Users cannot sign in after v3.6 upgrade - Docker

What is the problem?

With the latest v3.6.0 release, some users have encountered issues connecting to their passbolt instance. When they reach the passbolt home page, the application displays an unexpected error: Could not verify the server key.

From there it is impossible to sign in to the application, register a new account, or recover an existing one.

This problem is related to a previous version of the docker image, which appended a new gpg server key to the existing gpg server key after each reboot. This behavior has been fixed in the docker image, but the gpg server keys that were already persisted are not supported by the new browser extension v3.6.0.

Who is affected?

This issue concerns mainly docker users, but other installation flavors may be subject to it.

You can verify whether you are affected by this problem by connecting to your docker container and checking your server key.

Connect to your container

docker exec -it YOUR_PASSBOLT_CONTAINER_NAME bash

Check your server key

gpg --show-keys /etc/passbolt/gpg/serverkey.asc

If you are seeing more than one key like below, you are affected by the problem.

pub rsa2048 2021-01-20 [SC]
177C1516F9C1957ABC157CA592D946CDEF1F7583
uid [ unknown] Passbolt default user <passbolt@yourdomain.com>
sub rsa2048 2021-01-20 [E]

pub rsa2048 2021-01-20 [SC]
DA5D26D04A2D7558EEF60E69C8DA4B7205E6E47F
uid [ unknown] Passbolt default user <passbolt@yourdomain.com>
sub rsa2048 2021-01-20 [E]

pub rsa2048 2021-01-20 [SC]
545F22A36F0380984D828F6BE5E5090C6FD6738A
uid [ unknown] Passbolt default user <passbolt@yourdomain.com>
sub rsa2048 2021-01-20 [E]

pub rsa2048 2021-01-20 [SC]
F9D5F72A0D7DB5118FE7146E9A1F3AC2510004EB
uid [ unknown] Passbolt default user <passbolt@yourdomain.com>
sub rsa2048 2021-01-20 [E]
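
The same check can be scripted against gpg's machine-readable output, which is useful when several containers need checking. This is an added example, not code from passbolt: the function names are hypothetical, and the embedded sample is constructed from two of the fingerprints in the listing above with placeholder subkeys.

```shell
#!/bin/sh
# Added example (not passbolt code): detect the multi-key condition from
# machine-readable gpg output instead of reading the listing by eye.

# Print one fingerprint per primary key from `gpg --with-colons` output on stdin.
# An "fpr" record follows every "pub" and every "sub"; keep only those after "pub".
primary_fingerprints() {
  awk -F: '
    $1 == "pub" { want = 1; next }
    $1 == "sub" { want = 0; next }
    $1 == "fpr" && want { print $10; want = 0 }
  '
}

# Classify colon output on stdin: "ok" (one key), "affected" (several), "no-key".
server_key_status() {
  count=$(primary_fingerprints | awk 'NF { n++ } END { print n + 0 }')
  if [ "$count" -eq 0 ]; then echo "no-key"
  elif [ "$count" -eq 1 ]; then echo "ok"
  else echo "affected"
  fi
}

# Constructed sample: two aggregated keys, using two fingerprints from the listing above.
# Subkey ids and subkey fingerprints are placeholders.
sample_two_keys() {
  cat <<'EOF'
pub:-:2048:1:92D946CDEF1F7583:1611100800:::-:::scESC:
fpr:::::::::177C1516F9C1957ABC157CA592D946CDEF1F7583:
uid:-::::1611100800::::Passbolt default user <passbolt@yourdomain.com>:
sub:-:2048:1:AAAAAAAAAAAAAAAA:1611100800::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
pub:-:2048:1:C8DA4B7205E6E47F:1611100800:::-:::scESC:
fpr:::::::::DA5D26D04A2D7558EEF60E69C8DA4B7205E6E47F:
uid:-::::1611100800::::Passbolt default user <passbolt@yourdomain.com>:
sub:-:2048:1:BBBBBBBBBBBBBBBB:1611100800::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
EOF
}

# With a key file as argument, check the real key; otherwise run on the sample.
if [ "$#" -gt 0 ]; then
  gpg --batch --with-colons --show-keys "$1" | server_key_status
else
  sample_two_keys | server_key_status   # prints "affected"
fi
```

Inside the container, pass /etc/passbolt/gpg/serverkey.asc as the argument; a result of "affected" means the file holds more than one primary key.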

What is the solution?

To fix the problem, you must rotate your gpg server key as described in this online admin documentation.

You will then need to accept the new server key on the client. A fix is currently being rolled out with the browser extension v3.6.1 that will allow you to accept the new server key.

If you cannot wait and you have access to your recovery kit (private key backup), you can recover your account at https://YOUR_PASSBOLT_URL/users/recover.

Browser extension v3.6.2 fix status

  • Firefox: ✅
  • Edge: in progress
  • Chrome: ✅

Sorry for the inconvenience