passbolt / passbolt_api

Passbolt Community Edition (CE) API. The JSON API for the open source password manager for teams!
https://passbolt.com
GNU Affero General Public License v3.0

The OpenPGP server key cannot be used to decrypt the SMTP settings stored in database. #454

Status: Closed (ponceto closed this issue 1 year ago)

ponceto commented 1 year ago

Hi !

We upgraded last morning to the latest version:

 Open source password manager for teams
-------------------------------------------------------------------------------
Passbolt CE 3.8.1
Cakephp 4.3.7

Sometimes the cronjob sends me an email with a GPG error:

Exception: The OpenPGP server key cannot be used to decrypt the SMTP settings stored in database. To fix this problem, you need to configure the SMTP server again. Decryption failed.
In [/usr/share/php/passbolt/plugins/PassboltCe/SmtpSettings/src/Service/SmtpSettingsGetSettingsInDbService.php, line 114]

We have updated the mail configuration, but the error is still here.

I checked the GPG file permission and everything seems to be fine.

-r--r----- 1 www-data www-data 1.8K Apr 28  2022 serverkey.asc
-r--r----- 1 www-data www-data 3.6K Apr 28  2022 serverkey_private.asc

How can we fix this problem ?

stripthis commented 1 year ago

> Sometimes the cronjob sends me an email with a GPG error.

To confirm, it is not every time, just sometimes?

ponceto commented 1 year ago

I receive an error every (nearly) 2~4hrs.

This was an unknown behavior since the last update.

I looked in the logs but nothing special.

stripthis commented 1 year ago

If it's intermittent, this looks like something specific to your environment. Any more information from other logs, or some context about your machine (which virtualization platform, etc.)? Do you have NTP installed? Is the entropy pool OK?

ponceto commented 1 year ago

Everything seems to be okay. The passbolt server has been running for many months without any problem. The error started just after the upgrade to v3.8.1.

There are no errors in the logs, neither passbolt nor syslog.

The server is an LXC server under Debian 11, running on a Proxmox VE hypervisor with a system load < 1%.

ponceto commented 1 year ago

Same problem from another user here:

https://community.passbolt.com/t/rocky-linux-setup-the-openpgp-server-key-cannot-be-used-to-decrypt-the-smtp-settings-stored-in-database-to-fix-this-problem-you-need-to-configure-the-smtp-server-again/6077

stripthis commented 1 year ago

@ponceto the change with 3.8.1 is that the email queue now uses configuration stored in the database. The configuration is encrypted using the server key. This content is decrypted using gpg (via php-gnupg). There seems to be an issue in the context of a cronjob. At this stage we are not able to reproduce the issue. If you want, you can contact us at support@passbolt.com; we could try to schedule a call and dig into the problem together.

ponceto commented 1 year ago

Yes, I saw the config is now in the database. But the strange part is that the mail notifications are working. So passbolt is able to decrypt the configuration. I added some traces to the source code.

The exception is raised in passbolt/src/Utility/OpenPGP/Backends/Gnupg.php at line 395, and the reason for the exception is just "decrypt failed".

That's weird because all notifications are working as intended.

stripthis commented 1 year ago

Yes I suspect that if it's intermittent, thus, emails are ultimately getting sent. We're trying to dig into this. I suspect we're doing something gnupg / gpgme / php-gnupg doesn't like. Any logs you can get on this side?

ponceto commented 1 year ago

Unfortunately I have no other errors/logs. I'm trying to find the problem with a step by step debug.

stripthis commented 1 year ago

@ponceto can you check your cronjobs, for both root and nginx (or other users on the machine), to see if maybe there is a duplicate there?

ponceto commented 1 year ago

We use passbolt-ce, the debian package.

Here is the cronjob /etc/cron.d/passbolt-ce-server

#
#
#  Cronjob to process emails for the Passbolt Web Service every minute.
#
#  This crontab script is part of the Passbolt Debian package,
#  see dh_installcron debhelper program for more details.
#

PATH=/bin:/usr/local/bin:/usr/bin
PASSBOLT_BASE_DIR=/usr/share/php/passbolt

* * * * * www-data $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /dev/null

There is no crontab for nginx (or other user).

Passbolt is alone on this Linux Container (LXC under Proxmox)

stripthis commented 1 year ago

@ponceto did you manage to see if there are a lot of emails in the queue, or another cron running while a new one is launched, when the error happens? Or does it happen randomly even if there is no email to be sent? We're still trying to reproduce it on our end.
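
One way to collect the evidence asked for above (whether a previous cron run is still active, and what the failing run printed), as an added example that is not part of the original thread or the Passbolt package. `run_logged`, the lock directory and the log file path are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added diagnostic example; not Passbolt code. All names here are hypothetical.
# run_logged LOCKDIR LOGFILE COMMAND [ARGS...]
# Appends one line per run to LOGFILE:
#   <UTC timestamp> pid=<pid> status=<exit code | OVERLAP holder=<pid>>
# followed by the command's stderr, indented, when it wrote any.
run_logged() {
    lockdir=$1 logfile=$2
    shift 2
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # mkdir is atomic: if it fails, an earlier run still holds the lock
    # (or crashed and left it behind; remove the directory by hand then).
    if ! mkdir "$lockdir" 2>/dev/null; then
        holder=$(cat "$lockdir/pid" 2>/dev/null || echo unknown)
        echo "$now pid=$$ status=OVERLAP holder=$holder" >> "$logfile"
        return 75
    fi
    echo "$$" > "$lockdir/pid"

    errfile=$(mktemp)
    status=0
    # stdout is discarded, as in the packaged cron line; stderr is kept.
    "$@" > /dev/null 2> "$errfile" || status=$?

    echo "$now pid=$$ status=$status" >> "$logfile"
    if [ -s "$errfile" ]; then
        sed 's/^/    /' "$errfile" >> "$logfile"
    fi

    rm -f "$errfile" "$lockdir/pid"
    rmdir "$lockdir"
    return "$status"
}

# When saved as a script and called with arguments, act as the wrapper, e.g.
#   wrapper.sh /tmp/pb-cron.lock /tmp/pb-cron.log "$PASSBOLT_BASE_DIR/bin/cron"
# (the /tmp paths and the script name are assumptions, not package defaults).
if [ "$#" -ge 3 ]; then
    run_logged "$@"
fi
```

A log with only `status=0` lines around the time of an error email rules out overlapping runs; `OVERLAP` lines or a non-zero status with the captured stderr give the timestamps to correlate with other logs.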

ponceto commented 1 year ago

It appears randomly when there are no emails to be sent. Our passbolt server is not heavily loaded and the problem appears even at night when there is no user at all.

I ran lots of tests today with the instance completely isolated, with no users. The problem is really random.

ponceto commented 1 year ago

I'll continue to investigate step by step, maybe the problem is on our side.

julian70400 commented 1 year ago

Be careful, this problem occurs not only during the installation process.

Everything was working fine until the last Debian package upgrade (Debian 10.5). Cron is working fine, and the health check is fine also. When I try to reconfigure the mail server in the interface, it's correctly saved. But I still get this error every hour: Exception: The OpenPGP server key cannot be used to decrypt the SMTP settings stored in database. To fix this problem, you need to configure the SMTP server again. Decryption failed. In [/usr/share/php/passbolt/plugins/PassboltCe/SmtpSettings/src/Service/SmtpSettingsGetSettingsInDbService.php, line 114]

ponceto commented 1 year ago

Oh, you have the same problem !! So I'm not crazy !!

stripthis commented 1 year ago

We're still trying to reproduce the issue on our end. We have a 3.8.3 release scheduled for this afternoon that may fix the problem and, if not, give us more debug information. We also have a call scheduled with a user at 16:00 to try to understand what the root cause of this is.

stripthis commented 1 year ago

https://community.passbolt.com/t/issue-with-gnupg-decryption-in-cron-job-emails-not-sent/6130/2

ponceto commented 1 year ago

The new version has been deployed some minutes ago ... I'll tell you if the issue is resolved or not.

ponceto commented 1 year ago

No more errors since the upgrade \o/

stripthis commented 1 year ago

🕺