Cannot login after installation - (Firefox 82)

I installed passbolt on Ubuntu 20.04 following the installation guide.
The install finishes with no error, but I cannot log in with the correct password.

When I try to log in, it says the following.

Sorry, you have not been signed in.

Something went wrong, the sign in failed with the following error:

x-gpgauth-authenticated should be set to false during stage1

Did I miss something?

Thanks,

Hi @hiroki,

Can you run the healthcheck command on your server?

sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data

Could it be possible that you are using a proxy that suppresses some HTTP x-gpgauth-authenticated headers?
Best,

Hi @remy

Thank you for your reply.

Here is the command result.

root@hostname:/etc/ssl/private# sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell       
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.3.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to http://hostname.com
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 25 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (3.2.1).
 [FAIL] Passbolt is not configured to force SSL use.
 [HELP] Set passbolt.ssl.force to true in config/passbolt.php.
 [FAIL] App.fullBaseUrl is not set to HTTPS.
 [HELP] Check App.fullBaseUrl url scheme in config/passbolt.php.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 [FAIL] 2 error(s) found. Hang in there!

Also, I set the following in nginx.conf and restarted nginx, but the same error keeps displaying.

     proxy_set_header x-gpgauth-authenticated false;

Do I have to set SSL to make it work correctly?
This server is internally accessed from a reverse proxy server, so I don’t need an SSL setting though.

@hiroki passbolt uses a bunch of custom headers to log in; they are dynamic, you can’t just set them manually. Check if they are allowed on your network.

x-gpgauth-authenticated
x-gpgauth-login-url
x-gpgauth-logout-url
x-gpgauth-progress
x-gpgauth-pubkey-url
x-gpgauth-user-auth-token
x-gpgauth-verify-url
x-gpgauth-verify-response
x-gpgauth-refer
x-gpgauth-version
x-gpgauth-debug
x-gpgauth-error

Do I have to set SSL to make it work correctly?

It shouldn’t require HTTPS to work, even though without HTTPS it is considered insecure.

To check if the headers are sent correctly you can go, on Chrome, to chrome://extensions and click on “index.html” under the passbolt webextension. Then go to the Network tab and click on the /auth/login requests to see if the headers are sent.
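An added example, not part of the original posts and not passbolt code: one way to test the proxy hypothesis raised above is to capture the /auth/login response headers once directly on the backend and once through the reverse proxy, then list the x-gpgauth-* headers that went missing in between. The function names and both sample dumps are constructed for illustration.

```sh
# Added example (not passbolt code). Function names are hypothetical.

# Print the lower-cased names of all x-gpgauth-* headers found in a raw
# header dump on stdin. Header names are case-insensitive, and dumps taken
# from the wire have CRLF line endings, so normalise both.
gpgauth_names() {
  tr -d '\r' |
    awk -F: 'tolower($1) ~ /^x-gpgauth-/ { print tolower($1) }' |
    sort -u
}

# dropped_gpgauth_headers DIRECT PROXIED
# Print each x-gpgauth-* header present in DIRECT but absent from PROXIED.
dropped_gpgauth_headers() {
  proxied_names=$(printf '%s\n' "$2" | gpgauth_names)
  printf '%s\n' "$1" | gpgauth_names | while read -r name; do
    printf '%s\n' "$proxied_names" | grep -qxF -- "$name" ||
      printf '%s\n' "$name"
  done
}

# gpgauth_value DUMP NAME
# Print the value of header NAME (case-insensitive), or nothing if absent.
gpgauth_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '
    { i = index($0, ":") }
    i && tolower(substr($0, 1, i - 1)) == tolower(want) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
    }'
}

# Constructed sample: response seen on the backend itself. The x-gpgauth
# values are the stage0 ones quoted later in this thread.
DIRECT='HTTP/1.1 200 OK
Content-Type: text/html
X-GPGAuth-Authenticated: false
X-GPGAuth-Progress: stage0
X-GPGAuth-Version: 1.3.0
X-GPGAuth-Login-URL: /auth/login'

# Constructed sample: the same response after a hypothetical proxy that
# filters two of the headers.
PROXIED='HTTP/1.1 200 OK
content-type: text/html
x-gpgauth-version: 1.3.0
x-gpgauth-login-url: /auth/login'

dropped_gpgauth_headers "$DIRECT" "$PROXIED"
```

Real dumps can be captured with `curl -s -o /dev/null -D - <base-url>/auth/login`, run once on the passbolt host and once from a client behind the proxy.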

Hi @remy

This is the login page response header.

x-gpgauth-authenticated -> false
x-gpgauth-login-url -> /auth/login
x-gpgauth-logout-url -> /auth/logout
x-gpgauth-progress -> stage0
x-gpgauth-pubkey-url -> /auth/verify.json
x-gpgauth-user-auth-token -> not set
x-gpgauth-verify-url -> auth/verify
x-gpgauth-verify-response -> not set
x-gpgauth-refer -> not set
x-gpgauth-version -> 1.3.0
x-gpgauth-debug -> there is no user associated with this key. No key id set.
x-gpgauth-error -> true

Did I miss something?
Thanks,

This is the login failure page.

That is strange, it seems that the user cannot be found. According to the debug message:

there is no user associated with this key. No key id set.

Did you complete the setup without any error?
Can you check on the server if the user is there and active by checking in the database:

select * from users where username='ada@passbolt.com';
select * from gpgkeys where user_id = (select id from users where username='ada@passbolt.com' order by created desc limit 1);

Replace ada with your username. Check if the user is present, and set to “active” 1 and “deleted” 0. Check if a gpg key exists for the user.

Then check if the key is present in the keyring. There might be an issue preventing the key from being imported. Check if it is present in the keyring:

sudo -H -u www-data bash -c "gpg --list-keys --home=/var/lib/passbolt/.gnupg"

If it’s not, try to see if you can import it manually:

sudo -H -u www-data bash -c "gpg --home=/var/lib/passbolt/.gnupg --import path/to/user/key.file"

Hi @remy

This is the command result.
It looks okay.


mysql> select * from users;
+--------------------------------------+--------------------------------------+----------------------+--------+---------+---------------------+---------------------+
| id                                   | role_id                              | username             | active | deleted | created             | modified            |
+--------------------------------------+--------------------------------------+----------------------+--------+---------+---------------------+---------------------+
| b50f1a75-e2b2-43f7-9385-2e42d1f6c889 | 9b49fb7c-1e5d-4ea5-86ac-04776485aee9 | dev-team@xxx.jp |      1 |       0 | 2021-06-14 05:10:11 | 2021-06-14 05:11:21 |
+--------------------------------------+--------------------------------------+----------------------+--------+---------+---------------------+---------------------+
1 row in set (0.00 sec)


mysql> select * from gpgkeys where user_id = (select id from users where username='dev-team@xxx.jp');
.
.
.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------+------------------------------------------+----------+------------------------------------------+------+---------+---------------------+---------+---------------------+---------------------+
1 row in set (0.00 sec)

root@hostname:/etc/nginx# sudo -H -u www-data bash -c "gpg --list-keys --home=/var/lib/passbolt/.gnupg"
/var/lib/passbolt/.gnupg/pubring.kbx
------------------------------------
pub   rsa2048 2021-06-14 [SC]
      FA8BF7B39107EAC4229A6746AFE28B54A46FB2C8
uid           [ unknown] hostname.xxx.jp <dev-team@xxx.jp>
sub   rsa2048 2021-06-14 [E]

pub   rsa2048 2021-06-14 [SC]
      592C2A8C747138D48427548CE08D93A6C71A6633
uid           [ unknown] Dev-team T-inc <dev-team@xxx.jp>
sub   rsa2048 2021-06-14 [E]

That is very strange. I’m unsure what’s not working at this stage.
Can you check if the time is set correctly on the server by installing ntp:

sudo apt-get install ntp

Can you show the permissions on the keyring:

sudo -H -u www-data bash -c "ls -la /var/lib/passbolt/.gnupg"

Hi @remy

The NTP server is working and the time should be correct on my server.

  • chrony service
root@hostname:~# systemctl status chrony
● chrony.service - chrony, an NTP client/server
  • keyring permission.
root@hostname:~# sudo -H -u www-data bash -c "ls -la /var/lib/passbolt/.gnupg"
total 28
drwx------ 3 www-data www-data 4096  6月 14 16:54 .
drwxr-xr-x 4 www-data www-data 4096  6月 14 14:02 ..
srwx------ 1 www-data www-data    0  6月 14 14:08 S.gpg-agent
srwx------ 1 www-data www-data    0  6月 14 14:08 S.gpg-agent.browser
srwx------ 1 www-data www-data    0  6月 14 14:08 S.gpg-agent.extra
srwx------ 1 www-data www-data    0  6月 14 14:08 S.gpg-agent.ssh
drwx------ 2 www-data www-data 4096  6月 14 14:08 private-keys-v1.d
-rw-r--r-- 1 www-data www-data 2832  6月 14 14:11 pubring.kbx
-rw-r--r-- 1 www-data www-data 1407  6月 14 14:08 pubring.kbx~
-rw------- 1 www-data www-data  600  6月 14 16:19 random_seed
-rw------- 1 www-data www-data 1200  6月 14 14:08 trustdb.gpg

This is my server info just in case you need it.

root@pw:~# hostnamectl
   Static hostname: hostname.xxx.jp
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 136373d5659f4670bb296154c0ff1b13
           Boot ID: ba21fd6eec354b658ff8701bbaa93e14
    Virtualization: kvm
  Operating System: Ubuntu 20.04.2 LTS
            Kernel: Linux 5.4.0-74-generic
      Architecture: x86-64

Thanks,

That is strange. Can you get in touch with us at support@passbolt.com (even if you are using CE), so that we can organize a conference call to dig into the issue?

Hi @remy

Okay, how should I explain this in the email to support?
Can I mention your name in it??

Thanks,

Yes you can tell remy sent you :slight_smile:

Hi @remy

I sent them an email.
Please check it.

Thank you

Hi @hiroki yes we’ve seen it, we’ll be in touch. We are trying to see when we can organize a call. Most likely tomorrow.

There is a similar error reported on GitHub with Firefox 82, not sure if this is related.

Hi, remy

I upgraded the Firefox version and the error has gone.

I tried to check the previous Firefox version, but it started an auto-upgrade, so I couldn’t check the previous version number…

Sorry for that…

But I’m sure it had something to do with a specific browser version.

No problem, I’m glad we could figure it out.

Hi, remy

Thank you for your support anyway!!