The public key cannot be used to encrypt and sign a message


#1

I have been attempting to set up a new installation of PassBolt following the instructions here.

I am all good, except for the error message in the title “The public key cannot be used to encrypt and sign a message”.

I’m running this on Ubuntu 16.04, Apache 2.4.18, Mysql 14.14 Distrib 5.7.20, PHP 7.0.22, and the latest PassBolt from the git command in the install.

I have seen that this can be due to lack of entropy if running in a virtual machine (which I am, on Hyper-V running on Windows Server 2016), so have tried installing haveged, and have tried also generating a key pair on a different, physical machine (GPG running on Windows 10).

Regardless, I end up with this error.

The healthcheck:

Healthcheck shell
---------------------------------------------------------------

Environment

[PASS] PHP version 7.0.22-0ubuntu0.16.04.1
[PASS] PCRE compiled with unicode support
[PASS] The temporary directory and its content are writable
[PASS] The public image directory and its content are writable

Config files

[PASS] The core config file is present
[PASS] The database config file is present
[PASS] The email config file is present
[PASS] The application config file is present

Core config

[FAIL] Debug mode is on.
[HELP] Set Configure::write('debug', 0); in app/Config/core.php
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Unique value set for security.cipherSeed
[PASS] Full base url is set to https://servername
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
stream_socket_client(): Failed to enable crypto
stream_socket_client(): unable to connect to ssl://servername:443 (Unknown error)

Database

[PASS] Configured to use a supported database backend
[PASS] The application is able to connect to the database
[PASS] Not using a prefix for database tables
[PASS] 20 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded
[PASS] The server gpg key is not the default one
[PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg
[PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the user the webserver is running as.
[PASS] The public key file is defined in app/config.php and readable.
[PASS] The private key file is defined in app/config.php and readable.
[PASS] The server key fingerprint matches the one defined in app/config.php.
[PASS] The server key defined in the app/Config.php is in the keyring.
[PASS] There is a valid email id defined for the server key.
[FAIL] The public key cannot be used to encrypt and sign a message
[HELP] Make sure that the server public key is valid and that there is no passphrase.

Application configuration

[PASS] Using latest passbolt version (1.6.5)
[PASS] Passbolt is configured to force SSL use
[PASS] App.fullBaseUrl is set to HTTPS
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

Development Tools (optional)

[PASS] Phpunit is installed
[PASS] Phpunit version is 3.7.38

4 error(s) found. Hang in there!

The private key cannot be used to decrypt a message
#2

See. InitKeyring failed to load


#3

Sorry, that thread doesn’t really help me much - the “fix” at the end says they imported the keys into pgp2? (which I’m guessing is a typo of gpg2?).

I’ve tried importing the key with gpg2 and can encrypt a file with the command (whilst su’d as www-data)

gpg2 --recipient FC0A133E --encrypt --sign unenc.file

Only thing I get is a warning as below:

It is NOT certain that the key belongs to the person named
in the user ID. If you really know what you are doing,
you may answer the next question with yes.

Here is the output from each gpg and gpg2 --list-secret-keys:

www-data@cent-help-02:~$ gpg --list-secret-keys
/home/www-data/.gnupg/secring.gpg
---------------------------------
sec   2048R/FC0A133E 2017-12-06
uid                  WSAT IT <it@email.org.uk>
ssb   2048R/A2F44FE1 2017-12-06

www-data@cent-help-02:~$ gpg2 --list-secret-keys
/home/www-data/.gnupg/pubring.kbx
---------------------------------
sec   rsa2048/FC0A133E 2017-12-06 [SC]
uid         [ unknown] WSAT IT <it@email.org.uk>
ssb   rsa2048/A2F44FE1 2017-12-06 [E]

#4

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.


