Can't open passbolt in mobile after change of internet provider

Hello,

I have a huge problem, I can’t access my passbolt system after a change of the internet provider.

I have the ISP router in bridge mode, so the only change made was the public IP of the internet connection. There were no other changes on the LAN side of my network, no need to change NAT rules or anything else.

Now when I try to access my passbolt from the mobile application I get this message: “server and client time are out of sync. Please contact your Administrator”. If I try to open the webpage, it opens a white page without any content at all.

On the server the time is the same as on my smartphone or my PC; can someone help me?

~ $ date
Fri 9 Jun 12:07:19 CEST 2023

Thank you all

Hi @ic3_2k,

Can you login on your server using SSH and run the status-report command?

sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/status-report" nginx

Do you see any error when you open the chrome browser console on that white page?
Cheers,

nope, no error at all when opening the browser

The command you posted gave me an error that the nginx user doesn’t exist, so I ran it again with the www-data username; here are the results:

sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/status-report" www-data

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
Passbolt CE 4.0.2
Cakephp 4.4.11
Linux raspberrypi 6.1.13-v7l+ #1632 SMP Thu Feb 23 12:22:27 GMT 2023 armv7l GNU/Linux
PHP 7.4.33 (cli) (built: Feb 22 2023 20:07:47) ( NTS )
mysql  Ver 15.1 Distrib 10.5.19-MariaDB, for debian-linux-gnueabihf (armv7l) using  EditLine wrapper
gpg (GnuPG) 2.2.27
libgcrypt 1.8.8
Composer version 2.4.4 2022-10-27 14:39:29

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.33.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://**************.net
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 30 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (4.0.2).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [WARN] The deprecated self registration public setting was found in /etc/passbolt/passbolt.php.
 [HELP] You may remove the "passbolt.registration.public" setting.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [FAIL] The /etc/passbolt/jwt/ directory should not be writable.
 [HELP] You can try:
 [HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
 [HELP] sudo chmod 750 /etc/passbolt/jwt/
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [FAIL] 1 error(s) found. Hang in there!

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
Data check shell
[PASS] Data integrity for AuthenticationTokens.
  [PASS] Can validate: 146/146
[PASS] Data integrity for Comments.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Favorites.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Gpgkeys.
  [PASS] Can encrypt: 1/1
  [PASS] Pass validation service checks: 1/1
  [PASS] Entity data and armored key data matches: 1/1
  [PASS] Is not expired: 1/1
  [PASS] Is armored key format valid: 1/1
[PASS] Data integrity for Groups.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Profiles.
  [PASS] Can validate: 2/2
[PASS] Data integrity for Resources.
  [PASS] Can validate: 33/33
[PASS] Data integrity for Secrets.
  [PASS] Can validate: 32/32
[PASS] Data integrity for Users.
  [PASS] Can validate: 2/2
2023-06-09 09:36:39 error: [Cake\Routing\Exception\MissingRouteException] A route matching "/geoserver/web/" could not be found. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 197
Request URL: /geoserver/web/
Client IP: 184.105.247.195


2023-06-09 09:37:43 error: [Cake\Routing\Exception\MissingRouteException] A route matching "/.git/config" could not be found. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 197
Request URL: /.git/config
Client IP: 184.105.247.195


2023-06-09 09:45:25 error: [RuntimeException] Expected configuration key "passbolt.featurePluginAdder" not found. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Core/Configure.php on line 166


2023-06-09 09:48:22 error: [RuntimeException] Expected configuration key "passbolt.featurePluginAdder" not found. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Core/Configure.php on line 166


2023-06-09 09:48:25 error: [RuntimeException] Expected configuration key "passbolt.featurePluginAdder" not found. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Core/Configure.php on line 166


2023-06-09 09:58:28 error: [Cake\Routing\Exception\MissingRouteException] A route matching "/robots.txt" could not be found. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 197
Request URL: /robots.txt
Client IP: 185.179.185.167
2023-06-09 09:58:28 error: [Cake\Routing\Exception\MissingRouteException] A route matching "/robots.txt" could not be found. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 197
Request URL: /robots.txt
Client IP: 185.179.185.167
2023-06-09 09:58:28 error: [Cake\Routing\Exception\MissingRouteException] A route matching "/robots.txt" could not be found. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 197
Request URL: /robots.txt
Client IP: 185.179.185.167
2023-06-09 09:58:29 error: [Cake\Routing\Exception\MissingRouteException] A route matching "/img/logo/logo_white.svg" could not be found. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 197
Request URL: /img/logo/logo_white.svg
Referer URL: https://************.net/css/themes/midgar/api_authentication.min.css?v=4.0.2
Client IP: 185.179.185.167
2023-06-09 09:48:25 error: [RuntimeException] Expected configuration key "passbolt.featurePluginAdder" not found. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Core/Configure.php on line 166

Did you modify the file config/default.php by any chance? Looks like an important configuration item is missing.

    'passbolt' => [
        // Edition.
        'edition' => 'ce',
        'featurePluginAdder' => \App\BaseSolutionBootstrapper::class, // <- this

No, I haven’t modified that file; I don’t even know where that config directory is located.

But today I ran apt update and upgrade to see if that would fix the problem, but no luck with that.

Looks like you’re running on a raspberrypi, which method did you follow to install passbolt?

Can you share the content of:

sudo ls -la /etc/passbolt

And the content of the file if it’s there:

sudo cat /etc/passbolt/default.php

Yes, it’s on a Raspberry Pi. I installed it at home on a Raspberry 4 over a year and a half ago, following the instructions on Passbolt Help | Install Passbolt CE on Raspberry PI

After yesterday’s change of internet provider I can’t access it from already registered devices: my mobile, my PC, etc.

Now if I try to access it with the browser, the page to recover the account is shown.

Something weird is the fact that the status test says the JWT folder is writable. I ran the set of chown commands but the test keeps saying that folder is writable.

Did the Domain/URL of your passbolt instance change when you changed internet provider?

$ sudo ls -la /etc/passbolt
total 184
drwxrwx---   6 root     www-data  4096 Jun  9 13:01 .
drwxr-xr-x 129 root     root     12288 Jun  9 12:08 ..
-rwxr-xr-x   1 root     www-data 19998 May 25 12:06 app.php
-rwxr-xr-x   1 root     root     19942 Jun  9 12:43 app.php.bkp_orig
-rwxr-xr-x   1 root     www-data 18231 Nov 18  2022 app.php.dpkg-old
-rw-r-----   1 root     www-data  2044 May 25 12:06 audit_logs.php
-rwxr-xr-x   1 root     www-data  1061 May 25 12:06 bootstrap_cli.php
-rwxr-xr-x   1 root     www-data  7506 May 25 12:06 bootstrap.php
-rwxr-xr-x   1 root     www-data    65 Nov 11  2022 bootstrap_plugins.php
-rwxr-xr-x   1 root     www-data 16200 May 25 12:06 default.php
drwxr-xr-x   2 root     www-data  4096 Nov 15  2022 gpg
drwxr-x---   2 root     www-data  4096 Nov 15  2022 jwt
drwxr-xr-x   2 root     www-data 20480 Jun  9 11:48 Migrations
-rwxr-xr-x   1 root     www-data  5605 Feb 10 11:12 passbolt.default.php
-rwxr-xr-x   1 www-data www-data  2367 Jun  9 12:41 passbolt.php
-rwxr-xr-x   1 root     www-data  2642 Nov 11  2022 paths.php
-rwxrwxrwx   1 root     www-data  1584 May 25 12:06 requirements.php
-rwxr-xr-x   1 root     www-data 13707 May 25 12:06 routes.php
drwxr-xr-x   2 root     www-data  4096 Jun  9 11:49 schema
-rwxr-xr-x   1 root     www-data   101 May 25 12:06 version.php
$ sudo cat /etc/passbolt/default.php
<?php
/**
 * Passbolt ~ Open source password manager for teams
 * Copyright (c) Passbolt SA (https://www.passbolt.com)
 *
 * Licensed under GNU Affero General Public License version 3 of the or any later version.
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice.
 *
 * @copyright     Copyright (c) Passbolt SA (https://www.passbolt.com)
 * @license       https://opensource.org/licenses/AGPL-3.0 AGPL License
 * @link          https://www.passbolt.com Passbolt(tm)
 * @since         2.0.0
 */

use App\Model\Entity\AuthenticationToken;
use App\Utility\AuthToken\AuthTokenExpiryConfigValidator;
use Passbolt\JwtAuthentication\Service\AccessToken\JwtAbstractService;

$authTokenExpiryConfigValidator = new AuthTokenExpiryConfigValidator();

return [
    /*
     * Passbolt application default configuration.
     * In alphabetical order:
     * - Authentication
     * - Email notifications
     * - Javascript application config
     * - Meta HTML tags
     * - Gpg
     * - Selenium mode
     * - Security settings
     * - SSL
     *
     * Pick a section and place it in your passbolt.php file to replace default settings.
     * Do not modify directly the values below as it will break passbolt update process.
     *
     */
    'passbolt' => [
        // Edition.
        'edition' => 'ce',
        'featurePluginAdder' => \App\BaseSolutionBootstrapper::class,

        // Authentication & Authorisation.
        'auth' => [
            'tokenExpiry' => env('PASSBOLT_AUTH_TOKEN_EXPIRY', '3 days'),
            'token' => [
                AuthenticationToken::TYPE_REGISTER => [
                    'expiry' => filter_var(env('PASSBOLT_AUTH_REGISTER_TOKEN_EXPIRY', '10 days'), FILTER_CALLBACK, ['options' => $authTokenExpiryConfigValidator])
                ],
                AuthenticationToken::TYPE_RECOVER => [
                    'expiry' => filter_var(env('PASSBOLT_AUTH_RECOVER_TOKEN_EXPIRY', '10 days'), FILTER_CALLBACK, ['options' => $authTokenExpiryConfigValidator])
                ],
                AuthenticationToken::TYPE_LOGIN => [
                    'expiry' => filter_var(env('PASSBOLT_AUTH_LOGIN_TOKEN_EXPIRY', '5 minutes'), FILTER_CALLBACK, ['options' => $authTokenExpiryConfigValidator])
                ],
                AuthenticationToken::TYPE_MOBILE_TRANSFER => [
                    'expiry' => filter_var(env('PASSBOLT_AUTH_MOBILE_TRANSFER_TOKEN_EXPIRY', '5 minutes'), FILTER_CALLBACK, ['options' => $authTokenExpiryConfigValidator])
                ],
                AuthenticationToken::TYPE_REFRESH_TOKEN => [
                    'expiry' => filter_var(env('PASSBOLT_AUTH_JWT_REFRESH_TOKEN', '1 month'), FILTER_CALLBACK, ['options' => $authTokenExpiryConfigValidator])
                ],
                JwtAbstractService::USER_ACCESS_TOKEN_KEY => [
                    'expiry' => filter_var(env('PASSBOLT_AUTH_JWT_ACCESS_TOKEN', '5 minutes'), FILTER_CALLBACK, ['options' => $authTokenExpiryConfigValidator])
                ],
                AuthenticationToken::TYPE_VERIFY_TOKEN => [
                    'expiry' => filter_var(env('PASSBOLT_AUTH_JWT_VERIFY_TOKEN', '1 hour'), FILTER_CALLBACK, ['options' => $authTokenExpiryConfigValidator])
                ],
            ]
        ],

        // Email settings
        'email' => [
            // Additional email validation settings
            'validate' => [
                'mx' => filter_var(env('PASSBOLT_EMAIL_VALIDATE_MX', false), FILTER_VALIDATE_BOOLEAN),
                'regex' => env('PASSBOLT_EMAIL_VALIDATE_REGEX'),
            ],
            'purify' => [
                'subject' => filter_var(env('PASSBOLT_EMAIL_PURIFY_SUBJECT', false), FILTER_VALIDATE_BOOLEAN),
            ],

            // Email delivery settings such as credentials are in app.php.
            // Allow to disable displaying the armored secret in the email.
            // WARNING: make sure you have backups in place if you disable these.
            // See. https://www.passbolt.com/help/tech/backup
            'show' => [
                'comment' => filter_var(env('PASSBOLT_EMAIL_SHOW_COMMENT', false), FILTER_VALIDATE_BOOLEAN),
                'description' => filter_var(env('PASSBOLT_EMAIL_SHOW_DESCRIPTION', false), FILTER_VALIDATE_BOOLEAN),
                'secret' => filter_var(env('PASSBOLT_EMAIL_SHOW_SECRET', false), FILTER_VALIDATE_BOOLEAN),
                'uri' => filter_var(env('PASSBOLT_EMAIL_SHOW_URI', false), FILTER_VALIDATE_BOOLEAN),
                'username' => filter_var(env('PASSBOLT_EMAIL_SHOW_USERNAME', false), FILTER_VALIDATE_BOOLEAN),
            ],
            // Choose which emails are sent system wide.
            'send' => [
                'comment' => [
                    'add' => filter_var(env('PASSBOLT_EMAIL_SEND_COMMENT_ADD', true), FILTER_VALIDATE_BOOLEAN)
                ],
                'password' => [
                    'create' => filter_var(env('PASSBOLT_EMAIL_SEND_PASSWORD_CREATE', false), FILTER_VALIDATE_BOOLEAN),
                    'share' => filter_var(env('PASSBOLT_EMAIL_SEND_PASSWORD_SHARE', true), FILTER_VALIDATE_BOOLEAN),
                    'update' => filter_var(env('PASSBOLT_EMAIL_SEND_PASSWORD_UPDATE', true), FILTER_VALIDATE_BOOLEAN),
                    'delete' => filter_var(env('PASSBOLT_EMAIL_SEND_PASSWORD_DELETE', true), FILTER_VALIDATE_BOOLEAN),
                ],
                'user' => [
                    // WARNING: disabling PASSBOLT_EMAIL_SEND_USER_CREATE and PASSBOLT_EMAIL_SEND_USER_RECOVER will prevent user from signing up.
                    'create' => filter_var(env('PASSBOLT_EMAIL_SEND_USER_CREATE', true), FILTER_VALIDATE_BOOLEAN),
                    'recover' => filter_var(env('PASSBOLT_EMAIL_SEND_USER_RECOVER', true), FILTER_VALIDATE_BOOLEAN),
                    'recoverComplete' => filter_var(env('PASSBOLT_EMAIL_SEND_USER_RECOVER_COMPLETE', true), FILTER_VALIDATE_BOOLEAN),
                ],
                'admin' => [
                    'user' => [
                        'setup' => [
                            'completed' => filter_var(env('PASSBOLT_EMAIL_SEND_ADMIN_USER_SETUP_COMPLETED', true), FILTER_VALIDATE_BOOLEAN),
                        ],
                        'recover' => [
                            'abort' => filter_var(env('PASSBOLT_EMAIL_SEND_ADMIN_USER_RECOVER_ABORT', true), FILTER_VALIDATE_BOOLEAN),
                            'complete' => filter_var(env('PASSBOLT_EMAIL_SEND_ADMIN_USER_RECOVER_COMPLETE', true), FILTER_VALIDATE_BOOLEAN),
                        ],
                        'register' => [
                            'complete' => filter_var(env('PASSBOLT_EMAIL_SEND_ADMIN_USER_REGISTER_COMPLETE', true), FILTER_VALIDATE_BOOLEAN),
                        ],
                    ]
                ],
                'group' => [
                    // Notify all members that a group was deleted.
                    'delete' => filter_var(env('PASSBOLT_EMAIL_SEND_GROUP_DELETE', true), FILTER_VALIDATE_BOOLEAN),
                    'user' => [ // notify user group membership changes.
                        'add' => filter_var(env('PASSBOLT_EMAIL_SEND_GROUP_USER_ADD', true), FILTER_VALIDATE_BOOLEAN),
                        'delete' => filter_var(env('PASSBOLT_EMAIL_SEND_GROUP_USER_DELETE', true), FILTER_VALIDATE_BOOLEAN),
                        'update' => filter_var(env('PASSBOLT_EMAIL_SEND_GROUP_USER_UPDATE', true), FILTER_VALIDATE_BOOLEAN),
                    ],
                    'manager' => [
                        // Notify managers when group membership changes.
                        'update' => filter_var(env('PASSBOLT_EMAIL_SEND_GROUP_MANAGER_UPDATE', true), FILTER_VALIDATE_BOOLEAN),
                    ]
                ],
                'folder' => [
                    'create' => filter_var(env('PASSBOLT_EMAIL_SEND_FOLDER_CREATE', false), FILTER_VALIDATE_BOOLEAN),
                    'update' => filter_var(env('PASSBOLT_EMAIL_SEND_FOLDER_UPDATE', true), FILTER_VALIDATE_BOOLEAN),
                    'delete' => filter_var(env('PASSBOLT_EMAIL_SEND_FOLDER_DELETE', true), FILTER_VALIDATE_BOOLEAN),
                    'share' => filter_var(env('PASSBOLT_EMAIL_SEND_FOLDER_SHARE', true), FILTER_VALIDATE_BOOLEAN),
                ],
            ]
        ],

        // build | options : development or production.
        // development will load the non compiled version.
        // production will load the compiled passbolt.js file.
        'js' => [
            'build' => env('PASSBOLT_JS_BUILD', 'production')
        ],

        // Html meta information.
        'meta' => [
            'title' => env('PASSBOLT_META_TITLE', 'Passbolt'),
            'description' => env('PASSBOLT_META_DESCRIPTION', 'Open source password manager for teams'),
            // Do you want search engine robots to index your site.
            // Default is set to false.
            'robots' => env('PASSBOLT_META_ROBOTS', 'noindex, nofollow')
        ],

        // GPG Configuration.
        'gpg' => [
            // Tell passbolt which OpenPGP backend to use
            // Default is PHP-GNUPG with some help from OpenPGP-PHP
            'backend' => env('PASSBOLT_GPG_BACKEND', 'gnupg'),

            // Tell passbolt where to find the GnuPG keyring.
            // If putenv is set to false, gnupg will use the default path ~/.gnupg.
            // For example :
            // - Apache on Centos it would be in '/usr/share/httpd/.gnupg'
            // - Apache on Debian it would be in '/var/www/.gnupg'
            // - Nginx on Centos it would be in '/var/lib/nginx/.gnupg'
            // - etc.
            'keyring' => '/var/lib/passbolt' . DS . '.gnupg',

            // Replace GNUPGHOME with above value even if it is set.
            'putenv' => true,

            // Main server key.
            'serverKey' => [
                // Server public / private key location and fingerprint.
                'fingerprint' => env('PASSBOLT_GPG_SERVER_KEY_FINGERPRINT', null),
                'public' => env('PASSBOLT_GPG_SERVER_KEY_PUBLIC', CONFIG . 'gpg' . DS . 'serverkey.asc'),
                'private' => env('PASSBOLT_GPG_SERVER_KEY_PRIVATE', CONFIG . 'gpg' . DS . 'serverkey_private.asc'),

                // PHP Gnupg module currently does not support passphrase, please leave blank.
                'passphrase' => ''
            ],
            'experimental' => [
                'encryptValidate' => filter_var(env('PASSBOLT_GPG_EXTRA_ENCRYPT_VALIDATE', true), FILTER_VALIDATE_BOOLEAN)
            ]
        ],

        // Healthcheck
        'healthcheck' => [
            'error' => filter_var(env('PASSBOLT_HEALTHCHECK_ERROR', false), FILTER_VALIDATE_BOOLEAN)
        ],

        // Legal
        'legal' => [
            'privacy_policy' => [
                'url' => env('PASSBOLT_LEGAL_PRIVACYPOLICYURL', '')
            ],
            'terms' => [
                'url' => env('PASSBOLT_LEGAL_TERMSURL', 'https://www.passbolt.com/terms')
            ]
        ],

        // Which plugins are enabled
        'plugins' => [
            'export' => [
                'enabled' => filter_var(env('PASSBOLT_PLUGINS_EXPORT_ENABLED', true), FILTER_VALIDATE_BOOLEAN)
            ],
            'import' => [
                'enabled' => filter_var(env('PASSBOLT_PLUGINS_IMPORT_ENABLED', true), FILTER_VALIDATE_BOOLEAN)
            ],
            'previewPassword' => [
                'enabled' => filter_var(env('PASSBOLT_PLUGINS_PREVIEW_PASSWORD_ENABLED', true), FILTER_VALIDATE_BOOLEAN)
            ],
            'resourceTypes' => [
                'enabled' => filter_var(env('PASSBOLT_PLUGINS_RESOURCE_TYPES_ENABLED', true), FILTER_VALIDATE_BOOLEAN)
            ],
            'totpResourceTypes' => [
                'enabled' => filter_var(env('PASSBOLT_PLUGINS_TOTP_RESOURCE_TYPES_ENABLED', false), FILTER_VALIDATE_BOOLEAN),
            ],
            'mobile' => [
                'enabled' => filter_var(env('PASSBOLT_PLUGINS_MOBILE_ENABLED', true), FILTER_VALIDATE_BOOLEAN)
            ],
            'jwtAuthentication' => [
                'enabled' => filter_var(env('PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED', true), FILTER_VALIDATE_BOOLEAN)
            ],
            'accountRecoveryRequestHelp' => [
                // Feature flag to allow client to tune behavior for backward compatibility
                // e.g. updated recovery process allows for admin email notification with "lost-passphrase" option
                // @deprecated when v3.5 is dropped - Ref. PB-15046
                'enabled' => true,
                'settingsVisibility' => [
                    'whiteListPublic' => [
                        'enabled',
                    ],
                ],
            ],
            'smtpSettings' => [
                // A typo is here covered for backward compatibility
                'enabled' => filter_var(env('PASSBOLT_PLUGINS_SMTP_SETTINGS_ENABLED', env('PASSBOLT_PLUGINS_SMTP_SETTINGS', true)), FILTER_VALIDATE_BOOLEAN)
            ],
            'selfRegistration' => [
                'enabled' => filter_var(env('PASSBOLT_PLUGINS_SELF_REGISTRATION_ENABLED', true), FILTER_VALIDATE_BOOLEAN)
            ],
        ],

        // Activate specific entry points for selenium testing.
        // true will render your installation insecure.
        'selenium' => [
            'active' => filter_var(env('PASSBOLT_SELENIUM_ACTIVE', false), FILTER_VALIDATE_BOOLEAN)
        ],

        // Security.
        'security' => [
            'cookies' => [
                // force cookie secure flag even if request is not https
                'secure' => filter_var(env('PASSBOLT_SECURITY_COOKIE_SECURE', true), FILTER_VALIDATE_BOOLEAN)
            ],
            'setHeaders' => filter_var(env('PASSBOLT_SECURITY_SET_HEADERS', true), FILTER_VALIDATE_BOOLEAN),
            'csrfProtection' => [
                'active' => true,
                'unlockedActions' => [
                    'AuthLogin' => ['loginPost'],
                    'RecoverComplete' => ['complete'],
                    'SetupComplete' => ['complete'],
                    'TransfersUpdate' => ['updateNoSession'],
                ]
            ],
            'csp' => env('PASSBOLT_SECURITY_CSP', true),
            // enables the storage and display of the user agent (user's browser and hardware related information)
            'userAgent' => filter_var(env('PASSBOLT_SECURITY_USER_AGENT', true), FILTER_VALIDATE_BOOLEAN),
            // enables the storage and display if the user IP address
            'userIp' => filter_var(env('PASSBOLT_SECURITY_USER_IP', true), FILTER_VALIDATE_BOOLEAN),
            'smtpSettings' => [
                'endpointsDisabled' => filter_var(env('PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED', false), FILTER_VALIDATE_BOOLEAN)
            ],
            // Enables trusting of HTTP_X headers set by most load balancers.
            // Only set to true if your instance runs behind load balancers/proxies that you control.
            'proxies' => [
                'active' => filter_var(env('PASSBOLT_SECURITY_PROXIES_ACTIVE', false), FILTER_VALIDATE_BOOLEAN),
                // If your instance is behind multiple proxies, redefine the list of IP addresses of proxies in your control in passbolt.php
                'trustedProxies' => [],
            ],
            'mfa' => [
                'duoVerifySubscriber' => filter_var(env('PASSBOLT_SECURITY_MFA_DUO_VERIFY_SUBSCRIBER', false), FILTER_VALIDATE_BOOLEAN)
            ],
        ],

        // Should the app be SSL / HTTPS only.
        // false will render your installation insecure.
        'ssl' => [
            'force' => filter_var(env('PASSBOLT_SSL_FORCE', true), FILTER_VALIDATE_BOOLEAN)
        ],
        //ObfuscateFields placeholder
        'obfuscateFields' => [
            'placeholder' => env('PASSBOLT_OBFUSCATE_FIELDS_PLACEHOLDER', \App\Controller\Component\ObfuscateFieldsComponent::FIELD_PLACEHOLDER),
        ]
    ],
    // Override the Cake ExceptionRenderer.
    'Error' => [
        'exceptionRenderer' => 'App\Error\AppExceptionRenderer',
    ]
];

nope, domain is the same, only changed public IP

DNS A record updated to the new IP address

I tried to make all the errors from the status report program disappear, so I created the environment variables requested by the program, but it keeps showing the same error each time I try to check the status:

Here are the environment variables before running the status report

pi@raspberrypi:~ $ env
SHELL=/bin/bash
PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED=true
NO_AT_BRIDGE=1
PWD=/home/pi
LOGNAME=pi
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/pi
LANG=en_GB.UTF-8
......
OLDPWD=/home/pi/
TEXTDOMAIN=Linux-PAM
PASSBOLT_EMAIL_VALIDATE_MX=true
_=/usr/bin/env

also the commands executed for the JWT directory

pi@raspberrypi:~ $  sudo chown -Rf root:www-data /etc/passbolt/jwt/
pi@raspberrypi:~ $ sudo chmod 750 /etc/passbolt/jwt/
pi@raspberrypi:~ $ sudo chmod 640 /etc/passbolt/jwt/jwt.key
pi@raspberrypi:~ $ sudo chmod 640 /etc/passbolt/jwt/jwt.pem
pi@raspberrypi:~ $ ls -alR /etc/passbolt/jwt
ls: cannot access '/etc/passbolt/jwt': Permission denied
pi@raspberrypi:~ $ sudo ls -alR /etc/passbolt/jwt
/etc/passbolt/jwt:
total 16
drwxr-x--- 2 root www-data 4096 Nov 15  2022 .
drwxrwx--- 6 root www-data 4096 Jun  9 13:01 ..
-rw-r----- 1 root www-data 3272 Nov 15  2022 jwt.key
-rw-r----- 1 root www-data  800 Nov 15  2022 jwt.pem

and I keep getting those annoying messages:

 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[FAIL] The /etc/passbolt/jwt/ directory should not be writable.
 [HELP] You can try:
 [HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
 [HELP] sudo chmod 750 /etc/passbolt/jwt/
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
[WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

Hey @ic3_2k just to make sure I am following everything correctly the current state is:

  • Via the web browser you are prompted to recover your account
  • The mobile app you get “server and client time are out of sync. Please contact your Administrator”

Is that correct?

Hello, have you checked if your ISP is using CG-NAT?
Maybe you have a “public” IP that is not a real public IP and this is the reason why you are not able to connect

Hello,

Now I’m at home, so I can use a trusted PC to try to access the Passbolt webpage using the browser; this time the webpage loaded without issues.

So I thought maybe the mobile app had become unstable for an unknown reason. I deleted the account from the mobile device and went to the page to enroll the mobile application again; it read the QR code, but when I tried to log in, again the same error: ‘Server and Client time is out of sync’

Thanks for your idea @Termindiego25 but I purchased a fixed public IP address so no worries about CGNAT in this case

Hello @ic3_2k !

Is it possible for you to share the logs from the mobile app please?
On the top right of your screen there’s a question mark icon, clicking on it opens a menu where you could find “access the logs”.

From there you should be able to share them. It might give us some insight about the problem.

Since it mentions a time sync issue can you double check that you have ntp properly set on the server and that your phone is configured for network time?

First of all, thanks to both of you; it is impressive having this kind of support from the developers.

@clayton as time was one of the keywords of the error shown in the application, NTP was one of the first checkpoints I did

pi@raspberrypi:~$ timedatectl
               Local time: Fri 2023-06-09 14:56:03 CEST
           Universal time: Fri 2023-06-09 12:56:03 UTC
                 RTC time: n/a
                Time zone: Europe/Madrid (CEST, +0200)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

@Steph here are the logs from the mobile app

Device: Xiaomi M2012K11G
Android 12 (31)
Passbolt 1.14.0-22

14:36:59 Passphrase cache cleared
14:36:59 Passphrase cached
14:36:59 Getting server pgp and rsa keys
14:36:59 --> GET https://******.net/auth/verify.json http/1.1
14:36:59 <-- HTTP FAILED: java.io.IOException: unexpected end of stream on https://ic32k.ddns.net/...
14:36:59 --> GET https://******.net/auth/verify.json http/1.1
14:36:59 <-- 200 OK https:/******s.net/auth/verify.json (267ms, unknown-length body)
14:36:59 --> GET https://******.net/auth/jwt/rsa.json http/1.1
14:36:59 <-- 200 OK https://******.net/auth/jwt/rsa.json (268ms, unknown-length body)
14:36:59 Getting server pgp and rsa keys succeeded
14:36:59 Checking if time adjustment is needed
14:36:59 Time delta to big for sync. Showing error.
14:37:01 App went background
14:37:01 Passphrase cache cleared
14:42:22 Passphrase cache cleared
14:42:22 Passphrase cached
14:42:22 Getting server pgp and rsa keys
14:42:22 --> GET https://ic32k.ddns.net/auth/verify.json http/1.1
14:42:22 <-- HTTP FAILED: java.io.IOException: unexpected end of stream on https://ic32k.ddns.net/...
14:42:22 --> GET https://******.net/auth/verify.json http/1.1
14:42:22 <-- 200 OK https://******.net/auth/verify.json (251ms, unknown-length body)
14:42:22 --> GET https://******.net/auth/jwt/rsa.json http/1.1
14:42:22 <-- 200 OK https://******s.net/auth/jwt/rsa.json (246ms, unknown-length body)
14:42:22 Getting server pgp and rsa keys succeeded
14:42:22 Checking if time adjustment is needed
14:42:22 Time delta to big for sync. Showing error.
14:44:22 App went background
14:44:22 Passphrase cache cleared
14:53:01 App went background
14:53:01 Passphrase cache cleared
14:53:26 App went background
14:53:26 Passphrase cache cleared

Since NTP is set can you also confirm the phone time is set to network time? If for some reason you had manually set the time on your phone this can be the cause of the difference

YES!!! You nailed it!

Despite having the same time configured, there was a difference of a few seconds between the phone and the passbolt system, enough to fire the error and keep me out of the application.

Maybe the change of ISP was only a coincidence? Or maybe, as the IP changed, more checks were done before login…
Now I am curious about the origin of the failure.
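
The thread's fix came down to a few seconds of disagreement between the phone and the server that comparing displayed clocks did not reveal. As an added example (not Passbolt code and not from the original posts), this estimates that offset from the server's HTTP Date header and bounds the error by the round-trip time. The tolerance value, the function names and the sample timestamps are constructed assumptions; the page does not state the app's actual threshold.

```python
"""Estimate the clock offset between this device and an HTTPS server."""
import sys
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumed tolerance, for illustration only; the thread does not give the app's limit.
ASSUMED_TOLERANCE_S = 5.0


@dataclass(frozen=True)
class SkewEstimate:
    offset_s: float       # server clock minus local clock (positive: server is ahead)
    uncertainty_s: float  # half the round trip plus the Date header's 1 s granularity

    def verdict(self, tolerance_s=ASSUMED_TOLERANCE_S):
        """Classify the offset, staying honest about measurement error."""
        if abs(self.offset_s) - self.uncertainty_s > tolerance_s:
            return "out-of-sync"
        if abs(self.offset_s) + self.uncertainty_s <= tolerance_s:
            return "in-sync"
        return "inconclusive"


def estimate_skew(date_header, t_send, t_recv):
    """Compute the offset from a Date header and local send/receive epoch times."""
    if t_recv < t_send:
        raise ValueError("receive time precedes send time")
    server = parsedate_to_datetime(date_header)
    if server.tzinfo is None:  # "-0000" zone parses as naive; HTTP dates are UTC
        server = server.replace(tzinfo=timezone.utc)
    # The header is truncated to whole seconds, so the true server time lies in
    # [t, t + 1); take the midpoint and carry 0.5 s of uncertainty for it.
    server_mid = server.timestamp() + 0.5
    # Assume the server stamped the response halfway through the round trip.
    local_mid = (t_send + t_recv) / 2
    return SkewEstimate(
        offset_s=server_mid - local_mid,
        uncertainty_s=(t_recv - t_send) / 2 + 0.5,
    )


def probe(url, timeout=5.0):
    """Live measurement against a URL you administer (not exercised by the sample)."""
    request = urllib.request.Request(url, method="GET")
    t_send = time.time()
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            headers = response.headers
    except urllib.error.HTTPError as err:
        headers = err.headers  # error responses still carry a Date header
    t_recv = time.time()
    date_header = headers.get("Date")
    if date_header is None:
        raise RuntimeError("response carried no Date header")
    # Caveat: a caching proxy in front of the server can replay an old Date value.
    return estimate_skew(date_header, t_send, t_recv)


# Constructed sample: the server answers at 12:56:03 UTC while the client's own
# clock runs about nine seconds behind, with a 250 ms round trip.
SAMPLE_DATE_HEADER = "Fri, 09 Jun 2023 12:56:03 GMT"
SAMPLE_BASE = datetime(2023, 6, 9, 12, 56, 3, tzinfo=timezone.utc).timestamp()


def sample_estimate():
    return estimate_skew(SAMPLE_DATE_HEADER, SAMPLE_BASE - 9.0, SAMPLE_BASE - 8.75)


if __name__ == "__main__":
    # With a URL argument, measure live; otherwise show the constructed sample.
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else sample_estimate()
    print(f"offset {result.offset_s:+.3f} s, +/- {result.uncertainty_s:.3f} s: "
          f"{result.verdict()}")
```

Run it on the client side against the instance's own URL (for example the `/auth/verify.json` endpoint seen in the app log) to see how far the two clocks disagree, rather than comparing displayed times by eye.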