I can create an account manually, but I cant log in without e-mail. How can i setup this service so that I ONLY need a username/password and do not need the server to send an e-mail to log in [recovery used for all new browser-based devices]

Installation Issues
1

I can create an account manually, but I cant log in without e-mail. How can i setup this service so that I ONLY need a username/password and do not need the server to send an e-mail to log in.

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

/usr/share/php/passbolt/bin# ./healthcheck 

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell         
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.33.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passwords.jwaresolutions.com
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 30 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [FAIL] The server OpenPGP key is not set
 [HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [FAIL] The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
 [HELP] Double check the key fingerprint, example: 
 [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
 [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
 [HELP] Import the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
 [FAIL] The server key does not have a valid email id.
 [HELP] Edit or generate another key with a valid email id.

 Application configuration

 [PASS] Using latest passbolt version (4.0.2).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] The self registration provider is: Email domain safe list.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [FAIL] SMTP Setting errors: Argument 1 passed to App\Utility\OpenPGP\Backends\Gnupg::setDecryptKeyFromFingerprint() must be of the type string, null given, called in /usr/share/php/passbolt/plugins/PassboltCe/SmtpSettings/src/Service/SmtpSettingsGetSettingsInDbService.php on line 109
 [WARN] The SMTP Settings source is: undefined.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [FAIL] 5 error(s) found. Hang in there!

root@c138568da5d1:/usr/share/php/passbolt/bin#
2

Something like this Recover account on a network without email - #2 by remy

3

I can recover an account, that is not the problem.
the problem is that whenever I open a new browser or new computer and I attempt to log in. I cant. Passbolt wants to send an e-mail verification before I can log in.

4

That’s normal. Recovery is used also for additional browser-based devices because the extension needs to be registered.

See Passbolt Help | Why do I need a browser extension?

5

I am not trying to recover anything. I created a new user and I cant log in with it. any time i try to log in with a new account, Passbolt tries to send a verification e-mail. the verification e-mail never gets sent. I either need to fix that so the verification e-mail goes out, or disable it so that new users can just put in their username/password to log in. I am not starting a commercial enterprise here, users are restricted to my family members, I don’t really need them to verify their e-mail address.

6

One of the posted requirements for installation is a working SMTP server for email notifications so the dependency on mail delivery should not come as surprise. You’ve posted elsewhere about your mail issue, so no need to do that here.

If you can’t get your email working, you can check the db for the registration link that is generated, and send that to your family member manually. It’s a workaround solution to exactly what you are describing you need.

7

That will work assuming the need for that registration link is a one and done thing. where is the registration link saved in the DB?

8

Sure, this can help you find it - it should be the first listed:

SELECT user_id, token from authentication_tokens WHERE type="register" AND active=1 ORDER BY created DESC;

Returns:

+--------------------------------------+--------------------------------------+
| user_id                              | token                                |
+--------------------------------------+--------------------------------------+
| 4fefec85-26a3-49b4-b8ce-ab19e4ec0b74 | 1952aa23-d0c1-4308-b3f5-76d6ea3eb3fc |
+--------------------------------------+--------------------------------------+

Then, use these values to send a link to the family member like:

https://yourdomain.tld/setup/install/{user_id}/{authentication_token}

https://yourdomain.tld/setup/install/4fefec85-26a3-49b4-b8ce-ab19e4ec0b74/1952aa23-d0c1-4308-b3f5-76d6ea3eb3fc

The email_queue has the email content, but this method will be more direct I think.

9

This is the same link that comes of of creating a user via cli with docker-compose -f docker-compose-ce.yaml exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake passbolt register_user -u {user} -f fname -l lname -r user" -s /bin/sh www-data

that will let me create a user, and setup a password. but that will not let that user log in on a new device without e-mail working.

10

I just tried it myself and it’s working fine for me.

  1. Create a new user as an admin.
  2. Create the link as described above, send the link to the other user.

The other user would click on that link and see:

  1. a message saying to download the extension (so, they install it)
  2. it refreshes after install and begins the setup process
  3. after setup, they are logged in

As the extension is now installed, when they go to log in it will show the email address used for the creation of the new user, and all they have to do is put in their passphrase.

The difference here is letting the user choose their own password.

So, if you are going to choose their password for them and get registered for them and generate the recovery kit…

You should then unregister the extension and use the email address again to request a recovery link:

SELECT user_id, token from authentication_tokens WHERE type="recover" AND active=1 ORDER BY created DESC;

NOTE: “recover” instead of “register”

And then send them this link:
https://yourdomain.tld/setup/recover/{user_id}/{authentication_token}

The recovery process is essentially the setup process, but no selection of passphrase at this point. They will use the recovery kit you send them, and they will also need to know the passphrase you chose for them.

I am thinking of my own mother as I write this, so hopefully it is helpful to you.

11

yes, if I send them the setup link they will be able to log in to a single device. the problem is then how do they log in to another device? the same register link wont work again, I tested that. based on what i see in authentication_tokens there is a new unique key for regular logins. I’m guessing there is a template somewhere that puts together a different link with those 2 pieces of information.

ultimately this whole thing is just a workaround for the original issue that I cant get passbolt to send an e-mail through Google workspaces (except when i am testing the e-mail server). I am not sure why I am having so many problems with that part. I don’t think I am doing anything complex here, just the most basic setup possible using docker.

Currently I am trying to just setup a basic e-mail server on the same droplet hoping I can avoid google workspaces entirely.

I have not sent any users anything yet because I want to make sure that it works. so I am creating test users and trying to figure out what instructions to give my family once it is done.

12

As long as you enable 2FA and create an app password in Google settings, you can even use any old Gmail account.

13

using a regular Gmail account worked, everything is working now. thanks for the help.

1 Like