Unspecified error while "Generating the secret and public key" for new users

Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[x] I describe the steps on how to reproduce the issue

Hi, I have successfully set up the Docker version of passbolt in a Rancher cluster.
I could create the admin user and set him up afterwards in the browser extension.

During the next step, I created new users, who received their email invitations.
They install the browser extension then try to setup their account.
After choosing their password, the process fails on the "Generating the secret and public key" step. The debug info is the following:

{
  "error": {},
  "setup": {
    "stepId": "secret",
    "stepsHistory": "domain_check/define_key",
    "user": {
      "username": "user@domain.com",
      "firstname": "user",
      "lastname": "username",
      "id": "47ed3e82-3f1a-4e19-88ee-e0334148bac6"
    },
    "key": {
      "ownerName": "user username",
      "ownerEmail": "user@domain.com",
      "comment": "",
      "length": "2048",
      "algorithm": "RSA-DSA",
      "passphrase": ""
    },
    "settings": {
      "token": "85660c5e-8d3f-49a9-8aa5-d633eae9a6fc",
      "domain": "https://my.passbot.url",
      "workflow": "install",
      "armoredServerKey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n(blah blah blah)-----END PGP PUBLIC KEY BLOCK-----\n"
    }
  }
}

I have checked (and fixed a few things) following the healthcheck.
Here is the current one:

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell       
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.17.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /var/www/passbolt/config/
  [HELP] Copy /var/www/passbolt/config/passbolt.php.default to /var/www/passbolt/config/passbolt.php
  [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [FAIL] Debug mode is on.
  [HELP] Set debug = false; in config/passbolt.php
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://my.passbolt.url
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
  [HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 23 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
 [PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server gpg key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (2.12.1).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

  3 error(s) found. Hang in there!

Besides the SSL warnings, which I can’t explain and which are often dismissed in the troubleshooting I could see in other posts, I really don’t understand what can be wrong, and the error message doesn’t help much.

My last idea is regarding this warning at the end of the Docker Hub passbolt page:

rng-tools or haveged are required on host machine to speed up entropy generation on containers. This way gpg key creation on passbolt container will be faster.

I am not quite sure this could have anything to do with my problem, but since it deals with key generation I looked it up and can’t think of any way to add these packages, whether to the Docker image itself or to the Rancher/Kubernetes node hosting the workload.

Any wizard feel like helping me out?

Hi @d0nd, we’re going to need the info listed in the checklist, as well as some logs from the browser.

Thanks a lot, I didn’t realize I published the post.
I just fixed that up :slight_smile:

It could come from two things:

  • Maybe some time issue (like keys being created in the future because of a time setting): you can double-check that the time is accurate on both server and clients.
  • Client-specific issue: which browser / OS are they using? Is it different from yours? Are they running other plugins on the side?

Time was off by two hours on the server but I fixed it and tried again, with no luck.
Certificate is a week old and server and clients are on the same date and time.

Regarding the clients, I’ve tried on two different W10 1909 PCs with both latest Chrome and Firefox browsers.

Do you know of any detailed logs that could show what exactly is going on during the key generation step ?

Do you know of any detailed logs that could show what exactly is going on during the key generation step ?

Yes, you can check for errors in the browser console (the one specific to the extension, not the regular one):

I can’t see anything special besides warnings linked to password check.
Do you mean the key generation for clients is computed client side?
I thought it’d be server side.

Do you mean the key generation for clients is computed client side?

Yes, passbolt does end-to-end encryption, so the private/public key is generated (or imported) client side using OpenPGP.js, and then the public key is sent to the server, which validates it, saves it in the DB and imports it into the GnuPG keyring of the server.

There should be an error in the “background page” (index.html) or setup page (in setup.html), if the key generation fails in the client.

Can you confirm that the user chooses a passphrase, then clicks next and sees an error? Or do they get to choose a color / letter combo and then it fails on the last step? It’s quite important to understand which step precisely is failing (client or server side).

I get no error (besides the password check), and it doesn’t seem to interact with the server in the network tab. The error comes the second after the passphrase is entered, before the salt thing.
You can see it in action here : https://www.loom.com/share/b34d7cd83ce4482980ef022e132ec2a9

Thanks for this, so yes it’s the key generation that fails. Is there anything specific with this user email or user name, like accents, or something like this?

I am waiting for feedback from my users, but from my own tests I think you’ve nailed it: users did have old-school emoticons instead of their last names, because we’re a small team, don’t like those, don’t use those. I’ll let you know as soon as they send me updates.

Many thanks Remy, everything is working perfectly now.
I can confirm the issue was the use of special characters in the lastname field of the users.

The dev team should update the browser extensions to either:
a) warn against the use of special characters in this field
b) - better - prevent the use of special characters in this field
c) - even better - work something out so that special characters can be used in this field.

Anyway everything is working fine now thanks to your help, so much, much thanks !
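As an added illustration for the thread (this is not passbolt or OpenPGP.js code, and the thread does not pin down exactly where OpenPGP.js failed), the Node.js snippet below shows why a last name such as "<3" or ":-)" is a problem for an OpenPGP user ID. RFC 4880 section 5.11 only says the User ID packet is UTF-8 text, but the conventional layout "Name (Comment) <email>" that implementations build from separate name/comment/email fields uses "<", ">", "(" and ")" as delimiters, so a name containing them cannot be split back unambiguously. The function names (buildUserId, parseUserId, validateOwner, roundTrip), the delimiter list and the sample owners are assumptions made for this example; validateOwner is the kind of pre-flight check option (b) above asks for, and it deliberately lets accented letters through because they are legitimate UTF-8.

```javascript
// Added example for this thread; it is not passbolt or OpenPGP.js code.
// RFC 4880 section 5.11 defines the User ID packet as UTF-8 text and
// recommends the layout "Name (Comment) <email>". Implementations that
// build a User ID from separate name/comment/email fields rely on "<", ">",
// "(" and ")" as delimiters, so a last name such as "<3" or ":-)" produces a
// string that cannot be split back unambiguously. Function names, the
// delimiter list and the sample owners below are assumptions for the example.

// Characters that collide with the conventional User ID delimiters.
const USERID_DELIMITERS = /[<>()]/;

// Build the conventional "Name (Comment) <email>" form.
function buildUserId({ name, comment = "", email }) {
  const parts = [name.trim()];
  if (comment.trim() !== "") parts.push(`(${comment.trim()})`);
  parts.push(`<${email.trim()}>`);
  return parts.join(" ");
}

// Parse the conventional form back into its parts; returns null when the
// string cannot be split unambiguously (a delimiter appears inside a field).
function parseUserId(userId) {
  const re = /^(?<name>[^<>()]*?)\s*(?:\((?<comment>[^()]*)\)\s*)?<(?<email>[^<>\s]+)>$/;
  const m = re.exec(userId);
  if (m === null) return null;
  return { name: m.groups.name, comment: m.groups.comment ?? "", email: m.groups.email };
}

// Pre-flight check an installer could run before calling the key generator:
// reject delimiter and control characters in the name fields, and require a
// plain addr-spec for the email. Accented letters are legitimate UTF-8 and pass.
function validateOwner({ firstname, lastname, email }) {
  const problems = [];
  for (const [field, value] of [["firstname", firstname], ["lastname", lastname]]) {
    if (USERID_DELIMITERS.test(value)) problems.push(`${field} contains one of < > ( )`);
    if (/[\x00-\x1f\x7f]/.test(value)) problems.push(`${field} contains a control character`);
  }
  if (!/^[^\s<>()@]+@[^\s<>()@]+$/.test(email)) problems.push("email is not a simple addr-spec");
  return problems;
}

// Build the User ID for an owner and check that it survives a parse round trip.
function roundTrip(owner) {
  const name = `${owner.firstname} ${owner.lastname}`;
  const userId = buildUserId({ name, email: owner.email });
  const parsed = parseUserId(userId);
  const ok = parsed !== null && parsed.name === name && parsed.email === owner.email;
  return { userId, ok, parsed };
}

// Constructed sample owners: the thread's placeholder user plus two
// emoticon last names of the kind the reporter described.
const SAMPLE_OWNERS = [
  { firstname: "user", lastname: "username", email: "user@domain.com" },
  { firstname: "user", lastname: "<3", email: "user@domain.com" },
  { firstname: "user", lastname: ":-)", email: "user@domain.com" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const owner of SAMPLE_OWNERS) {
    const { userId, ok } = roundTrip(owner);
    console.log(JSON.stringify(userId), ok ? "OK" : "AMBIGUOUS", validateOwner(owner));
  }
}
```

Running it with `node` prints the placeholder user as OK and both emoticon variants as AMBIGUOUS with the offending field named, which is the information a setup wizard would want to surface before it ever calls the key generator.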

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.