Server Key Verification after TimeZone Correction

We recently noticed that we couldn’t create any new users as we kept getting an authentication issue. We realised that the timezone was wrong and it was changed to the correct timezone which made the time match the client time.

However, after the timezone change we are now receiving “Could not verify the server key. Server internal error.”

In the error log we’re also receiving:

[Cake\Http\Exception\InternalErrorException] The OpenPGP server key defined in the config cannot be used to decrypt. Could not import the key. (/var/www/passbolt/src/Auth/GpgAuthenticate.php:284)
Request URL: /auth/verify.json?api-version=v2

Any help would be great!

Hi @Mikel

You’ll want to run the healthcheck on the server and look for notes regarding failures and steps to remediate. If you need further help please provide your install version/method and healthcheck results thanks.

Hi Garrett,

Apologies for the delay. How do I run a health check? I’m completely new to Passbolt and haven’t found the documentation that easy to find.

@Mikel
Lots of changes in the past 12 months so documentation is a work in progress! :slight_smile:

As you didn’t mention your installation method, I can only provide the general command which is executed from the passbolt project root folder: sudo su -s /bin/bash -c "./bin/cake passbolt healthcheck" www-data. Regarding the location of your passbolt root folder, hopefully you know this.

If this is successful, post the results while obfuscating what you need to, thanks.

We also have a help site with installation instructions if you are trying to learn more about your install (assuming you did not install it yourself and are following someone else who did). The version of your passbolt is found on the login page, by hovering over the heart in the lower right-hand corner. Knowing this helps us as well when others are trying to assist.

@garrett thanks for your help.

Our Passbolt version is:
'version' => '2.13.5',
'name' => 'Stomp'

I installed Passbolt straight onto Ubuntu manually. The health check is below; the only thing I’d add is that the site works for current users with no error around certificates:

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fopen(): Failed to enable crypto
fopen(/healthcheck/status.json): failed to open stream: operation failed

Database

[PASS] The application is able to connect to the database
[PASS] 23 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
[PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server gpg key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Application configuration

[FAIL] Could not connect to passbolt repository to check versions. It is not possible check if your version is up to date.
[HELP] Check the network configuration to allow this script to check for updates.
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

3 error(s) found. Hang in there!

@Mikel
This is helpful, thanks.

OK, so the error started occurring after changing timezones on the server to match the client. Typically, the client needs to be adjusted. For example, I had the right time noted on my Windows client, but the timezone was set to Pacific instead of Eastern. Changing the timezone then changed my time - which I then corrected, and this resolved a similar issue.

The server timezone can be set to whatever, but the actual time on the server should be accurate.

Did you verify this is not helpful? Passbolt First Install : The OpenPGP server key defined in the config cannot be used to decrypt
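After a clock or timezone correction, one thing the healthcheck above does not surface is whether the server key's own timestamps still agree with the server clock: gnupg warns when a key appears to have been created in the future or has expired, which is worth ruling out before looking elsewhere. The script below is an added diagnostic, not code from this thread or from passbolt; it parses `gpg --with-colons --list-keys` output (a constructed sample is embedded; the real keyring is read when run as www-data with the GNUPGHOME shown in the healthcheck) and checks the fingerprint from config/passbolt.php against it. That this is the cause here is an assumption.

```python
"""Added diagnostic (not passbolt's code): is the fingerprint from config/passbolt.php in
the webserver user's keyring, and do that key's gnupg timestamps agree with the clock?
Usage: sudo -u www-data env GNUPGHOME=/home/www-data/.gnupg python3 keycheck.py <FINGERPRINT>"""
import subprocess
import sys
import time

# Constructed sample of `gpg --with-colons --list-keys` output (not from the thread).
# Field 1 = record type, 5 = keyid, 6 = creation, 7 = expiry (epoch secs); fpr field 10 = fingerprint.
# Key ...01 is fine, ...02 was "created" after NOW, ...03 has expired.
SAMPLE_LISTING = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
pub:u:2048:1:BBBBBBBBBBBBBBBB:1640000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000002:
pub:e:2048:1:CCCCCCCCCCCCCCCC:1500000000:1520000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
"""
NOW = 1631000000  # constructed server clock (2021-09-07 07:33:20 UTC)

def parse_keys(listing):
    """Collect keyid, creation/expiry epoch and fingerprint for each primary key."""
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "created": int(f[5]),
                       "expires": int(f[6]) if f[6] else None, "fpr": None}
            keys.append(current)
        elif f[0] == "fpr" and current and current["fpr"] is None:
            current["fpr"] = f[9]  # first fpr after a pub record: the primary key
    return keys

def check_server_key(listing, config_fpr, now=NOW):
    """Return a list of problems; empty means the key is present and its dates are sane."""
    wanted = config_fpr.replace(" ", "").upper()
    match = [k for k in parse_keys(listing) if k["fpr"] == wanted]
    if not match:
        return ["fingerprint %s is not in this keyring" % wanted]
    k, problems = match[0], []
    if k["created"] > now:  # clock is now earlier than the key's creation time
        problems.append("created %d s in the future" % (k["created"] - now))
    if k["expires"] is not None and k["expires"] <= now:
        problems.append("expired %d s ago" % (now - k["expires"]))
    return problems

if __name__ == "__main__":
    listing = subprocess.run(["gpg", "--with-colons", "--list-keys"],
                             capture_output=True, text=True, check=True).stdout
    print(check_server_key(listing, sys.argv[1], int(time.time())) or ["server key OK"])
```

Run it with the same user and GNUPGHOME the healthcheck reports, otherwise it inspects a different keyring than passbolt does.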

@garrett just double checked the time and they both match.

If it helps, from the error.log when trying to set up a new user (after the user receives an email with a link to configure their account; every step works, then it errors after choosing the password and security ID):

2021-09-07 12:59:19 Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. (/var/www/passbolt/src/Auth/GpgAuthenticate.php:85)
Request URL: /auth/is-authenticated.json

2021-09-07 12:59:29 Error: [Cake\View\Exception\MissingTemplateException] Template file “/Setup/json/start.ctp” is missing. (/var/www/passbolt/vendor/cakephp/cakephp/src/View/View.php:1583)
Request URL: /setup/install/8831363a-2656-422e-9087-9c3356fd7bfd/8cf960fe-939f-4242-b8d8-fe461f480d9b.json?api-version=v2

2021-09-07 12:59:57 Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. (/var/www/passbolt/src/Auth/GpgAuthenticate.php:85)
Request URL: /users/csrf-token.json?api-version=v2

@Mikel We could also inspect the console of the extension.

  • If you are using Google Chrome you can go to: chrome://extensions, then activate Developer mode in the top right corner. Look for the Passbolt card and click the Details button. Look for Inspect views and click the index.html link. A new window will appear - this is the debugger of the browser extension. Try to reproduce the error and post the results.

  • On Firefox, you can go to: about:debugging#/runtime/this-firefox. Then locate Passbolt and click Inspect. A new tab for the console of the browser extension will appear.

@garrett

I used Edge, hopefully that isn’t an issue. index log below from console:

Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID
index.html:1 Unchecked runtime.lastError: The extensions gallery cannot be scripted. (repeated 8 times)
index.min.js:37573 GET https://FQDN/setup/install/329e021e-fb33-4177-ad3c-b488322bcdf0/390dd329-e748-4912-a1ff-14be3ea7fba3.json?api-version=v2 500 (Internal Server Error)
fetchAndHandleResponse @ index.min.js:37573
findSetupInfo @ index.min.js:39137
findSetupInfo @ index.min.js:33455
retrieveSetupInfo @ index.min.js:10633
async function (async)
retrieveSetupInfo @ index.min.js:10630
(anonymous) @ index.min.js:13603
(anonymous) @ index.min.js:36464
index.min.js:37573 GET https://FQDN/users/csrf-token.json?api-version=v2 403 (Forbidden)
fetchAndHandleResponse @ index.min.js:37573
findCsrfToken @ index.min.js:39720
User.retrieveAndStoreCsrfToken @ index.min.js:34404
login @ index.min.js:14680
async function (async)
login @ index.min.js:14678
complete @ index.min.js:10760
async function (async)
complete @ index.min.js:10757
(anonymous) @ index.min.js:13706
(anonymous) @ index.min.js:36464
index.min.js:13709 Error: There was an error during authentication. Enable debug mode for more information
at GpgAuthHeader.__validateCommonAllStage (index.min.js:29955)
at GpgAuthHeader.__validate (index.min.js:29914)
at new GpgAuthHeader (index.min.js:29899)
at GpgAuth.stage1 (index.min.js:30324)
at async GpgAuth.login (index.min.js:30295)
at async AuthModel.login (index.min.js:14681)
at async SetupController.complete (index.min.js:10760)
at async Port. (index.min.js:13706)

@Mikel As part of troubleshooting:

  1. Does the problem also occur on Chrome and Firefox?
  2. Since the healthcheck noted it could not reach the internet for update checks, if you are running an internally-only site, does the problem occur if you do not use https? Your self-signed certs are throwing an error.
  3. You can also enable debug for additional logging in the passbolt.php config file (the key must be quoted, as the rest of the array keys are):
return [
    'debug' => true,
    'App' => [
        ...
    ]
];