V2 Update issues. Server Key not loading. Healthcheck says keys are fine, but other things broken

This is a repost of a question that I incorrectly concluded was related to a previously asked question: Site not loading post 1.6.10 to 2.0.5 upgrade - #14 by brenakPB

I followed the upgrade instructions to go from v1 to v2. I was on 1.6.9 before the upgrade but followed the v1 minor update procedure to 1.6.10 before trying v2 updates.

For completeness, here are all the steps I took, with extra steps I determined I needed to take with reasons. Most of these commands were actually run as passbolt user: sudo -iu passbolt-src

  • Take site offline with nginx config
  • Move old v1 folder to /var/lib/passbolt.v1
  • Create new user to own passbolt source passbolt-src (v1 was installed as root)
  • git clone ...
  • Upgrade to php7 (from 5.4)
  • composer install
  • cp -R ../passbolt.v1/app/webroot/img/public/* webroot/img/public/
  • mv webroot/img/public/images/{Profile,}Avatar
  • cp ../passbolt.v1/app/Config/gpg/* config/gpg/
  • cp config/passbolt.{default.,}php
  • vim config/passbolt.php
    • Application URL
    • database user & password
    • email settings
    • OpenPGP fingerprint. This is the first confusion I faced. app/Config/default.php had one fingerprint and app/Config/app.php had a different one. I assume the latter is the correct one.
  • bin/cake passbolt migrate --backup
  • Re-enable nginx
  • bin/cake passbolt healthcheck
    [FAIL] The public key file is not defined in config/passbolt.php or not readable.
     [HELP] Ensure the public key file is defined by the variable passbolt.gpg.serverKey.public in config/passbolt.php.
     [HELP] Ensure the public key defined in config/passbolt.php exists and is accessible by the webserver user.
     [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
    [FAIL] The public key file is not defined in config/passbolt.php or not readable.
     [HELP] Ensure the private key file is defined by the variable passbolt.gpg.serverKey.private in config/passbolt.php.
     [HELP] Ensure the private key defined in config/passbolt.php exists and is accessible by the webserver user.
     [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
    [FAIL] The server key fingerprint doesn't match the one defined in config/passbolt.php.
     [HELP] Double check the key fingerprint, example:
     [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/www/passbolt/.gnupg" passbolt-src | grep -i -B 2 'SERVER_KEY_EMAIL'
     [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
     [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
    [PASS] The server public key defined in the config/passbolt.php is in the keyring.
    [FAIL] The server key does not have a valid email id.
     [HELP] Edit or generate another key with a valid email id.
    
  • cp -R /root/.gnupg ~/ I actually copied the .gnupg folder out of /root separately so that permissions wouldn't be an issue. This is the main step that I'm not 100% confident about but it seems to have fixed the GPG configuration issues. Regardless, once that is fixed, I still have the same healthcheck issues:
cameron@server /var/www/passbolt $ sudo -u passbolt-src bin/cake passbolt healthcheck

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.0.29.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.domain.com
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
  [HELP] Check that the domain name is correct in config/passbolt.php
  [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 19 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The server gpg key is not the default one
 [PASS] The environment variable GNUPGHOME is set to /var/www/passbolt/.gnupg.
 [PASS] The directory /var/www/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The public key can be used to sign a message.
 [PASS] The public key can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (2.0.7).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

  3 error(s) found. Hang in there!

Looking into what I believe is the healthcheck source code, it looks like it actually tries to hit /healthcheck/status.json. A local curl shows an error:

cameron@server /var/www/passbolt $ curl https://passbolt.domain.com/healthcheck/status.json
{"header":{"id":"6c2fb460-1316-49d9-9ebe-e58cf30af3ec","status":"error","servertime":1525989870,"title":"app_healthcheck_status_error","message":"An Internal Error Has Occurred.","url":"\/healthcheck\/status.json","code":500},"body":null}

Interestingly, the http version of the status page gives a 404 page.

Maybe related, but healthcheck is also weirdly complaining about my https certificates. I'm using real, non-self signed, https certificates provided by certbot. What is the healthcheck actually testing?

To top it all off, I still cannot log into my passbolt instance. I get the following at the login page.

Could not verify server key. The OpenPGP server key defined in the config could not be found in the GnuPG keyring.

I tried various config settings for the serverKey.public/private to no avail. I've tried removing the config/gpg folder to confirm passbolt was really using them. healthcheck also seems to have complained until I moved the original root keys to the new dedicated passbolt-src user's ~/.gnupg which indicates that passbolt is using both locations which seems redundant and potentially confusing. Maybe this is causing our problems?

To add some information I missed previously:

CentOS Linux release 7.5.1804 (Core)
nginx version: nginx/1.12.2
mysql  Ver 15.1 Distrib 5.5.56-MariaDB, for Linux (x86_64) using readline 5.1
PHP 7.0.29 (cli) (built: Mar 30 2018 08:06:59) ( NTS )
Passbolt: v2.0.7 1c07f215b57a7a47dc8addb177b031782b62b8f7

I checked the gpgauth/database encoding issue. [v2.0.0] That version of GPGAuth is not supported

SELECT table_schema, table_name, column_name, character_set_name, collation_name
FROM information_schema.columns
WHERE collation_name = 'utf8mb4_general_ci';
# Empty set (0.02 sec)

I believe my https certificates are setup correctly and signed by a 3rd party. curl is happy:

cameron@myserver /var/www/passbolt $ curl -v https://passbolt.domain.com
* About to connect() to passbolt.domain.com port 443 (#0)
*   Trying 2607:5300:201:3100::3c13...
* Connected to passbolt.domain.com (2607:5300:201:3100::3c13) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=passbolt.domain.com
*       start date: May 10 07:26:50 2018 GMT
*       expire date: Aug 08 07:26:50 2018 GMT
*       common name: passbolt.domain.com
*       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: passbolt.domain.com
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: nginx/1.12.2
< Date: Sat, 12 May 2018 22:41:49 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=5
< X-Powered-By: PHP/7.0.29
< Set-Cookie: CAKEPHP=mjek06q0cia1c7f8u1m0mb5mu4; path=/; secure; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< strict-transport-security: max-age=31536000; includeSubDomains
< Location: https://passbolt.domain.com/auth/login
< x-permitted-cross-domain-policies: all
< referrer-policy: same-origin
< x-frame-options: sameorigin
< x-xss-protection: 1; mode=block
< x-download-options: noopen
< x-content-type-options: nosniff
< X-GPGAuth-Version: 1.3.0
< X-GPGAuth-Login-URL: /auth/login
< X-GPGAuth-Logout-URL: /auth/logout
< X-GPGAuth-Verify-URL: /auth/verify
< X-GPGAuth-Pubkey-URL: /auth/verify.json
< Access-Control-Expose-Headers: X-GPGAuth-Verify-Response, X-GPGAuth-Progress, X-GPGAuth-User-Auth-Token, X-GPGAuth-Authenticated, X-GPGAuth-Refer, X-GPGAuth-Debug, X-GPGAuth-Error, X-GPGAuth-Pubkey, X-GPGAuth-Logout-Url, X-GPGAuth-Version,X-GPG-Body-Signature
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubdomains;
<
* Connection #0 to host passbolt.domain.com left intact

I'm confused why healthcheck is reporting that I'm using self signed keys. I'm betting it's something in how healthcheck tests the ssl as it gets the wrong hostname, according to this:

[FAIL] Hostname does not match when validating certificates.


I'm betting my server GPG key issues have something to do with how I moved keys from root. I'm however unsure how this would be the case. When I installed v1 (1.6.9), I'm pretty sure I created the keys as root. I remember running these commands and exporting the keys to a passbolt config location:

gpg --armor --export-secret-keys root@myserver.domain.com > /var/www/passbolt/config/gpg/serverkey_private.asc
gpg --armor --export root@myserver.domain.com > /var/www/passbolt/config/gpg/serverkey.asc

I also noticed two different fingerprints in my v1 configuration files:

cameron@myserver /var/www/passbolt $ grep "'fingerprint'" ../passbolt.v1/app/Config/*
../passbolt.v1/app/Config/app.php:                      'fingerprint' => '0DEF6E8D3011558C242476A5A37EAF8B3C29B2BC',
../passbolt.v1/app/Config/app.php.default:                      'fingerprint' => '2FC8945833C51946E937F9FED47B0811573EE67E',
../passbolt.v1/app/Config/default.php:                  'fingerprint' => '2FC8945833C51946E937F9FED47B0811573EE67E',

Looks like the 2FC... is some random fingerprint that comes with the source and 0DEF... is the fingerprint of the key I generated for root:

cameron@myserver /var/www/passbolt $ sudo gpg --list-keys --fingerprint
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/3C29B2BC 2018-02-10
      Key fingerprint = 0DEF 6E8D 3011 558C 2424  76A5 A37E AF8B 3C29 B2BC
uid                  MyOrg - myserver <root@myserver.domain.com>
sub   2048R/472E030E 2018-02-10

And so I copied /root/.gnupg to /var/www/passbolt/ (which is $HOME for passbolt-src user). As I described above, this fixed the healthcheck [FAIL]s. As far as I can tell, the following is exactly what is expected:

cameron@myserver /var/www/passbolt $ sudo -u passbolt-src gpg --list-keys --fingerprint
/var/www/passbolt/.gnupg/pubring.gpg
------------------------------------
pub   2048R/3C29B2BC 2018-02-10
      Key fingerprint = 0DEF 6E8D 3011 558C 2424  76A5 A37E AF8B 3C29 B2BC
uid                  MyOrg - myserver <root@myserver.domain.com>
sub   2048R/472E030E 2018-02-10

I also copied the keys from the old v1 config and believe I have set the configuration to load those files specifically:

cameron@myserver /var/www/passbolt $ grep "'fingerprint'" -A 2 config/passbolt.php
                'fingerprint' => '0DEF6E8D3011558C242476A5A37EAF8B3C29B2BC',
                'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
                'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',
cameron@myserver /var/www/passbolt $ ls -l config/gpg
total 20
-rw-r--r-- 1 passbolt-src nginx    0 May 10 22:52 empty
-rw-r--r-- 1 passbolt-src nginx 1739 May 10 22:52 serverkey.asc
-rw-r--r-- 1 passbolt-src nginx 3505 May 10 22:52 serverkey_private.asc
-rw-r--r-- 1 passbolt-src nginx 3147 May 10 22:52 unsecure.key
-rw-r--r-- 1 passbolt-src nginx 6647 May 10 22:52 unsecure_private.key

Maybe GPG is refusing to use keys that have read permissions for all users?

I just realized that while the passbolt-src user has a keychain with the right key, nginx is the actual user running the PHP. Maybe it needs its own copy of the keys?


To summarize and clarify, I believe I am currently seeing 3 issues that might be related:

  • [FAIL] on /healthcheck/status check. Likely because passbolt api is refusing to run because of GPGkey issues.
  • [FAIL] on https for issues that I know are not true.
  • No indication of GPGkey failure on healthcheck when website reports:

    Could not verify server key. The OpenPGP server key defined in the config could not be found in the GnuPG keyring.

@cinderblock thank you for the detailed report, and sorry for the leaving your hanging for the last two days.

The user that needs the keyring is indeed nginx, and the default location unless you set $GNUPGHOME for that user is '/var/lib/nginx/.gnupg'. Also in my experience there are issues when re-using a gnupg keyring created by the root user (gnupg is very opinionated on what rights and ownership it wants on the keyring).

Could you try to delete the keyring in /var/www (if that's the one you're setting in the GNUPGHOME or passbolt config), then re-create it with your web server user and import the keys using the nginx user?

This should do:

$ sudo su -s /bin/bash -c "gpg --list-keys" nginx
$ sudo su -s /bin/bash -c "gpg --import-key /var/www/passbolt/config/gpg/serverkey_private.asc" nginx

If that doesn't cut it, also check if SELinux is giving you any errors.

Thank you for the reply. No worries on the slow reply, I hope you enjoyed your weekend :slight_smile:

I'm pretty sure $GNUPGHOME is not set:

cameron@myserver /var/www/passbolt $ sudo su -s /bin/bash -c 'echo $USER:$GNUPGHOME:$HOME' nginx
nginx::/var/lib/nginx
cameron@myserver /var/www/passbolt $ sudo su -s /bin/bash -c 'echo $USER:$GNUPGHOME:$HOME' passbolt-src
passbolt-src::/var/www/passbolt

It is my preference, for daemons/services, to not rely on configuration files that are in some location relative to a user's $HOME as this imho always leads to confusion.

From reading the configurations, it's not 100% clear when passbolt will use one from ~/.gnupg or one specified in the config. I'm not too familiar with gpg but I'm confused why the key's fingerprint is needed when a key is specified. I can understand why it is needed when a key file is not specified and passbolt loads all of the user's gpg keys and needs some way to pick the right one. But when I tell passbolt specifically to load certain specific public/private key files, is there more than one key in there?

I'm scared to delete anything - I'd rather not lose my saved passwords. I have backups but they're a pain to use.

I tried the commands you suggested:

cameron@myserver /var/www/passbolt $ sudo su -s /bin/bash -c "gpg --list-keys" nginx
cameron@myserver /var/www/passbolt $

Maybe I'm on a different version of gpg because I don't have the --import-key option.

cameron@myserver /var/www/passbolt $ gpg --version
gpg (GnuPG) 2.0.22

I do have --import however:

cameron@myserver /var/www/passbolt $ sudo su -s /bin/bash -c "gpg --import /var/www/passbolt/config/gpg/serverkey_private.asc" nginx
gpg: key 3C29B2BC: secret key imported
gpg: key 3C29B2BC: public key "myserver <root@myserver.domain.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

This seems to have fixed the issues I was previously facing. healthcheck is all green and web interface does not complain about server keys.

Unfortunately, I'm not out of the woods yet. Now I cannot log in. If I try a wrong passphrase, the interface tells me as much. If I try the correct passphrase, the login box is replaced with the following message:

There was a server error. No additional information provided(502)

Hi @cinderblock,

A 502 http code suggests the server is over capacity. I have never seen this error before in relation to passbolt.

Can you check the extension background page debug console to see if there is any more information?
You need to go to chrome://extensions/ and click on index.html in "inspect views".

Also check your server web logs for any information. Check if there is anything related to SELinux warnings.

Concerning your question as to why passbolt requests the fingerprint: once the key is imported in the keyring it is identified for later use using the fingerprint. We could indeed read it once from the armored key and temporarily save it somewhere for later use.

But when I tell passbolt specifically to load certain specific public/private key files, is there more than one key in there?

The keyring also contains the users keys, they are imported on the fly at login if they are not already in there.
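As an added example (not passbolt's own code) of the check the healthcheck and the reply above describe: parse the `gpg --with-colons` listing of a user's keyring and confirm that the fingerprint from config/passbolt.php is present there with an email uid and encrypt/sign capability. The config snippet and the two keyring listings are constructed from the values shown in this thread (the passbolt-src keyring that has the key, and the empty nginx one); the long key ids and uid hash in the listing are placeholders.

```python
"""Check that the server key configured in config/passbolt.php is in the
keyring the web server user actually sees.

Added example, not part of passbolt. It mirrors three of the healthcheck items
quoted in this thread (fingerprint configured, key present in the keyring, key
has a uid with an email address) by parsing `gpg --with-colons` output. The
config snippet and keyring listings below are constructed from the values
shown in the thread; key ids marked as placeholders are not real.
"""
import re
import subprocess

FINGERPRINT_RE = re.compile(r"'fingerprint'\s*=>\s*'(?P<fpr>[0-9A-Fa-f]{40})'")
EMAIL_RE = re.compile(r"<[^<>@\s]+@[^<>@\s]+>")


def configured_fingerprint(passbolt_php):
    """The 'fingerprint' => '<40 hex>' value from config/passbolt.php, upper-cased, or None."""
    match = FINGERPRINT_RE.search(passbolt_php)
    return match.group("fpr").upper() if match else None


def parse_colon_listing(listing):
    """Parse `gpg --list-keys --with-colons --fingerprint` (or --list-secret-keys)
    output into [{"fingerprint", "uids", "caps"}]. A pub/sec record opens a key;
    the fpr, uid and sub/ssb records that follow belong to it. Only the first fpr
    after pub is the primary key's; later ones (if printed) belong to subkeys."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype in ("pub", "sec"):
            caps = fields[11].lower() if len(fields) > 11 else ""
            keys.append({"fingerprint": None, "uids": [], "caps": set(caps)})
        elif not keys:
            continue  # header records such as "tru" come before any key
        elif rtype == "fpr" and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = fields[9].upper()
        elif rtype == "uid":
            keys[-1]["uids"].append(fields[9])
        elif rtype in ("sub", "ssb") and len(fields) > 11:
            keys[-1]["caps"] |= set(fields[11].lower())
    return keys


def check_server_key(passbolt_php, listing):
    """Return the list of problems; empty means the configured key is usable from this keyring."""
    fpr = configured_fingerprint(passbolt_php)
    if fpr is None:
        return ["no 'fingerprint' => '<40 hex>' entry found in config/passbolt.php"]
    key = next((k for k in parse_colon_listing(listing) if k["fingerprint"] == fpr), None)
    if key is None:
        return [f"key {fpr} is not in this keyring"]
    problems = []
    if not any(EMAIL_RE.search(uid) for uid in key["uids"]):
        problems.append("server key has no uid with an email address")
    if not {"e", "s"} <= key["caps"]:
        problems.append("server key cannot both encrypt and sign")
    return problems


def keyring_listing(gnupghome=None):
    """Listing for the current user's keyring, or for --homedir when given. Run it as
    the web server user (the thread's `sudo su -s /bin/bash -c ... nginx`) to see the
    keyring PHP uses. Not called by the sample below, which uses constructed text."""
    cmd = ["gpg", "--list-keys", "--with-colons", "--fingerprint"]
    if gnupghome:
        cmd += ["--homedir", gnupghome]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed from the config/passbolt.php lines quoted in the thread.
SAMPLE_CONFIG = """
    'gpg' => [
        'serverKey' => [
            'fingerprint' => '0DEF6E8D3011558C242476A5A37EAF8B3C29B2BC',
            'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
            'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',
        ],
    ],
"""

# Keyring that holds the server key (modelled on the passbolt-src listing in the
# thread; the subkey id and uid hash are placeholders, not real values).
LISTING_WITH_KEY = """\
tru::1:1526000000:0:3:1:5
pub:u:2048:1:A37EAF8B3C29B2BC:1518220800:::u:::scESC:
fpr:::::::::0DEF6E8D3011558C242476A5A37EAF8B3C29B2BC:
uid:u::::1518220800::PLACEHOLDERUIDHASH::MyOrg - myserver <root@myserver.domain.com>:
sub:u:2048:1:PLACEHOLDER472E030E:1518220800::::::e:
"""

# What `gpg --list-keys` printed for the nginx user in the thread: nothing.
LISTING_EMPTY = ""

if __name__ == "__main__":
    for name, listing in (("passbolt-src", LISTING_WITH_KEY), ("nginx", LISTING_EMPTY)):
        problems = check_server_key(SAMPLE_CONFIG, listing)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

To check a live system, feed `keyring_listing()` run as the web server user (or with its GNUPGHOME as `--homedir`) and the real config/passbolt.php text into `check_server_key()`.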

From index.html console during failed login:

vendors.min.js:82340 POST https://passbolt.mydomain.com/auth/login.json?api-version=v1 502 (Bad Gateway)
index.min.js:1455 There was a server error. No additional information provided(502)

There is a small chance SE linux is stomping on things but I don't think it has before. Wait no, it is disabled:

cameron@myserver /var/www/passbolt $ sudo sestatus
SELinux status:                 disabled

Just noticed the nginx error logs during failed login:

==> /var/log/nginx/error.log <==
2018/05/17 10:17:13 [error] 847#0: *228598 FastCGI sent in stderr: "PHP message: PHP Warning:  file_put_contents(/var/www/passbolt/logs/error.log): failed to open stream: Permission denied in /var/www/passbolt/vendor/cakephp/cakephp/src/Log/Engine/FileLog.php on line 133
PHP message: PHP Warning:  file_put_contents(/var/www/passbolt/logs/error.log): failed to open stream: Permission denied in /var/www/passbolt/vendor/cakephp/cakephp/src/Log/Engine/FileLog.php on line 133
PHP message: PHP Warning:  file_put_contents(/var/www/passbolt/logs/error.log): failed to open stream: Permission denied in /var/www/passbolt/vendor/cakephp/cakephp/src/Log/Engine/FileLog.php on line 133
PHP message: PHP Warning:  file_put_contents(/var/www/passbolt/logs/error.log): failed to open stream: Permission denied in /var/www/passbolt/vendor/cakephp/cakephp/src/Log/Engine/FileLog.php on line 133
PHP message: PHP Warning:  file_put_contents(/var/www/passbolt/logs/error.log): failed to open stream: Permission denied in /var/www/passbolt/vendor/cakephp/cakephp/src/Log/Engine/FileLog.php on line 133
PHP message: PHP Warning:  file_put_contents(/var/www/passbolt/logs/error.log): failed to open stream: Permission denied in /var/www/passbolt/vendor/cakephp/cakephp/src/Log/Engine/FileLog.php on line 133
PHP message: PHP Warning:  file_put_contents(/var/www/passbolt/logs/error.log): failed to open stream: Permission denied in /var/www/passbolt/vendor/cakephp/cakephp/src/Log/Engine/FileLog.php on line 133
PHP message: PHP Warning:  file_put_contents(/var/www/passbolt/logs/error.log): failed to open stream: Permission denied in /var/www/passbolt/vendor/cakephp/cakephp/src/Log/Engine/FileLog.php on line 133
PHP message: PHP Warning:  file_put_contents(/var/www/passbolt/logs/error.log): failed to open stream: Permission denied in /var/www/passbolt/vendor/cakephp/cakephp/src/Log/Engine/FileLog.php on line 133" while reading response header from upstream, client: 12.34.56.789, server: passbolt.mydomain.com, request: "POST /auth/login.json?api-version
2018/05/17 10:17:13 [error] 847#0: *228598 upstream sent too big header while reading response header from upstream, client: 12.34.56.789, server: passbolt.mydomain.com, request: "POST /auth/login.json?api-version=v1 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", host: "passbolt.mydomain.com"

So, when I switched the user accounts around, I didn't fix permissions with regards to nginx.

cameron@myserver ~ $ ls -l /var/www/passbolt/logs
total 0
cameron@myserver ~ $ ls -l /var/www/passbolt/logs -d
drwxr-xrwx 2 passbolt-src nginx 4096 May 10 22:48 /var/www/passbolt/logs

Fix that real quick

cameron@myserver ~ $ sudo chmod g+w,o-w /var/www/passbolt/logs

Now I donā€™t get the 502 error but I get bumped right back to the login page.

cameron@myserver ~ $ cat /var/www/passbolt/logs/error.log | egrep -v '^\s*$'
2018-05-17 07:23:25 Warning: Warning (512): /var/www/passbolt/tmp/cache/persistent/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:26 Warning: Warning (512): /var/www/passbolt/tmp/cache/persistent/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:26 Warning: Warning (512): /var/www/passbolt/tmp/cache/models/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:26 Warning: Warning (512): _cake_model_ cache was unable to write 'default_users' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:26 Warning: Warning (512): _cake_model_ cache was unable to write 'default_gpgkeys' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:26 Warning: Warning (512): _cake_model_ cache was unable to write 'default_roles' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:26 Warning: Warning (512): _cake_model_ cache was unable to write 'default_groups_users' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:26 Warning: Warning (512): _cake_model_ cache was unable to write 'default_profiles' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:26 Warning: Warning (512): _cake_model_ cache was unable to write 'default_file_storage' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:26 Warning: Warning (512): /var/www/passbolt/tmp/cache/persistent/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:26 Warning: Warning (2): session_start(): open(/var/lib/php/session/sess_op2eq0d7gjqavho0kvnpju8f01, O_RDWR) failed: Permission denied (13) in [/var/www/passbolt/vendor/cakephp/cakephp/src/Network/Session.php, line 335]
2018-05-17 07:23:26 Warning: Warning (2): session_write_close(): open(/var/lib/php/session/sess_op2eq0d7gjqavho0kvnpju8f01, O_RDWR) failed: Permission denied (13) in [Unknown, line 0]
2018-05-17 07:23:26 Warning: Warning (2): session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in [Unknown, line 0]
2018-05-17 07:23:31 Warning: Warning (512): /var/www/passbolt/tmp/cache/persistent/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:31 Warning: Warning (512): /var/www/passbolt/tmp/cache/models/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:31 Warning: Warning (512): _cake_model_ cache was unable to write 'default_users' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:31 Warning: Warning (512): _cake_model_ cache was unable to write 'default_gpgkeys' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:31 Warning: Warning (512): _cake_model_ cache was unable to write 'default_roles' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:31 Warning: Warning (512): _cake_model_ cache was unable to write 'default_groups_users' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:31 Warning: Warning (512): _cake_model_ cache was unable to write 'default_profiles' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:31 Warning: Warning (512): _cake_model_ cache was unable to write 'default_file_storage' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:31 Warning: Warning (512): _cake_model_ cache was unable to write 'default_authentication_tokens' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:32 Warning: Warning (512): /var/www/passbolt/tmp/cache/persistent/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:32 Warning: Warning (512): /var/www/passbolt/tmp/cache/models/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:32 Warning: Warning (512): _cake_model_ cache was unable to write 'default_users' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:32 Warning: Warning (512): _cake_model_ cache was unable to write 'default_gpgkeys' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:32 Warning: Warning (512): _cake_model_ cache was unable to write 'default_roles' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:32 Warning: Warning (512): _cake_model_ cache was unable to write 'default_groups_users' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:32 Warning: Warning (512): _cake_model_ cache was unable to write 'default_profiles' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:32 Warning: Warning (512): _cake_model_ cache was unable to write 'default_file_storage' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:32 Warning: Warning (512): _cake_model_ cache was unable to write 'default_authentication_tokens' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:32 Warning: Warning (2): session_start(): open(/var/lib/php/session/sess_op2eq0d7gjqavho0kvnpju8f01, O_RDWR) failed: Permission denied (13) in [/var/www/passbolt/vendor/cakephp/cakephp/src/Network/Session.php, line 335]
2018-05-17 07:23:32 Warning: Warning (2): session_regenerate_id(): open(/var/lib/php/session/sess_qus91rhrbj7j5jr85uuunoj9u6, O_RDWR) failed: Permission denied (13) in [/var/www/passbolt/vendor/cakephp/cakephp/src/Network/Session.php, line 578]
2018-05-17 07:23:32 Warning: Warning (4096): session_regenerate_id(): Failed to create(read) session ID: files (path: /var/lib/php/session) in [/var/www/passbolt/vendor/cakephp/cakephp/src/Network/Session.php, line 578]
2018-05-17 07:23:32 Warning: Warning (512): /var/www/passbolt/tmp/cache/persistent/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:32 Warning: Warning (512): /var/www/passbolt/tmp/cache/persistent/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:33 Warning: Warning (2): session_start(): open(/var/lib/php/session/sess_hjo3799hsopum7bamo9nc8c7v7, O_RDWR) failed: Permission denied (13) in [/var/www/passbolt/vendor/cakephp/cakephp/src/Network/Session.php, line 335]
2018-05-17 07:23:33 Warning: Warning (2): session_write_close(): open(/var/lib/php/session/sess_hjo3799hsopum7bamo9nc8c7v7, O_RDWR) failed: Permission denied (13) in [Unknown, line 0]
2018-05-17 07:23:33 Warning: Warning (2): session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in [Unknown, line 0]
2018-05-17 07:23:33 Warning: Warning (512): /var/www/passbolt/tmp/cache/persistent/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:33 Warning: Warning (512): /var/www/passbolt/tmp/cache/persistent/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:33 Warning: Warning (512): /var/www/passbolt/tmp/cache/models/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:33 Warning: Warning (512): _cake_model_ cache was unable to write 'default_users' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:33 Warning: Warning (512): _cake_model_ cache was unable to write 'default_gpgkeys' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:33 Warning: Warning (512): _cake_model_ cache was unable to write 'default_roles' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:33 Warning: Warning (512): _cake_model_ cache was unable to write 'default_groups_users' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:33 Warning: Warning (512): _cake_model_ cache was unable to write 'default_profiles' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:33 Warning: Warning (512): _cake_model_ cache was unable to write 'default_file_storage' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:23:33 Warning: Warning (512): /var/www/passbolt/tmp/cache/persistent/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:23:33 Warning: Warning (2): session_start(): open(/var/lib/php/session/sess_hjo3799hsopum7bamo9nc8c7v7, O_RDWR) failed: Permission denied (13) in [/var/www/passbolt/vendor/cakephp/cakephp/src/Network/Session.php, line 335]
2018-05-17 07:23:33 Warning: Warning (2): session_write_close(): open(/var/lib/php/session/sess_hjo3799hsopum7bamo9nc8c7v7, O_RDWR) failed: Permission denied (13) in [Unknown, line 0]
2018-05-17 07:23:33 Warning: Warning (2): session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in [Unknown, line 0]

Looks like I didn't fix all of the permissions that needed fixing.

I would like it for nginx to not be able to modify files it shouldn't need to modify. I guess that's what I was thinking with creating a passbolt-src user. Also so that that user could run git updates without nginx permissions. Alas, I see your installation instructions say to just let nginx own everything…

cameron@myserver /var/www/passbolt $ sudo chown -R nginx: .

Hmmm. Still not logging in. nginx access logs show things happening…

==> /var/log/nginx/access.log <==
12.34.56.789 - - [17/May/2018:10:38:57 +0300] "POST /auth/login.json?api-version=v1 HTTP/1.1" 200 1097 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" "-"
12.34.56.789 - - [17/May/2018:10:38:57 +0300] "POST /auth/login.json?api-version=v1 HTTP/1.1" 200 3995 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" "-"
12.34.56.789 - - [17/May/2018:10:38:57 +0300] "GET /auth/checkSession.json?api-version=v1 HTTP/1.1" 403 263 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" "-"
12.34.56.789 - - [17/May/2018:10:38:57 +0300] "GET / HTTP/1.1" 302 5 "https://passbolt.mydomain.com/auth/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" "-"
12.34.56.789 - - [17/May/2018:10:38:57 +0300] "GET /auth/login HTTP/1.1" 200 5611 "https://passbolt.mydomain.com/auth/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" "-"
12.34.56.789 - - [17/May/2018:10:38:59 +0300] "POST /auth/verify.json?api-version=v1 HTTP/1.1" 200 1916 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" "-"
12.34.56.789 - - [17/May/2018:10:38:59 +0300] "GET /settings.json?api-version=v2 HTTP/1.1" 200 326 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36" "-"

Oh! More errors in /var/www/passbolt/logs/error.log (that I overlooked before):

2018-05-17 07:38:57 Warning: Warning (2): session_start(): open(/var/lib/php/session/sess_047i6tj20dvnm28ccrogasj561, O_RDWR) failed: Permission denied (13) in [/var/www/passbolt/vendor/cakephp/cakephp/src/Network/Session.php, line 335]
2018-05-17 07:38:57 Warning: Warning (2): session_regenerate_id(): open(/var/lib/php/session/sess_kvmtav4e1sddkb29mdd14fddb7, O_RDWR) failed: Permission denied (13) in [/var/www/passbolt/vendor/cakephp/cakephp/src/Network/Session.php, line 578]
2018-05-17 07:38:57 Warning: Warning (4096): session_regenerate_id(): Failed to create(read) session ID: files (path: /var/lib/php/session) in [/var/www/passbolt/vendor/cakephp/cakephp/src/Network/Session.php, line 578]
2018-05-17 07:38:57 Warning: Warning (2): session_start(): open(/var/lib/php/session/sess_3l4ftb10bo0m1eip6rtp48log3, O_RDWR) failed: Permission denied (13) in [/var/www/passbolt/vendor/cakephp/cakephp/src/Network/Session.php, line 335]
2018-05-17 07:38:57 Warning: Warning (2): session_write_close(): open(/var/lib/php/session/sess_3l4ftb10bo0m1eip6rtp48log3, O_RDWR) failed: Permission denied (13) in [Unknown, line 0]
2018-05-17 07:38:57 Warning: Warning (2): session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in [Unknown, line 0]
2018-05-17 07:38:59 Warning: Warning (2): session_start(): open(/var/lib/php/session/sess_3l4ftb10bo0m1eip6rtp48log3, O_RDWR) failed: Permission denied (13) in [/var/www/passbolt/vendor/cakephp/cakephp/src/Network/Session.php, line 335]
2018-05-17 07:38:59 Warning: Warning (2): session_write_close(): open(/var/lib/php/session/sess_3l4ftb10bo0m1eip6rtp48log3, O_RDWR) failed: Permission denied (13) in [Unknown, line 0]
2018-05-17 07:38:59 Warning: Warning (2): session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in [Unknown, line 0]

Stupid php update changes the permissions on /var/lib/php/session to apache.

cameron@myserver ~ $ sudo ls -ld /var/lib/php/session
drwxrwx--- 2 root apache 4096 Apr 28 11:22 /var/lib/php/session
cameron@myserver ~ $ sudo chgrp nginx /var/lib/php/session

And we're all set!

Thanks for the help debugging this. Hope the documentation of my tribulations will help someone else eventually.

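The two failure shapes in this write-up (PHP session files and CakePHP cache directories that the web server user cannot write) are easy to miss among the repeated warnings. The following added triage helper is not passbolt's code or the poster's; it pulls the blamed directories out of error.log lines and applies the same owner/group/other logic the `ls -ld` output above was read with. The sample log lines and the numeric uid/gid values are constructed for illustration.

```python
"""Added triage helper (not passbolt's code): map CakePHP/PHP permission
warnings to the directories a web server user cannot write, then evaluate
the directory mode bits the way the kernel would. Ids are constructed."""
import os
import re
import stat
from collections import Counter

# (regex, captured path is a file) for each warning shape in logs/error.log.
PATTERNS = (
    (re.compile(r"open\((/[^,)]+), O_RDWR\) failed: Permission denied"), True),
    (re.compile(r"(/\S+?)/? is not writable"), False),
    (re.compile(r"session\.save_path is correct \((/[^)]+)\)"), False),
)

# Constructed sample, modelled on the error.log excerpt in this thread.
SAMPLE_LOG = r"""
2018-05-17 07:38:57 Warning: Warning (2): session_start(): open(/var/lib/php/session/sess_aaaa, O_RDWR) failed: Permission denied (13) in [/var/www/passbolt/vendor/cakephp/cakephp/src/Network/Session.php, line 335]
2018-05-17 07:38:57 Warning: Warning (2): session_regenerate_id(): open(/var/lib/php/session/sess_bbbb, O_RDWR) failed: Permission denied (13) in [/var/www/passbolt/vendor/cakephp/cakephp/src/Network/Session.php, line 578]
2018-05-17 07:38:57 Warning: Warning (512): /var/www/passbolt/tmp/cache/persistent/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:38:57 Warning: Warning (512): /var/www/passbolt/tmp/cache/models/ is not writable in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 437]
2018-05-17 07:38:57 Warning: Warning (512): _cake_model_ cache was unable to write 'default_users' to Cake\Cache\Engine\FileEngine cache in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Cache.php, line 286]
2018-05-17 07:38:57 Warning: Warning (2): session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in [Unknown, line 0]
"""


def unwritable_dirs(log_text):
    """Count, per directory, the warnings that blame it for a failed write.
    Consequence-only lines (cache 'unable to write ...') carry no path and are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        for pat, is_file in PATTERNS:
            m = pat.search(line)
            if m:
                path = m.group(1)
                hits[os.path.dirname(path) if is_file else path] += 1
                break  # one warning blames exactly one directory
    return hits


def can_write(mode, owner_uid, owner_gid, uid, gids):
    """POSIX owner/group/other check on a directory's st_mode; root always passes."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def check_live(directory, uid, gids):
    """Run can_write against the real filesystem; None if the path is absent."""
    try:
        st = os.stat(directory)
    except FileNotFoundError:
        return None
    return can_write(st.st_mode, st.st_uid, st.st_gid, uid, gids)
```

Running `unwritable_dirs` over a real error.log and `check_live` on each reported directory with the web server's uid and supplementary gids reproduces the diagnosis in this thread without guessing from the `ls -ld` output.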

Good catch @cinderblock, I'm glad you figured it out!
Thanks for the write up, it will certainly be useful for other people in a similar case.
