Checklist
[√ ] I have read intro post: About the Installation Issues category
[ √] I have read the tutorials, help and searched for similar issues
[ √] I provide relevant information about my server (component names and versions, etc.)
[ √] I provide a copy of my logs and healthcheck
[ √] I describe the steps I have taken to trouble shoot the problem
[ √] I describe the steps on how to reproduce the issue
Using Passbolt Docker CE latest-non-root tag (3.5.0) + Maria DB 10.3
JWT creates successfully and all health checks passing (bar the following 3) - which I believe is expected when using Docker from my research?
- [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
- [FAIL] SSL peer certificate does not validate
- [FAIL] Hostname does not match when validating certificates.
____ __ ____
/ __ \____ _____ ____/ /_ ____ / / /_
/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
/_/ \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
-------------------------------------------------------------------------------
Healthcheck shell
-------------------------------------------------------------------------------
Environment
[PASS] PHP version 7.4.25.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.
Config files
[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables
Core config
[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.<our_domain>.com
[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in config/passbolt.php
[HELP] Check the network settings
SSL Certificate
[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
[HELP] fopen(https://passbolt.<our_domain>.com/healthcheck/status.json): failed to open stream: Connection refused
Database
[PASS] The application is able to connect to the database
[PASS] 26 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.
Application configuration
[PASS] Using latest passbolt version (3.5.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.
JWT Authentication
[WARN] The JWT Authentication plugin is disabled
[HELP] Set the environment variable PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED to true
[FAIL] 3 error(s) found. Hang in there!
Question/Request for assistance:
Is it expected that enabling JWT via environment variables (set to true) so that we are able to make use of the mobile app functionality on the community edition, that this would then ‘break’ the web authentication functionality in that attempting to authenticate via the web produces the message:
‘The route /auth/login is not permitted with JWT authentication.’
Apologies if this is well-known or obvious, but I have referenced a few set-up guides for JWT and Mobile feature and nothing I’ve found so far explicitly states this is the case if that is correct. There are no errors in my Docker logs, so I have to assume that this is intentional to a degree.
I suspect my confusion here is a misunderstanding of the intent for the mobile app, I believed so far that it was a form of MFA, but having just now read on the forums I see that MFA may be restricted to a pro plan, is that correct?
If my assumption above is correct and JWT/Mobile access cannot work in tandem with web authentication, can someone please explain (or point me to an article I may have missed) as to how users are intended to scan their QR code from within the web UI without being able to access the /auth/login route?
Likewise, if I’m incorrect, I’d greatly appreciate a point in the correct direction as to how to get this set up. There are no obvious server-side logs stating what the issue is here outside of the friendly message being displayed when I attempt to authenticate via the web UI. My hope was that we could have both the Web auth and Mobile auth/app working together for our users that work predominantly on their mobile devices.
Any advice and assistance appreciated