GPG Configuration.
    // The keyring must be owned and accessible by the webserver user.
    // Example: www-data user on Debian
    'gpg' => [
        // Main server key.
        'serverKey' => [
            // Server private key fingerprint.
            'fingerprint' => '[redacted]',
            'public' => CONFIG . DS . 'gpg' . DS . 'serverkey.asc',
            'private' => CONFIG . DS . 'gpg' . DS . 'serverkey_private.asc',
And www-data seems to have no problems accessing serverkey_private.asc:
$ sudo -H -u www-data bash -c "cat /var/www/passbolt/config/gpg/serverkey_private.asc"
-----BEGIN PGP PRIVATE KEY BLOCK-----
-----END PGP PRIVATE KEY BLOCK-----
www-data seems to be able to list the key and get the fingerprint properly too:
$ sudo su -s /bin/bash -c "gpg --list-keys" www-data
pub rsa2048 2018-10-26 [SC]
[redacted, but matches key fingerprint in passbolt.php]
uid [ultimate] passbolt <bryan@[redacted].com>
sub rsa2048 2018-10-26 [E]
[all the user keys here, but redacted]
Any ideas what to troubleshoot next?
Many thanks for any and all assistance.
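To narrow down which of the three [HELP] conditions behind that [FAIL] line is actually tripping, here is a small POSIX shell check added as an example; it is not from the original post nor Passbolt's own healthcheck. The key path and the www-data user in the commented invocation are the values from the post; the test file contents are constructed.

```shell
# check_private_key FILE [USER]
# Re-runs the three conditions behind the healthcheck's [HELP] lines for the
# server private key: the path is set, it is readable (as USER via sudo when
# given, otherwise as the caller), and it holds an armored private key block.
# Also warns when the key file is readable by "other" users.
check_private_key() {
    file="$1"
    user="${2:-}"
    runas=""
    if [ -n "$user" ]; then
        runas="sudo -H -u $user"
    fi

    # Condition 1: passbolt.gpg.serverKey.private must point somewhere.
    if [ -z "$file" ]; then
        echo "FAIL: no private key path given (passbolt.gpg.serverKey.private)"
        return 1
    fi

    # Condition 2: the file must exist and be readable by the web server user.
    # test -r runs inside the (possibly sudo'ed) shell, so it uses that uid.
    if ! $runas sh -c "test -r '$file'"; then
        echo "FAIL: $file is missing or not readable by ${user:-$(id -un)}"
        return 1
    fi

    # Condition 3: the file must contain an ASCII-armored PRIVATE key block
    # (a public key block in this slot is a common copy/paste mistake).
    if ! $runas sh -c "grep -q -- '-----BEGIN PGP PRIVATE KEY BLOCK-----' '$file' &&
                        grep -q -- '-----END PGP PRIVATE KEY BLOCK-----' '$file'"; then
        echo "FAIL: $file does not contain an armored PGP private key block"
        return 1
    fi

    # Hygiene: a server private key should not be world-readable (chmod 600).
    # Characters 8-10 of the ls -l mode string are the "other" permission bits.
    other=$(ls -ld "$file" | cut -c8-10)
    case "$other" in
        *r*) echo "WARN: $file is readable by other users (mode ...$other)" ;;
    esac

    echo "PASS: $file is readable by ${user:-$(id -un)} and holds a private key block"
    return 0
}

# Invocation mirroring the post (path and user are the post's own values):
# check_private_key /var/www/passbolt/config/gpg/serverkey_private.asc www-data
```

If this passes as www-data while the healthcheck still fails, the discrepancy is in how the healthcheck resolves CONFIG . DS . 'gpg' rather than in the file itself, which is the next thing to compare.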