Error 401 in /auth/is-authenticated.json endpoint

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

Hello. I am deploying passbolt-CE using the latest Helm charts in k3s, and apparently everything goes ok. But when try to login in the web app, sometimes it goes back to login page, and when login run successfully, the page keeps blank. I think the login via extension is working properly, when i login, it shows the search field.

Kubernetes version: v1.22.5+k3s1
Helm version: v3.10.2

My healthcheck file:

su -s /bin/bash -c "source /etc/environment; ./bin/cake passbolt healthcheck" www-data

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell                                                         
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 8.2.20.
 [PASS] PHP version is 8.1 or above.
 [PASS] PCRE compiled with unicode support.
 [PASS] Mbstring extension is installed.
 [PASS] Intl extension is installed.
 [PASS] GD or Imagick extension is installed.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Cache is working.
 [PASS] Debug mode is off.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.foo.bar
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates.
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate.

 SMTP settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [WARN] The SMTP Settings source is: env variables.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
 [PASS] No custom SSL configuration for SMTP server.

 JWT Authentication

 [WARN] The JWT Authentication plugin is disabled.
 [HELP] Set the environment variable PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED to true

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one.
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (4.9.1).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.
 [PASS] The database schema is up to date.

 Database

 [PASS] The application is able to connect to the database
 [PASS] 31 tables found.
 [PASS] Some default content is present.

 [PASS] No error found. Nice one sparky!

Basically i added the helm repo:

helm repo add passbolt https://download.passbolt.com/charts/passbolt

Then i ran the helm install pointing to the values.yaml. In this file, i did some modifications, disabling the persistentVolume, the redis and configuring the ingress.

values.yml:

redisDependencyEnabled: false
mariadbDependencyEnabled: true
postgresqlDependencyEnabled: false

global:
  imageRegistry: ""
  imagePullSecrets: []

redis:
  auth:
    enabled: false
    password: "CHANGEME"
  sentinel:
    enabled: false

mariadb:
  architecture: replication
  auth:
    rootPassword: root
    username: CHANGEME
    password: CHANGEME
    database: passbolt
    replicationPassword: CHANGEME

  primary:
    persistence:

      enabled: false
      existingClaim: ""
      subPath: ""
      storageClass: ""
      labels: {}
      annotations: {}
      accessModes:
        - ReadWriteOnce
      size: 2Gi
      selector: {}
  secondary:
    persistence:
      enabled: false
      subPath: ""
      storageClass: ""
      labels: {}
      annotations: {}
      accessModes:
        - ReadWriteOnce
      size: 4Gi
      selector: {}
app:
  databaseInitContainer:
    enabled: true
  image:
    registry: ""
    repository: passbolt/passbolt
    pullPolicy: IfNotPresent
    tag: 4.9.1-1-ce
  database:
    kind: mariadb
    ssl: off
  cache:
    redis:
      enabled: false
      sentinelProxy:
        enabled: false
        image:
          registry: ""
          repository: haproxy
          tag: "latest"
        resources: {}
  extraPodLabels: {}
  resources: {}
  tls:
    autogenerate: false
    existingSecret: foobar-wildcard-certificado

cronJobEmail:
  enabled: true
  schedule: "* * * * *"
  extraPodLabels: {}

gpgPath: /etc/passbolt/gpg
gpgServerKeyPrivate: ""
gpgServerKeyPublic: ""
gpgExistingSecret: passbolt-sec-gpg

jwtExistingSecret: passbolt-sec-jwt
jwtPath: /etc/passbolt/jwt
jwtServerPrivate: ""
jwtServerPublic: ""
jwtCreateKeysForced: false
jobCreateJwtKeys:
  extraPodLabels: {}

