Could not verify the server key. The authentication failed. (on Fedora 37)

Hey,

Thanks in advance for any help you might be able to offer.

Fresh install of Fedora 37 + Passbolt.
It is running at private IP 192.168.0.127 using a self signed cert.
Nginx (user changed in cron, to fix emails)

Passbolt worked for about a day, then suddenly stopped working. Not quite sure what happened. The error is “Could not verify the server key. The authentication failed.” There is no login, no skip, no nothing. Full stop.

I have checked around, but the other topics I found don't seem to have ‘unprovoked’ errors. Not sure how to interpret the health check.

Here is my health check.


Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 8.1.14.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to
[FAIL] App.fullBaseUrl does not validate. .
[HELP] Edit App.fullBaseUrl in config/passbolt.php
[HELP] Select a valid domain name as defined by section 2.3.1 of http://www.ietf.org/rfc/rfc1035.txt
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in config/passbolt.php
[HELP] Check the network settings

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check Passbolt Help | Troubleshoot SSL
[HELP] The source URI string appears to be malformed

Database

[PASS] The application is able to connect to the database
[PASS] 26 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (3.8.3).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in config/passbolt.php.
[FAIL] App.fullBaseUrl is not set to HTTPS.
[HELP] Check App.fullBaseUrl url scheme in config/passbolt.php.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

SMTP Settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.

[FAIL] 6 error(s) found. Hang in there!


Here is some extra info.

When I ran the install script, SSL failed because it was a local IP (not public). I installed passbolt without ssl, and then later created and imported a self-signed cert into nginx myself.

Some of these failures may be from this.

Hi @Solara Welcome!

Key verification is sensitive to synchronization of time so maybe check whether client and server are each running on accurate time.

Thanks for the tip. I checked both client and server have time matched to the second…

The SSL troubleshooting link in the healthcheck should help you with the SSL errors. The cert has a problem, try to resolve the errors first.

Thanks for the tip. Will follow the link and troubleshoot the SSL. In the meantime I have resolved the other 4 errors, so the updated healthcheck is below.

If I recreate a new cert, will PB reject that somehow/ fail to decrypt?

Thanks again !


Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 8.1.14.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://192.168.0.127/
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check Passbolt Help | Troubleshoot SSL
[HELP] cURL Error (60) SSL certificate problem: self-signed certificate

Database

[PASS] The application is able to connect to the database
[PASS] 26 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (3.8.3).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

SMTP Settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.

[FAIL] 2 error(s) found. Hang in there!

When the domain is changed (ip to domain or http to https), the server key will be different. This will result in a prompt being shown to the user, but it’s not a breaking change, just an alert. You can agree to it, since you made the change. The alert is a security feature.

A change to the site cert only should help it function right in this case but won’t result in other changes unless it also includes the above changes in domain, is my understanding.
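The two SSL failures in the healthcheck above ("SSL peer certificate does not validate" and "Hostname does not match when validating certificates") are the two independent checks a TLS client makes: is the certificate trusted, and does its subjectAltName cover the name or IP in the URL. A certificate created with only a CN of 192.168.0.127 fails the second check, because clients match IP literals only against iPAddress SAN entries. The script below is an added example, not part of the thread or of Passbolt itself; it generates a self-signed certificate whose SAN carries the IP, generates the CN-only kind for comparison, and checks which one actually lists the IP. It assumes an openssl that supports `-addext` (1.1.1 or later) and uses 192.168.0.127 from the thread as a sample value.

```shell
#!/bin/sh
# Added example, not from the thread: self-signed cert with an IP SAN for
# a passbolt instance served on a private IP, plus a check of what the
# "Hostname does not match" healthcheck line is looking at.
# Assumes: openssl >= 1.1.1 (for -addext).
set -e

# make_cert NAME IP [DAYS]: writes NAME.key / NAME.crt with an iPAddress SAN.
make_cert() {
  name=$1; ip=$2; days=${3:-365}
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -keyout "$name.key" -out "$name.crt" \
    -subj "/CN=$ip" \
    -addext "subjectAltName=IP:$ip" >/dev/null 2>&1
}

# make_cn_only_cert NAME IP: the common mistake, CN set but no SAN at all.
make_cn_only_cert() {
  name=$1; ip=$2
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$name.key" -out "$name.crt" \
    -subj "/CN=$ip" >/dev/null 2>&1
}

# cert_covers_ip CERT IP: exit 0 only if the SAN extension lists the IP.
# This is the property hostname validation checks for an IP literal;
# the CN is ignored for that purpose.
cert_covers_ip() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -q "IP Address:$2"
}

# Usage: sh this_script.sh 192.168.0.127
# Prints which of the two certificates would satisfy the SAN check.
if [ -n "${1:-}" ]; then
  work=$(mktemp -d)
  make_cert "$work/san" "$1"
  make_cn_only_cert "$work/cn_only" "$1"
  for c in san cn_only; do
    if cert_covers_ip "$work/$c.crt" "$1"; then
      echo "$c.crt: SAN covers $1"
    else
      echo "$c.crt: SAN does NOT cover $1 (hostname check fails)"
    fi
  done
  rm -rf "$work"
fi
```

Fixing the SAN clears the hostname mismatch only; the "peer certificate does not validate" line and cURL error 60 persist until the server-side healthcheck trusts the certificate, since a self-signed certificate is its own issuer. On Fedora that means placing the .crt under /etc/pki/ca-trust/source/anchors/ and running update-ca-trust, or accepting the WARN about self-signed certificates as a known condition of a private-IP deployment.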

Ok so, I created a new self signed cert, re-added it to the passbolt conf file in conf.d folder. Restarted nginx, also did a config test (this passed).

I receive the expected ‘Warning: Potential security risk ahead’, proceed. Then once again, the same server key error from passbolt. (screenshot below). Can't seem to get past this.

image

Would this be because the self signed cert doesn't come from a trusted CA? If yes, why did it work in the first place, and suddenly stop lol?

It’s not clear what the problem is. Is your healthcheck error-free? If so, we can inspect the extension console for hopefully more details:

  • If you are using Google Chrome you can go to: chrome://extensions, then activate the Developer mode in the top right corner. Look for the Passbolt card and click details button. Look for the Inspect views and the index.html link. A new window will appear - this is the debugger of the browser extension. Try to reproduce the error and post the results.

  • On Firefox, you can go to: about:debugging#/runtime/this-firefox. Then locate Passbolt and click Inspect. A new tab for the console of the browser extension will appear.

Thanks again, and sorry for the wait Garrett.

Debugger output screenshot posted below.

@Solara If you haven’t tried uninstalling the extension and reinstalling it with the recovery kit, I think I would try that next.

Hello,

How about making this change in nginx modsecurity?

Maybe you need to add the following custom rule exclusion in ModSecurity.
SecRule REQUEST_URI "@streq /auth/verify.json?api-version=v2" "id:1060,phase:2,ctl:ruleRemoveById=942100"

Source:
TroubleShooting

Regards.