After upgrading from 2.1.0 to 2.2.0 it is no longer possible to create new entries in passbolt. The error.log of passbolt shows entries like:
2018-08-15 17:09:23 Error: [Cake\Network\Exception\InvalidCsrfTokenException] CSRF token mismatch.
Request URL: /resources.json?api-version=v2
Referer URL: http://passbolt1./
When going back to 2.1.0 the error no longer exists. So it seems that the passbolt patch is the reason for this behavior (and not the OS patch done in parallel).
It makes no difference to add a “server_name” directive (some forums discussed this) to /etc/nginx/conf.d/default.conf, or to comment out “add_header X-XSS-Protection” or set it to “0”. In my opinion the error messages are not generated by nginx but by the passbolt application, so it seems logical that the nginx configuration changes have no effect.
- CentOS 7.5 with the latest patches, incl. all components shown below
Open source password manager for teams
[PASS] PHP version 7.0.31.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.
[PASS] The application config file is present
[PASS] The passbolt config file is present
[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to http://passbolt1.
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate
[PASS] The application is able to connect to the database
[PASS] 19 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.
[PASS] PHP GPG Module is installed and loaded.
[PASS] The server gpg key is not the default one
[PASS] The environment variable GNUPGHOME is set to /var/cache/nginx/.gnupg.
[PASS] The directory /var/cache/nginx/.gnupg containing the keyring is writable by the webserver user.
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[FAIL] This installation is not up to date. Currently using 2.1.0 and it should be v2.2.0.
=> status with 2.1.0 is the same as with 2.2.0
[HELP] See. https://www.passbolt.com/help/tech/update
[PASS] Passbolt is configured to force SSL use.
[FAIL] App.fullBaseUrl is not set to HTTPS.
[HELP] Check App.fullBaseUrl url scheme in config/passbolt.php.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] All email notifications will be sent.
2 error(s) found. Hang in there!
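The exception class in the log, Cake\Network\Exception\InvalidCsrfTokenException, is raised by CakePHP's CSRF protection middleware, which runs inside the PHP application after nginx has already forwarded the request; web-server directives such as server_name or X-XSS-Protection never enter into that decision. The following is an added example (not code from the post above, from passbolt or from CakePHP) that models the double-submit cookie check the middleware performs, using CakePHP 3's default names for the cookie (csrfToken), the header (X-CSRF-Token) and the form field (_csrfToken); the two sample requests are constructed here to show why a POST to /resources.json that only carries the cookie is rejected while one that re-sends the cookie value in the header passes.

```python
r"""Added example: a model of CakePHP 3's CsrfProtectionMiddleware check.

Not passbolt's or CakePHP's own code.  Cookie, header and form-field names
are the CakePHP 3 defaults; the request dictionaries below are constructed
for illustration.  The middleware that raises
Cake\Network\Exception\InvalidCsrfTokenException behaves the same way:
safe methods are not checked, unsafe ones must echo the cookie value back
in the form body or in the X-CSRF-Token header.
"""
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
COOKIE_NAME = "csrfToken"
HEADER_NAME = "X-CSRF-Token"
FIELD_NAME = "_csrfToken"


def issue_token() -> str:
    """Mint a fresh random token, as the middleware does when no cookie exists."""
    return secrets.token_hex(16)


def check_csrf(method, cookies, headers=None, form=None):
    """Decide whether a request passes the double-submit check.

    Returns (ok, reason).  `cookies`, `headers` and `form` are plain dicts
    standing in for the parsed request.
    """
    headers = headers or {}
    form = form or {}

    # GET/HEAD/OPTIONS are never checked; the token cookie is merely (re)issued.
    if method.upper() in SAFE_METHODS:
        return True, "safe method, not checked"

    cookie = cookies.get(COOKIE_NAME)
    if not cookie:
        return False, "missing csrfToken cookie"

    # Header lookup is case-insensitive, as in any HTTP request object.
    header_token = next(
        (v for k, v in headers.items() if k.lower() == HEADER_NAME.lower()), None
    )
    # Form field takes precedence over the header, then the header is tried.
    submitted = form.get(FIELD_NAME) or header_token
    if not submitted:
        return False, "CSRF token mismatch: no token in form body or header"

    # Constant-time comparison of cookie value and submitted value.
    if not hmac.compare_digest(cookie, submitted):
        return False, "CSRF token mismatch"
    return True, "token matches cookie"


def demo():
    """Replay the two request shapes discussed above (constructed, not captured).

    Returns (old_client_ok, new_client_ok).
    """
    token = issue_token()
    cookies = {COOKIE_NAME: token}
    # Shape of the failing request in the error.log: an unsafe POST that
    # carries the session cookies but no token in header or body.
    old_client_ok, _ = check_csrf("POST", cookies)
    # A client that reads the csrfToken cookie and echoes it in the header.
    new_client_ok, _ = check_csrf("POST", cookies, headers={HEADER_NAME: token})
    return old_client_ok, new_client_ok


if __name__ == "__main__":
    print(demo())  # (False, True)
```

To see which shape a real client produces, compare the request headers of a failing POST /resources.json?api-version=v2 in nginx's access log or in the browser's developer tools with the value of the csrfToken cookie: if the X-CSRF-Token header is absent or differs from the cookie, the application (not nginx) rejects the request exactly as modelled here.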