Still having problems with install (Ubuntu 19.10), GPG challenges

Hi,

I’m still having problems with install (Ubuntu 19.10).

My former post was at: 404s after fresh install on Ubuntu 19.10

It was unfortunately locked before I could reply/resolve the issue.

Most recently, here’s my status check/health check:

user@passbolt-server-ubuntu-19-10:/var/www/passbolt$ sudo su -s /bin/bash -c "./bin/cake passbolt healthcheck" www-data

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.11-0ubuntu0.19.10.3.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://192.168.1.42
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
  [HELP] Check that the domain name is correct in config/passbolt.php
  [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
  [HELP] cURL Error (7) Failed to connect to 192.168.1.42 port 443: Connection refused

 Database

 [PASS] The application is able to connect to the database
 [PASS] 1 tables found
 [FAIL] No default content found
  [HELP] Run the install script to set the default content such as roles and permission types
  [HELP] sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt install" www-data
 [FAIL] The database schema is not up to date.
  [HELP] Run the migration scripts:
  [HELP] sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake migrations migrate --no-lock" www-data
  [HELP] See. https://www.passbolt.com/help/tech/update

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [FAIL] The environment variable GNUPGHOME is set to /home/www-data/.gnupg, but the directory does not exist.
  [HELP] Ensure the keyring location exists and is accessible by the webserver user.
  [HELP] you can try:
  [HELP] sudo mkdir /home/www-data/.gnupg
  [HELP] sudo chown -R www-data:www-data /home/www-data/.gnupg
  [HELP] sudo chmod 700 /home/www-data/.gnupg
  [HELP] You can change the location of the keyring by editing the GPG.env.setenv and GPG.env.home variables in config/passbolt.php.
 [FAIL] The server gpg key is not set
  [HELP] Create a key, export it and add the fingerprint to config/passbolt.php
  [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The public key file is not defined in config/passbolt.php or not readable.
  [HELP] Ensure the public key file is defined by the variable passbolt.gpg.serverKey.public in config/passbolt.php.
  [HELP] Ensure there is a public key armored block in the key file.
  [HELP] Ensure the public key defined in config/passbolt.php exists and is accessible by the webserver user.
  [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The private key file is not defined in config/passbolt.php or not readable.
  [HELP] Ensure the private key file is defined by the variable passbolt.gpg.serverKey.private in config/passbolt.php.
  [HELP] Ensure there is a private key armored block in the key file.
  [HELP] Ensure the private key defined in config/passbolt.php exists and is accessible by the webserver user.
  [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server key fingerprint doesn't match the one defined in config/passbolt.php.
  [HELP] Double check the key fingerprint, example:
  [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /home/www-data/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
  [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
  [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring
  [HELP] Import the private server key in the keyring of the webserver user.
  [HELP] you can try:
  [HELP] sudo su -s /bin/bash -c "gpg --home /home/www-data/.gnupg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data
 [FAIL] The server key does not have a valid email id.
  [HELP] Edit or generate another key with a valid email id.

 Application configuration

 [PASS] Using latest passbolt version (2.12.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

  12 error(s) found. Hang in there!

When I go to re-run the install script with sudo su -s /bin/bash -c "./bin/cake passbolt install --force" www-data in /var/www/passbolt, I get:

user@server:/var/www/passbolt$ sudo su -s /bin/bash -c "./bin/cake passbolt install --force" www-data

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------

Running baseline checks, please wait...
The GnuPG config for the server is not available or incomplete
Please run ./bin/cake passbolt healthcheck for more information and help.

So clearly something is wrong with my GnuPG set-up. I believe this relates back to my problems explained in the previous post (404s after fresh install on Ubuntu 19.10).

A few other points:

  • mariadb version:
user@server:/var/www/passbolt$ mariadb --version
mariadb  Ver 15.1 Distrib 10.3.22-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

I’m on Ubuntu 19.10:

user@server:/var/www/passbolt$ cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=19.10
DISTRIB_CODENAME=eoan
DISTRIB_DESCRIPTION="Ubuntu 19.10"
NAME="Ubuntu"
VERSION="19.10 (Eoan Ermine)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 19.10"
VERSION_ID="19.10"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=eoan
UBUNTU_CODENAME=eoan

Also, this seems to be failing:

$ sudo su -s /bin/bash -c "gpg --list-keys" www-data
gpg: Fatal: can't create directory '/home/www-data/.gnupg': No such file or directory

So, I managed to fix (I think) a bunch of the GPG errors.

Here’s some of the logs:

Seems we had some weird problems with the keys. I regenerated them with gpg, then imported them (I think):

[myusername]@passboltserver:~$ sudo su -s /bin/bash -c "gpg --list-keys" www-data
/home/www-data/.gnupg/pubring.kbx
---------------------------------
pub   ed25519 2019-06-06 [SC]
      E304DDB800A6E459EE7C9BC4F8413BD53BB4D5A4
uid           [ unknown] Ada Lovelace ECC <ada+ecc@passbolt.com>
sub   cv25519 2019-06-06 [E]

[myusername]@passboltserver:~$ sudo su -s /bin/bash -c "gpg --home /home/www-data/.gnupg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data
gpg: key 2A523605D07DE09F: public key "[My Full Name] <[firstname]@[companydomain].com.au>" imported
gpg: key 2A523605D07DE09F: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
[myusername]@passboltserver:~$ sudo su -s /bin/bash -c "gpg --list-keys" www-data
/home/www-data/.gnupg/pubring.kbx
---------------------------------
pub   ed25519 2019-06-06 [SC]
      E304DDB800A6E459EE7C9BC4F8413BD53BB4D5A4
uid           [ unknown] Ada Lovelace ECC <ada+ecc@passbolt.com>
sub   cv25519 2019-06-06 [E]

pub   rsa3072 2020-03-20 [SC] [expires: 2022-03-20]
      08687866F4D3EF8836A0D9CA2A523605D07DE09F
uid           [ unknown] [My Full Name] <[firstname]@[companydomain].com.au>
sub   rsa3072 2020-03-20 [E] [expires: 2022-03-20]

I’m now getting:

user@passboltserver:/var/www/passbolt$ sudo su -s /bin/bash -c "./bin/cake passbolt healthcheck" www-data

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell......Exception: Could not use key  for signing. get_key failed in [/var/www/passbolt/src/Utility/OpenPGP/Backends/Gnupg.php, line 240]
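Added example, not part of the original post: the keyring listed above holds two keys, so a fingerprint check has to select the server key by its email rather than take the first key listed. The sketch below does that from `gpg --with-colons` output; the listing is constructed around the two fingerprints shown above, and `admin@example.com`, the function names and the subkey values are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): choose the server key by email from
# `gpg --with-colons` output and compare it with the configured fingerprint.

# Constructed sample modelled on the two-key keyring in the post, trimmed to the
# fields read below. admin@example.com and the subkey values are placeholders.
SAMPLE_LISTING='pub:-:255:22:F8413BD53BB4D5A4:
fpr:::::::::E304DDB800A6E459EE7C9BC4F8413BD53BB4D5A4:
uid:-::::::::Ada Lovelace ECC <ada+ecc@passbolt.com>:
sub:-:255:18:0000000000000001:
fpr:::::::::0000000000000000000000000000000000000001:
pub:-:3072:1:2A523605D07DE09F:
fpr:::::::::08687866F4D3EF8836A0D9CA2A523605D07DE09F:
uid:-::::::::Server Admin <admin@example.com>:
sub:-:3072:1:0000000000000002:
fpr:::::::::0000000000000000000000000000000000000002:'

# Print the primary-key fingerprint of each key with a uid containing <EMAIL>.
# Reads the colon listing on stdin; subkey fingerprints are skipped.
# index() is a literal match, so "+" in an address is not treated as a regex.
fingerprint_for_email() {
    awk -F: -v want="<$1>" '
        $1 == "pub" || $1 == "sec" { primary = ""; take = 1; seen = 0 }
        $1 == "sub" || $1 == "ssb" { take = 0 }
        $1 == "fpr" && take        { primary = $10; take = 0 }
        $1 == "uid" && !seen && primary != "" && index($10, want) {
            print primary; seen = 1
        }'
}

# check_server_key CONFIGURED_FPR EMAIL   (colon listing on stdin)
# Prints match | mismatch | no-key | ambiguous; returns 0 only on match.
check_server_key() {
    local configured found count
    # Accept the spaced, lower-case form pasted from `gpg --fingerprint`.
    configured=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(fingerprint_for_email "$2")
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 0 ]; then echo "no-key"; return 1; fi
    if [ "$count" -gt 1 ]; then echo "ambiguous"; return 1; fi
    if [ "$found" = "$configured" ]; then echo "match"; return 0; fi
    echo "mismatch"; return 1
}

# Against a live keyring (run as the web-server user, as in the post):
#   gpg --homedir /home/www-data/.gnupg --with-colons --fingerprint --list-keys \
#     | check_server_key "$CONFIGURED_FPR" "$SERVER_KEY_EMAIL"
```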

OK. So I managed to solve those GPG errors.

Now healthcheck looks better.

I am able to re-run:

 sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt install --force" www-data

It completes successfully and I get:


     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------

Running baseline checks, please wait...
Critical healthchecks are OK

Cleaning up existing tables if any.
---------------------------------------------------------------
Dropping table action_logs
Dropping table actions
Dropping table authentication_tokens
Dropping table comments
Dropping table email_queue
Dropping table entities_history
Dropping table favorites
Dropping table file_storage
Dropping table gpgkeys
Dropping table groups
Dropping table groups_users
Dropping table organization_settings
Dropping table permissions
Dropping table permissions_history
Dropping table phinxlog
Dropping table profiles
Dropping table resources
Dropping table roles
Dropping table secret_accesses
Dropping table secrets
Dropping table secrets_history
Dropping table user_agents
Dropping table users
23 tables dropped

Install the schema and default data.
---------------------------------------------------------------
using migration paths
 - /var/www/passbolt/config/Migrations
using seed paths
 - /var/www/passbolt/config/Seeds
using environment default
using adapter mysql
using database passbolt

 == 20170830064410 V162InitialMigration: migrating
 == 20170830064410 V162InitialMigration: migrated 9.5023s

 == 20170830065037 V200ActiveMustBeBoolean: migrating
 == 20170830065037 V200ActiveMustBeBoolean: migrated 3.5555s

 == 20170830065038 V200DropUnusedProfileFields: migrating
 == 20170830065038 V200DropUnusedProfileFields: migrated 1.8981s

 == 20170830065039 V200IncreaseEmailSize: migrating
 == 20170830065039 V200IncreaseEmailSize: migrated 2.3630s

 == 20170830065040 V200DropUnusedCreatedBy: migrating
 == 20170830065040 V200DropUnusedCreatedBy: migrated 6.8742s

 == 20170830065041 V200MigrateUUID: migrating
 == 20170830065041 V200MigrateUUID: migrated 26.3114s

 == 20170830065042 V200MigrateKeyField: migrating
 == 20170830065042 V200MigrateKeyField: migrated 0.1758s

 == 20171002061834 V200DropUnusedResourceFields: migrating
 == 20171002061834 V200DropUnusedResourceFields: migrated 1.4008s

 == 20171006141922 V200AddFavoriteModifiedField: migrating
 == 20171006141922 V200AddFavoriteModifiedField: migrated 0.2079s

 == 20171009093000 V200DropUnusedPermissionTypesTable: migrating
 == 20171009093000 V200DropUnusedPermissionTypesTable: migrated 0.0714s

 == 20171009093001 V200MigrateEmailsTable: migrating
 == 20171009093001 V200MigrateEmailsTable: migrated 1.7296s

 == 20171009093002 V200MigrateFileStorageTable: migrating
 == 20171009093002 V200MigrateFileStorageTable: migrated 2.7638s

 == 20171025154754 V200AddCommentsUserIdField: migrating
 == 20171025154754 V200AddCommentsUserIdField: migrated 0.2463s

 == 20180102065042 V200MigrateForeignIdField: migrating
 == 20180102065042 V200MigrateForeignIdField: migrated 0.1488s

 == 20180102180000 V200DropUnusedTables: migrating
 == 20180102180000 V200DropUnusedTables: migrated 0.0536s

 == 20180102221500 V200AddMissingTablesIndexes: migrating
 == 20180102221500 V200AddMissingTablesIndexes: migrated 0.0578s

 == 20180413171600 V202ForceColumnsCharset: migrating

(...)

Import the server private key in the keyring
---------------------------------------------------------------
Importing /var/www/passbolt/config/gpg/serverkey_private.asc
Keyring init OK

Registering the admin user
---------------------------------------------------------------
User email (also called username)
[myemail]
First name
> [firstname]
Last name
> [lastname]
User saved successfully.
To start registration follow the link in provided in your mailbox or here:
http://192.168.1.42/setup/install/33cf4c5e-c900-4209-9c42-35a45d81e23e/490f1806-73d6-48f7-a47e-9b0d7501e7be

Passbolt installation success! Enjoy! ☮

However, when I visit the URL, I get a 404. I’m pretty sure my config is OK (Apache/document root setup correctly etc).

This is my latest health check:


     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.11-0ubuntu0.19.10.3.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to http://192.168.1.42
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
  [HELP] Check that the domain name is correct in config/passbolt.php
  [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 23 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
 [PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server gpg key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (2.12.0).
 [PASS] Passbolt is configured to force SSL use.
 [FAIL] App.fullBaseUrl is not set to HTTPS.
  [HELP] Check App.fullBaseUrl url scheme in config/passbolt.php.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

  4 error(s) found. Hang in there!

Hello @rushlighten,

It looks like an apache configuration issue though.
Can you please share your configuration with us?

Finally got this working. Apparently the .htaccess in /var/www/html was:

root@mamabear:/var/www/passbolt# cat /var/www/passbolt/.htaccess
# Uncomment the following to prevent the httpoxy vulnerability
# See: https://httpoxy.org/
#<IfModule mod_headers.c>
#    RequestHeader unset Proxy
#</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule    ^$    webroot/    [L]
    RewriteRule    (.*) webroot/$1    [L]
</IfModule>

I then noticed that the Apache set-up on this Ubuntu box happened to have no mod_rewrite, so I enabled it with:

root@server:/var/www/passbolt# sudo a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
  systemctl restart apache2
root@server:/var/www/passbolt#
root@server:/var/www/passbolt#   systemctl restart apache2

Then, the site started loading! I’m running through the install now. Yay.
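Added example, not part of the original post: the rewrite rules in the `.htaccess` quoted above sit inside `<IfModule mod_rewrite.c>`, so when the module is not loaded Apache skips them without logging an error and requests are never routed to `webroot/`. The sketch below lists directives skipped this way; the module listings are constructed, and the function name and the `mod_NAME.c` to `NAME_module` mapping are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list .htaccess directives that Apache
# skips because the module named by the enclosing <IfModule> is not loaded.

# The .htaccess quoted in the post (header comments shortened).
SAMPLE_HTACCESS='#<IfModule mod_headers.c>
#    RequestHeader unset Proxy
#</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule    ^$    webroot/    [L]
    RewriteRule    (.*) webroot/$1    [L]
</IfModule>'

# Constructed `apache2ctl -M` output, before and after `a2enmod rewrite`.
MODULES_BEFORE='Loaded Modules:
 core_module (static)
 so_module (static)
 mpm_prefork_module (shared)
 php7_module (shared)'
MODULES_AFTER="$MODULES_BEFORE
 rewrite_module (shared)"

# ignored_directives MODULE_LIST   (.htaccess on stdin)
# Prints "<IfModule argument> <directive>" for every skipped directive.
# Assumption: mod_NAME.c corresponds to NAME_module, which holds for
# mod_rewrite and mod_headers. Negated (!) and nested blocks are not handled.
ignored_directives() {
    local loaded
    loaded=$(printf '%s\n' "$1" | awk '$1 ~ /_module$/ { printf "%s ", $1 }')
    awk -v loaded=" $loaded" '
        /^[ \t]*#/ { next }    # commented-out blocks have no effect
        match($0, /<IfModule[ \t]+[^>]+>/) {
            block = substr($0, RSTART, RLENGTH)
            sub(/^<IfModule[ \t]+/, "", block); sub(/>$/, "", block)
            id = block
            if (id ~ /^mod_.*\.c$/) {
                sub(/^mod_/, "", id); sub(/\.c$/, "_module", id)
            }
            skip = (index(loaded, " " id " ") == 0)
            next
        }
        /<\/IfModule>/ { skip = 0; next }
        skip && NF { print block, $1 }'
}

# On a live host:
#   ignored_directives "$(apache2ctl -M 2>/dev/null)" < /var/www/passbolt/.htaccess
```

An empty result only shows that no guarded block is being skipped; `AllowOverride` must still permit the `.htaccess` file to be read.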
