Can't login using android app on docker installation

ancieque · January 21, 2022, 11:47am

System:

Ubuntu 18.04.6 LTS x86_64
Kernel 4.15.0-159-generic
CPU: Intel Xeon (Skylake, IBRS) (2) @ 2.099GHz (VM)
Docker: Docker version 20.10.8, build 3967b7d
Passbolt Docker Image: 3.5.0-ce
Database: mariadb (mysql Ver 15.1 Distrib 10.1.48-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2)

Installed with: GitHub - neuroforgede/passbolt_ansible: A complete (set of) playbook(s) to selfhost passbolt.

nginX for SSL termination using this config:

server {
    listen 443 ssl;
    server_name  {{ passbolt_domain }};
    include includes/serversettings.conf;

    location /.well-known {
        root /srv/www/_temp/.well-known;
        allow all;
        expires off;
    }

    # include at least a / at the beginning of the rewrite rule, so that the url is not empty

    location / {
        proxy_pass          https://localhost:8444/;
        proxy_set_header    X-Real-IP          $remote_addr;
        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Host   $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header    X-Forwarded-Port   $server_port;
        proxy_set_header    X-Forwarded-Proto  $scheme;
        proxy_pass_request_headers on;
    }

    ssl_certificate /etc/letsencrypt/live/{{ passbolt_domain }}/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/{{ passbolt_domain }}/privkey.pem; # managed by Certbot
}

nginx version:

nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-H4cN7P/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

Healthcheck Log:


     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell        
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.25.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://<snip>
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [FAIL] The server OpenPGP key is not set
 [HELP] Create a key, export it and add the fingerprint to config/passbolt.php
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [FAIL] The server key fingerprint doesn't match the one defined in config/passbolt.php.
 [HELP] Double check the key fingerprint, example: 
 [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" root | grep -i -B 2 'SERVER_KEY_EMAIL'
 [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring
 [HELP] Import the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" root
 [FAIL] The server key does not have a valid email id.
 [HELP] Edit or generate another key with a valid email id.

 Application configuration

 [PASS] Using latest passbolt version (3.5.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 4 error(s) found. Hang in there!

We would like to try the long awaited Passbolt Android app. However we can’t login after successfully transferring the login credentials via the QR sync. The information that is then displayed on the phone looks correct, but when I try to login I get:

“incorrect passphrase or decryption error. Please try again”

I checked multiple times but the passphrase seems correct.

I tried cycling the server gpg key. I upgraded from 3.4 to 3.5 to see if that helps, but it doesn’t. The container logs don’t provide any further information.

Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to trouble shoot the problem
[x] I describe the steps on how to reproduce the issue

remy · January 21, 2022, 12:11pm

Hello,

I can see there are some errors in the healthcheck:

Have you tried to resolve these issues?

ancieque · January 21, 2022, 6:57pm

I have not been able to do so, but as far as I can tell we do not have a passbolt.php file configured manually. We are using these env vars:

