Can't reach passbolt Domain from PC, phone version works

Hello,

my Passbolt installation ran very well for some time. But since today I can’t use it anymore on my PC as my browser says it can’t reach the server.

When I use my phone app it can still connect to Passbolt and I can use my passwords, just the browser extension doesn’t work anymore.

Thank you very much for your help. I actually hoped it would work now.

Regards

Healthcheck

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.31-1~deb10u1.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://protoraspberry/
 [FAIL] App.fullBaseUrl does not validate. https://protoraspberry/.
 [HELP] Edit App.fullBaseUrl in config/passbolt.php
 [HELP] Select a valid domain name as defined by section 2.3.1 of http://www.ietf.org/rfc/rfc1035.txt
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fopen(): Failed to enable crypto
fopen(https://protoraspberry/healthcheck/status.json): failed to open stream: operation failed

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.6.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 3 error(s) found. Hang in there!

My system
My system
System: Raspberry Pi 4
OS: Raspbian 10
Web Server: Nginx 1.14.2
PHP v.: 7.3.31-1~deb10u1
Passbolt v.: 3.6.0

Hi @justinbernard I know using the domain without a tld worked for you in the past but can you add a .lan to the end to test it whether this is the issue?

Also note: any change in the noted domain will cause a recovery to need to be performed for the browser extension, so have your backed up private key (recovery bundle) handy.

1 Like

Hello @garrett , thanks for the fast response! Oddly enough it changes nothing I get the same error from my browser. “This site can’t be reached”

@justinbernard Any change in the healthcheck? What if you use the ip address instead… any response at all?

1 Like

@garrett yes, I can attach it below. The App.fullBaseUrl validation is now okay. But it can’t reach the /healthcheck/status with the url specified in App.fullBaseUrl anymore:

Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://protoraspberry.lan/
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in config/passbolt.php
 [HELP] Check the network settings

Using the IP
If I use the IP I can connect to my passbolt again. However this causes the SSL to not work again.

Health check excerpts

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://192.168.10.34/
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.
GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [FAIL] The private key cannot be used to decrypt and verify a message
 [FAIL] The public key cannot be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

@justinbernard I learned recently the fulBaseUrl should not have a trailing slash… try with it removed. Also, make sure the host device can resolve the new protoraspberry.lan domain.

1 Like

@garrett oh okay that’s good to know and explained why I configured it without the trailing slash before. I guess firefox can resolve .lan domains but also tried it using edge. Still gives the same error. I’ll attach the healthcheck

Healthcheck

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.31-1~deb10u1.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://protoraspberry.lan
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in config/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] fopen(): php_network_getaddresses: getaddrinfo failed: Name or service not known
fopen(https://protoraspberry.lan/healthcheck/status.json): failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.6.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 3 error(s) found. Hang in there!

@justinbernard What happens when you ping protoraspberry.lan from the pi device command line? The error is about not being able to resolve the domain. You can add/modify 127.0.0.1 protoraspberry.lan protoraspberry localhost into /etc/hosts if needed.

1 Like

@garrett after adding it to my hosts file I can ping it from the RaspberryPi console. The site still isn’t reachable.

One odd thing: originally the hosts file said:
127.0.1.1 protoraspberry instead of
127.0.0.1 protoraspberry.

What is right? I can ping both configurations using my raspberry pi console.

EDIT

This actually resolved one of the healtcheck’s errors:

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.31-1~deb10u1.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://protoraspberry.lan
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fopen(): Failed to enable crypto
fopen(https://protoraspberry.lan/healthcheck/status.json): failed to open stream: operation failed

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.6.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 2 error(s) found. Hang in there!

@justinbernard When you say it isn’t reachable, do you mean from your browser? If so, then protoraspberry.lan must also be resolvable from that device. If from your phone, the self signed certs need to be set up just right, and the tutorial is here Passbolt Help | iOS / Android Mobile FAQ

And don’t forget the healthcheck’s last message about the domain of the self signed cert.

1 Like

@garrett I guess that this domain isn’t reachable anymore is the problem in itself. If I try to ping it from the Windows PowerShell it also says that it couldn’t find that domain.

The certificates worked before and I guess I could get them to work with the “.lan” extension aswell once the problem is solved. As I said it only worked on my phone, out of nothing and only since today, before I changed the base URL but my PC somehow can’t resolve the base URL.

Edit

If so, then protoraspberry.lan must also be resolvable from that device.

Do you mean that I have to manually add it to my hosts file and say it should resolve to my Pi’s local IP?

Yep.

I’m not a browser expert, but without a tld I would think a browser would normally interpret that as a file location instead. The healthcheck looks good, so I think with some updated certs and adding the new domain to your hosts file on the PC, you should be set.

1 Like

Out of curiosity, which browser do you normally use? We could look into whether a recent update there may also cause this for others.

@garrett I use Firefox 101.0.1

@garrett Thank you very much! This actually solved the problem. Such an easy fix. I really don’t understand why it suddenly doesn’t work anymore but now it’s been solved!

1 Like

@justinbernard I vaugely recall Firefox works with self-signed certs out of the box only if the domain is .lan and needs an override for other scenarios, but I could be mistaken.

@garrett Actually the SSL and everything works perfectly fine after having added the association of the domain protoraspberry to my Pi’s local ip in the Windows hosts file.

I could even change the base URL back to just protoraspberry without the .lan to avoid having to sign new certificates.

Somehow my PC stopped knowing how to resolve the protoraspberry domain. I tried adding a local DNS record to my PiHole instead to avoid having to do it on each device but it didn’t work.

So I doubt the problem is really Firefox but rather Windows 11.

This is good to know! …I’m always comfortable blaming Windows myself. :wink:

I have not yet updated to Windows 11. Thanks for the extra info.

1 Like

Blaming Windows is always the solution! :sweat_smile:

I’d actually not recommend upgrading to you. I deeply regret it for missing the detailed taskbar item view as well as missing the option to move the taskbar to the top.

1 Like