Expired SSL certificate

Good morning. We had an SSL certificate expire yesterday. This morning, we are unable to access Passbolt at all.

passbolt.xxxxx.net normally uses encryption to protect your information. When Chrome tried to connect to passbolt.xxxxx.net this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be passbolt.afs.net, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chrome stopped the connection before any data was exchanged.

You cannot visit passbolt.xxxxx.net right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

Naturally, the Passbolt admin account is stored in Passbolt. I have attempted other browsers as well, but I am having no success in getting the plug-in to load. Are there any hints or suggestions that will allow us to gain access to Passbolt to grab the admin account so we can update the certificate?

Hi @gshafer,

HTTP Strict Transport Security (HSTS) policy protects your website/applications from malicious attacks such as clickjacking, protocol downgrades and man-in-the-middle attacks. It is not possible to access an HTTPS website if HTTPS is misconfigured.

One solution is to temporarily disable HSTS. The way to do it depends on your configuration. Do you serve your https passbolt domain with the nginx configuration provided by the passbolt package, with a proxy in front of passbolt?

Another, less secure solution is to disable HTTPS and access passbolt with http:// instead of https://. For this, you have to update the passbolt.php configuration file and replace https with http in the fullBaseUrl parameter. You can have the ssl parameter set to true in the passbolt section. Set it to false to be able to access it over http.

(...)
    'passbolt' => [
        // GPG Configuration.
        // The keyring must be owned and accessible by the webserver user.
        // Example: www-data user on Debian
        'gpg' => [
            // Main server key.
            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => '335F793F3E96B3F132ED362ABDD47DA8865C097E',
                'public' => CONFIG . DS . 'gpg' . DS . 'serverkey.asc',
                'private' => CONFIG . DS . 'gpg' . DS . 'serverkey_private.asc',
            ],
        ],
        'registration' => [
            'public' => false,
        ],
        'ssl' => [
            'force' => true,
        ]
    ],
(...)

Best,
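
A monitoring check for the failure described in this thread (an expired certificate on a host that sends HSTS), added here as an example and not part of the original posts or of Passbolt's code. The function names, status labels and sample values are assumptions constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample values, not taken from the thread.
SAMPLE_NOT_AFTER = "Jun  1 12:00:00 2024 GMT"   # notAfter as ssl.getpeercert() formats it
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"
SAMPLE_NOW = datetime(2024, 6, 2, 8, 0, tzinfo=timezone.utc)


def parse_hsts(header):
    """Return (max_age_seconds, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = 0, False
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def assess(not_after, hsts_header, now, warn_days=30):
    """Classify a host by certificate expiry and HSTS policy.

    Returns (status, days_left); days_left is negative once the certificate has expired.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expires - now).days
    max_age, _ = parse_hsts(hsts_header)
    if expires <= now:
        # With an HSTS policy in force the browser offers no click-through,
        # and it keeps the cached policy until max-age runs out.
        return ("expired-hsts-lockout" if max_age > 0 else "expired-bypassable", days_left)
    if days_left < warn_days:
        return ("renew-soon", days_left)
    return ("ok", days_left)


if __name__ == "__main__":
    print(assess(SAMPLE_NOT_AFTER, SAMPLE_HSTS, SAMPLE_NOW))
```

In a real check the two inputs would come from `ssl.getpeercert()['notAfter']` and the response's `Strict-Transport-Security` header, run on a schedule so that `renew-soon` fires well before the lockout state.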