[solved] gpg + otrs

Moderator: crythias

creiss
Znuny newbie
Posts: 5
Joined: 20 May 2015, 12:47
Znuny Version: 4.0.7
Real Name: Christian
Company: alpha-labs.net
Location: Germany

[solved] gpg + otrs

Post by creiss »

Updated: Fixed by updating to 4.0.8 -- or at least the error went away.

Hey folks,

I am going nuts. I have OTRS 4.0.7 installed (from sources, working great) with apache and gnupg2-2.0.14. OTRS itself is running awesome and productive. But for the love of god, somewhere along the way gnupg stopped working (yes, it worked before). I am assuming the issue lies with gpg-agent and/or integration of otrs <-> gnupg <-> gpg-agent.

My installation of otrs runs inside a dedicated backend server, where otrs:otrs is uid/gid which is also the apache user. Permissions are set correctly using otrs.SetPermissions.pl, ~/.gnupg is also otrs:otrs, with no unsafe permissions:

Code:

[otrs@otter .gnupg]$ pwd
/opt/otrs/.gnupg
[otrs@otter .gnupg]$ l
total 76K
drwx------  3 otrs otrs 4.0K May 20 12:56 .
drwxr-xr-x 11 otrs otrs 4.0K May 20 12:20 ..
-rw-------  1 otrs otrs 9.1K Nov 26 12:29 gpg.conf
drwx------  2 otrs otrs 4.0K May 12 14:39 private-keys-v1.d
-rw-------  1 otrs otrs  36K Feb  6 09:29 pubring.gpg
-rw-------  1 otrs otrs  600 May 20 12:20 random_seed
-rw-------  1 otrs otrs 7.8K Nov 26 12:29 secring.gpg
-rw-------  1 otrs otrs 1.5K Nov 26 12:29 trustdb.gpg

I am starting gpg-agent with

Code:

gpg-agent --daemon --batch --use-standard-socket --log-file ~/gpg.log -vvv

which results in

Code:

srwxr-xr-x  1 otrs otrs    0 May 20 12:58 S.gpg-agent

Now an *incoming* encrypted email gets decrypted, outgoing signed, however is sent unsigned and unencrypted. OTRS log:

Code:

May 20 13:02:07 otter OTRS-CGI-53[20119]: [Error][Kernel::System::Crypt::PGP::Sign][Line:229]: Can't sign with Key 9C6B59E1: gpg: problem with the agent: Bad passphrase#012gpg: no default secret key: General error#012gpg: signing failed: General error#012!

Which corresponds to the gpg.log from the gpg-agent:

Code:

2015-05-20 13:02:07 gpg-agent[19620] command get_passphrase failed: Bad passphrase

Now before anyone jumps to any conclusions: I quadruple-checked the key, copy & pasted it around... no dice. It's identical. But doing things on the command line itself even yields no password prompt:

Code:

[otrs@otter .gnupg]$ gpg -d encrypted

You need a passphrase to unlock the secret key for
user: "alpha-labs.net support <support@alpha-labs.net>"
4096-bit RSA key, ID 9C6B59E1, created 2014-06-28 (main key ID C3D31F3F)

gpg-agent[20581]: handler 0x1645410 for fd 6 started
gpg-agent[20581]: starting a new PIN Entry
gpg-agent[20581]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: encrypted with 4096-bit RSA key, ID 9C6B59E1, created 2014-06-28
      "alpha-labs.net support <support@alpha-labs.net>"
gpg: public key decryption failed: General error
gpg: decryption failed: No secret key

So I guess I nailed the problem down to two questions:
  • What's the correct gpg-agent startup command line?
  • What's the correct PGP::Options for SysConfig for PGP?
For the above, mine are:
  • gpg-agent --use-standard-socket -vv --daemon
  • --homedir /opt/otrs/.gnupg --auto-key-locate keyserver --keyserver hkp://sks.alpha-labs.net:11371/ --no-tty
Any help is sooo greatly appreciated :)
Yours,
Last edited by creiss on 24 May 2015, 00:05, edited 1 time in total.
--
Christian.

"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: gpg + otrs

Post by jojo »

OTRS does not use the gpg agent. Did you check the passphrase for the private keys in the sysconfig?
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
creiss
Znuny newbie
Posts: 5
Joined: 20 May 2015, 12:47
Znuny Version: 4.0.7
Real Name: Christian
Company: alpha-labs.net
Location: Germany

Re: gpg + otrs

Post by creiss »

Hey,

Yes, checked that as well, and it fits. If I stop the gpg-agent and try to send an email I get this in the OTRS log:

Code:

May 20 13:22:44 otter OTRS-CGI-53[22872]: [Error][Kernel::System::Crypt::PGP::Sign][Line:229]: Can't sign with Key 9C6B59E1: can't connect to `/opt/otrs/.gnupg/S.gpg-agent': No such file or directory#012Error opening terminal: unknown.#012gpg-agent[22886]: command get_passphrase failed: End of file#012gpg: problem with the agent: End of file#012gpg: Invalid passphrase; please try again ...#012gpg: problem with the agent: Not supported#012gpg: no default secret key: General error#012gpg: signing failed: General error#012
--
Christian.

"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
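
Added example, not part of the thread and not OTRS code: the OTRS syslog entries quoted above pack gpg's multi-line stderr into one line, with each newline escaped by syslog as `#012`. The sketch below unescapes an entry and reports which agent-related failure gpg logged; the rule names and the `triage` helper are hypothetical, and the sample input is the two log lines from the posts.

```python
import re

# Sample input: the two OTRS syslog entries quoted in the thread.
SAMPLE_LOG = [
    "May 20 13:02:07 otter OTRS-CGI-53[20119]: [Error][Kernel::System::Crypt::PGP::Sign][Line:229]: Can't sign with Key 9C6B59E1: gpg: problem with the agent: Bad passphrase#012gpg: no default secret key: General error#012gpg: signing failed: General error#012!",
    "May 20 13:22:44 otter OTRS-CGI-53[22872]: [Error][Kernel::System::Crypt::PGP::Sign][Line:229]: Can't sign with Key 9C6B59E1: can't connect to `/opt/otrs/.gnupg/S.gpg-agent': No such file or directory#012Error opening terminal: unknown.#012gpg-agent[22886]: command get_passphrase failed: End of file#012gpg: problem with the agent: End of file#012gpg: Invalid passphrase; please try again ...#012gpg: problem with the agent: Not supported#012gpg: no default secret key: General error#012gpg: signing failed: General error#012",
]

# Matches the OTRS PGP error prefix and captures module, key ID and gpg output.
ENTRY = re.compile(
    r"\[Error\]\[(?P<module>Kernel::System::Crypt::PGP::\w+)\]\[Line:\d+\]: "
    r"Can't \w+ with Key (?P<key>[0-9A-F]+): (?P<body>.*)$"
)

# Hypothetical rule names; the first rule that matches any message wins.
RULES = [
    ("agent-socket-missing", re.compile(r"can't connect to `[^']*S\.gpg-agent'")),
    ("agent-rejected-passphrase", re.compile(r"problem with the agent: Bad passphrase")),
    ("no-terminal-for-pinentry", re.compile(r"Error opening terminal")),
]


def unescape(text):
    """Undo syslog's #ooo octal escaping of control characters (#012 is LF)."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)


def triage(line):
    """Return module, key ID, cause and gpg messages, or None for other lines."""
    m = ENTRY.search(line)
    if not m:
        return None
    messages = [s.strip() for s in unescape(m["body"]).splitlines() if s.strip()]
    cause = next(
        (name for name, rx in RULES if any(rx.search(s) for s in messages)),
        "unclassified",
    )
    return {"module": m["module"], "key": m["key"], "cause": cause, "messages": messages}


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        result = triage(entry)
        print(result["key"], result["cause"])
        for msg in result["messages"]:
            print("   ", msg)
```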