Sorry, the server key has changed

I’m the administrator and I haven’t made any changes to the way it’s set up in the last couple of months. What causes a server key change? Is this a false positive? How can I check?


Hi @VHMC41 welcome to the community forum :hugs:

The “server key has changed” message can appear when the server key has actually changed, but also, in some rare cases, when the server verification fails or during a temporary network failure.

As stated in our Security White Paper on page 24: https://help.passbolt.com/assets/files/Security%20White%20Paper%20-%20Passbolt%20Pro%20Edition.pdf

This server identity verification should not be understood as an end to end server authentication, e.g. it does not protect against an attacker performing a man in the middle attack.
However it can help in certain unlikely scenarios such as when a domain name is seized.

If you want to compare the fingerprint displayed in your web browser with the one defined on your Passbolt server, you can check the one defined in the Passbolt configuration file (843D2B185A337858D2EE5C1041E7852AEACC2DD9 for my case):

$ sudo grep fingerprint /etc/passbolt/passbolt.php
'fingerprint' => '843D2B185A337858D2EE5C1041E7852AEACC2DD9',

You can also check the gpg files located in the /etc/passbolt/gpg/ folder:

$ sudo gpg /etc/passbolt/gpg/serverkey.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa2048 2021-09-14 [SC]
843D2B185A337858D2EE5C1041E7852AEACC2DD9
uid Passbolt default user <passbolt@yourdomain.com>
sub rsa2048 2021-09-14 [E]

$ sudo gpg /etc/passbolt/gpg/serverkey_private.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa2048 2021-09-14 [SC]
843D2B185A337858D2EE5C1041E7852AEACC2DD9
uid Passbolt default user <passbolt@yourdomain.com>
sub rsa2048 2021-09-14 [E]

So if the fingerprint displayed in the browser matches the one defined on the Passbolt server, you can go ahead and continue.

Let me know if you have other questions.

Best,

I am getting the same response
sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"

(passbolt ASCII-art banner)

Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 7.4.30.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to http://
[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in config/passbolt.php
[HELP] Check the network settings

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check Passbolt Help | Troubleshoot SSL
[HELP] fopen(http:///healthcheck/status.json): failed to open stream: Connection timed out

Database

[PASS] The application is able to connect to the database
[PASS] 27 tables found
[PASS] Some default content is present
[FAIL] The database schema is not up to date.
[HELP] Run the migration scripts:
[HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake migrations migrate --no-lock" www-data
[HELP] See. Passbolt Help | Update

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[FAIL] The server key fingerprint doesn’t match the one defined in config/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[HELP] See. Passbolt Help | Installation
[FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt//gpg/serverkey_private.asc" www-data
[PASS] There is a valid email id defined for the server key.

Application configuration

[FAIL] Could not connect to passbolt repository to check versions It is not possible check if your version is up to date.
[HELP] Check the network configuration to allow this script to check for updates.
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in config/passbolt.php.
[FAIL] App.fullBaseUrl is not set to HTTPS.
[HELP] Check App.fullBaseUrl url scheme in config/passbolt.php.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

[FAIL] 9 error(s) found. Hang in there!

This is the health check

The passbolt.php file has a fingerprint which matches the one shown in the output.

sudo gpg /etc/passbolt/gpg/serverkey.asc does not match.

I have migrated the servers.

Do this so your db schema is aligned with the code.

/etc/passbolt# sudo su -s /bin/bash -c “/usr/share/php/passbolt/bin/cake migrations migrate --no-lock” www-data
su: unrecognized option ‘–no-lock”’
Try ‘su --help’ for more information.

I am running this on a Debian server.
@garrett

PDOException: SQLSTATE[42S01]: Base table or view already exists: 1050 Table ‘account_settings’ already exists in /usr/share/php/passbolt/vendor/robmorgan/phinx/src/Phinx/Db/Adapter/PdoAdapter.php:193
Stack trace:
#0 /usr/share/php/passbolt/vendor/robmorgan/phinx/src/Phinx/Db/Adapter/PdoAdapter.php(193): PDO->exec()
#1 /usr/share/php/passbolt/vendor/robmorgan/phinx/src/Phinx/Db/Adapter/MysqlAdapter.php(345): Phinx\Db\Adapter\PdoAdapter->execute()
#2 /usr/share/php/passbolt/vendor/robmorgan/phinx/src/Phinx/Db/Adapter/AdapterWrapper.php(356): Phinx\Db\Adapter\MysqlAdapter->createTable()
#3 /usr/share/php/passbolt/vendor/robmorgan/phinx/src/Phinx/Db/Adapter/TimedOutputAdapter.php(113): Phinx\Db\Adapter\AdapterWrapper->createTable()
#4 /usr/share/php/passbolt/vendor/robmorgan/phinx/src/Phinx/Db/Adapter/AdapterWrapper.php(356): Phinx\Db\Adapter\TimedOutputAdapter->createTable()
#5 /usr/share/php/passbolt/vendor/robmorgan/phinx/src/Phinx/Db/Plan/Plan.php(146): Phinx\Db\Adapter\AdapterWrapper->createTable()
#6 /usr/share/php/passbolt/vendor/robmorgan/phinx/src/Phinx/Db/Table.php(715): Phinx\Db\Plan\Plan->execute()
#7 /usr/share/php/passbolt/vendor/robmorgan/phinx/src/Phinx/Db/Table.php(611): Phinx\Db\Table->executeActions()
#8 /usr/share/php/passbolt/vendor/cakephp/migrations/src/Table.php(138): Phinx\Db\Table->create()
#9 /etc/passbolt/Migrations/20180503135810_V210InstallAccountSettingsPlugin.php(56): Migrations\Table->create()
#10 /usr/share/php/passbolt/vendor/robmorgan/phinx/src/Phinx/Migration/Manager/Environment.php(111): V210InstallAccountSettingsPlugin->up()
#11 /usr/share/php/passbolt/vendor/robmorgan/phinx/src/Phinx/Migration/Manager.php(385): Phinx\Migration\Manager\Environment->executeMigration()
#12 /usr/share/php/passbolt/vendor/robmorgan/phinx/src/Phinx/Migration/Manager.php(359): Phinx\Migration\Manager->executeMigration()
#13 /usr/share/php/passbolt/vendor/robmorgan/phinx/src/Phinx/Console/Command/Migrate.php(122): Phinx\Migration\Manager->migrate()
#14 /usr/share/php/passbolt/vendor/cakephp/migrations/src/Command/Phinx/CommandTrait.php(37): Phinx\Console\Command\Migrate->execute()
#15 /usr/share/php/passbolt/vendor/cakephp/migrations/src/Command/Phinx/Migrate.php(85): Migrations\Command\Phinx\Migrate->parentExecute()
#16 /usr/share/php/passbolt/vendor/symfony/console/Command/Command.php(298): Migrations\Command\Phinx\Migrate->execute()
#17 /usr/share/php/passbolt/vendor/symfony/console/Application.php(1024): Symfony\Component\Console\Command\Command->run()
#18 /usr/share/php/passbolt/vendor/symfony/console/Application.php(299): Symfony\Component\Console\Application->doRunCommand()
#19 /usr/share/php/passbolt/vendor/symfony/console/Application.php(171): Symfony\Component\Console\Application->doRun()
#20 /usr/share/php/passbolt/vendor/cakephp/migrations/src/Command/MigrationsCommand.php(126): Symfony\Component\Console\Application->run()
#21 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Console/BaseCommand.php(179): Migrations\Command\MigrationsCommand->execute()
#22 /usr/share/php/passbolt/vendor/cakephp/migrations/src/Command/MigrationsCommand.php(198): Cake\Console\BaseCommand->run()
#23 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Console/BaseCommand.php(271): Migrations\Command\MigrationsCommand->run()
#24 /usr/share/php/passbolt/src/Command/DatabaseAwareCommandTrait.php(62): Cake\Console\BaseCommand->executeCommand()
#25 /usr/share/php/passbolt/src/Command/MigrateCommand.php(77): App\Command\MigrateCommand->runMigrationsMigrateCommand()
#26 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Console/BaseCommand.php(179): App\Command\MigrateCommand->execute()
#27 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Console/CommandRunner.php(334): Cake\Console\BaseCommand->run()
#28 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Console/CommandRunner.php(172): Cake\Console\CommandRunner->runCommand()
#29 /usr/share/php/passbolt/bin/cake.php(13): Cake\Console\CommandRunner->run()
#30 {main}

I ran this command:
sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt migrate"

Maybe it will help.

Now, this is the new health check, and still the GPG keys are different in passbolt.php and the secret key:

(passbolt ASCII-art banner)

Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 7.4.30.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to http://
[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in config/passbolt.php
[HELP] Check the network settings

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check Passbolt Help | Troubleshoot SSL
[HELP] fopen(http:///healthcheck/status.json): failed to open stream: Connection timed out

Database

[PASS] The application is able to connect to the database
[PASS] 26 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[FAIL] The server key fingerprint doesn’t match the one defined in config/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[HELP] See. Passbolt Help | Installation
[FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt//gpg/serverkey_private.asc" www-data
[PASS] There is a valid email id defined for the server key.

Application configuration

[FAIL] Could not connect to passbolt repository to check versions It is not possible check if your version is up to date.
[HELP] Check the network configuration to allow this script to check for updates.
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in config/passbolt.php.
[FAIL] App.fullBaseUrl is not set to HTTPS.
[HELP] Check App.fullBaseUrl url scheme in config/passbolt.php.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

[FAIL] 8 error(s) found. Hang in there!

@yash There are three things needed regarding keys.

  1. The public and private server keys need to be in the .gnupg directory noted
  2. The .gnupg directory needs to be owned by the webserver user
  3. The public key’s fingerprint needs to be in passbolt.php
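As an added worked example (not from any post in this thread and not part of passbolt itself), here is a small POSIX shell script that automates the comparison described in the first reply and the three points in the list above: it reads the fingerprint from passbolt.php, takes the fingerprint of serverkey.asc with `gpg --show-keys` (which parses the file without importing it), checks that the same key is present in the webserver user's keyring, and checks who owns the keyring directory. The default paths, the `www-data` user name and the script name are assumptions taken from the Debian layout quoted in the thread.

```shell
#!/bin/sh
# check_server_key.sh -- added example for this thread, not passbolt's own code.
# Cross-checks the three places the server key fingerprint must agree:
#   passbolt.php  <->  serverkey.asc  <->  the www-data GnuPG keyring,
# and verifies the keyring directory owner.
# Usage (assumed Debian paths):  sudo sh check_server_key.sh check \
#     [/etc/passbolt/passbolt.php] [/etc/passbolt/gpg/serverkey.asc] \
#     [/var/lib/passbolt/.gnupg] [www-data]

# Print the 40-hex-digit 'fingerprint' => '...' value from a passbolt.php,
# upper-cased, or nothing if no such line exists.
config_fingerprint() {
  sed -n "s/.*'fingerprint'[[:space:]]*=>[[:space:]]*'\([0-9A-Fa-f]\{40\}\)'.*/\1/p" "$1" \
    | head -n 1 | tr 'a-f' 'A-F'
}

# Read 'gpg --with-colons' records on stdin and print the primary key
# fingerprint: the first 'fpr' record (field 10), which follows 'pub'.
fpr_from_colons() {
  awk -F: '$1 == "fpr" { print toupper($10); exit }'
}

# Fingerprint of an armored key file. --show-keys only parses the file and
# imports nothing (GnuPG >= 2.1.23).
file_fingerprint() {
  gpg --batch --with-colons --show-keys "$1" 2>/dev/null | fpr_from_colons
}

# Fingerprint of the key matching $1 in the keyring under $2, empty if absent.
keyring_fingerprint() {
  gpg --batch --with-colons --homedir "$2" --list-keys "$1" 2>/dev/null | fpr_from_colons
}

# Compare two fingerprints the way a person reads them off a screen:
# ignore spaces and case, and never treat two empty strings as a match.
same_fingerprint() {
  a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Owner of a path (GNU stat, as shipped on Debian).
owner_of() {
  stat -c '%U' "$1" 2>/dev/null
}

main() {
  cfg=${1:-/etc/passbolt/passbolt.php}
  keyfile=${2:-/etc/passbolt/gpg/serverkey.asc}
  home=${3:-/var/lib/passbolt/.gnupg}
  webuser=${4:-www-data}
  rc=0

  want=$(config_fingerprint "$cfg")
  have=$(file_fingerprint "$keyfile")
  printf 'passbolt.php  : %s\n' "${want:-<none>}"
  printf 'serverkey.asc : %s\n' "${have:-<none>}"
  if same_fingerprint "$want" "$have"; then
    echo "OK   config fingerprint matches the key file"
  else
    echo "FAIL config fingerprint does not match the key file"; rc=1
  fi

  inring=$(keyring_fingerprint "$want" "$home")
  if same_fingerprint "$want" "$inring"; then
    echo "OK   key is present in $home"
  else
    echo "FAIL key ${want:-<none>} is not in $home (import serverkey_private.asc as $webuser)"; rc=1
  fi

  if [ "$(owner_of "$home")" = "$webuser" ]; then
    echo "OK   $home is owned by $webuser"
  else
    echo "FAIL $home is owned by '$(owner_of "$home")', expected $webuser"; rc=1
  fi
  return $rc
}

# Only run the checks when asked to, so the functions can also be sourced.
case "${1:-}" in
  check) shift; main "$@" ;;
esac
```

Run it as root so it can read passbolt.php and the www-data keyring; the `gpg --homedir` call reads the keyring directly, which is the same key material the healthcheck's `gpg --list-keys --home /var/lib/passbolt/.gnupg` hint inspects. A non-zero exit means at least one of the three points above does not hold.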

So what do I have to do for this to work?

Should I click on the Accept button?

Should I change the passbolt.php fingerprint to the serverkey.asc GPG fingerprint?

Does it matter if I just click the ACCEPT NEW KEY button? Does it change anything?

If it does, can you let me know how this works, please?
@garrett

Yes, the fingerprint of serverkey.asc in passbolt.php.

The message is expected anytime the server key is changed, and since we know you changed it, it’s OK (and necessary) to accept. The displayed fingerprint is public and should match what you expect.

OK, I have changed the passbolt.php and it worked. Does it mean that the migration is done? And can I create an admin user with any command? If yes, can you let me know the command please @garrett

I have created the user with this command and it worked: sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u text@text.com -f text -l Demo -r admin" nginx

Does this mean the migration was successful, and will the old users be able to access their old passwords? @garrett

@yash You’ve done quite a bit to get to this point, so I’m hoping so. If the healthcheck issues are resolved and you are able to log in, other users should be able to as well.