Suddenly I can’t use my working passbolt installation anymore, since the chrome passbolt extension has been updated to 3.6.0.
Passbolt returns the following error message, when I try to log in:
Er ging iets mis.
De bewerking is mislukt door de volgende fout:
De serversleutel kon niet worden geverifieerd. Interne serverfout. Neem contact op met uw beheerder.
The message is in dutch. Translation:
Something went wrong.
The serverkey couldn’t be verified. Internal server error. Please contact system administrator.
Healthcheck response:
su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data
____ __ ____
/ __ \____ _____ ____/ /_ ____ / / /_
/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
/_/ \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
-------------------------------------------------------------------------------
Healthcheck shell
-------------------------------------------------------------------------------
Environment
[PASS] PHP version 7.4.25.
[PASS] PCRE compiled with unicode support.
[FAIL] The temporary directory and its content are not writable, or are executable.
[HELP] Ensure the temporary directory and its content are writable by the webserver user.
[HELP] you can try:
[HELP] sudo chown -R www-data:www-data /var/lib/passbolt/tmp/
[HELP] sudo chmod -R 775 $(find /var/lib/passbolt/tmp/ -type d)
[HELP] sudo chmod -R 664 $(find /var/lib/passbolt/tmp/ -type f)
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.
Config files
[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables
Core config
[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://password-manager.XXXX.com
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate
Database
[PASS] The application is able to connect to the database
[PASS] 26 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[FAIL] The public key cannot be used to encrypt a message
[HELP] Make sure that the server private key is valid and that there is no passphrase.
[HELP] Make sure you imported the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
[PASS] The private key can be used to sign a message.
[FAIL] The public and private keys cannot be used to encrypt and sign a message
[FAIL] The private key cannot be used to decrypt a message
[FAIL] The private key cannot be used to decrypt and verify a message
[FAIL] The public key cannot be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.
Application configuration
[FAIL] This installation is not up to date. Currently using 3.5.0 and it should be v3.6.0.
[HELP] See. https://www.passbolt.com/help/tech/update
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.
JWT Authentication
[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found
[FAIL] 7 error(s) found. Hang in there!
I tried running this, but didn’t work:
su -s /bin/bash -c "gpg --import-key /etc/passbolt/gpg/serverkey_private.asc" www-data
List existing keys:
gpg --list-keys --fingerprint | grep frederick -B 2
gpg: WARNING: unsafe ownership on homedir '/var/lib/passbolt/.gnupg'
pub rsa4096 2022-02-07 [SC]
78AE FD86 BAE9 B0F5 C145 558B 27BB 85A2 89C4 8FA8
uid [ unknown] Frederick XXXX<frederick.XXXX@XXXX.com>
--
pub rsa2048 2022-02-10 [SC]
5D17 6821 029E 41E2 D251 9D07 E728 110E DC95 A7F0
uid [ unknown] Frederick XXXX<frederick.XXXX@XXXX.com>
Env PASSBOLT_GPG_SERVER_KEY_FINGERPRINT variable:
printenv | grep -i finger
PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=78AEFD86BAE9B0F5C145558B27BB85A289C48FA8