Checklist
[ ] I have read intro post: About the Installation Issues category
[ ] I have read the tutorials, help and searched for similar issues
[ ] I provide relevant information about my server (component names and versions, etc.)
[ ] I provide a copy of my logs and healthcheck
[ ] I describe the steps I have taken to troubleshoot the problem
[ ] I describe the steps on how to reproduce the issue
Dear Passbolt Team,
I changed the certificate (from self-signed to wildcard), modified the config files in /etc/nginx/conf.d and changed fullBaseURL in /var/www/passbolt/config/passbolt.php.
If I access the new URL I have to recover my account. When Passbolt sends me the recovery email I get the error “500 An Internal Error Has Occurred”.
The error seemed strange to me, since I only changed the certificate, so I googled a bit but didn't find anything helpful.
Healthcheck told me that the certificates aren't correct (which could be a false positive), that the jwt directory is writable and that a JWT key is missing.
Since I had created a snapshot, I reset the VM back to the point where everything worked and can use Passbolt again. I tried to recover my account in another browser, got the link from our server, and the same error occurred.
Healthcheck: the same.
____ __ ____
/ __ \____ _____ ____/ /_ ____ / / /_
/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
/_/ \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
-------------------------------------------------------------------------------
Healthcheck shell
-------------------------------------------------------------------------------
Environment
[PASS] PHP version 7.4.24.
[PASS] PCRE compiled with unicode support.
[FAIL] The temporary directory and its content are not writable, or are executable.
[HELP] Ensure the temporary directory and its content are writable by the webserver user.
[HELP] you can try:
[HELP] sudo chown -R www-data:www-data /var/www/passbolt/tmp/
[HELP] sudo chmod -R 775 $(find /var/www/passbolt/tmp/ -type d)
[HELP] sudo chmod -R 664 $(find /var/www/passbolt/tmp/ -type f)
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.
Config files
[PASS] The application config file is present
[PASS] The passbolt config file is present
Core config
[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://SERVERNAME
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate
Database
[PASS] The application is able to connect to the database
[PASS] 37 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
[PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
Application configuration
[PASS] Using latest passbolt version (3.5.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.
JWT Authentication
[PASS] The JWT Authentication plugin is enabled
[FAIL] The /var/www/passbolt/config/jwt/ directory should not be writable.
[HELP] You can try:
[HELP] sudo chown -R www-data:www-data /var/www/passbolt/config/jwt/
[HELP] sudo chmod 550 /var/www/passbolt/config/jwt/
[HELP] sudo chmod 440 $(find /var/www/passbolt/config/jwt/ -type f)
[FAIL] A valid JWT key pair is missing
[HELP] Run the create JWT keys script to create a valid JWT secret and public key pair:
[HELP] sudo su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt create_jwt_keys" www-data
[FAIL] 5 error(s) found. Hang in there!
I looked up the error.log and this error keeps repeating:
2022-02-15 12:22:33 Error: Fatal Error (1): Trait 'App\Controller\Setup\SetupControllerTrait' not found in [/var/www/passbolt/src/Controller/Setup/RecoverStartController.php, line 30]
2022-02-15 12:22:33 Error: [Cake\Error\FatalErrorException] Trait 'App\Controller\Setup\SetupControllerTrait' not found in /var/www/passbolt/src/Controller/Setup/RecoverStartController.php on line 30
Request URL: /setup/recover/7ec16c1b-a653-469c-9eac-c6cfc371e27f/57c484f8-d162-4a0e-b914-67742d741e85
And now I have no idea what I could do.
Any ideas? We updated the server maybe a month ago; could this be part of the problem? How can I fix this?
Hi @hen, using the healthcheck, the next step is to follow the lines that say HELP after lines that say FAIL. Right at the top of the output is a mention of the temp folder not being configured right, so those following HELP lines can guide you regarding folder permissions.
Try to work through those and resolve the FAILs and that should help with overall functionality and troubleshooting if you still have problems.
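To make the two filesystem rules behind those FAIL/HELP lines concrete, here is an added example (not passbolt's own healthcheck code) that expresses them as shell functions over any path and applies the chmod half of the HELP commands; the constructed tree under mktemp stands in for /var/www/passbolt, and the jwt file names in it are placeholders.

```shell
#!/bin/sh
# Added example, not passbolt's own healthcheck code: the two filesystem
# rules behind the FAIL/HELP lines above (tmp/ writable but not executable,
# config/jwt/ not writable at all) as functions over an arbitrary path,
# plus the chmod half of the HELP commands. Permission bits are read with
# find -perm, so the verdict is the same whether run as root or www-data.

# 0 if no directory or regular file under $1 carries a write bit for anyone
# (the state chmod 550 on the jwt directory and 440 on its files produces).
jwt_dir_is_locked_down() {
    [ -d "$1" ] || return 1
    hit=$(find "$1" \( -type d -o -type f \) \
          \( -perm -0200 -o -perm -0020 -o -perm -0002 \) | head -n 1)
    [ -z "$hit" ]
}

# 0 if every directory and file under $1 is owner-writable and no regular
# file has an execute bit (the state chmod 775 / 664 on tmp/ produces).
tmp_dir_is_sane() {
    [ -d "$1" ] || return 1
    ro=$(find "$1" \( -type d -o -type f \) ! -perm -0200 | head -n 1)
    ex=$(find "$1" -type f \
         \( -perm -0100 -o -perm -0010 -o -perm -0001 \) | head -n 1)
    [ -z "$ro" ] && [ -z "$ex" ]
}

# The chmod commands from the HELP lines. The chown step is left to the
# operator: it needs root and the real webserver user.
fix_jwt_dir() {
    find "$1" -type f -exec chmod 440 {} +
    find "$1" -type d -exec chmod 550 {} +
}
fix_tmp_dir() {
    find "$1" -type d -exec chmod 775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Constructed stand-in for /var/www/passbolt in the broken state the first
# healthcheck reports: world-writable jwt directory, executable file in tmp/.
make_broken_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/config/jwt" "$root/tmp/cache/models"
    : > "$root/config/jwt/jwt.key"        # file names are placeholders
    : > "$root/config/jwt/jwt.pem"
    : > "$root/tmp/cache/models/stale"
    chmod 777 "$root/config/jwt" && chmod 666 "$root/config/jwt"/*
    chmod 755 "$root/tmp/cache/models/stale"
    printf '%s\n' "$root"
}

# Print one line in the healthcheck's own [PASS]/[FAIL] style.
report() {
    if "$1" "$2"; then echo "[PASS] $3"; else echo "[FAIL] $3"; fi
}

root=$(make_broken_tree)
report jwt_dir_is_locked_down "$root/config/jwt" "config/jwt/ is not writable"
report tmp_dir_is_sane "$root/tmp" "tmp/ is writable and not executable"
fix_jwt_dir "$root/config/jwt"
fix_tmp_dir "$root/tmp"
report jwt_dir_is_locked_down "$root/config/jwt" "config/jwt/ is not writable"
report tmp_dir_is_sane "$root/tmp" "tmp/ is writable and not executable"
chmod -R u+w "$root" && rm -rf "$root"
```

Running it prints the two FAIL lines first and the two PASS lines after the fix; point the functions at the real directories to re-check a server after applying the HELP commands.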
It seems you have rights problems with your passbolt temporary folder. You should execute the commands written below the error to fix rights / ownership.
And also with JWT authentication:
You should never run ./bin/cake commands as the root user, but as the web server user of your server, I guess www-data for you.
Once your file rights are fixed, you should execute and send us the output of these commands:
-------------------------------------------------------------------------------
Healthcheck shell
-------------------------------------------------------------------------------
Environment
[PASS] PHP version 7.4.24.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.
Config files
[PASS] The application config file is present
[PASS] The passbolt config file is present
Core config
[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://SERVERNAME
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate
Database
[PASS] The application is able to connect to the database
[PASS] 37 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
[PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
Application configuration
[PASS] Using latest passbolt version (3.5.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.
JWT Authentication
[PASS] The JWT Authentication plugin is enabled
[PASS] The /var/www/passbolt/config/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found
[FAIL] 2 error(s) found. Hang in there!
-------------------------------------------------------------------------------
Data check shell
[PASS] Data integrity for AuthenticationTokens.
[PASS] Can validate: 1378/1378
[PASS] Data integrity for Comments.
[PASS] Can validate: 0/0
[PASS] Data integrity for Favorites.
[PASS] Can validate: 0/0
[PASS] Data integrity for Gpgkeys.
[PASS] Can encrypt: 7/7
[PASS] Can validate: 7/7
[PASS] Data integrity for Groups.
[PASS] Can validate: 12/12
[PASS] Data integrity for Profiles.
[PASS] Can validate: 8/8
[PASS] Data integrity for Resources.
[PASS] Can validate: 616/616
[PASS] Data integrity for Secrets.
[PASS] Can validate: 2864/2864
[PASS] Data integrity for Users.
[PASS] Can validate: 8/8
In the healthcheck it's still the certificate, but it is valid; I can access the URL without a problem. I access the URL and can get an email for recovery. The link in the mail doesn't work and I get the error “An Internal Error has Occurred Error 500”. It's self-signed - that shouldn't be a problem? I will exchange the self-signed certificate for a wildcard anyway (after the problem is solved).
What does the “cleanup” error mean?
Okay, so I migrated from the install scripts to the Ubuntu package and the server is back online, but if I try to log in I have to verify the server key and can continue to log in. But after the password I get the message:
Sorry, you have not been signed in.
Something went wrong, the sign in failed with the following error:
The authentication failed.
I ran a healthcheck and get an error in the GPG config:
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt//gpg/serverkey_private.asc" www-data
[PASS] There is a valid email id defined for the server key.
To fix this I used: sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
But still the authentication error. I cleared the cache. I logged out and tried to recover my account. When I upload my private key I get the message: “This key does not match any account.”
sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt datacheck --hide-success-details"
-------------------------------------------------------------------------------
Data check shell
[PASS] Data integrity for AuthenticationTokens.
[PASS] Can validate: 1391/1391
[PASS] Data integrity for Comments.
[PASS] Can validate: 0/0
[PASS] Data integrity for Favorites.
[PASS] Can validate: 0/0
[PASS] Data integrity for Gpgkeys.
[PASS] Can encrypt: 7/7
[PASS] Can validate: 7/7
[PASS] Is not expired: 7/7
[PASS] Is armored key format valid: 7/7
[PASS] Is email unique: 7/7
[PASS] Data integrity for Groups.
[PASS] Can validate: 12/12
[PASS] Data integrity for Profiles.
[PASS] Can validate: 8/8
[PASS] Data integrity for Resources.
[PASS] Can validate: 616/616
[PASS] Data integrity for Secrets.
[PASS] Can validate: 2864/2864
[PASS] Data integrity for Users.
[PASS] Can validate: 8/8
I checked the permissions in the keyring with
sudo -H -u www-data bash -c "ls -la /var/lib/passbolt/.gnupg"
total 52
drwx------ 3 www-data www-data 4096 Feb 19 20:20 .
drwxr-xr-x 4 www-data www-data 4096 Feb 19 19:47 ..
drwx------ 2 www-data www-data 4096 Feb 19 20:05 private-keys-v1.d
-rw-rw-r-- 1 www-data www-data 13719 Feb 19 20:10 pubring.kbx
-rw-rw-r-- 1 www-data www-data 12328 Feb 19 20:10 pubring.kbx~
-rw------- 1 www-data www-data 600 Feb 19 20:20 random_seed
srwx------ 1 www-data www-data 0 Feb 19 19:55 S.gpg-agent
srwx------ 1 www-data www-data 0 Feb 19 19:55 S.gpg-agent.browser
srwx------ 1 www-data www-data 0 Feb 19 19:55 S.gpg-agent.extra
srwx------ 1 www-data www-data 0 Feb 19 19:55 S.gpg-agent.ssh
-rw------- 1 www-data www-data 1200 Feb 19 19:55 trustdb.gpg
sudo -H -u www-data bash -c "gpg --list-keys --home=/var/lib/passbolt/.gnupg"
/var/lib/passbolt/.gnupg/pubring.kbx
pub rsa4096 2018-03-26 [SC]
changed
uid [ unknown] Passbolt License (Passbolt License) <license@passbolt.com>
sub rsa4096 2018-03-26 [E]
pub rsa2048 2020-12-22 [SC]
changed
uid [ unknown] changed <passbolt@changed>
sub rsa2048 2020-12-22 [E]
**and all other users are listed**
/etc/passbolt$ sudo su -s /bin/bash -c "gpg --list-secret-keys" www-data
gpg: WARNING: unsafe permissions on homedir '/home/www-data/.gnupg'
/home/www-data/.gnupg/pubring.kbx
---------------------------------
sec rsa2048 2020-12-22 [SC]
**changed: is the same as seen on the loginscreen and old server**
uid [ unknown] office-passbolt01 <passbolt@changed>
ssb rsa2048 2020-12-22 [E]
@hen Yes, but on the other homedir like in the previous command you were showing. sudo -H -u www-data bash -c "gpg --list-keys --home=/var/lib/passbolt/.gnupg"
A GPG authentication error can also occur if your server is not well synchronized with a time server (NTP).
You can check if systemd-timesyncd is running:
sudo systemctl status systemd-timesyncd.service
● systemd-timesyncd.service - Network Time Synchronization
Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2022-02-21 08:10:59 UTC; 4s ago
Docs: man:systemd-timesyncd.service(8)
Main PID: 1483 (systemd-timesyn)
Status: "Initial synchronization to time server 91.189.89.198:123 (ntp.ubuntu.com)."
Tasks: 2 (limit: 1071)
Memory: 1.3M
CGroup: /system.slice/systemd-timesyncd.service
└─1483 /lib/systemd/systemd-timesyncd
Feb 21 08:10:59 ubuntu2004 systemd[1]: Starting Network Time Synchronization...
Feb 21 08:10:59 ubuntu2004 systemd[1]: Started Network Time Synchronization.
Feb 21 08:11:00 ubuntu2004 systemd-timesyncd[1483]: Initial synchronization to time server 91.189.89.198:123 (ntp.ubuntu.com).
If you execute the date command, it must return the same date and time as the https://time.is website.
Healthcheck seems fine; the SSL error shouldn't be the problem?:
sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"
[sudo] password for :
-------------------------------------------------------------------------------
Healthcheck shell
-------------------------------------------------------------------------------
Environment
[PASS] PHP version 7.4.24.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.
Config files
[PASS] The application config file is present
[PASS] The passbolt config file is present
Core config
[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://server
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate
Database
[PASS] The application is able to connect to the database
[PASS] 37 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.
Application configuration
[PASS] Using latest passbolt version (3.5.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.
JWT Authentication
[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found
[FAIL] 2 error(s) found. Hang in there!
The wrong timezone was set; I changed it and rebooted the server. Output from the time service now:
sudo systemctl status systemd-timesyncd.service
● systemd-timesyncd.service - Network Time Synchronization
Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2022-02-21 09:51:15 CET; 2min 33s ago
Docs: man:systemd-timesyncd.service(8)
Main PID: 676 (systemd-timesyn)
Status: "Initial synchronization to time server 91.189.94.4:123 (ntp.ubuntu.com)."
Tasks: 2 (limit: 2178)
Memory: 1.8M
CGroup: /system.slice/systemd-timesyncd.service
└─676 /lib/systemd/systemd-timesyncd
Feb 21 09:51:15 office-passbolt01 systemd[1]: Starting Network Time Synchronization...
Feb 21 09:51:15 office-passbolt01 systemd[1]: Started Network Time Synchronization.
Feb 21 09:51:18 office-passbolt01 systemd-timesyncd[676]: Network configuration changed, trying to establish connection.
Feb 21 09:51:20 office-passbolt01 systemd-timesyncd[676]: Network configuration changed, trying to establish connection.
Feb 21 09:51:50 office-passbolt01 systemd-timesyncd[676]: Initial synchronization to time server 91.189.94.4:123 (ntp.ubuntu.com).
No, the SSL error shouldn't be the problem. Do you still have this issue while trying to connect?
If yes, it seems your private key is not the right one. You can check your private key by uploading it to your passbolt server, or any Linux / macOS machine. I assume it is named “passbolt_private.asc”.
$ gpg --show-keys passbolt_private.asc
sec# rsa2048 2021-08-16 [SC]
FD2CBE35090BBE2B5066EEA7ADBE777C62E90E6A
uid John Doe <john@doe.com>
ssb# rsa2048 2021-08-16 [E]
You should see your name and email address. And you should find the displayed fingerprint in the passbolt OpenPGP keyring:
And if you execute this request in mysql, do you get results ?
SELECT * FROM gpgkeys WHERE fingerprint = "your-key-fingerprint" \G
If yes, you should be able to connect.
If you are still not able to, which error message is displayed? Do you have any other error messages in /var/log/passbolt/error.log? Maybe you should check if the date and time on your workstation are correct too.
You can touch error.log in the /var/log/passbolt directory and make sure it’s owned by webserver user.
FYI this error is common and expected:
Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /usr/share/php/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
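The fingerprint check described in the reply above (does the uploaded key's fingerprint exist in the server keyring?) can be scripted over gpg's machine-readable --with-colons listing; this is an added example, not the reply's own commands, and the colon-format listings embedded below are constructed and abbreviated (the key data is the John Doe sample from the reply).

```shell
#!/bin/sh
# Added example, not from the reply above: the fingerprint check it describes
# scripted over gpg's machine-readable --with-colons listing, where an "fpr"
# record carries the fingerprint in field 10. Each function reads a listing
# on stdin, so in real use it is fed by gpg:
#   gpg --show-keys --with-colons passbolt_private.asc | primary_fingerprint
#   gpg --list-keys --with-colons --homedir /var/lib/passbolt/.gnupg \
#       | keyring_has_primary "$fpr"

# Print the fingerprint of the first primary key: the fpr record that follows
# a pub/sec record, skipping the ones that follow sub/ssb (subkeys).
primary_fingerprint() {
    awk -F: '
        $1 == "pub" || $1 == "sec" { primary = 1; next }
        $1 == "sub" || $1 == "ssb" { primary = 0; next }
        primary && $1 == "fpr"     { print $10; exit }'
}

# Exit 0 if some primary key in the listing on stdin has fingerprint $1
# (compared case-insensitively, with spaces stripped).
keyring_has_primary() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" || $1 == "sec" { primary = 1; next }
        $1 == "sub" || $1 == "ssb" { primary = 0; next }
        primary && $1 == "fpr" && toupper($10) == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# The MySQL lookup from the reply, with the fingerprint filled in.
gpgkeys_query() {
    printf 'SELECT * FROM gpgkeys WHERE fingerprint = "%s" \\G\n' "$1"
}

# Constructed sample listings (abbreviated records; only the fields used here
# are meaningful): the key shown in the reply, and a keyring that holds it as
# a primary key next to an unrelated one.
SAMPLE_KEY='sec:-:2048:1:ADBE777C62E90E6A:1629072000:::::::::::
fpr:::::::::FD2CBE35090BBE2B5066EEA7ADBE777C62E90E6A:
uid:-::::::::John Doe <john@doe.com>:
ssb:-:2048:1:0000000000000000:1629072000:::::::::::
fpr:::::::::0000000000000000000000000000000000000000:'
SAMPLE_KEYRING='pub:-:2048:1:1111111111111111:1608595200:::::::::::
fpr:::::::::1111111111111111111111111111111111111111:
uid:-::::::::Server Key <passbolt@example.invalid>:
pub:-:2048:1:ADBE777C62E90E6A:1629072000:::::::::::
fpr:::::::::FD2CBE35090BBE2B5066EEA7ADBE777C62E90E6A:
uid:-::::::::John Doe <john@doe.com>:'

fpr=$(printf '%s\n' "$SAMPLE_KEY" | primary_fingerprint)
echo "key fingerprint: $fpr"
if printf '%s\n' "$SAMPLE_KEYRING" | keyring_has_primary "$fpr"; then
    echo "present in the keyring; now check the database:"
    gpgkeys_query "$fpr"
else
    echo "not in the keyring: the uploaded key is probably not the right one"
fi
```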