Android issue with Let's Encrypt

I have the same issue, could it be related to the use of a letsencrypt certificate?
Use Android 11 on my phone.

Hi @R0N ,

There is no issue with Let’s Encrypt itself, but with the way the Let’s Encrypt certificate is configured. If you check your website with the SSL Checker online tool, do you get a full green status?

Best,

Hi,
Yes, all green.
See no errors in the logs, I am using the 3.5.0-ce Docker image btw.

Hi @R0N ,

Can you share your passbolt mobile app debugging logs? Tap the question mark on the top right to enable / view them. Reproduce your problem then send the logs.

Thanks !

For some reason the log wouldn’t upload to drive, so I made a screenshot.
It seems it’s a certificate problem that it cannot verify the certificate path.
The certificate is valid and ssl tests seem fine.

:thinking:

How do you manage Let’s Encrypt certificates with docker? Can you share your docker configuration, especially how you mount the Let’s Encrypt certificates in the docker container?

Thanks !

Yes, certbot generates the certificates and I mount them in the same volume.

For passbolt I mount them as:
- ./volumes/ssl/certs/xxxxx.xxxxxxx.xx/privkey.pem:/etc/ssl/certs/certificate.key
- ./volumes/ssl/certs/xxxxx.xxxxxxx.xx/cert.pem:/etc/ssl/certs/certificate.crt

When visiting the passbolt site the certificates work fine, the Chrome plugin also works fine.

Hi,

Let’s Encrypt provides a fullchain.pem certificate. Can you try to mount this fullchain.pem instead of cert.pem?

As an example, my fullchain.pem contains 3 CERTIFICATE blocks:

-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----

Best,
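
A pre-mount sanity check for the cert.pem versus fullchain.pem difference described above, as an added example that is not part of the original thread: it counts the well-formed CERTIFICATE blocks in a PEM file and flags a leaf-only file or a stray private key. The function names and the sample bundles are assumptions constructed for illustration; the stand-in blocks are tiny DER sequences, not real certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_is_complete_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (outer shape of an X.509 cert)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)    # rejects truncated or padded blocks

def inspect_bundle(pem_text: str) -> dict:
    """Summarise a PEM file destined for the server's certificate path."""
    certs, other, bad = 0, [], 0
    for label, body in PEM_BLOCK.findall(pem_text):
        if label != "CERTIFICATE":
            other.append(label)           # e.g. a private key pasted into the bundle
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            der = b""                     # body is not valid base64
        if der_is_complete_sequence(der):
            certs += 1
        else:
            bad += 1
    return {"certificates": certs, "malformed": bad, "other_blocks": other,
            "has_intermediates": certs >= 2 and bad == 0}

def fake_cert(n: int) -> str:
    # Constructed stand-in: a tiny DER SEQUENCE, not a real certificate.
    der = bytes([0x30, 0x03, 0x02, 0x01, n])
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

CERT_ONLY = fake_cert(1)                                  # shaped like cert.pem
FULLCHAIN = fake_cert(1) + fake_cert(2) + fake_cert(3)    # shaped like fullchain.pem

if __name__ == "__main__":
    print(inspect_bundle(CERT_ONLY), inspect_bundle(FULLCHAIN), sep="\n")
```

Run it on the contents of the file you mount at /etc/ssl/certs/certificate.crt; a result with `has_intermediates` false means clients that do not fetch missing intermediates themselves cannot build the certificate path.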

Ah thanks, that solves that problem.
Now it finds the right connection but gives “Incorrect passphrase or decryption error”.
I know for sure my passphrase is correct. The debug logs are empty but I will check the server logs.

The logfile shows:

passbolt_1 | 172.20.0.15 - - [26/Jan/2022:15:10:49 +0000] "GET /auth/verify.json HTTP/1.0" 200 3860 "-" "okhttp/4.7.2"
passbolt_1 | 2022-01-26 15:10:49,803 INFO reaped unknown pid 961 (exit status 0)
passbolt_1 | 2022-01-26 15:10:49,803 INFO reaped unknown pid 963 (exit status 0)
200 1090 "-" "okhttp/4.7.2" "-"
passbolt_1 | 172.20.0.15 - - [26/Jan/2022:15:10:49 +0000] "GET /auth/jwt/rsa.json HTTP/1.0" 200 1078 "-" "okhttp/4.7.2"
passbolt_1 | 2022-01-26 15:10:49,963 INFO reaped unknown pid 966 (exit status 0)
passbolt_1 | 2022-01-26 15:10:49,964 INFO reaped unknown pid 968 (exit status 0)

Not sure if that helps

Great! If you are sure you are entering the correct passphrase, and as you are running docker, maybe you are facing the same docker issue as another user here.

It seems the passbolt server keys on docker had a bug and they were abnormally long with multiple entities in them. To fix this, just connect inside the passbolt container and delete the keys:

rm /etc/passbolt/gpg/serverkey.asc
rm /etc/passbolt/gpg/serverkey_private.asc

Restart the passbolt container and new GPG server keys will be generated.

source: Passbolt Help | How to rotate server GPG keys

Ah great that solved it.
Not just restarting the container but really stopping it and bringing it back up.

For your reference:
On first look:
-rw-r--r-- 1 www-data www-data 3447 Jun 30 2020 serverkey.asc
-rw-r--r-- 1 www-data www-data 6976 Jun 30 2020 serverkey_private.asc

After delete and restart of the container:
-rw-r--r-- 1 www-data www-data 5129 Jan 26 15:37 serverkey.asc
-rw-r--r-- 1 www-data www-data 10421 Jan 26 15:37 serverkey_private.asc

Now it’s working
-rw-r--r-- 1 www-data www-data 1765 Jan 26 15:41 serverkey.asc
-rw-r--r-- 1 www-data www-data 3531 Jan 26 15:41 serverkey_private.asc

Thanks for your help.

Cool :+1:

Enjoy the app and don’t hesitate if you have further questions.

Cheers,