This key does not match any account

@gewurzt The private key for the user is unique and should not be the private key for the server. The public key(s) for the user(s) are found in the server db and server keyring but the private key for a user is not stored on the server. It must be kept safe by the user after it’s created for them to download in the setup process.

Hi @garrett,
Thanks for your quick answer.
I confirm the user key is not the server key. The server key is 3072bits and the user key is 2048bits.
Maybe you got confused because I obfuscated my server key id the same way in another of my posts. Sorry about that.

$ gpg --list-keys
/home/www-data/.gnupg/pubring.kbx
---------------------------------
→ this is the server key
pub rsa3072 2019-09-28 [SC]
uid [ ultime ] Passbolt server admin@mail.com
sub rsa3072 2019-09-28 [E]

→ this is the user key

pub rsa2048 2019-10-02 [SC]
XXXXXXXXXXXXXXXXXXXXXXXX0123456789ABCDEF
uid [ ultime ] My user my@mail.com
sub rsa2048 2019-10-02 [E]

The user key found in the server keyring contains only the public key, which I find normal.
As a proof of that, I can export the public key from the keyring :

$ gpg --export --armor XXXXXXXXXXXXXXXXXXXXXXXX0123456789ABCDEF
-----BEGIN PGP PUBLIC KEY BLOCK-----

[…]
-----END PGP PUBLIC KEY BLOCK-----

But not the private key :

$ gpg --export-secret-key --armor XXXXXXXXXXXXXXXXXXXXXXXX0123456789ABCDEF
gpg: Attention : rien n’a été exporté

(btw, now you know I’m French :wink: )

Thanks.

I am able to get the error This key does not match any account if the related .gnupg folder for the webserver user is not properly permissioned. Maybe check ownership permissions. For example, if the directory looks like:

root@server:/home/www-data/.gnupg# ll
total 56
drwx------ 4 www-data www-data  4096 Jul 20 14:27 ./
drwxr-xr-x 3 www-data www-data  4096 Dec 21  2021 ../
drwx------ 2 www-data www-data  4096 Dec 20  2021 openpgp-revocs.d/
drwx------ 2 root     root      4096 Dec 20  2021 private-keys-v1.d/
-rw-rw-r-- 1 www-data www-data 15110 Dec 20  2021 pubring.kbx
-rw-rw-r-- 1 www-data www-data 13739 Dec 20  2021 pubring.kbx~
-rw------- 1 www-data www-data   600 Jul 19 17:31 random_seed
srwx------ 1 www-data www-data     0 Jul 17 18:23 S.gpg-agent=
srwx------ 1 www-data www-data     0 Jul 17 18:23 S.gpg-agent.browser=
srwx------ 1 www-data www-data     0 Jul 17 18:23 S.gpg-agent.extra=
srwx------ 1 www-data www-data     0 Jul 17 18:23 S.gpg-agent.ssh=
-rw------- 1 www-data www-data  1280 Dec 20  2021 trustdb.gpg

They were all owned by www-data before I modified for the example.

Thanks for your time. I have already checked that; unfortunately, I don’t see any issues with the ownership :

> root@server:/home/www-data/.gnupg# ls -al
> total 104
> drwx------ 3 www-data www-data  4096 juil. 21 00:03 .
> drwxr-xr-x 7 www-data www-data  4096 juil. 18 15:34 ..
> drwx------ 2 www-data www-data  4096 sept. 28  2019 private-keys-v1.d
> -rw-r--r-- 1 www-data www-data  6604 juil. 18 16:18 pubring.kbx
> -rw-r--r-- 1 www-data www-data  4685 juil. 18 16:18 pubring.kbx~
> -rw------- 1 www-data www-data   600 juil. 20 20:26 random_seed
> srwx------ 1 www-data www-data     0 juil. 19 10:45 S.gpg-agent
> srwx------ 1 www-data www-data     0 juil. 19 10:45 S.gpg-agent.browser
> srwx------ 1 www-data www-data     0 juil. 19 10:45 S.gpg-agent.extra
> srwx------ 1 www-data www-data     0 juil. 19 10:45 S.gpg-agent.ssh
> -rw-r--r-- 1 www-data www-data 49152 sept. 28  2021 tofu.db
> -rw------- 1 www-data www-data  1440 juil. 13 17:44 trustdb.gpg

Besides that, the server is working fine and I can access my passwords with a previously configured laptop.
I’ve also tried to re-export my private key from the web UI and it perfectly matches the one I used to configure the new laptop.

One thing that has been bugging me is that the public key in the keyring is different from the public key recorded in the gpgkeys table for my user. Yet, if I save the key recorded in the table to a file and ask for its keyid (with gpg --list-packets), it is the same as the one in the keyring. Since I am not a gpg expert, is that normal ?
Apart from that, the other fields in the database seem ok. And if they weren’t, I wouldn’t be able to use the account on my previous laptop, would I ?

This is okay. It’s probably pretty much the same in the middle of it. There are probably minor differences in the beginning or end, but the fingerprint should be the same.

That’s correct. At this point, don’t get rid of your laptop! :slight_smile:

What version gpg are you running? Mine:

sudo su -s /bin/bash -c "gpg --home=/home/www-data/.gnupg --version" www-data
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/www-data/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Also, what browser/version are you running? Can you also verify extension version?

Regarding this, you can debug the extension:
On Chrome:
New tab > go to chrome://extensions > look for passbolt card > (click Developer Mode if not enabled) > details > inspect views section > click index.html > unfold and copy errors under console tab

On Firefox:
New tab > go to about:debugging#/runtime/this-firefox > look for passbolt card > Click inspect > unfold and copy errors under console tab

You should see something like

And a call in the NGINX logs showing POST /auth/verify.json?api-version=v2

I have the same result as you :

$ sudo su -s /bin/bash -c "gpg --home=/home/www-data/.gnupg --version" www-data
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/www-data/.gnupg
Algorithmes pris en charge :
Clef publique : RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Chiffrement : IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256,
              TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hachage : SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression : Non compressé, ZIP, ZLIB, BZIP2

I’m using Firefox with extension v3.6.2 on Firefox 102.0 (64 bits) :

## [3.6.2] - 2022-06-03
### Improved
- PB-16651 As LU I want to get a clear message if I enroll to a disabled account recovery program
- PB-15677 As LU I want to see openpgp assertions messages translated into my language

### Fixed
- PB-16736 Fix as AN I can accept a new server key ([GITHUB-150](https://github.com/passbolt/passbolt_browser_extension/issues/150))

Yes, I see a GpgKeyError :

No, I don’t see any POST, neither in the debug console nor in the logs and neither before the GpgKeyError nor after. My webserver is Apache v2.4.41.

$ apache2 -v
Server version: Apache/2.4.41 (Ubuntu)
Server built:   2022-06-14T13:30:55

Below are the logs. These logs appear when the recovery page loads. There is nothing afterwards :

192.168.1.64 - - [21/Jul/2022:11:53:57 +0200] "GET /setup/recover/x-x-x-x-x/x-x-x-x-x?case=default HTTP/1.1" 200 2737 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
192.168.1.64 - - [21/Jul/2022:11:53:58 +0200] "GET /js/app/api-recover.js?v=3.6.0 HTTP/1.1" 200 36999 "https://passbolt.domain.com/setup/recover/x-x-x-x-x/x-x-x-x-x?case=default" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" 
192.168.1.64 - - [21/Jul/2022:11:53:58 +0200] "GET /settings.json?api-version=v2 HTTP/1.1" 200 2617 "https://passbolt.domain.com/setup/recover/x-x-x-x-x/x-x-x-x-x?case=default" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" 
192.168.1.64 - - [21/Jul/2022:11:53:58 +0200] "GET /users/csrf-token.json?api-version=v2 HTTP/1.1" 200 1966 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
192.168.1.64 - - [21/Jul/2022:11:53:58 +0200] "GET /settings.json?api-version=v2 HTTP/1.1" 200 2293 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
192.168.1.64 - - [21/Jul/2022:11:53:59 +0200] "GET /auth/verify.json?api-version=v2 HTTP/1.1" 200 4114 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
192.168.1.64 - - [21/Jul/2022:11:53:59 +0200] "GET /setup/recover/start/x-x-x-x-x/x-x-x-x-x.json?api-version=v2 HTTP/1.1" 200 2438 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
192.168.1.64 - - [21/Jul/2022:11:53:59 +0200] "GET /setup/recover/x-x-x-x-x/x-x-x-x-x.json?api-version=v2 HTTP/1.1" 200 2431 "https://passbolt.domain.com/setup/recover/x-x-x-x-x/x-x-x-x-x?case=default" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"

Hope this helps.

@gewurzt Here is the relevant extension code passbolt_browser_extension/importRecoverPrivateKeyController.js at f66ca3f5a440c5b6bd1288ca69ec79016a891d72 · passbolt/passbolt_browser_extension · GitHub

It suggests that the message is generic at the moment but a timeout or failed call will produce this result, as you are describing.

Since you are attempting to establish connection on a new machine I think reinstalling the extension is a next step.

If that does not work and you are open to it, try installing the extension on Chrome or Edge to see if you can get past this point. I normally use FF but my extension was installed already. Chrome was working for me yesterday.

My other thought is what other extension (or something in the network) might be interfering.

Thanks for pointing to the code. I’m not a dev so I apologize in advance for any clumsiness.
Am I right in assuming that
this.legacyAuthModel.verify(domain, serverPublicArmoredKey, fingerprint);
should be calling GpgAuth.verify here : passbolt_browser_extension/gpgauth.js at 73c06104b159fb0ba6d2450516754881007ff75d · passbolt/passbolt_browser_extension · GitHub
And since all errors are handled in there and I don’t get any of them, GpgAuth.verify is somehow not called ?

It unfortunately gives the same result : error right away after Next and no POST.

Chrome (freshly installed with .deb file) gives the same error and no POST.

Since Chrome was freshly installed, Passbolt is the only extension in there :frowning:

The new laptop is on the same LAN as the server, so nothing in between, no iptables rules…

According to my records, the last time I successfully imported the key on a new computer was in May 2021. Would something have changed on this recovery part since then, on the server or on the extension ?

@gewurzt If the private key was in bad format it would catch that and tell you, so I believe it attempts to make the call at the bottom of the page of that linked code… but cannot, and returns the error.

Can you try Chrome on the old laptop and see if that works?

Nope, still the same error without POST.

I’ve also tried with FF on the old laptop, after having logged out, same error :frowning:

Thanks to @garrett’s hard work, we’ve figured out that :

  • the server key in the keyring matched the server key used by passbolt,
  • but the server key used by passbolt was expired,
  • although the server key was expired, logging in to the extension and using it was still operational.

You can see how I checked the server key files and renewed them in this post :

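The two checks this thread ended up needing, the server key located by fingerprint rather than by comparing armored exports (garrett's point above) and its expiry date, as an added example that is not part of the original thread or of passbolt itself. It parses a constructed `gpg --list-keys --with-colons` listing (key ids, fingerprints and dates are made up); the configured fingerprint would normally come from passbolt's server config.

```python
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of `gpg --homedir /home/www-data/.gnupg --list-keys --with-colons`
# (key ids, fingerprints and dates are made up). Colon-format fields used here:
# 1 record type, 2 validity ('e' = expired), 5 key id, 6 creation, 7 expiry
# (Unix timestamps, expiry empty when the key never expires), 10 fingerprint/uid.
SAMPLE_LISTING = """\
pub:e:3072:1:1111222233334444:1569628800:1632700800::u:::scESC::::::23::0:
fpr:::::::::A1B2C3D4E5F60718293A4B5C1111222233334444:
uid:e::::1569628800::0000::Passbolt server <admin@mail.com>::::::::::0:
sub:e:3072:1:5555666677778888:1569628800:1632700800:::::e::::::23:
pub:u:2048:1:0123456789ABCDEF:1569974400:::u:::scESC::::::23::0:
fpr:::::::::XXXXXXXXXXXXXXXXXXXXXXXX0123456789ABCDEF:
uid:u::::1569974400::0000::My user <my@mail.com>::::::::::0:
"""

@dataclass
class PubKey:
    keyid: str
    validity: str
    created: int
    expires: Optional[int]
    fingerprint: str = ""
    uids: List[str] = field(default_factory=list)

def parse_colon_listing(text: str) -> List[PubKey]:
    """Collect each primary key with its fingerprint and user ids."""
    keys: List[PubKey] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append(PubKey(f[4], f[1], int(f[5]), int(f[6]) if f[6] else None))
        elif f[0] == "fpr" and keys and not keys[-1].fingerprint:
            keys[-1].fingerprint = f[9]  # first fpr after pub belongs to the primary key
        elif f[0] == "uid" and keys:
            keys[-1].uids.append(f[9])
    return keys

def check_server_key(keys: List[PubKey], configured_fpr: str, now: int) -> Tuple[str, str]:
    """Find the configured key by fingerprint (armored text can differ between
    exports of the same key) and report missing / expired / ok."""
    want = configured_fpr.replace(" ", "").upper()
    key = next((k for k in keys if k.fingerprint.upper() == want), None)
    if key is None:
        return "missing", f"no key with fingerprint {want} in keyring"
    if key.validity == "e" or (key.expires is not None and key.expires <= now):
        when = time.strftime("%Y-%m-%d", time.gmtime(key.expires)) if key.expires else "?"
        return "expired", f"key {key.keyid} ({key.uids[0]}) expired on {when}"
    return "ok", f"key {key.keyid} ({key.uids[0]}) valid"
```

Run it against the real listing with `gpg --homedir /home/www-data/.gnupg --list-keys --with-colons` as the www-data user; an "expired" result for the configured fingerprint is the situation described in the thread, even though existing sessions keep working.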