Android App Something went wrong

Checklist
[X ] I have read intro post: About the Installation Issues category
[X ] I have read the tutorials, help and searched for similar issues
[X ] I provide relevant information about my server (component names and versions, etc.)

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
passbolt-pro-server/buster,now 3.3.1-1 all [installiert]

[X ] I provide a copy of my logs and healthcheck
Healthcheck is complete green except:

  • Could not connect to passbolt repository to check versions It is not possible check if your version is up to date. → Actually it can connect; I upgraded the server from 3.3.0 to 3.3.1.
  • In the error and cli log there is nothing for the last 2 weeks.

[ X] I describe the steps I have taken to trouble shoot the problem

I installed the Passbolt Android app (I think released today). So the correct one, with the Passbolt logo, from “Passbolt SA”. I clicked on my profile, mobile setup, and scanned the code. Then, during the scan, the app says “something went wrong”. On the Passbolt webapp nothing happens.

[ X] I describe the steps on how to reproduce the issue

Just install the app and do the scan procedure

We tested it with 2 more android smartphones in the company same issue.

Greetings Epytir

Hi @epytir :wave: and welcome to Passbolt community forum :handshake:

From your android devices, are you able to reach your Passbolt instance from a web browser ? Is your Passbolt server using a self-signed certificate ?

Thanks and regards,

Hi @_jc
From your android devices, are you able to reach your Passbolt instance from a web browser ?

Yes this is working

Is your Passbolt server using a self-signed certificate ?

Yes, it is self-signed. Do we need a “real” certificate to use this feature?

In our company we are not allowed to publish this server externally, so we only have access over VPN or in the office. That's why we don't have a real certificate.

Thanks for your quick response

I tested it with our reverse proxy (that has a real certificate) and it is working. So it's only a self-signed problem.

Is an offline cache version planned? (when you have no connection to the server)

Thanks for your answers :+1:

It is currently not possible to use the mobile application with a self-certificate, we are currently working on it and will publish a fix as soon as possible.

The application is an online application. It is not planned to add an offline cache for now.

Best regards,

1 Like

Thanks. Because it is online-only at the moment, getting a real cert (for example Let’s Encrypt) is not that hard, but if several users have this issue I understand that Passbolt wants to fix that.

Have a nice weekend.

Greetings Epytir

Hello,

We are having the same issue in our company - our passbolt instance is intended to be accessed only in LAN or via VPN - so just like in Epytir’s case, we also use a self-signed certificate.

Is there any ETA on the release of fix to use the self signed certs? (if no ETA then could you notify us in this thread or via other channel once it’s released?)

Best regards,
Matt

Hi @Mateusz,

Just to be sure, can you reach your Passbolt instance from a web browser on your Android device ?

We will keep you informed when a fix is published. It was done for iOS yesterday. Android is on the way.

Best,

Thanks for the answer. Yes, I can access passbolt in the browser without any issues (after accepting the self-signed certificate warning).

Regards,
Matt

Hi @Mateusz

OK, we will need to release a new version, because I can scan QR codes with a self-signed cert if I add the CA certificate in the phone with the latest develop apk.
In order to avoid waiting twice for the Google Play store approval, we will finish tomorrow the validation of the Edit Create Delete.
So most likely by the end of the week you will have the possibility to use the app with a self-signed certificate and fully CreateReadUpdateDelete passwords :wink:
Thanks for your help debugging the apps, guys, you are amazing :star_struck:

2 Likes

Thanks for the info, I will try to figure out more!

Hello @_jc ,

Just to be sure I have not missed something: the Android fix for having the mobile app trust a self-signed CA certificate correctly installed in the smartphone store is still not included in 3.5?

Hi @farfade ,

You can use a self signed certificate. You just have to ensure the certificate is correctly generated with a subjectaltname.

You will find an example of the correct openssl command to generate key and cert in our documentation : Passbolt Help | Manual HTTPS configuration on Debian and Ubuntu with user provided certificates

Once the key and cert configured in your web server, you just have to import the generated cert with subjectaltname in your phone, following this other documentation : Passbolt Help | How to import SSL certificate on mobile application

Let me know if you encounter issues.

Best,

Argh @_jc , so I fear it is a concern about wildcard :frowning:

My cert is configured for *.www.MYDOMAIN

including subjectAltName = DNS:*.www.MYDOMAIN

Accessing passbolt by (Android, Windows, Linux) firefox works like a charm, but with the passbolt app it ends with “Something went wrong”.

Do you specifically refuse to support wildcard certs ? Or do I have to continue to investigate what’s wrong with mine ?

Is there a way to get a more precise error behind the “Something went wrong” message of the Android app ?

I had the same troubles with my wildcard cert, but it turns out this app needs an SSL anchor. The browser works without any error for me, but the app does not. I have to add SSLCACertificatefile to my Apache conf. This has nothing to do with wildcard certs. I tried to get FQDN certs from Let’s Encrypt and I have to add SSLCACertificatefile too.

1 Like

Hum; after one good night, I tried again today and it now works without any change :slight_smile:

Let’s enjoy now :sunglasses:

1 Like

Hi @tlamik,

We have a section in our Passbolt Help | Troubleshoot SSL called Self-hosted private certificate chain study.
Even if this section is focused on self-signed certificates, it also applies to certificates delivered by public authorities, as it explains the role of each chain of trust. To be fully valid, the full certificate chain must be present in the web server configuration. If you forget to configure the intermediate certificate, your passbolt server can be marked as non-secure with some browsers or OS, but not all.

I remember a website I configured some years ago. It was working well on Chrome on my Debian but was flagged as non-secure on Firefox because of missing intermediate certificates.

You will find in our Passbolt Help | Troubleshoot SSL documentation online tools to check that.

With Apache server, there is a SSLCACertificatefile directive for intermediate certificates. With nginx, this doesn’t exist and you have to concatenate intermediate and passbolt certificates in one file. << Edit: This is wrong, @see the below answer

Best,

Hi _jc,

Thanks for the reaction to my post. I have to say I am a little confused about all that, cos I am pretty sure that many Certificate Authorities (Let’s Encrypt included) send intermediate certs with the client’s cert in one file named fullchain.cer or fullchain.pem. So I am using only two directives, SSLCertificateFile and SSLCertificateKeyFile, in my Apache conf. And it turns out I was wrong about it all the time.

Thanks

My bad @tlamik,

I confused SSLCACertificateFile with SSLCertificateChainFile, which became obsolete with Apache 2.4.8.

You were right and I struck out what I wrote.

Sorry for the confusion.

I made some tests using https://www.ssllabs.com/ and I think you were right :slight_smile:
SSLCACertificateChainFile is obsolete for sure, that’s true.
But when I checked my server using ssllabs.com with only two SSL directives (SSLCertificateFile and SSLCertificateKeyFile) I got a B rating because of missing intermediate certs. When I use all three directives (SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile) I get an A+ rating and all seems perfect. BTW: although SSLCACertificateFile is included in SSLCertificateFile, apparently that is not enough.
So I think you were right in “With Apache server, there is a SSLCACertificatefile directive for intermediate certificates”.
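
The two checks this thread keeps returning to, chain completeness and subjectAltName matching, can be reproduced offline with openssl. The script below is an added example, not part of any post above and not Passbolt's own tooling. It builds a throwaway root, intermediate and leaf, then verifies the leaf the way a strict client holding only the root would. All names, host names and file names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: throwaway root -> intermediate -> leaf PKI (all names constructed).
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.www.example.internal
EOF

# new_key_csr NAME CN: private key plus certificate signing request
new_key_csr() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXTENSIONS: issue NAME.crt from NAME.csr, signed by ISSUER
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -days 30 -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
new_key_csr int "Example Intermediate CA"; sign int root v3_ca
new_key_csr leaf "passbolt.www.example.internal"; sign leaf int v3_leaf

# verdict [verify options...] CERT: the client trusts only root.crt;
# -untrusted stands for the extra certificates the server sends along.
verdict() {
  if openssl verify -CAfile root.crt "$@" >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}

echo "leaf sent alone:            $(verdict leaf.crt)"
echo "leaf + intermediate:        $(verdict -untrusted int.crt leaf.crt)"
echo "passbolt.www.example.internal: $(verdict -untrusted int.crt \
  -verify_hostname passbolt.www.example.internal leaf.crt)"
echo "www.example.internal:       $(verdict -untrusted int.crt \
  -verify_hostname www.example.internal leaf.crt)"
```

The wildcard entry covers exactly one extra label, so the bare `www.example.internal` is rejected even though the chain itself is complete.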