- name: Create passbolt docker container
  vars:
    database_server_str: "{{ groups['mariadb'] | map('extract', hostvars, ['host_ip']) | list | first }}"
  docker_container:
    name: "passbolt_master"
    image: "passbolt/passbolt:{{ passbolt_version }}"
    recreate: true
    ports:
      - "127.0.0.1:8444:443"
    volumes:
      - "/data/ansible/passbolt/data/gpg:/etc/passbolt/gpg"
      - "/data/ansible/passbolt/data/jwt:/etc/passbolt/jwt"
      - "/data/ansible/passbolt/data/images:/usr/share/php/passbolt/webroot/img/public"
      - "/data/ansible/certs/{{ passbolt_cert_dir }}:/certs"
      - "/data/ansible/passbolt/mariadb/mariadb.cnf:/etc/mysql/mariadb.conf.d/mariadb.cnf"
    env:
      DATASOURCES_DEFAULT_HOST: "{{ database_server_str }}"
      DATASOURCES_DEFAULT_USERNAME: "{{ passbolt_db_user }}"
      DATASOURCES_DEFAULT_PASSWORD: "{{ passbolt_db_passwd }}"
      DATASOURCES_DEFAULT_DATABASE: "{{ passbolt_db }}"
      APP_FULL_BASE_URL: "https://{{ passbolt_domain }}"
      DATASOURCES_DEFAULT_SSL_KEY: "/certs/server.key"
      DATASOURCES_DEFAULT_SSL_CERT: "/certs/server.crt"
      DATASOURCES_DEFAULT_SSL_CA: "/certs/rootCA.crt"
      SECURITY_SALT: "{{ passbolt_salt }}"
      PASSBOLT_KEY_LENGTH: "{{ passbolt_key_length }}"
      PASSBOLT_SUBKEY_LENGTH: "{{ passbolt_subkey_length }}"
      PASSBOLT_KEY_NAME: "{{ passbolt_default_user }}"
      PASSBOLT_KEY_EMAIL: "{{ passbolt_default_user_mail }}"
      PASSBOLT_KEY_EXPIRATION: "{{ passbolt_key_expiration }}"
      EMAIL_TRANSPORT_DEFAULT_CLASS_NAME: "{{ passbolt_email_transport_class_name }}"
      EMAIL_DEFAULT_FROM: "{{ passbolt_email_from }}"
      EMAIL_DEFAULT_TRANSPORT: "default"
      EMAIL_TRANSPORT_DEFAULT_HOST: "{{ passbolt_email_host }}"
      EMAIL_TRANSPORT_DEFAULT_PORT: "{{ passbolt_email_port }}"
      EMAIL_TRANSPORT_DEFAULT_TIMEOUT: "{{ passbolt_email_timeout }}"
      EMAIL_TRANSPORT_DEFAULT_USERNAME: "{{ passbolt_email_user }}"
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: "{{ passbolt_email_password }}"
      EMAIL_TRANSPORT_DEFAULT_TLS: "{{  passbolt_email_use_tls }}"
      PASSBOLT_EMAIL_SHOW_COMMENT: "false"
      PASSBOLT_EMAIL_SHOW_DESCRIPTION: "false"
      PASSBOLT_EMAIL_SHOW_SECRET: "false"
      PASSBOLT_EMAIL_SHOW_URI: "false"
      PASSBOLT_EMAIL_SHOW_USERNAME: "false"
      PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED: "true"
      PASSBOLT_PLUGINS_MOBILE_ENABLED: "true"
    restart_policy: unless-stopped

AnatomicJC · January 21, 2022, 7:17pm

Hi @ancieque ,

I’m pretty sure you have the same issue than this other community post: iOS mobile app Sign in fails - #10 by _jc

Connect yourself your docker container and run this command:

gpg --show-keys /etc/passbolt/gpg/serverkey.asc

It should output only one result. We got some customers with docker installation where this command return multiple results.

If you get more than one entity, delete the server keys:

rm /etc/passbolt/gpg/serverkey.asc
rm /etc/passbolt/gpg/serverkey_private.asc

And restart your container. New proper keys will be generated.

Your users will get this warning:

Just accept the new key and you should be able to use the app.

I assume it is an old bug who has been fixed.

Relevant documentation: Passbolt Help | How to rotate server GPG keys

Let me know,

Best,

ancieque · January 21, 2022, 8:05pm

Thanks. This helped me a lot and helped me find the solution.

I already tried deleting the keys like you showed, but they kept coming back so I did not even get the server key change dialog.

I found out that just restarting the container is not enough. What worked for me:

Stop container by hand
remove keys as you described
Redeployed using our ansible playbook (aka: remove the container, create it again)

It seems as if some of the data was persisted in the container and therefore the same key asc file kept coming back.

garrett · May 12, 2022, 1:13pm

2 posts were split to a new topic: “incorrect password or decryption error” after update to Passbolt 3.5.0 (Docker)