Our server key had expired (and, by the way, it was not clear from the installation guide two years ago that no expiration should be set…). We removed the expiration date on the server key, but now, when old users try to recover their account, they get the following error: “This key doesn’t match any account”. We tested the creation of a new account, and new accounts seem to work… Any help?
Server key expiration management is something that is on our roadmap. The feature will allow the server key to be changed seamlessly for the admin and without much constraint for the users.
Regarding the issue you are facing, could you check the following points:
- Is the key uploaded during the recovery the same as the one used by the user doing the recovery? To check that, you can go to the users workspace, click on the user and see their public key details in the sidebar.
- Are you uploading the user’s private key? What can sometimes lead to an error is a user trying to do a recovery with their public key rather than their private key. Also, make sure that the uploaded block only contains the private key and not a mix of public + private.
Keep us posted.
Actually, I reported this incorrectly:
New users, after the key update, log in correctly via the plugin. Within the browser I still read “Could not verify server key. Unable to encrypt the verify token. Error encrypting message: Could not find valid key packet for encryption in key xxx”, while the healthcheck says everything is fine; the login from the plugin is the part that works for new users.
For old users, I can confirm that 1) the fingerprint matches, 2) it’s a private key.
After changing the GPG server key expiry date, did you replace your server private key in the GnuPG keyring of the webserver user?
What you can do is:
- Ensure you replaced the old GPG keys in config/gpg with the new ones.
- Remove the webserver gnupg keyring
rm -fr /home/www-data/.gnupg
/home/www-data/.gnupg may vary depending on your environment.
- Import the new GPG key into the webserver GnuPG keyring (the import must run as the webserver user, here www-data, so that it lands in the keyring removed above and not in root’s)
su -s /bin/bash -c "gpg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data
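To verify that the steps above actually took effect, here is an added check (not from the original posts and not Passbolt code) that cross-references the key file in config/gpg with the copy in the webserver user's keyring. It parses the machine-readable output of `gpg --with-colons --show-keys config/gpg/serverkey_private.asc` and of `gpg --with-colons --list-secret-keys` run as the webserver user, then reports three conditions: the server key is missing from the keyring, the keyring copy still carries the old expiry (a stale import), or the primary key or one of its subkeys has expired. Expiry is a per-key-packet attribute, so the check deliberately covers subkeys as well as the primary key; the third sample listing, a key whose primary expiry was cleared while the encryption subkey still carries one, is a constructed illustration of that generalization, not a diagnosis of this thread. All key ids, fingerprints and listings below are constructed sample data.

```python
"""Cross-check the Passbolt server key in config/gpg against the copy in the
webserver user's GnuPG keyring.  Added example for this thread; not Passbolt
code.  Input is the colon-delimited format of `gpg --with-colons`, as produced by

    gpg --with-colons --show-keys /var/www/passbolt/config/gpg/serverkey_private.asc
    su -s /bin/bash -c "gpg --with-colons --list-secret-keys" www-data

All listings below are constructed sample data (fake key ids and fingerprints).
"""
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SubKey:
    keyid: str
    expires: Optional[int]          # epoch seconds; None means "never expires"
    fingerprint: str = ""


@dataclass
class KeyInfo:
    fingerprint: str = ""
    expires: Optional[int] = None   # primary key expiry, same convention
    subkeys: List[SubKey] = field(default_factory=list)


def _epoch(value: str) -> Optional[int]:
    """Field 7 of pub/sec/sub/ssb records: epoch seconds, or empty for 'never'."""
    return int(value) if value else None


def parse_colons(listing: str) -> List[KeyInfo]:
    """Parse `gpg --with-colons` records (layout documented in gnupg's doc/DETAILS).

    Field 1 is the record type, field 5 the key id, field 7 the expiry; on an
    `fpr` record field 10 holds the fingerprint of the preceding key or subkey.
    """
    keys: List[KeyInfo] = []
    cur: Optional[KeyInfo] = None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue
        if f[0] in ("pub", "sec"):
            cur = KeyInfo(expires=_epoch(f[6]))
            keys.append(cur)
        elif f[0] in ("sub", "ssb") and cur is not None:
            cur.subkeys.append(SubKey(keyid=f[4], expires=_epoch(f[6])))
        elif f[0] == "fpr" and cur is not None:
            # an fpr right after sub/ssb belongs to that subkey, otherwise to the primary
            if cur.subkeys and not cur.subkeys[-1].fingerprint:
                cur.subkeys[-1].fingerprint = f[9]
            elif not cur.fingerprint:
                cur.fingerprint = f[9]
    return keys


def _expiries(key: KeyInfo) -> List[Tuple[str, Optional[int]]]:
    """(label, expiry) for the primary key and each subkey, in listing order."""
    return [("primary key", key.expires)] + [(f"subkey {s.keyid}", s.expires) for s in key.subkeys]


def _expired(prefix: str, key: KeyInfo, now: int) -> List[str]:
    return [f"{prefix}: {label} expired on {time.strftime('%Y-%m-%d', time.gmtime(exp))}"
            for label, exp in _expiries(key) if exp is not None and exp <= now]


def check_server_key(config_listing: str, keyring_listing: str, now: Optional[int] = None) -> List[str]:
    """Return a list of problems; an empty list means both copies agree and nothing has expired."""
    now = int(time.time()) if now is None else now
    cfg_keys = parse_colons(config_listing)
    if len(cfg_keys) != 1:
        return [f"config/gpg: expected exactly one key, found {len(cfg_keys)}"]
    cfg = cfg_keys[0]
    problems = _expired("config/gpg", cfg, now)          # 1. the copy the admin edited
    ring = next((k for k in parse_colons(keyring_listing) if k.fingerprint == cfg.fingerprint), None)
    if ring is None:                                    # 2. not imported at all
        problems.append(f"keyring: fingerprint {cfg.fingerprint} not found; re-import the server key")
        return problems
    if _expiries(ring) != _expiries(cfg):               # 3. same key, old packets still in the keyring
        problems.append("keyring: server key has a different expiry than config/gpg (stale import)")
    problems.extend(_expired("keyring", ring, now))
    return problems


# --- constructed sample listings -------------------------------------------
FPR = "0F1E2D3C4B5A69788796A5B4C3D2E1F01A2B3C4D"
SUB_FPR = "1122334455667788990011223344556677889900"

# server key after the expiry was removed on both packets (field 7 empty)
CONFIG_KEY = f"""sec:u:2048:1:1A2B3C4D5E6F7A8B:1600000000:::u:::scESC:::+::::
fpr:::::::::{FPR}:
uid:u::::1600000000::0123456789ABCDEF0123456789ABCDEF01234567::Passbolt Server Key <passbolt@example.com>::::::::::0:
ssb:u:2048:1:0A1B2C3D4E5F6071:1600000000:::u:::e:::+::::
fpr:::::::::{SUB_FPR}:
"""

# the copy still in the webserver keyring: same key, old expiry (1663200000 = 2022-09-15)
STALE_KEYRING = f"""sec:e:2048:1:1A2B3C4D5E6F7A8B:1600000000:1663200000::u:::scESC:::+::::
fpr:::::::::{FPR}:
uid:e::::1600000000::0123456789ABCDEF0123456789ABCDEF01234567::Passbolt Server Key <passbolt@example.com>::::::::::0:
ssb:e:2048:1:0A1B2C3D4E5F6071:1600000000:1663200000::u:::e:::+::::
fpr:::::::::{SUB_FPR}:
"""

# primary expiry cleared but the encryption subkey still expires
CONFIG_SUBKEY_EXPIRED = CONFIG_KEY.replace(
    "ssb:u:2048:1:0A1B2C3D4E5F6071:1600000000::", "ssb:e:2048:1:0A1B2C3D4E5F6071:1600000000:1663200000:")

if __name__ == "__main__":
    for name, ring in (("fresh", CONFIG_KEY), ("stale", STALE_KEYRING), ("missing", "")):
        print(name, check_server_key(CONFIG_KEY, ring, now=1700000000) or "ok")
    print("subkey", check_server_key(CONFIG_SUBKEY_EXPIRED, CONFIG_SUBKEY_EXPIRED, now=1700000000))
```

In practice you would feed the script the real output of the two gpg commands above; the `now` argument is only there so the sample run is reproducible. A healthy result is an empty list; a "stale import" result is exactly the situation the steps above (remove the keyring, re-import from config/gpg) are meant to fix.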
We use a hosted shared server, which means we only have access to our account, which is what you would consider the webserver user. Anyhow, I did as you asked, no change.
(Edited: to be clear, the original change was already done in the keyring of the “webserver” user, since that’s the only user we have access to.)
After restoring the previous keyring, everything now seems fine. Not sure then what the actual problem was, maybe some weird caching.