Hello.
After installing Passbolt using docker-compose, there was a problem when scanning a QR code.
When scanning, an error pops up: “There was an error during transfer update”, below app logs from phone:
Logs from Android
Device: Xiaomi Mi 9T Pro
Android 11 (30)
Passbolt 1.7.1-9
00:35:11 javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:362)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:849)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.access$100(ConscryptEngineSocket.java:722)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:238)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:217)
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:367)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:325)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:197)
at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:249)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:108)
at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:76)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:245)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:96)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:197)
at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:502)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:923)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:677)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:554)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:428)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:356)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:161)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:250)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1644)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:568)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
… 35 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
… 49 more
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:362)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:849)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.access$100(ConscryptEngineSocket.java:722)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:238)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:217)
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:367)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:325)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:197)
at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:249)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:108)
at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:76)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:245)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:96)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:197)
at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:502)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:923)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:677)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:554)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:428)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:356)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:161)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:250)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1644)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:568)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
… 35 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
… 49 more
00:35:11 There was an error during transfer update
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:362)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:849)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.access$100(ConscryptEngineSocket.java:722)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:238)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:217)
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:367)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:325)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:197)
at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:249)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:108)
at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:76)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:245)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:96)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:197)
at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:502)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:923)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:677)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:554)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:428)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:356)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:161)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:250)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1644)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:568)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
… 35 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
… 49 more
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:362)
at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:849)
at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.access$100(ConscryptEngineSocket.java:722)
at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:238)
at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:217)
at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:367)
at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:325)
at okhttp3.internal.connection.RealConnection.connect(SourceFile:197)
at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:249)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:108)
at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:76)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:245)
at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:96)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:197)
at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:502)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:923)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:677)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:554)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:510)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:428)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:356)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:161)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:250)
at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1644)
at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method)
at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:568)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
… 35 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
… 49 more
If I understand correctly, this happens because of an incomplete certificate chain. I tried to make a certificate and a key (cert.pem and key.pem) following this instruction https://help.passbolt.com/faq/hosting/mobile-faq:
openssl req -x509 \
-newkey rsa:4096 \
-days 120 \
-subj "/C=LU/ST=Luxembourg/L=Esch-Sur-Alzette/O=Passbolt SA/OU=Passbolt IT Team/CN=passbolt.domain.tld/" \
-nodes \
-addext "subjectAltName = DNS:passbolt.domain.tld" \
-keyout key.pem \
-out cert.pem
Next, I fixed the paths to new certificates in the passbolt container, in the nginx /etc/nginx/snippets/passbolt-ssl.conf configuration file:
## Passbolt provided file to be included from nginx main virtual hosts file.
# It allows to pull common SSL settings from a central place.
#
# Use the nginx include directive to pull this information in.
#
# Managed by Passbolt
listen [::]:443 ssl http2;
listen 443 ssl http2;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/certs/key.pem;
But even after that, when I scan the QR code, I get an error: “There was an error during transfer update” 
The browser on the computer only shows one certificate, not a chain of three certificates.
Help me please. How to properly configure the system?
and welcome to passbolt community forum 
While using self-signed certificates, you have to import the generated certificate in your Android app.