Error setting up mobile app

I updated my passbolt server to 3.7.3 and I am trying to set up the mobile app access without success. Whenever anybody with an account scans the QR code, the user gets an error message saying:

There was an error during transfer update(Something went wrong!)

On the phone screen. Any idea on what is wrong?

I use docker in a lan-only configuration (it is only accessible from the local network via the server IP and port by setting the env variable APP_FULL_BASE_URL=https://ip:port)

Helpful?

1 Like

I followed the information there without any success.

I have certificates that I mount in the docker container (these certificates are in a folder cert next to the docker-compose.yaml file):

...
  volumes:
     ...
      - ./certs/certificate.crt:/etc/ssl/certs/certificate.crt:ro
      - ./certs/certificate.key:/etc/ssl/certs/certificate.key:ro
      - ./certs/key.pem:/etc/ssl/certs/key.pem:ro
      - ./certs/cert.pem:/etc/ssl/certs/cert.pem:ro
  ...

The certificate.crt and certificate.key were generated automatically when I started docker and copied and fixed later. The *.pem files were created running:

openssl req -x509 \
    -newkey rsa:4096 \
    -days 120 \
    -subj "/C=LU/ST=Spain/L=Esch-Sur-Alzette/O=My organization/OU=My server/CN=192.168.1.20/" \
    -nodes \
    -addext "subjectAltName = IP:192.168.1.20" \
    -keyout key.pem \
    -out cert.pem

Then I imported the cert.pem into the mobile phone and I can see it in the list of trusted certificates under the user tab.

However, I still get the There was an error during transfer update(Something went wrong!) error message on the app.

Any idea?

Here are the app log files:

Device: vivo V2050
Android 12 (31)
Passbolt 1.9.0-11

14:33:30 javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
 at com.android.org.conscrypt.SSLUtils.toSSLHandshakeException(SSLUtils.java:363)
 at com.android.org.conscrypt.ConscryptEngine.convertException(ConscryptEngine.java:1134)
 at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1089)
 at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:876)
 at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:747)
 at com.android.org.conscrypt.ConscryptEngine.unwrap(ConscryptEngine.java:712)
 at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:858)
 at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
 at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:241)
 at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
 at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:367)
 at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:325)
 at okhttp3.internal.connection.RealConnection.connect(SourceFile:197)
 at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:249)
 at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:108)
 at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:76)
 at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:245)
 at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:96)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:197)
 at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:502)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
 at java.lang.Thread.run(Thread.java:1012)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
 at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:670)
 at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:547)
 at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:503)
 at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:423)
 at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.processDataFromSocket(ConscryptEngineSocket.java:858)
 at com.android.org.conscrypt.ConscryptEngineSocket$SSLInputStream.-$$Nest$mprocessDataFromSocket(Unknown Source:0)
 at com.android.org.conscrypt.ConscryptEngineSocket.doHandshake(ConscryptEngineSocket.java:241)
 at com.android.org.conscrypt.ConscryptEngineSocket.startHandshake(ConscryptEngineSocket.java:220)
 at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:367)
 at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:325)
 at okhttp3.internal.connection.RealConnection.connect(SourceFile:197)
 at okhttp3.internal.connection.ExchangeFinder.findConnection(SourceFile:249)
 at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(SourceFile:108)
 at okhttp3.internal.connection.ExchangeFinder.find(SourceFile:76)
 at okhttp3.internal.connection.RealCall.initExchange$okhttp(SourceFile:245)
 at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:32)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:96)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:83)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:76)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$AddCookiesInterceptor.intercept(SourceFile:57)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at com.passbolt.mobile.android.core.networking.interceptor.CookiesInterceptor$ReceivedCookiesInterceptor.intercept(SourceFile:38)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at com.passbolt.mobile.android.core.networking.interceptor.AuthInterceptor.intercept(SourceFile:22)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at com.passbolt.mobile.android.core.networking.interceptor.ChangeableBaseUrlInterceptor.intercept(SourceFile:40)
 at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:100)
 at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(SourceFile:197)
 at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:502)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
 at java.lang.Thread.run(Thread.java:1012)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
 at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:670)
 at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:547)
 at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:503)
 at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:423)
 at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:351)
 at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
 at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:90)
 at com.android.org.conscrypt.ConscryptEngineSocket$2.checkServerTrusted(ConscryptEngineSocket.java:163)
 at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:255)
 at com.android.org.conscrypt.ConscryptEngine.verifyCertificateChain(ConscryptEngine.java:1638)
 at com.android.org.conscrypt.NativeCrypto.ENGINE_SSL_read_direct(Native Method) 
 at com.android.org.conscrypt.NativeSsl.readDirectByteBuffer(NativeSsl.java:569)
 at com.android.org.conscrypt.ConscryptEngine.readPlaintextDataDirect(ConscryptEngine.java:1095)
 at com.android.org.conscrypt.ConscryptEngine.readPlaintextData(ConscryptEngine.java:1079)
 ... 35 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
 ... 49 more

It appears to be related to your cert which was imported to the device. It’s throwing an error because it doesn’t know the full chain. ssl - How to trust self signed certificate on Android? - Stack Overflow

Remove the following:

      - ./certs/certificate.crt:/etc/ssl/certs/certificate.crt:ro
      - ./certs/certificate.key:/etc/ssl/certs/certificate.key:ro

Whichever certificates or keys you are not using should be removed; I think the server might be getting confused, like @garrett mentioned.

Is there any chance you could buy domain name or use a sub-domain of a domain you own?
You can then request free SSL certificates from Let's Encrypt.

Trusting self-signed certificates is NOT a good idea. Especially on Android.

Guide is here for self signed certs: Passbolt Help | iOS / Android Mobile FAQ

Additional Security with HTTPS and SSL  |  Android Developers

If I remove the certificate.crt and certificate.key every time I restart the server a new certificate is produced and I have to accept it in the browser for the browser extensions to work. However, I’ve tried restarting the docker without these two files and the android app did not succeed with the same error.

I cannot expose the server to the public domain, as per the policy at the company I work at. It has to be accessible only within the company network.

When you install the cert to your phone, it needs to be the CA certificate option, not a user certificate. Trusted Credentials, not User Credentials.

You can also have a look at: Passbolt Help | Troubleshoot SSL

Hi @apalomer :wave: ,

According to the documentation, you should configure the mount like this to avoid creation of new certificates on each docker restart:

      - ./certs/cert.pem:/etc/ssl/certs/certificate.crt:ro
      - ./certs/key.pem:/etc/ssl/certs/certificate.key:ro

Cheers,

1 Like
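The mismatch behind this thread can be checked on the files before restarting the container. The following is an added example, not part of any post above and not passbolt's own tooling: it checks that the pair mounted as certificate.crt / certificate.key belongs together, carries the server IP as a subjectAltName, and is the same certificate that was imported on the phone. All function names are hypothetical, and it assumes OpenSSL 1.1.1 or later on the Docker host.

```bash
# Added example: sanity checks for the certificate pair mounted into the container.

# SHA-256 fingerprint of a PEM certificate (the value to compare with the phone's copy).
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 digest of the public key inside a certificate or a private key.
pubkey_digest() {  # $1 = "cert" or "key", $2 = file
  if [ "$1" = cert ]; then
    openssl x509 -in "$2" -noout -pubkey
  else
    openssl pkey -in "$2" -pubout
  fi | openssl dgst -sha256 | awk '{print $NF}'
}

# True when the private key belongs to the certificate.
key_matches_cert() {  # $1 = cert, $2 = key
  [ "$(pubkey_digest cert "$1")" = "$(pubkey_digest key "$2")" ]
}

# True when the certificate lists the IP as a subjectAltName.
cert_covers_ip() {  # $1 = cert, $2 = IP
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# Fingerprint of the certificate the running server presents (needs network access).
served_fp() {  # $1 = host:port
  openssl s_client -connect "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Verdict for the files mounted as certificate.crt / certificate.key,
# given the certificate that was imported on the phone.
check_pair() {  # $1 = mounted cert, $2 = mounted key, $3 = imported cert, $4 = server IP
  key_matches_cert "$1" "$2" || { echo "key-mismatch"; return 1; }
  cert_covers_ip "$1" "$4" || { echo "san-missing-ip"; return 1; }
  [ "$(cert_fp "$1")" = "$(cert_fp "$3")" ] || { echo "not-the-imported-cert"; return 1; }
  echo "ok"
}
```

With the mounts from the accepted answer, `check_pair certs/cert.pem certs/key.pem certs/cert.pem 192.168.1.20` should print `ok`; once the container is up, the output of `served_fp` for the server's ip:port should equal `cert_fp certs/cert.pem`.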

Thanks @AnatomicJC, that fixed the problem!

1 Like

Cooool :eyeglasses:

Don’t hesitate if you have further questions,

Best regards,

Hello everybody,

I’d like to add my learning regarding Let's Encrypt certificates and the passbolt Android app:
I failed as well for 2 days to set up a mobile device with the passbolt app.

The key was to install the intermediate certificates of Let's Encrypt on my Android devices.
You can download the intermediate certificates here:
https://letsencrypt.org/certificates/

The active ones are:

I hope this helps anyone who is trying to set up passbolt with Let's Encrypt.