#5

#6

Hi, I’m having a similar problem. I’ve just tried installing Passbolt onto a new Ubuntu 16.04 instance with Apache 2.4.18, PHP 7.0.22 and MySQL 5.7.20. When I run the health check, there is only ONE item which is failing:

[FAIL] The public key cannot be used to encrypt and sign a message
[HELP] Make sure that the server public key is valid and that there is no passphrase.

I have followed the instructions on the documentations page but I have no idea how to resolve this.

I’d appreciate it if someone here could help.

I’ve noticed someone else has the same problem on an earlier post which was not resolved:

Thanks in advance,
Majid


#7

Hi @majid,
Does your server private key have a passphrase ? Passbolt currently doesn’t support passphrases in server keys.
If it’s not that, then try to generate another key pair on another system maybe. We have seen this problem occasionally but have never been able to reproduce it.
If it’s your key that is faulty, and if it’s one that you have generated specifically for passbolt, then it would be great if you could share it with us by email so that we can run some tests.


#8

Hi @kevin,

Thanks for the prompt reply. The key does not have a passphrase.

I’ll try generating a new one using another machine and let you know if I have any further problems.

Kind regards,
Majid


#9

@majid can you send us the key that didn’t work at contact@passbolt.com. We need this to know if it’s a configuration or a key triggering this issue to help other users with the same problem.


#10

Hi Remy,

Do you need both private and public keys?

Kind regards,
Majid

Majid Hussain

Head of Support & Delivery

Tel: +44 (0) 1133 200 346

Twitter: @TitusLearning https://twitter.com/tituslearning

LinkedIn: MajidHussain https://www.linkedin.com/in/majid-hussain-3221a89


#11

Yes both keys so we can check. (Edit: received, thanks!)


#12

Hi @remy

Would you be able to give me an update on this issue?

Thanks,
Majid


#13

Hello @majid,

We’ve tried your keys and it works fine on our testing environment. I suspect it could come from the trust settings, as your key is marked as “unknown” trust. Could you generate a new key and mark it as ultimate trust (since you created it, it should be trusted).

In the meantime I will install an ubuntu server see if I can reproduce the issue on this OS.


#14

@majid I was able to reproduce the issue on ubuntu. I noticed that this issue is linked to the secret key not being present in the keyring. Somehow, when importing the key in an empty keyring on ubuntu the secret key fails to be added (the public key is imported fine). It seems that there is some quirks between gpg and gpg2 key generation / keyring management.

This did the trick:

  • Delete the keyring
  • Recreate it using gpg2
  • Import the key using the passbolt install

In commands are as follow assuming your keyring is in /var/www/.gnupg, the default location on ubuntu to make things simpler :

$ sudo mkdir /var/www/.gnupg
$ sudo chown www-data:www-data /var/www/.gnupg
$ sudo chmod 700 /var/www/.gnupg
$ sudo su -s /bin/bash -c "gpg2 --list-secret-keys" www-data
$ sudo su -s /bin/bash -c "gpg2 --list-keys" www-data
$ sudo su -s /bin/bash -c "app/Console/cake install" www-data

If after the last step you still don’t have the secret key in your keyring you can try importing it manually:

$ sudo su -s /bin/bash -c "gpg2 --import-key /var/www/passbolt_api/app/Config/gpg/private.key" www-data

[SOLVED] Passbolt server shows "Could not verify server key. " message after kreatin first user
#15

Hi Remy,

Thanks for the update. I’ve tried your suggestion and I’m not getting
anywhere at the moment.

Still seeing “Installation Failed” when running the install.

Would you be able to provide me with your SSH key and I can then give you
SSH access to my PassBolt instance?

Kind regards,
Majid

Majid Hussain

Head of Support & Delivery

Tel: +44 (0) 1133 200 346

Twitter: @TitusLearning https://twitter.com/tituslearning

LinkedIn: MajidHussain https://www.linkedin.com/in/majid-hussain-3221a89


#16

@majid you can get in touch with us at contact@passbolt.com if you need professional support / installation services.


#17

Thanks for the information.