Emails (using SMTP) not working, issue with wildcard certificate and server key error - Oracle Linux 8.5 - New install v3.9.0


I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

I'm using Oracle Linux 8.5 and Passbolt CE 3.9.0-3 (new install). It's a VM created on vSphere 6.7, with 4 cores, 8 GB RAM and 40 GB HDD in total.

The installation, configuration etc. was performed using this information.

Issue #1. Emails.

Once configured, the administrator account is created. The drawback is that there is no confirmation email when I try to log in.

I have seen in the forum that there was a problem with cron (3.8), where changing the account to root worked normally. But in this version (3.9) the cron has configured the Nginx account, which is correct; in any case I make the change to root to perform the test and it does not work either.



• Nginx $PASSBOLT_BASE_DIR/bin/cron > $PASSBOLT_LOG_DIR/cron.log 2> $PASSBOLT_LOG_DIR/cron-error.log
• root $PASSBOLT_BASE_DIR/bin/cron > $PASSBOLT_LOG_DIR/cron.log 2> $PASSBOLT_LOG_DIR/cron-error.log

When it was configured in the wizard, the test was performed and it worked normally.

Environment validated.

su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck --application --configFiles --core --database --environment --ssl" nginx

When the test is performed from the terminal the mail is sent.

su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck --gpg --smtpSettings" nginx

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

SMTP Settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Or set to true in /etc/passbolt/passbolt.php.

[PASS] No error found. Nice one sparky!

This command works fine.

su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt send_test_email --recipient=myuser@my.domain" nginx

Debug email shell
Email configuration
Port: 25
Password: *********
TLS: false
Sending email from: Passbolt passbolt@my.domain
Sending email to: myuser@my.domain
[220] Microsoft ESMTP MAIL Service ready at Fri, 20 Jan 2023 15:53:52 -0600
EHLO localhost
[250] Hello []
[250] SIZE 37748736
[250] DSN
[250] 8BITMIME
[250] XRDST
MAIL FROM:passbolt@my.domain
[250] 2.1.0 Sender OK
RCPT TO:myuser@my.domain
[250] 2.1.5 Recipient OK
[354] Start mail input; end with .
From: Passbolt passbolt@my.domain
To: myuser@my.domain
Date: Fri, 20 Jan 2023 21:53:52 +0000
Subject: Passbolt test email
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If you receive this email, it means that your passbolt smtp configuration is working fine.

[250] 2.6.0 [InternalId=113902532690034,] 1812 bytes in 0.102, 17.233 KB/sec Queued mail for delivery

Works fine.
su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt send_test_email --recipient=usar@my.domain" nginx



Issue #2. Wildcard certificate.

I have two errors concerning the security certificate.
In this case I am using a wildcard (*.my.domain) which covers the DNS name of the server ( and it's from a CA (RapidSSL).


[PASS] PHP version 8.1.14.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[FAIL] SSL peer certificate does not validate
**[FAIL] Hostname does not match when validating certificates.**
[WARN] Using a self-signed certificate
[HELP] Check Passbolt Help | Troubleshoot SSL
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate


[PASS] The application is able to connect to the database
[PASS] 26 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

Application configuration

[PASS] Using latest passbolt version (3.9.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[PASS] All email notifications will be sent.

[FAIL] 2 error(s) found. Hang in there!

Issue #3. Login error.

Sometimes when I try to do the login, it tells me that there is an error.


I have read the forums, made tests but I have not been able to solve the problems. So I look forward to recommendations.


Wow @darkm4n, this is a superb offering of information!

What does curl-config --ca show? We are hoping for a path. If it returns empty then curl is not compiled with CA lookup support.

Hello @garrett

Thanks for your time.

If I run the command, it tells me that it is not found. The server must not have the functionality installed.

$ sudo curl-config --ca
-bash: curl-config: command not found

The certificates (root, intermediate and certificate) were added to the server via trust anchor, also the files were copied to the server’s ca-trust.

Trust Anchor

sudo trust anchor /tmp/DigitcertRootCA.cer
sudo trust anchor /tmp/RapidSSLRSACA.cer
sudo trust anchor /tmp/Wildcard.crt


sudo cp /tmp/DigitcertRootCA.cer /usr/share/pki/ca-trust-source/anchors
sudo cp /tmp/RapidSSLRSACA.cer /usr/share/pki/ca-trust-source/anchors
sudo cp /tmp/Wildcard.crt /usr/share/pki/ca-trust-source/anchors

They can be verified with:
$ trust list

Source: RHEL info.


The HTTPS access looks to work normally in the web browsers (Chrome, Edge and Firefox).
The message is in Spanish, but the web browser indicates that the certificate is fine.

Is this similar to what you are referring to with curl and the CA?


I just had to do this the other day, but it’s manually setting the curl cacert path in php, I found an example on SO: curl: (60) SSL certificate problem: unable to get local issuer certificate - Stack Overflow

You could try that and see if that resolves the curl error.
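
Added example, not taken from any post in this thread: browsers can fill in a missing intermediate certificate from their cache or by fetching it, while cURL checks only what the server sends against its CA bundle, so a server that presents a wildcard leaf without its intermediate produces "unable to get local issuer certificate" even though browsers show the site as fine. The script assumes `openssl` is installed and builds a constructed root, intermediate and `*.my.domain` leaf to show that failure, the corrected case, and a host name the wildcard does not cover; whether this is the cause on the poster's server is an assumption.

```shell
#!/usr/bin/env bash
# Added example: every key, certificate and host name here is constructed.
set -u

# Build a throwaway chain in directory $1: root CA -> intermediate -> *.my.domain
make_chain() {
  local d=$1 n
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
subjectAltName = DNS:*.my.domain
EOF
  for n in root int leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key" 2>/dev/null
    openssl req -new -config "$d/x.cnf" -key "$d/$n.key" -subj "/CN=demo-$n" \
      -out "$d/$n.csr" || return 1
  done
  # sign: shared options for all three certificates ($d comes from make_chain)
  sign() { openssl x509 -req -days 2 -extfile "$d/x.cnf" "$@" 2>/dev/null; }
  sign -in "$d/root.csr" -signkey "$d/root.key" -extensions v3_ca -out "$d/root.pem" &&
  sign -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
       -extensions v3_ca -out "$d/int.pem" &&
  sign -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
       -extensions v3_leaf -out "$d/leaf.pem"
}

# check ROOT LEAF HOSTNAME [INTERMEDIATES]
# ROOT is the client's trust store, INTERMEDIATES is what the server sends along.
# Prints openssl's diagnosis; status is 0 only if chain and host name both verify.
check() {
  openssl verify -CAfile "$1" ${4:+-untrusted "$4"} -verify_hostname "$3" "$2" 2>&1
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_chain "$d" || { echo "openssl could not build the demo chain"; return 1; }
  echo "1) server sends the leaf only:"
  check "$d/root.pem" "$d/leaf.pem" passbolt.my.domain || true
  echo "2) server sends leaf plus intermediate:"
  check "$d/root.pem" "$d/leaf.pem" passbolt.my.domain "$d/int.pem"
  echo "3) host name outside the single wildcard label:"
  check "$d/root.pem" "$d/leaf.pem" a.b.my.domain "$d/int.pem" || true
  rm -rf "$d"
}
demo
```

To see what a live server actually sends, count the certificates printed by `openssl s_client -connect <host>:443 -showcerts`.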