The OpenPGP server key defined in the config could not be found in the GnuPG keyring

Hello,

I just upgraded our company server from Passbolt v1 to v2, and I’m having issues recovering accounts and logging in.

I do the normal account recovery and I try to import my private key, but I keep getting this error message:

This key doesn't match any account.


When I look at the /logs/error.log log, it keeps coming up with the following error message:

2018-07-24 19:38:36 Error: [Cake\Network\Exception\InternalErrorException] The OpenPGP server key defined in the config could not be found in the GnuPG keyring.
Request URL: /auth/verify.json?api-version=v1

When I run the Healthcheck command to see if there are any error messages, it shows that everything passes besides the Debug mode being on:

[admin@server passbolt]$ sudo -u nginx ./bin/cake passbolt healthcheck

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell       
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.0.30.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [FAIL] Debug mode is on.
  [HELP] Set debug = false; in config/passbolt.php
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.mawcom.com
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 19 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The server gpg key is not the default one
 [PASS] The environment variable GNUPGHOME is set to /var/cache/nginx/.gnupg.
 [PASS] The directory /var/cache/nginx/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (2.1.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

  1 error(s) found. Hang in there!

I also checked the GnuPG keyring just to be sure that the keys have been imported.
Here is the result of that:

[admin@server passbolt]$ sudo -su nginx gpg --list-keys --fingerprint
/var/cache/nginx/.gnupg/pubring.gpg
-----------------------------------
pub   4096R/CC5D8AB2 2017-07-03 [expires: 2023-07-23]
      Key fingerprint = 6432 53B8 D6C9 E8FE F9B0  CC67 4214 9EF0 CC5D 8AB2
uid                  Company, Inc. <passbolt@company.com>
sub   4096R/CBFCE064 2017-07-03 [expires: 2023-07-23]

Also the Key fingerprint has been added to the config/passbolt.php file.

    // Main server key.
    'serverKey' => [
        // Server private key fingerprint.
        'fingerprint' => '643253B8D6C9E8FEF9B0CC6742149EF0CC5D8AB2',
        'public' => CONFIG . DS . 'gpg' . DS . 'serverkey.asc',
        'private' => CONFIG . DS . 'gpg' . DS . 'serverkey_private.asc',

I have removed/imported the keyring multiple times, deleted the ‘/var/cache/nginx/.gnupg’ directory as well, and I have also generated new keys multiple times, but I keep getting the same error message, which is:

The OpenPGP server key defined in the config could not be found in the GnuPG keyring.

Not sure what else there is to check.

Your help would be appreciated.

Thanks

Can you tell us which operating system you are using and which version(s) of Gpg are available? On Ubuntu both are available and Gpg2 is used by php-gnupg, so you will need to check that the gpg2 keyring also has access to the key. Also, let us know how you installed php-gnupg; sometimes the version shipped with the OS has issues and you will need to install it manually.

Sorry, I forgot to mention that.

The server is running CentOS 7.5.1804 with GPG 2.0.22. The PHP files come from the webtatic.com repository.

I went back to the backed up server that still has Passbolt v1 on it and tried to recover my account. I’m getting the same error message.

It looks like the issue was there before I even upgraded to v2, and it seems that it started when the server certificate expired.

When I upgraded Passbolt to v2, I also extended the expiration date for the server certificate just to make sure that wasn’t the issue.

I wonder if this could be a bug with Passbolt and expired server certificates.

Do you mean the expiration date of the server OpenPGP key or SSL certificate?

The self-signed server OpenPGP key.

Nginx is using a Let’s Encrypt cert.

@slav what do you get when checking for private keys (--list-secret-keys) in the keyring? Is it the same fingerprint and new expiry date?

[admin@passbolt ~]$ sudo -su nginx gpg -k
/var/cache/nginx/.gnupg/pubring.gpg
-----------------------------------
pub   4096R/CC5D8AB2 2017-07-03 [expires: 2023-07-23]
uid                  Company, Inc. <passbolt@company.com>
sub   4096R/CBFCE064 2017-07-03 [expires: 2023-07-23]

[admin@passbolt ~]$ sudo -su nginx gpg -K
/var/cache/nginx/.gnupg/secring.gpg
-----------------------------------
sec   4096R/CC5D8AB2 2017-07-03 [expires: 2023-07-23]
uid                  Company, Inc. <passbolt@company.com>
ssb   4096R/CBFCE064 2017-07-03

@slav I’ll try to reproduce the issue, will come back with more info later.

@slav we just tested here the following scenario:

  • Setup a passbolt server with an expired key
  • Setup a web extension client with the expired server key
  • Verify that it is not possible to login (error on encrypt token shown)
  • Update the server key and set it to not expire
  • Delete the keyring
  • Import the new secret key that is not expired
  • Perform a recover on the client

For us it worked, so I’m not sure where the problem lies at this point. We only know it’s failing when trying to read the key info from gnupg. What do you get when you run this manually:

<?php
// Look the server key up through php-gnupg, exactly as passbolt does.
$res = gnupg_init();
$info = gnupg_keyinfo($res, '643253B8D6C9E8FEF9B0CC6742149EF0CC5D8AB2');
// An empty array here means php-gnupg cannot see the key in its keyring.
print_r($info);
?>

It seems to come up blank.

> [admin@passbolt ~]$ php -f php_test.php
> Array
> (
> )
> [admin@passbolt ~]$

Also, just to make sure php is working fine, I made a file with the following code in it and then ran it as well.

<?php phpinfo(); ?>

Result:

[admin@passbolt ~]$ php -f infophp.php
phpinfo()
PHP Version => 7.0.30

System => Linux passbolt 3.10.0-862.9.1.el7.x86_64 #1 SMP Mon Jul 16 16:29:36 UTC 2018 x86_64
Build Date => Apr 28 2018 08:13:47
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /etc
Loaded Configuration File => /etc/php.ini
Scan this dir for additional .ini files => /etc/php.d
Additional .ini files parsed => /etc/php.d/bz2.ini,
/etc/php.d/calendar.ini,
/etc/php.d/ctype.ini,
/etc/php.d/curl.ini,
/etc/php.d/dom.ini,
/etc/php.d/exif.ini,
/etc/php.d/fileinfo.ini,
/etc/php.d/ftp.ini,

I just updated gpg (GnuPG) to the latest version 2.2.9. Ran the same PHP script again and this time it does find the gpg key fingerprint.

[admin@passbolt ~]$ php -f phpgpg.php
Array
(
    [0] => Array
        (
            [disabled] =>
            [expired] =>
            [revoked] =>
            [is_secret] =>
            [can_sign] => 1
            [can_encrypt] => 1
            [uids] => Array
                (
                    [0] => Array
                        (
                            [name] => Company, Inc.
                            [comment] =>
                            [email] => passbolt@company.com
                            [uid] => Company, Inc. <passbolt@company.com>
                            [revoked] =>
                            [invalid] =>
                        )

                )

            [subkeys] => Array
                (
                    [0] => Array
                        (
                            [fingerprint] => 643253B8D6C9E8FEF9B0CC6742149EF0CC5D8AB2
                            [keyid] => 42149EF0CC5D8AB2
                            [timestamp] => 1499104401
                            [expires] => 1690098496
                            [is_secret] =>
                            [invalid] =>
                            [can_encrypt] =>
                            [can_sign] => 1
                            [disabled] =>
                            [expired] =>
                            [revoked] =>
                        )

                    [1] => Array
                        (
                            [fingerprint] => 76ECD0E906F01089B4E65D76501B1578CBFCE064
                            [keyid] => 501B1578CBFCE064
                            [timestamp] => 1499104401
                            [expires] => 1690098512
                            [is_secret] =>
                            [invalid] =>
                            [can_encrypt] => 1
                            [can_sign] =>
                            [disabled] =>
                            [expired] =>
                            [revoked] =>
                        )

                )

        )

)

But the issue still has not been resolved. Still getting the same error message even after the GnuPG update.

I have also removed php70, reinstalled and made sure that everything installed without an error, but still the error is not going away.

Hi @Slav,

If you want we could try to dig into it together.
Could you send a mail support@passbolt.com with your availabilities for a call ?

Cheers

I gave up on the server that had issues and made a new server from scratch. Exported the database from the old server and imported it into the new server. Everything works fine now.

While doing all of that work I realized that SELinux could be causing the issue on the old server. I went back to the old server, disabled SELinux and now it works fine as well.

In the end SELinux was most likely blocking PHP code from working properly.
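As an added example (not from this thread or the Passbolt project), the following diagnostic script runs the same php-gnupg lookup the server performs, but under the webserver user and the GNUPGHOME the healthcheck reports, and then proves the private key is usable by signing. It assumes the nginx user, keyring path and fingerprint shown in this thread, and a server key with an empty passphrase; the file name gpgcheck.php is hypothetical.

```php
<?php
// Added diagnostic, not part of Passbolt. It must run as the same user and
// with the same GNUPGHOME as PHP-FPM, otherwise it inspects a different
// keyring than the one the server fails on, e.g.:
//   sudo -u nginx env GNUPGHOME=/var/cache/nginx/.gnupg php -f gpgcheck.php
// Values below come from this thread; adjust to your config/passbolt.php.

$fingerprint = '643253B8D6C9E8FEF9B0CC6742149EF0CC5D8AB2';
$passphrase  = ''; // assumption: the server key is not passphrase protected

// 1. A missing extension yields the same empty result as a missing key,
//    so rule that out first.
if (!extension_loaded('gnupg')) {
    fwrite(STDERR, "FAIL: php-gnupg extension is not loaded\n");
    exit(1);
}
echo 'GNUPGHOME seen by PHP: '
    . (getenv('GNUPGHOME') ?: '(unset, gpgme falls back to ~/.gnupg)') . "\n";

$gpg = gnupg_init();
gnupg_seterrormode($gpg, GNUPG_ERROR_SILENT);

// 2. Public key lookup: the call behind "could not be found in the GnuPG keyring".
$info = gnupg_keyinfo($gpg, $fingerprint);
if (empty($info)) {
    fwrite(STDERR, "FAIL: no key matching $fingerprint in the keyring PHP sees\n");
    fwrite(STDERR, "      check GNUPGHOME, ownership of the keyring directory,\n");
    fwrite(STDERR, "      and SELinux denials against the PHP process\n");
    exit(1);
}
$key = $info[0];
if ($key['expired'] || $key['revoked'] || $key['disabled']) {
    fwrite(STDERR, "FAIL: key is expired, revoked or disabled\n");
    exit(1);
}
echo 'PASS: public key found, uid ' . $key['uids'][0]['uid'] . "\n";

// 3. Private key: load it and sign, mirroring the healthcheck's
//    "private key can be used to sign a message" test.
if (!gnupg_addsignkey($gpg, $fingerprint, $passphrase)) {
    fwrite(STDERR, 'FAIL: cannot load private key: ' . gnupg_geterror($gpg) . "\n");
    exit(1);
}
if (gnupg_sign($gpg, 'passbolt server key check') === false) {
    fwrite(STDERR, 'FAIL: signing failed: ' . gnupg_geterror($gpg) . "\n");
    exit(1);
}
echo "PASS: private key can sign\n";
```

A PASS from gpg on the command line combined with a FAIL from this script points at the PHP process (environment, permissions or SELinux) rather than at the key itself.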

Glad to hear you could get it to work at the end!
