tacruc / gpgmailer

Send encrypted emails to registered users
GNU Affero General Public License v3.0
17 stars 4 forks

Creating Server GPG Key pair failed. #5

Closed DidierLmn closed 2 years ago

DidierLmn commented 4 years ago

After enabling the app I get the following messages in the log

[gpgmailer] Error: Creating Server GPG Key pair failed. Emails are not going to be signed, expect keys are server keys imported manually

POST /settings/apps/enable
from x.x.x.x by xxx at 2020-07-13T17:28:48+00:00
----
[gpgmailer] Warning: No server GPG key found so no signed emails are possible

POST /settings/apps/enable
from x.x.x.x by xxxx at 2020-07-13T17:28:48+00:00

I've tried reinstalling the app, but it gives the same error.

Server configuration

Operating system: Fedora 32

Web server: Nginx

Database: PostgreSQL

PHP version: 7.4

Nextcloud version: 19

tacruc commented 4 years ago

Can you execute gpg from the command line? Do you have additional log entries? Can you try to set the nextcloud log level to "debug" or "info" and reinstall the app?

DidierLmn commented 4 years ago

I can execute gpg from the CLI

$ sudo -u nginx gpg --version

gpg (GnuPG) 2.2.20
libgcrypt 1.8.5

Home: /var/lib/nginx/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I did not have any additional log entries. I've now disabled the app, increased the log level and enabled the app. Now I only get one additional "info" log entry.

[gpgmailer] Error: Creating Server GPG Key pair failed. Emails are not going to be signed, expect keys are server keys imported manually

POST /settings/apps/enable
from x.x.x.x by xxx at 2020-07-19T13:03:29+00:00
__________

[gpgmailer] Info: Created server gpg key pair 

POST /settings/apps/enable
from x.x.x.x by xxx at 2020-07-19T13:03:29+00:00
___________

[gpgmailer] Warning: No server GPG key found so no signed emails are possible

POST /settings/apps/enable
from x.x.x.x by xxx at 2020-07-19T13:03:29+00:00

Next I completely removed the app and reinstalled. The logs produced then are exactly the same as the ones above.

tacruc commented 4 years ago

Have you had the log level at debug or info? I'm looking for a debug message, which should give the output of the key creation.

You could also try:

cat >foo <<EOF
Key-Type: default
Subkey-Type: default
Name-Real: {$name}
Name-Comment: {$commend}
Name-Email: {$email}
Expire-Date: 0
%no-protection
EOF

gpg --batch --gen-key foo
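The batch generation suggested above, as an added example that is not gpgmailer's own code: it runs gpg without a shell, keeps the parameter file out of the working directory and removes it afterwards, reads the fingerprint from gpg's machine-readable status output, and then checks that the PHP gnupg extension can see the new key in the same GNUPGHOME. The function name `generateServerKey`, the temporary home directory and the identity values are assumptions; PHP 7.4 (array form of `proc_open`), the gnupg extension and gpg 2.2 on PATH are assumed as well.

```php
<?php
// Added example, not gpgmailer's code. Assumed name: generateServerKey().
// Assumes PHP >= 7.4, the pecl gnupg extension and gpg 2.2 on PATH.

function generateServerKey(string $homeDir, string $name, string $comment, string $email): string
{
    // The parameter file is line-oriented: a newline inside a value would start a
    // new directive (e.g. "Passphrase:"), so control characters are stripped first.
    $clean = static fn(string $v): string => preg_replace('/[\x00-\x1f\x7f]/', '', $v);

    if (!is_dir($homeDir) && !mkdir($homeDir, 0700, true)) {
        throw new RuntimeException("cannot create GNUPGHOME $homeDir");
    }

    // Parameters go next to the keyring with mode 0600, not into cwd as "foo".
    $params = tempnam($homeDir, 'genkey-');
    chmod($params, 0600);
    file_put_contents($params, implode("\n", [
        'Key-Type: default',
        'Subkey-Type: default',
        'Name-Real: ' . $clean($name),
        'Name-Comment: ' . $clean($comment),
        'Name-Email: ' . $clean($email),
        'Expire-Date: 0',
        '%no-protection',   // unattended signing needs an unencrypted key; the 0700 home protects it
    ]) . "\n");

    try {
        // --status-fd 2 makes gpg print "[GNUPG:] KEY_CREATED <type> <fpr>" on stderr,
        // which is stable across locales, unlike the human-readable messages.
        $proc = proc_open(
            ['gpg', '--batch', '--no-tty', '--status-fd', '2', '--gen-key', $params],
            [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
            $pipes,
            $homeDir,
            ['GNUPGHOME' => $homeDir, 'PATH' => getenv('PATH') ?: '/usr/bin:/bin']
        );
        if (!is_resource($proc)) {
            throw new RuntimeException('proc_open failed');
        }
        $stdout = stream_get_contents($pipes[1]); fclose($pipes[1]);
        $stderr = stream_get_contents($pipes[2]); fclose($pipes[2]);
        $exit   = proc_close($proc);
    } finally {
        @unlink($params);   // always remove the request for an unprotected key, even on failure
    }

    if ($exit !== 0 || !preg_match('/^\[GNUPG:\] KEY_CREATED \S+ ([0-9A-F]{40})/m', $stderr, $m)) {
        throw new RuntimeException("gpg exited with $exit: " . trim($stderr));
    }
    $fingerprint = $m[1];

    // Verify through the extension before the fingerprint is persisted anywhere:
    // this is exactly the step that silently came back empty in this thread.
    putenv('GNUPGHOME=' . $homeDir);
    $gpg = new gnupg();
    $gpg->seterrormode(gnupg::ERROR_WARNING);
    if (empty($gpg->keyinfo($fingerprint))) {
        throw new RuntimeException(
            "gpg created $fingerprint but the gnupg extension cannot find it: " . var_export($gpg->geterror(), true)
        );
    }
    return $fingerprint;
}

// Constructed sample call; the home directory and identity are placeholders.
echo generateServerKey('/tmp/gpgmailer-test/.gnupg', 'Nextcloud', 'a safe home for all your data', 'noreply@server.example.org'), "\n";
```

Run it as the web server user (`sudo -u nginx php -f genkey.php`) so the keyring ends up owned by the same account that later signs mail; if the final check throws, the CLI and the extension are not looking at the same keyring or the same gpg installation.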

DidierLmn commented 4 years ago

The loglevel was at debug. There were no other log messages in the gpgmailer app context. I checked again, same 3 messages.

Where should I try the above command? In my home directory this is the output

gpg --batch --gen-key foo 2>&1

gpg: directory '/home/username/.gnupg' created
gpg: keybox '/home/username/.gnupg/pubring.kbx' created
gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
gpg: key B476497C19423948 marked as ultimately trusted
gpg: directory '/home/username/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/username/.gnupg/openpgp-revocs.d/3CDF66007A8CBBB21AD2B6B2B476497C19423948.rev'

tacruc commented 4 years ago

How familiar are you with php? https://github.com/tacruc/gpgmailer/blob/b0480f2c5b0a61a1ce355446596f8f82cd5c9df8/lib/Service/Gpg.php#L268 This until the end of the file should be the relevant code where the key is generated. The loadUser($uid) function with $uid=null is what is called to set the gpg env variables and create all the folders etc.

I'm wondering why https://github.com/tacruc/gpgmailer/blob/b0480f2c5b0a61a1ce355446596f8f82cd5c9df8/lib/Service/Gpg.php#L315 debug message is not in your log.

If you are familiar with php it should be quite easy to see all the environment variables you need to set, as the gpg with the original environment variables seems to work without problems. If you are not familiar with php I might find the time the next days.

DidierLmn commented 4 years ago

I'm quite familiar with PHP :)

I've been combing through the Nextcloud docs, and noticed that you need to set 'debug' => true in the config.php, I had only set the log level to 0 (debug). Skimming further through their docs I think your if ($debugMode) is unnecessary, anyway, here are the logs I am getting with debug mode on. (FYI, /storage/nextcloud is my nextcloud storage path)

[gpgmailer] Debug: Generate server key for email:noreply@server.example.org

POST /settings/apps/enable
from x.x.x.x by xxx at 2020-08-26T14:50:27+00:00
________________

[gpgmailer] Debug: gpg --batch --gen-key foo:
Array
(
    [0] => gpg: key 9B91E4A620DA8B30 marked as ultimately trusted
    [1] => gpg: revocation certificate stored as '/storage/nextcloud/.gnupg/openpgp-revocs.d/B622F9F2F7755ACFA813E1AE9B91E4A620DA8B30.rev'
)

 This took 0seconds.

POST /settings/apps/enable
from x.x.x.x by xxx at 2020-08-26T14:50:27+00:00
__________________

[gpgmailer] Warning: No server GPG key found so no signed emails are possible

POST /settings/apps/enable
from x.x.x.x by xxx at 2020-08-26T14:50:27+00:00
_________________

[gpgmailer] Debug: Saved server key fingerprint: to system config

POST /settings/apps/enable
from x.x..x by xxx at 2020-08-26T14:50:27+00:00
_________________

[gpgmailer] Info: Created server gpg key pair 

POST /settings/apps/enable
from x.x.x.x by xxx at 2020-08-26T14:50:27+00:00
________________

[gpgmailer] Error: Creating Server GPG Key pair failed. Emails are not going to be signed, expect keys are server keys imported manually

POST /settings/apps/enable
from x.x.x.x by xxx at 2020-08-26T14:50:27+00:00

The keys are present on my filesystem, I can see all of the created keys thus far (with the regular enabling-disabling) when I do ls /storage/nextcloud/.gnupg/private-keys-v1.d

So I've gone ahead and added some logging around line 320 in Gpg.php

$keys = $gpg->keyinfo($email);
$fingerprint = "";

$this->logger->debug($email);
$this->logger->debug(print_r($gpg->keyinfo($email)));

foreach ($keys as $key) {
        $this->logger->debug(print_r($key));

the $email logs the server email as expected. The $gpg->keyinfo($email) however just logs 1 so the foreach is skipped and the $fingerprint variable never set. Then I've also logged just $gpg->keyinfo(''); which should return all keys, however this also just returns 1. As I've never used gnupg in php I'm not entirely sure what else to try.

tacruc commented 4 years ago

I'm quite familiar with PHP :)

Perfect, as I'm unfortunately quite busy.

Skimming further through their docs I think your if ($debugMode) is unneccesary, anyway, here are the logs I am getting with

is an artifact from developing I forgot to remove, I wanted to be able to set the debug mode just for this app.

the $email logs the server email as expected. The $gpg->keyinfo($email) however just logs 1 so the foreach is skipped and the $fingerprint variable never set.

I think it is a problem with your print_r you have to set the return argument to true, https://www.php.net/manual/en/function.print-r.php.

DidierLmn commented 4 years ago

You're right, forgot a param, my bad.

At line 317 in Gpg.php I've done

$foo = system("rm foo",$out);
$data = [$cwd, $home, $email, $name, $commend, $foo, $out1, $out2];
$this->logger->debug(print_r($data, true));
$this->logger->debug(print_r($gpg->keyinfo($email), true));
$this->logger->debug(print_r($gpg->keyinfo(''), true));

which gives me in the logs

[no app in context] Debug: Array
(
    [0] => /usr/share/nginx/nextcloud
    [1] => /storage/nextcloud/
    [2] => noreply@server.example.org
    [3] => Nextcloud
    [4] => a safe home for all your data
    [5] => 
    [6] => 0
    [7] => Array
        (
            [0] => gpg: key 2E8117D983833504 marked as ultimately trusted
            [1] => gpg: revocation certificate stored as '/storage/nextcloud/.gnupg/openpgp-revocs.d/EE172C97F3A5D2C13A8A7AA22E8117D983833504.rev'
        )

)

POST /settings/apps/enable
from x.x.x.x by xxx at 2020-08-27T18:33:01+00:00
_________
[no app in context] Debug: Array
(
)

POST /settings/apps/enable
from x.x.x.x by xxx at 2020-08-27T18:33:01+00:00
_________
[no app in context] Debug: Array
(
)

POST /settings/apps/enable
from x.x.x.x by xxx at 2020-08-27T18:33:01+00:00

It appears there are no keys in the keyring at all.

I've also tried $gpg->seterrormode(gnupg::ERROR_EXCEPTION); and wrapping the whole thing in a try{}catch(){} and logging the exception message, but no exception is being thrown.

When checking the /storage/nextcloud/.gnupg permissions (where the keys are being created, I can see them here), the nginx user has rwx permissions. Php-fpm also uses the nginx user.

Lastly I double-checked that the php-gpg extension is installed

$ php -i | grep -i gnupg

/etc/php.d/40-gnupg.ini,
gnupg
gnupg support => enabled

tacruc commented 4 years ago

Can you check the keyring manually with any other gnupg application? You can use an environment variable to tell gpg which keyring to use. You can then also manually import a key and check if it is found by gpg->keyinfo("")

tacruc commented 4 years ago

@DidierLmn do you have any news?

DidierLmn commented 4 years ago

I had kinda forgotten about this, but I just checked

$ sudo -u nginx gpg --homedir /storage/nextcloud/.gnupg --list-keys
/storage/nextcloud/.gnupg/pubring.kbx
-------------------------------------
pub   rsa2048 2020-07-13 [SC]
      37A0F70AC7D3DC6A2D7711FC86F1C0B9C9ED7246
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-07-13 [E]

pub   rsa2048 2020-07-13 [SC]
      A306361A8F660342561852570249D1A500A15302
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-07-13 [E]

pub   rsa2048 2020-07-19 [SC]
      DE489480D3A0B8EF28A140F57F3EB139B97AF862
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-07-19 [E]

pub   rsa2048 2020-07-19 [SC]
      09F589DF8750E6AB80B1BE1B9C45D81D6F26D92B
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-07-19 [E]

pub   rsa2048 2020-08-26 [SC]
      EDB4913AD8C7F8FC60A7C535FE072205B0CA41F5
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-26 [E]

pub   rsa2048 2020-08-26 [SC]
      C896F751F576E2EF371B0F2E5EBCD83B9D7F9AD2
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-26 [E]

pub   rsa2048 2020-08-26 [SC]
      B622F9F2F7755ACFA813E1AE9B91E4A620DA8B30
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-26 [E]

pub   rsa2048 2020-08-26 [SC]
      1A7053069E96C6B920A44D808DAA9D7E413431F3
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-26 [E]

pub   rsa2048 2020-08-26 [SC]
      2482EFA0A51A6A7A6499D62F17276BB664381D93
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-26 [E]

pub   rsa2048 2020-08-26 [SC]
      CC911C3A031AB34332F18F399CEDAF67F1AE3364
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-26 [E]

pub   rsa2048 2020-08-27 [SC]
      98BC39663914238FAE91AAB196472659B569A276
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-27 [E]

pub   rsa2048 2020-08-27 [SC]
      8955CB1B5524F09DAD901D4E5A0580578DDF1A48
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-27 [E]

pub   rsa2048 2020-08-27 [SC]
      E320021742B983998943192ECFD70B313D5D57AE
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-27 [E]

pub   rsa2048 2020-08-27 [SC]
      5E85433FE6A92059856CFFB0D8FE2478E5C6EDF7
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-27 [E]

pub   rsa2048 2020-08-27 [SC]
      E401DAA67D0CA25B1D6CC82672AF05C0E14E4393
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-27 [E]

pub   rsa2048 2020-08-27 [SC]
      164F9612497981F1C3A7B178D48E8768CDBDB83A
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-27 [E]

pub   rsa2048 2020-08-27 [SC]
      01C123F6A3BE9E2B26894A4E63EFEA2FD086AA0F
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-27 [E]

pub   rsa2048 2020-08-27 [SC]
      EE16AEE5E344C589628EE10AAF24D0141AF90A8B
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-27 [E]

pub   rsa2048 2020-08-27 [SC]
      E87A662D4B7449A43D66AC28CE2043CDC2AE3BA8
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-27 [E]

pub   rsa2048 2020-08-27 [SC]
      B35ADA5BD8A700DA78E628069064FDC4DF26F4C6
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-27 [E]

pub   rsa2048 2020-08-27 [SC]
      E355D203A9B6BCD599E0A32B3B436C874502AC21
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-27 [E]

pub   rsa2048 2020-08-27 [SC]
      B0C13CDFCB2371DAE499F8D6436B48D8A3CC6A8F
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-27 [E]

pub   rsa2048 2020-08-27 [SC]
      EE172C97F3A5D2C13A8A7AA22E8117D983833504
uid           [ultimate] Nextcloud (a safe home for all your data) <noreply@xxx>
sub   rsa2048 2020-08-27 [E]

So just using the CLI a bunch of keys are indeed found, that are made by your app.

Executing the following

<?php
putenv('GNUPGHOME=/storage/nextcloud/.gnupg');
error_reporting(E_ALL);
$gpg = new gnupg();
$gpg->seterrormode(gnupg::ERROR_EXCEPTION);
$keydata = file_get_contents('/storage/nextcloud/.gnupg/private-keys-v1.d/00EFC8EC9490D61621BE031870F5AFD9D47C14EE.key');
$info = $gpg->import($keydata);
var_dump($info);
var_dump($gpg->keyinfo(""));
var_dump($gpg->keyinfo('EE172C97F3A5D2C13A8A7AA22E8117D983833504'));
var_dump( $gpg->geterror());

putenv('GNUPGHOME=/storage/nextcloud/.gnupg');
error_reporting(E_ALL);
$res = gnupg_init();
gnupg_seterrormode($res,GNUPG_ERROR_WARNING);
$info = gnupg_keyinfo($res, 'EE172C97F3A5D2C13A8A7AA22E8117D983833504');
var_dump($info);

$export = gnupg_export($res, 'EE172C97F3A5D2C13A8A7AA22E8117D983833504');
var_dump($export);

?>

Gives

$ sudo -u nginx php -f ./test.php

bool(false)
array(0) {
}
array(0) {
}
bool(false)
array(0) {
}
bool(false)

I have no clue as to what else I can try.
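A diagnostic for the situation described in this comment, added here and not part of the project or the thread: it lists the fingerprints the gpg CLI and the PHP gnupg extension each see in the same GNUPGHOME, alongside who owns the directory and which user the PHP process runs as, so the mismatch shows up in a single run instead of across several log entries. The function names `cliFingerprints`, `extFingerprints` and `compareKeyrings` are assumptions; the gnupg and posix extensions and gpg on PATH are assumed to be present.

```php
<?php
// Added diagnostic, not gpgmailer's code. Assumed names: cliFingerprints(),
// extFingerprints(), compareKeyrings(). Requires the gnupg and posix extensions.

function cliFingerprints(string $homeDir): array
{
    // --with-colons gives a machine-readable listing; "fpr" records carry the
    // fingerprint in field 10 (index 9), for primary keys and subkeys alike.
    $out = [];
    exec('gpg --homedir ' . escapeshellarg($homeDir) . ' --batch --with-colons --list-keys 2>&1', $out, $rc);
    $fprs = [];
    foreach ($out as $line) {
        $f = explode(':', $line);
        if ($f[0] === 'fpr' && isset($f[9]) && $f[9] !== '') {
            $fprs[] = $f[9];
        }
    }
    return [$rc, $fprs];
}

function extFingerprints(string $homeDir): array
{
    putenv('GNUPGHOME=' . $homeDir);   // gpgme reads this when the context is created
    $gpg = new gnupg();
    $gpg->seterrormode(gnupg::ERROR_WARNING);
    $fprs = [];
    foreach ((array) $gpg->keyinfo('') as $key) {   // '' matches every key in the keyring
        foreach ($key['subkeys'] as $sub) {
            $fprs[] = $sub['fingerprint'];
        }
    }
    return [$gpg->geterror(), $fprs];
}

function compareKeyrings(string $homeDir): array
{
    [$rc, $cli]  = cliFingerprints($homeDir);
    [$err, $ext] = extFingerprints($homeDir);
    return [
        'home'         => $homeDir,
        'home_owner'   => posix_getpwuid(fileowner($homeDir))['name'] ?? '?',
        'home_mode'    => substr(sprintf('%o', fileperms($homeDir)), -4),
        'process_user' => posix_getpwuid(posix_geteuid())['name'] ?? '?',
        'cli_exit'     => $rc,
        'cli_count'    => count($cli),
        'ext_error'    => $err,
        'ext_count'    => count($ext),
        'only_in_cli'  => array_values(array_diff($cli, $ext)),
        'only_in_ext'  => array_values(array_diff($ext, $cli)),
    ];
}

// Constructed sample invocation; the path is the one used in this thread.
$report = compareKeyrings($argv[1] ?? '/storage/nextcloud/.gnupg');
print_r($report);
if ($report['cli_count'] > 0 && $report['ext_count'] === 0) {
    fwrite(STDERR, "the extension sees none of the keys the CLI lists: check the home owner vs. process user above, "
        . "and which gpg binary gpgme resolves (gpgconf --list-components)\n");
    exit(1);
}
```

Run it as the same user PHP-FPM uses (`sudo -u nginx php -f diag.php /storage/nextcloud/.gnupg`); a non-empty `only_in_cli` with an empty `ext_count` means the two are not reading the same keyring or the same gpg installation, which is the condition the thread's `keyinfo('')` result points at.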

tacruc commented 4 years ago

Which version of php gnupg are you using? I'm sorry, but I don't have a clue what is going on. Maybe you can also try to change the working dir with chdir. But I'm just guessing.