Server "prerequisites?"


ok. i appreciate the effort but we’re asking for outside help now. i understand there are risks in emails floating around about this but we cannot just idle. we’ve been asking about the same prerequisites for nearly 3 weeks!
- hacker


Hi @hacker

If the above debugging steps don’t work, you can try removing the ~/Persistent/securedrop/.venv/ directory and running the full setup steps again. You should only run the ~/.securedrop-admin setup command from the ~/Persistent/securedrop/ directory as the amnesia user (not as sudo).

If you want to get more output for debugging you can run the command ~/.securedrop-admin -v setup which will give us more output. If you post that to the forum we will be able to assist you further.



is there a simple way to update the ssh keys for the mon. and app. servers? we tor wants to upgrade to 3.3 now.

it doesn’t seem to be making progress so i’m not sure if it has to be done manually again but we still haven’t got the keys working since the last tor upgrade.

we will delete and try to get past this insane pip error today. securedrop is a real hassle.

- hacker


ok we now have new keys. we just followed the “setup ssh keys” steps as this tor [was] is new. it seems to work just the way it did the first time. we’re going to carefully rm the “~/Persistent/securedrop/.venv/” next…

- hacker


dear all,

okay i am getting an error with the fingerprints matching the keyfile. we tried two different keys and importing, making sure there are no spaces? any idea what's going on? can we move on to the install anyway? does it matter if it is or ossec.asc? thanks.
- hacker
log of ./securedrop-admin sdconfig :

amnesia@amnesia:~/Persistent/securedrop$ ./securedrop-admin sdconfig
INFO: Configuring SecureDrop site-specific information
[WARNING]: provided hosts list is empty, only localhost is available

PLAY [Display message about upcoming interactive prompts.] **********************************************************************************************************

TASK [debug] ********************************************************************************************************************************************************
ok: [localhost] => {
“msg”: “You will need to fill out the following prompts in order to configure your SecureDrop instance. After entering all prompts, the variables will be validated and any failures displayed. See the docs for more information

PLAY [Prompt for required site-specific information.] ***************************************************************************************************************

TASK [debug] ********************************************************************************************************************************************************
ok: [localhost] => {
“msg”: “Validating user-entered variables…”

TASK [Create group_vars/all/ directory.] ****************************************************************************************************************************
ok: [localhost]

TASK [Initialize site-specific vars file.] **************************************************************************************************************************
ok: [localhost]

TASK [Save site-specific information as local vars file.] ***********************************************************************************************************
ok: [localhost] => (item={u’var_value’: u’flyko’, u’var_name’: u’ssh_users’})
ok: [localhost] => (item={u’var_value’: u’’, u’var_name’: u’app_ip’})
ok: [localhost] => (item={u’var_value’: u’’, u’var_name’: u’monitor_ip’})
ok: [localhost] => (item={u’var_value’: u’app’, u’var_name’: u’app_hostname’})
ok: [localhost] => (item={u’var_value’: u’mon’, u’var_name’: u’monitor_hostname’})
ok: [localhost] => (item={u’var_value’: u’’, u’var_name’: u’dns_server’})
ok: [localhost] => (item={u’var_value’: u’~/Persistent/securedrop/install_files/ansible-base/2600_securedrop.png’, u’var_name’: u’securedrop_header_image’})
ok: [localhost] => (item={u’var_value’: u’~/Persistent/securedrop/install_files/ansible-base/SecureDrop.asc’, u’var_name’: u’securedrop_app_gpg_public_key’})
ok: [localhost] => (item={u’var_value’: u’FB54F2AAEA028CE55C62AC0A948793E45D5040F8’, u’var_name’: u’securedrop_app_gpg_fingerprint’})
ok: [localhost] => (item={u’var_value’: u’~/Persistent/securedrop/install_files/ansible-base/’, u’var_name’: u’ossec_alert_gpg_public_key’})
ok: [localhost] => (item={u’var_value’: u’3303FC32CB5212C5FD2C9F6ADE0024DE590AAE97’, u’var_name’: u’ossec_gpg_fpr’})
ok: [localhost] => (item={u’var_value’: u’’, u’var_name’: u’ossec_alert_email’})
ok: [localhost] => (item={u’var_value’: u’’, u’var_name’: u’smtp_relay’})
ok: [localhost] => (item={u’var_value’: 25, u’var_name’: u’smtp_relay_port’})
ok: [localhost] => (item={u’var_value’: None, u’var_name’: u’sasl_domain’})
ok: [localhost] => (item={u’var_value’: None, u’var_name’: u’sasl_username’})
ok: [localhost] => (item={u’var_value’: None, u’var_name’: u’sasl_password’})
ok: [localhost] => (item={u’var_value’: False, u’var_name’: u’securedrop_app_https_on_source_interface’})

PLAY [Validate site-specific information.] **************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************
ok: [localhost]

TASK [Include site-specific vars.] **********************************************************************************************************************************
ok: [localhost] => (item=/home/amnesia/Persistent/securedrop/install_files/ansible-base/group_vars/all/site-specific)

TASK [validate : Validate Admin username (specified in vars).] ******************************************************************************************************
ok: [localhost] => (item=amnesia) => {
“changed”: false,
“item”: “amnesia”,
“msg”: “All assertions passed”
ok: [localhost] => (item=root) => {
“changed”: false,
“item”: “root”,
“msg”: “All assertions passed”

TASK [validate : include] *******************************************************************************************************************************************
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/validate/tasks/validate_gpg_info.yml for localhost
included: /home/amnesia/Persistent/securedrop/install_files/ansible-base/roles/validate/tasks/validate_gpg_info.yml for localhost

TASK [validate : Validate GPG fingerprints.] ************************************************************************************************************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”

TASK [validate : Confirm GPG public key files exist locally.] *******************************************************************************************************
ok: [localhost] => {
“changed”: false,
“msg”: “All assertions passed”

TASK [validate : Confirm public key file and fingerprint match.] ****************************************************************************************************
fatal: [localhost]: FAILED! => {“changed”: false, “failed”: true, “rc”: 1, “stderr”: “”, “stdout”: “Creating temporary GPG config dir for testing key import…\nImporting pubkey file from ‘~/Persistent/securedrop/install_files/ansible-base/’…\nFailed! Specified fingerprint does NOT match pubkey file.\nCleaning up temporary GPG config dir…\n”, “stdout_lines”: [“Creating temporary GPG config dir for testing key import…”, “Importing pubkey file from ‘~/Persistent/securedrop/install_files/ansible-base/’…”, “Failed! Specified fingerprint does NOT match pubkey file.”, “Cleaning up temporary GPG config dir…”]}
to retry, use: --limit @/home/amnesia/Persistent/securedrop/install_files/ansible-base/securedrop-configure.retry

PLAY RECAP **********************************************************************************************************************************************************
localhost : ok=12 changed=0 unreachable=0 failed=1

TASK: Save site-specific information as local vars file. ---------------- 1.90s
TASK: Gathering Facts --------------------------------------------------- 0.44s
TASK: Initialize site-specific vars file. ------------------------------- 0.21s
TASK: Create group_vars/all/ directory. --------------------------------- 0.21s
TASK: validate : include ------------------------------------------------ 0.07s
TASK: validate : Confirm public key file and fingerprint match. --------- 0.06s
TASK: validate : Validate Admin username (specified in vars). ----------- 0.05s
TASK: validate : Validate GPG fingerprints. ----------------------------- 0.04s
TASK: Include site-specific vars. --------------------------------------- 0.03s
TASK: debug ------------------------------------------------------------- 0.02s

Playbook finished: Wed Dec 13 02:27:32 2017, 12 total tasks. 0:00:03 elapsed.

Traceback (most recent call last):
File “./securedrop-admin”, line 329, in
File “./securedrop-admin”, line 65, in sdconfig
subprocess.check_call(ansible_cmd, cwd=ANSIBLE_PATH, env=os.environ.copy())
File “/usr/lib/python2.7/”, line 186, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command ‘[‘ansible-playbook’, ‘-i’, ‘/dev/null’, ‘/home/amnesia/Persistent/securedrop/./install_files/ansible-base/securedrop-configure.yml’, ‘–extra-vars’, ‘@/home/amnesia/Persistent/securedrop/./install_files/ansible-base/group_vars/all/site-specific’]’ returned non-zero exit status 2


Hi hacker,

It should not matter what the name is, as long as your configuration in install_files/ansible-base/group_vars/all/site-specific (which is the file populated by securedrop-admin sdconfig) points to the right file, and the key in question has the correct fingerprint.

To make sure you are using the correct fingerprint for each public key, I suggest you gpg import the key(s) in question in your keyring locally, and do gpg --list-keys or gpg --edit-key $KEY_ID and fpr to print the long fingerprint.

This error is raised when the GPG fingerprint does not correspond to the public key you specified. The GPG fingerprint verification is in place to ensure admins can read the alerts and journalists can read the submissions, so I suggest you not skip this step.
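
Added example, not part of the original thread and not SecureDrop's own validation code: a Python 3 sketch of the check described above, importing a public key file into a throwaway GPG home directory and comparing its primary fingerprint with the configured one. The function names and the sample colon listing are constructed for illustration; it assumes the gpg binary is on the PATH.

```python
import os
import re
import subprocess
import tempfile

def normalize_fingerprint(value):
    """Strip whitespace, upper-case, and require a 40-hex-digit fingerprint."""
    fpr = re.sub(r"\s+", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % value)
    return fpr

def primary_fingerprints(colon_output):
    """Return primary-key fingerprints from `gpg --with-colons` output."""
    found, last_key_record = [], None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last_key_record = fields[0]
        elif fields[0] == "fpr" and last_key_record == "pub" and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 holds the fingerprint
    return found

def key_file_matches(pubkey_path, configured_fingerprint):
    """Import pubkey_path into a temporary keyring and compare fingerprints."""
    path = os.path.expanduser(pubkey_path)  # "~" is not expanded by gpg itself
    if not os.path.isfile(path):  # a directory or missing file cannot match
        raise FileNotFoundError("not a key file: %s" % path)
    wanted = normalize_fingerprint(configured_fingerprint)
    with tempfile.TemporaryDirectory() as home:  # created with mode 0700
        base = ["gpg", "--homedir", home, "--batch", "--no-tty"]
        subprocess.run(base + ["--import", path], check=True, capture_output=True)
        listing = subprocess.run(base + ["--with-colons", "--fingerprint"],
                                 check=True, capture_output=True, text=True).stdout
    return wanted in primary_fingerprints(listing)

# Constructed sample listing (not a real key): one primary key and one subkey.
SAMPLE = "\n".join([
    "pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:",
    "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:",
    "uid:-::::1500000000::0000::Constructed Example <admin@example.org>:",
    "sub:-:4096:1:FEDCBA9876543210:1500000000::::::e:",
    "fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:",
])
```

Only the primary key's fingerprint is compared, so a configured value that is a short key ID or a subkey fingerprint is reported as a mismatch or rejected outright.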