jobCreateGpgKeys:
  extraPodLabels: {}

passboltEnv:
  plain:
    PASSBOLT_LEGAL_PRIVACYPOLICYURL: https://www.passbolt.com/privacy
    APP_FULL_BASE_URL: https://passbolt.foo.bar
    PASSBOLT_SSL_FORCE: true
    PASSBOLT_REGISTRATION_PUBLIC: true
    CACHE_CAKE_DEFAULT_SERVER: 127.0.0.1
    EMAIL_TRANSPORT_DEFAULT_PORT: 587
    DEBUG: false
    PASSBOLT_KEY_EMAIL: email@foo.bar
    PASSBOLT_SELENIUM_ACTIVE: false
    PASSBOLT_PLUGINS_LICENSE_LICENSE: /etc/passbolt/subscription_key.txt
    EMAIL_DEFAULT_FROM: no-reply@foo.bar
    EMAIL_DEFAULT_FROM_NAME: Passbolt
    EMAIL_TRANSPORT_DEFAULT_HOST: FOOBAR
    EMAIL_TRANSPORT_DEFAULT_TIMEOUT: 30
    EMAIL_TRANSPORT_DEFAULT_TLS: true
    PASSBOLT_JWT_SERVER_KEY: /var/www/passbolt/config/jwt/jwt.key
    PASSBOLT_JWT_SERVER_PEM: /var/www/passbolt/config/jwt/jwt.pem
    PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED: false
    KUBECTL_DOWNLOAD_CMD: curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
    APP_DEFAULT_TIMEZONE: America/Recife
  secret:
    CACHE_CAKE_DEFAULT_PASSWORD: CHANGEME
    DATASOURCES_DEFAULT_PASSWORD: CHANGEME
    DATASOURCES_DEFAULT_USERNAME: CHANGEME
    DATASOURCES_DEFAULT_DATABASE: passbolt
    EMAIL_TRANSPORT_DEFAULT_USERNAME: foobar
  extraEnv:
    - name: TZ
      value: "America/Recife"
  extraEnvFrom:
    []
replicaCount: 2

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80

rbacEnabled: true

livenessProbe:
  httpGet:
    port: https
    scheme: HTTPS
    path: /healthcheck/status.json
    httpHeaders:
      - name: Host
        value: passbolt.foo.bar
  initialDelaySeconds: 20
  periodSeconds: 10
readinessProbe:
  httpGet:
    port: https
    scheme: HTTPS
    httpHeaders:
      - name: Host
        value: passbolt.foo.bar
    path: /healthcheck/status.json
  initialDelaySeconds: 5
  periodSeconds: 10

networkPolicy:
  enabled: false
  label: app.kubernetes.io/name
  podLabel: ingress-nginx
  namespaceLabel: ingress-nginx

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  create: true
  annotations: {}

podAnnotations: {}

podSecurityContext:
  {}
  # fsGroup: 2000

service:
  type: ClusterIP
  annotations: {}
  ports:
    https:
      port: 443
      targetPort: 443
      name: https
    http:
      port: 80
      targetPort: 80
      name: http

ingress:
  enabled: true
  className: nginx
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  hosts:
    - host: passbolt.foo.bar
      paths:
        - path: /
          port: https
          pathType: ImplementationSpecific
  tls:
    - autogenerate: false
      existingSecret: foobar-wildcard-certificado
      hosts:
        - passbolt.foo.bar
nodeSelector: {}

tolerations: []

affinity: {}

extraVolumes: []

extraVolumeMounts: []

Looking to my application log, i get the following error:

[20/Aug/2024:11:40:21 -0300] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 401 282 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"

And this is the response from this endpoint on the browser:

{
  "header": {
    "id": "d723f605-c03c-43e4-8909-c93d42fe0ee7",
    "status": "error",
    "servertime": 1724164874,
    "action": "4d2d5c43-a76a-5d4a-8f47-2b1f0268e3d6",
    "message": "Authentication is required to continue",
    "url": "/auth/is-authenticated.json?api-version=v2",
    "code": 401
  },
  "body": ""
}

I tried to add some annotations in the ingress, but doesn’t works. Like this:

    nginx.ingress.kubernetes.io/proxy-set-headers: |
      "Authorization": $http_authorization
      "X-GPGAuth-Verify-Response": $http_x_gpgauth_verify_response
      "X-GPGAuth-Progress": $http_x_gpgauth_progress
      "X-GPGAuth-User-Auth-Token": $http_x_gpgauth_user_auth_token

I can create users and confirm users via e-mail, but every user receive the same 401 error. I tried in Google Chrome and Firefox, both with the sabe problem. I searched the forum but didn’t find any topic with the same problem.

Not helm chart fluent, but sporadic disconnections could be caused by sessions not being persisted correctly in high availability setup. Like having replicaCount: 2 and not sharing sessions between replicas, since Redis is disabled? Try setting replica to 1 or enabling redis?

Nice. It works!!

Thank you so much!

1 Like