Server key found by health check but not by auth page

I installed passbolt on FreeBSD 11.2 running inside a jail. After getting the webserver config right and installing a couple of PHP extensions that I didn't have (because I skipped the dependencies list), I'm up and running. I can create the initial admin user, activate the account, generate the admin keys, and get back to the main login screen, but when I attempt to log in the authentication box says

Error: [Cake\Network\Exception\InternalErrorException] The OpenPGP server key defined in the config could not be found in the GnuPG keyring.
Request URL: /auth/verify.json?api-version=v1

From what I've read so far, this is usually a "key not on the webserver keyring" issue, but I've triple-checked the keyring. Nginx and php-fpm are both running as the www user. The keyring is owned by www:www and both the public and secret keys are visible when I list the keys as the www user. Running the health check as www also passes with no error, even explicitly saying [PASS] The server public key defined in the config/passbolt.php is in the keyring. My best guess is that maybe the PHP process is trying to use someone else's keyring, but I've confirmed that it's running as www and that the keyring location config value is set properly.

Any thoughts would be greatly appreciated!

Private keys on www keyring

$ sudo -u www gpg -K
gpg: Warning: using insecure memory!
/home/www/.gnupg/pubring.kbx
----------------------------
sec   rsa2048 2019-01-08 [SC] [expires: 2021-01-07]
      4430975797C671AC57CEB42E3690B8772301BDFB
uid           [ unknown] Passbolt <passbolt@example.com>
ssb   rsa2048 2019-01-08 [E] [expires: 2021-01-07]

Public keys on www keyring

$ sudo -u www gpg -k
gpg: Warning: using insecure memory!
/home/www/.gnupg/pubring.kbx
----------------------------
pub   rsa2048 2019-01-08 [SC] [expires: 2021-01-07]
      4430975797C671AC57CEB42E3690B8772301BDFB
uid           [ unknown] Passbolt <passbolt@anderson.network>
sub   rsa2048 2019-01-08 [E] [expires: 2021-01-07]

Healthcheck

$ sudo -u www bin/cake passbolt healthcheck
     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell       
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.2.13.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.anderson.network
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 18 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /home/www/.gnupg.
 [PASS] The directory /home/www/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server gpg key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (2.5.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 No error found. Nice one sparky!

I poked through some of the PHP and confirmed that the keyring is being accessed by www, and that GNUPGHOME is not defined the line before the keyring is accessed. The error persists even if I hard-code the correct keyring location in.

It looks like this line is failing with the error "could not init keylist" as reported by gnupg_geterror. This Stack Overflow question appears to describe a similar issue, but the suggested fixes there didn't work in this case.

After some more poking, it seems the issue is that the PATH was not being used by the FPM worker. Adding env[PATH] = /usr/local/bin:/usr/bin:/bin to the pool config (/usr/local/etc/php-fpm.d/www.conf on my machine) resolved the issue.

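As an added example (not from the original thread or from the passbolt project), a small POSIX sh check for the fix described above: it reads a php-fpm pool file, extracts the env[PATH] directive, and confirms that the gpg binary resolves under that PATH, so a worker-side PATH problem can be caught before restarting php-fpm. The pool file path and the binary name are parameters you supply.

```shell
#!/bin/sh
# Added example, not from the original post: lint a php-fpm pool config so the
# FPM worker gets a PATH under which gpg resolves. Arguments are assumptions:
# the pool file path and, optionally, the binary name to look for.

# Print the value of env[PATH] from pool file $1 (first match; a trailing
# "; comment" is stripped), or print nothing when the directive is absent.
fpm_pool_path() {
    sed -n 's/^[[:space:]]*env\[PATH\][[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*;.*$//' | head -n 1
}

# Return 0 when an executable named $2 exists in some component of the
# colon-separated PATH given as $1.
path_has_binary() {
    _saved_ifs=$IFS
    IFS=:
    for _dir in $1; do
        if [ -x "$_dir/$2" ]; then IFS=$_saved_ifs; return 0; fi
    done
    IFS=$_saved_ifs
    return 1
}

# Exit status: 0 = pool exports a PATH that resolves $2 (default: gpg),
# 1 = env[PATH] missing (the worker inherits php-fpm's own, often empty, PATH),
# 2 = env[PATH] present but the binary is not found under it.
check_fpm_gpg_path() {
    _pool=$(fpm_pool_path "$1")
    _bin=${2:-gpg}
    if [ -z "$_pool" ]; then
        echo "FAIL: no env[PATH] in $1"
        return 1
    fi
    if ! path_has_binary "$_pool" "$_bin"; then
        echo "FAIL: env[PATH]=$_pool does not resolve $_bin"
        return 2
    fi
    echo "PASS: $_bin resolves under env[PATH]=$_pool"
    return 0
}

# Usage (path from the post above): check_fpm_gpg_path /usr/local/etc/php-fpm.d/www.conf
```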
