Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
Healthcheck is completely green except:
Could not connect to passbolt repository to check versions It is not possible check if your version is up to date. → Actually it can connect; I upgraded the server from 3.3.0 to 3.3.1.
In the error and CLI logs there is nothing for the last 2 weeks.
[x] I describe the steps I have taken to troubleshoot the problem
I installed the Passbolt Android app (I think released today). So the correct one with the Passbolt logo from “Passbolt SA”. I clicked on my profile, mobile setup, and scanned the code. Then during the scan the app says “something went wrong”. On the Passbolt web app nothing happens.
[x] I describe the steps on how to reproduce the issue
Just install the app and do the scan procedure.
We tested it with 2 more Android smartphones in the company: same issue.
Hi @AnatomicJC
From your Android devices, are you able to reach your Passbolt instance from a web browser?
Yes, this is working.
Is your Passbolt server using a self-signed certificate?
Yes, it is self-signed. Do we need a “real” certificate to use this feature?
In our company we are not allowed to publish this server externally, so we only have access over VPN or in the office. That's why we don't have a real certificate.
It is currently not possible to use the mobile application with a self-signed certificate; we are currently working on it and will publish a fix as soon as possible.
The application is an online application. It is not planned to add an offline cache for now.
Thanks. Because it is online only at the moment, getting a real cert (for example Let’s Encrypt) is not that hard, but if several users have this issue I understand that Passbolt wants to fix that.
We are having the same issue in our company. Our passbolt instance is intended to be accessed only in LAN or via VPN, so just like in Epytir’s case, we also use a self-signed certificate.
Is there any ETA on the release of the fix to use self-signed certs? (If no ETA, then could you notify us in this thread or via another channel once it’s released?)
Ok, we will need to release a new version, because I can scan QR codes with a self-signed cert if I add the CA certificate in the phone with the latest develop apk.
In order to avoid waiting two times the Google Play store approval, we will finish tomorrow the validation of the Edit Create Delete.
So most likely by the end of the week you will have the possibility to use the app with a self-signed certificate and fully Create, Read, Update and Delete passwords.
Thx for your help debugging the apps, guys, you are amazing.
Just to be sure I have not missed something: is the Android fix for having the mobile app trust a self-signed CA certificate correctly installed in the smartphone store still not included in 3.5?
I had the same troubles with my wildcard cert, but it turns out this app needs an SSL anchor. The browser works without any error for me, but the app does not. I had to add SSLCACertificateFile to my Apache conf. This has nothing to do with wildcard certs. I tried getting FQDN certs from Let’s Encrypt and I had to add SSLCACertificateFile too.
We have a section in our Passbolt Help | Troubleshoot SSL called Self-hosted private certificate chain study.
Even if this section is focused on self-signed certificates, it also applies to certificates delivered by public authorities, as it explains the role of each link in the chain of trust. To be fully valid, the full certificate chain must be present in the web server configuration. If you forget to configure the intermediate certificate, your passbolt server can be marked as non-secure with some browsers or OSes, but not all.
I remember a website I configured some years ago. It was working well on Chrome on my Debian but was flagged as non-secure on Firefox because of missing intermediate certificates.
With Apache server, there is a SSLCACertificateFile directive for intermediate certificates. With nginx, this doesn’t exist and you have to concatenate intermediate and passbolt certificates in one file. << Edit: This is wrong, @see the below answer
Thanks for the reaction to my post. I have to say I am a little confused about all that, because I am pretty sure that many certificate authorities (Let’s Encrypt included) send intermediate certs with the client’s cert in one file named fullchain.cer or fullchain.pem. So I am using only two directives, SSLCertificateFile and SSLCertificateKeyFile, in my Apache conf. And it turns out I was wrong about it all the time.
I made some tests using https://www.ssllabs.com/ and I think you were right.
SSLCACertificateChainFile is obsolete for sure, that’s true.
But when I checked my server using ssllabs.com with only two SSL directives (SSLCertificateFile and SSLCertificateKeyFile) I got a B rating because of missing intermediate certs. When I use all three directives (SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile) I get an A+ rating and all seems perfect. BTW: although SSLCACertificateFile is included in SSLCertificateFile, apparently that is not enough.
So I think you were right in “With Apache server, there is a SSLCACertificateFile directive for intermediate certificates”.
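
The later posts turn on whether the server sends its intermediate certificate along with its own. As an added example (not from the thread or from Passbolt), this script builds a constructed root, intermediate and leaf with `openssl` and checks a served PEM file the way a client that trusts only the root would. The file names, subject names and the `issue`, `make_demo_pki` and `chain_status` helpers are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. The PKI below is constructed for the demo; all names are hypothetical.

issue() {  # issue <dir> <name> <CN> <issuer name> <extension section>
  openssl req -new -config "$1/ext.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -extfile "$1/ext.cnf" -extensions "$5" -days 2 \
    -out "$1/$2.pem" 2>/dev/null
}

make_demo_pki() {  # writes root.pem, int.pem, leaf.pem and fullchain.pem into <dir>
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config "$1/ext.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Root CA" -days 2 \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  issue "$1" int "Demo Intermediate CA" root ca
  issue "$1" leaf "passbolt.example.internal" int leaf
  # What a fully configured server sends: its own cert, then the intermediate.
  cat "$1/leaf.pem" "$1/int.pem" > "$1/fullchain.pem"
}

chain_status() {  # chain_status <served.pem> <trusted-root.pem>
  # The first cert in <served.pem> is verified; every cert in it is offered as
  # an untrusted helper, which is all a client receives in the TLS handshake.
  if openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1; then
    echo complete
  else
    echo incomplete
  fi
}

work=$(mktemp -d)
make_demo_pki "$work"
echo "leaf only : $(chain_status "$work/leaf.pem" "$work/root.pem")"
echo "full chain: $(chain_status "$work/fullchain.pem" "$work/root.pem")"
```

To see what a live server actually sends, `openssl s_client -connect <host>:443 -showcerts` prints the served chain, which can be saved and passed to `chain_status` together with the root certificate installed on the phone.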