Emails (using SMTP) not working, issue with wildcard certificate and server key error - Oracle Linux 8.5 - New install v3.9.0

Hello,

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

I'm using Oracle Linux 8.5 and Passbolt CE 3.9.0-3 (new install). It's a VM created on vSphere 6.7, with 4 cores, 8 GB RAM and 40 GB HDD in total.

The installation, configuration etc. was performed using this information.

Issue #1. Emails.

Once configured, the administrator account is created. The drawback is that there is no confirmation email when I try to log in.

I have seen in the forum that there was a problem with cron (3.8), where changing the account to root made it work normally. But in this version (3.9) the cron job is configured with the nginx account, which is correct; in any case I changed it to root to perform the test and it does not work either.

Original.

PATH=/bin:/usr/local/bin:/usr/bin
PASSBOLT_BASE_DIR=/usr/share/php/passbolt
PASSBOLT_LOG_DIR=/var/log/passbolt

* * * * * nginx $PASSBOLT_BASE_DIR/bin/cron > $PASSBOLT_LOG_DIR/cron.log 2> $PASSBOLT_LOG_DIR/cron-error.log

Edited.

PATH=/bin:/usr/local/bin:/usr/bin
PASSBOLT_BASE_DIR=/usr/share/php/passbolt
PASSBOLT_LOG_DIR=/var/log/passbolt

* * * * * root $PASSBOLT_BASE_DIR/bin/cron > $PASSBOLT_LOG_DIR/cron.log 2> $PASSBOLT_LOG_DIR/cron-error.log

When it was configured in the wizard, the test was performed and it worked normally.

Environment validated.

su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck --application --configFiles --core --database --environment --ssl" nginx

When the test is performed from the terminal the mail is sent.

su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck --gpg --smtpSettings" nginx

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

SMTP Settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

[PASS] No error found. Nice one sparky!

This command works fine.

su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt send_test_email --recipient=myuser@my.domain" nginx

Debug email shell
Email configuration
Host: 1.0.0.0
Port: 25
Username:
Password: *********
TLS: false
Sending email from: Passbolt <passbolt@my.domain>
Sending email to: myuser@my.domain
Trace
[220] server.my.domain Microsoft ESMTP MAIL Service ready at Fri, 20 Jan 2023 15:53:52 -0600
EHLO localhost
[250] server.my.domain Hello [1.0.0.1]
[250] SIZE 37748736
[250] PIPELINING
[250] DSN
[250] ENHANCEDSTATUSCODES
[250] STARTTLS
[250] X-ANONYMOUSTLS
[250] AUTH NTLM
[250] X-EXPS GSSAPI NTLM
[250] 8BITMIME
[250] BINARYMIME
[250] CHUNKING
[250] XRDST
MAIL FROM:<passbolt@my.domain>
[250] 2.1.0 Sender OK
RCPT TO:<myuser@my.domain>
[250] 2.1.5 Recipient OK
DATA
[354] Start mail input; end with <CRLF>.<CRLF>
From: Passbolt <passbolt@my.domain>
To: myuser@my.domain
Date: Fri, 20 Jan 2023 21:53:52 +0000
Message-ID: <68a0dd712beb4894a7b55dd37ad0cba6@server.my.domian>
Subject: Passbolt test email
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Congratulations!
If you receive this email, it means that your passbolt smtp configuration is working fine.

.
[250] 2.6.0 <68a0dd712beb4894a7b55dd37ad0cba6@server.my.domian> [InternalId=113902532690034, Hostname=server.my.domain] 1812 bytes in 0.102, 17.233 KB/sec Queued mail for delivery
QUIT

Works fine.
su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt send_test_email --recipient=usar@my.domain" nginx

[screenshot: 20-01-2023_16-11-35]

[screenshot: 20-01-2023_16-11-58]

Issue #2. Wildcard certificate.

I have two errors concerning the security certificate.
In this case I am using a wildcard certificate (*.my.domain) which covers the DNS name of the server (passbolt.my.domain), and it's from a CA (RapidSSL).

Environment

[PASS] PHP version 8.1.14.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://server.my.domain
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check Passbolt Help | Troubleshoot SSL
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate

Database

[PASS] The application is able to connect to the database
[PASS] 26 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

Application configuration

[PASS] Using latest passbolt version (3.9.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[PASS] All email notifications will be sent.

[FAIL] 2 error(s) found. Hang in there!

Issue #3. Login error.

Sometimes when I try to do the login, it tells me that there is an error.

[screenshot: 20-01-2023_15-47-07]

I have read the forums, made tests but I have not been able to solve the problems. So I look forward to recommendations.

Regards.

Wow @darkm4n, this is a superb offering of information!

What does curl-config --ca show? We are hoping a path. If it returns empty then curl is not compiled with ca lookup support.

Hello @garrett

Thanks for your time :)

If I run the command, it tells me that it is not found. The server must not have the functionality installed.

$ sudo curl-config --ca
-bash: curl-config: command not found

Note.
The certificates (root, intermediate and the server certificate itself) were added to the server via trust anchor; the files were also copied to the server's ca-trust directory.

Trust Anchor

sudo trust anchor /tmp/DigitcertRootCA.cer
sudo trust anchor /tmp/RapidSSLRSACA.cer
sudo trust anchor /tmp/Wildcard.crt

CA-Trust

sudo cp /tmp/DigitcertRootCA.cer /usr/share/pki/ca-trust-source/anchors
sudo cp /tmp/RapidSSLRSACA.cer /usr/share/pki/ca-trust-source/anchors
sudo cp /tmp/Wildcard.crt /usr/share/pki/ca-trust-source/anchors

They can be verified with:
$ trust list

Source: RHEL info.

e.g.
[screenshot: 23-01-2023_12-04-39]

HTTPS access works normally in the web browsers (Chrome, Edge and Firefox).
The message is in Spanish, but the web browser indicates that the certificate is fine.

Is this similar to what you are referring to with curl and the CA?

Regards.
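The two SSL failures in the healthcheck above, cURL error 60 "unable to get local issuer certificate" and "Hostname does not match", can both be reproduced offline with openssl, which helps tell a chain problem apart from a trust-store problem. The script below is an added example, not code from the post or from Passbolt; the CA names, the *.my.domain wildcard and the hostnames are assumptions standing in for the DigiCert root, RapidSSL intermediate and wildcard certificate described in the post.

```shell
#!/bin/sh
# Added example (not from the post or from Passbolt): rebuild the two SSL
# failure modes from the healthcheck with a throwaway chain. Names are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Root -> intermediate -> wildcard leaf, the same shape as
# DigiCert root -> RapidSSL intermediate -> *.my.domain in the post.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.my.domain\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.my.domain" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Verify the leaf against a trust store, optionally with a file of untrusted
# intermediates (what a server sends alongside the leaf). Prints "ok" or the
# first openssl verify error text, which is the text cURL error 60 repeats.
chain_status() {  # $1 = trusted CA file, $2 = untrusted intermediates (optional)
  if [ -n "${2:-}" ]; then set -- -CAfile "$1" -untrusted "$2"; else set -- -CAfile "$1"; fi
  out="$(openssl verify "$@" "$WORK/leaf.crt" 2>&1 || true)"
  case "$out" in
    *": OK"*) echo ok ;;
    *) echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
  esac
}

# Hostname check against the wildcard: one label matches, the bare apex and a
# two-level name do not (a wildcard covers exactly one label).
host_status() {  # $1 = hostname to match against *.my.domain
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
       -verify_hostname "$1" "$WORK/leaf.crt" >/dev/null 2>&1; then echo ok; else echo mismatch; fi
}

make_chain
echo "root trusted, server sends bare leaf: $(chain_status "$WORK/root.crt")"
echo "root trusted, intermediate supplied:  $(chain_status "$WORK/root.crt" "$WORK/int.crt")"
for h in passbolt.my.domain my.domain a.passbolt.my.domain; do
  echo "hostname $h: $(host_status "$h")"
done
# Against the real server the equivalent probe is:
#   openssl s_client -connect server.my.domain:443 -servername server.my.domain -showcerts </dev/null
# and counting the certificates it prints tells you whether nginx sends the intermediate at all.
```

The first case is the message from the healthcheck: with only the root trusted and the server handing over the bare leaf, OpenSSL (and so cURL) reports "unable to get local issuer certificate". The intermediate has to come from somewhere, either concatenated after the leaf in the file nginx's ssl_certificate points to, or present in the client's trust store; note that a file copied into /usr/share/pki/ca-trust-source/anchors only takes effect once update-ca-trust has run, and the wildcard leaf itself does not need to be an anchor. The second case is the hostname line: *.my.domain matches passbolt.my.domain but neither my.domain nor a.passbolt.my.domain, so App.fullBaseUrl must name a host the certificate actually covers. To see which CA bundle the healthcheck's PHP will use, php -r 'var_dump(openssl_get_cert_locations(), ini_get("curl.cainfo"));' prints the locations PHP's OpenSSL and curl extensions consult.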

I just had to do this the other day; it's a matter of manually setting the curl cacert path in PHP. I found an example on SO: curl: (60) SSL certificate problem: unable to get local issuer certificate - Stack Overflow

You could try that and see if it resolves the curl error.