“incorrect password or decryption error” after update to Passbolt 3.5.0 (Docker)

Hi !

Since I updated to Passbolt 3.5.0 on docker, I have the error “incorrect password or decryption error” when configuring the App.
I tried the solution described here below and changed the permission as described here : Can't use Android App - #21 by max

But still cannot use it. Unfortunatelly, I cannot produce the healthcheck report due to the database connection issue raised here : Need help to install passbolt with podman)

The container log is only showing : - - [12/May/2022:12:29:28 +0000] "GET /auth/jwt/rsa.json HTTP/1.1" 200 1097 "-" "okhttp/4.7.2"
2022-05-12 12:29:28,088 INFO reaped unknown pid 345 (exit status 0)
2022-05-12 12:29:28,088 INFO reaped unknown pid 347 (exit status 0) - - [12/May/2022:12:29:40 +0000] "GET /auth/verify.json HTTP/1.1" 200 28115 "-" "okhttp/4.7.2"
2022-05-12 12:29:40,019 INFO reaped unknown pid 350 (exit status 0)
2022-05-12 12:29:40,020 INFO reaped unknown pid 352 (exit status 0) - - [12/May/2022:12:29:40 +0000] "GET /auth/jwt/rsa.json HTTP/1.1" 200 1097 "-" "okhttp/4.7.2"
2022-05-12 12:29:40,377 INFO reaped unknown pid 355 (exit status 0)
2022-05-12 12:29:40,377 INFO reaped unknown pid 357 (exit status 0)

Does someone have the same issue ?

@johndi89 If your healthcheck is not working, and your database connection is down, you’ll first need to sort that out.

What errors are you seeing with your db connection issue? You linked to an issue that was resolved so we will need more information regarding what you are seeing since it did not help you.

Hi @garrett ,

I’ll try to be as explicit about the issues I currently have as I can.

  1. First and foremost, since I migrated from passbolt-ce 3.4.0 to 3.5.0 on docker, I cannot use the mobile app anymore. The app is stating “incorrect password or decryption error” when it asks for my user credentials (so after QR Code scanning). Latest passbolt docker logs are stating - - [16/May/2022:22:22:02 +0000] "GET /auth/jwt/rsa.json HTTP/1.1" 200 1097 "-" "okhttp/4.7.2"
2022-05-16 22:22:02,478 INFO reaped unknown pid 27912 (exit status 0)
2022-05-16 22:22:02,479 INFO reaped unknown pid 27914 (exit status 0)

To solve this, so far I tried :

  • Deleting app cache;
  • Reinstalling the app entirely;
  • Resetting permissions on jwt and gpg folders;
  • Removing gpg keys;
  1. To investigate this first issue, I tried to run a healthcheck and got
Healthcheck shell.....Notice Error: Undefined index: message                                                                                                                                               
In [/usr/share/php/passbolt/src/Utility/Healthchecks/DatabaseHealthchecks.php, line 72]                                                                                                                     
2022-05-16 22:25:16 Notice: Notice (8): Undefined index: message in [/usr/share/php/passbolt/src/Utility/Healthchecks/DatabaseHealthchecks.php, line 72]                                                    
Exception: Connection to Mysql could not be established: SQLSTATE[HY000] [2002] No such file or directory                                                                                                   
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Database/Driver.php, line 140]

However, as the web application and browser extensions are perfectly working, I assume the DB connection is working.

To solve this, I tried:

  • Changing docker DB host settings from container name to MariaDB Docker Port (Again, web application and browsers extnsions are working);
  • Checked /etc/environment to make sure variables were correctly set;
  • Installed mysql-client on passbolt-ce container and established a connection to the passbolt DB with provided IP (So no firewall nor network issue);
  • Added a var_dump(attributes) on /php/passbolt/src/Utility/Healthchecks/DatabaseHealthchecks.php, line 72 and got
array(2) {                                                                                                                                                                           
  string(5) "Mysql"                                                                                                                                                                                         
  string(48) "SQLSTATE[HY000] [2002] No such file or directory"                                                                                                                                             
  • Add a die(var_dump($datasource))on line 64 and got string(7) "default";
  • Add a die(var_dump($connection))on line 65 and got all the connection details stated as ***** (As I’m not a cake expert, I’m assuming it’s normal but I would like to check the connection string;
  • Add a var_dump($connection->config());on line 65 and got :
array(18) {                                                                                                                                                                          
  string(26) "Cake\Database\Driver\Mysql"                                                                                                                                                                   
  string(3) "UTC"                                                                                                                                                                                           
  array(0) {                                                                                                                                                                                                
  string(9) "localhost"                                                                                                                                                                                     
  string(0) ""                                                                                                                                                                                              
  string(0) ""                                                                                                                                                                                              
  string(0) ""                                                                                                                                                                                              
  string(0) ""                                                                                                                                                                                              
  string(0) ""                                                                                                                                                                                              
  string(0) ""                                                                                                                                                                                              
  string(7) "utf8mb4"                                                                                                                                                                                       
  string(7) "default"                                                                                                                                                                                       

So, if I’m looking at the right place (again, not a cake expert), it seems the healthcheck script is not picking DB configuration from docker Env properly.

I wanted to redifine de ‘default’ connection by setting a dsn (as described In cake documentation) to confirm that it would work but this

$dsn = 'mysql://passbolt:password@';                                                                                                                    
ConnectionManager::config('default', ['url' => $dsn]);

didn’t work at this point (I’ll keep looking as soon as I can).

At this point, I cannot evaluate if the two issues are related. If the healthcheck is not picking the DB connection correctl, maybe the API used by the mobile app is have the same issue. But as the web application and browser extensions are getting data from the PHP application and DB’ that’s a bit strange.

If someone more advanced in cake than I am have ideas/input/solution, please let me know :wink:


This is very helpful information, thanks.

Can you provide the healthcheck command you are executing which results in the error?

You’re very welcome (just trying to avoid being an idiot or making equests with only ‘it does not work’ as example :laughing:). Thank you for looking into it with me.

I’m running
usr/share/php/passbolt# sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"
from a docker bash terminal (as root - even if irrelevant because of sudo :nerd_face:)

@johndi89 I’m not wanting to assume, but it seems that maybe you have modified some of the source code as you were troubleshooting? By any chance are you able to roll-back your update? Do you have a backup image or something like that so another update could be attempted?

The thing that is hard to decipher is how you are saying the app works fine, but the healthcheck is complaining and won’t run. Without your environment variables and other diagnostic steps, it would be a lot of work to nail down what is happening. If you were using the standard approach and settings to begin with, maybe a second try at an update is the faster way to go.

Of course, if this is not an option, we can try to work on figuring it out.

Hi @johndi89 ,

There is no need to edit passbolt code in docker containers. Can you recreate your docker container to cancel your updates and run the passbolt healthcheck as instructed here: Passbolt Help | Troubleshoot Docker

I see in a previous topic you are using docker on Synology. Can you share how do you run the passbolt container on it ? With docker-compose ? How did you defined your volumes ?

Did you have a look at this thread: Permissions errors with docker on Synology ?


Hi !

First of all, thank you both for your kind support. I really appreciate it.
Second of all, my issues are (almost) solved. The healthcheck is now running perfectly and the mobile app configuration worked.

As you suggested, I recreated the containers to avoid any possible code contamination (even if as I was using only “big fat die(var_dump());” on a copied file, I had not much of doubt about my ability to roll-back :nerd_face:).

I also re-checked the gpg and jwt folders on the NAS and re-applied them to user 33 (as there is indeed no www-data user on my NAS) with

chown -R 33:33 /volume1/docker/passbolt-3.5.0/passbolt/jwt/
chown -R 33:33/volume1/docker/passbolt-3.5.0/passbolt/gpg/

However, instead of defining all docker Env variables with Synology User interface (which I usually do to avoid running root command on the entire NAS), I used a full docker-compose with entire configuration variables (putting it only as reference if needed):

version: '3.9'
    container_name: passbolt-3.5.0-mariadb-10.7.1
    image: mariadb:10.7.1
    restart: unless-stopped
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      - /volume1/docker/passbolt-3.5.0/mysql/:/var/lib/mysql
      - 3306:3306

    container_name: passbolt-3.5.0
    image: passbolt/passbolt:latest-ce
    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
      - passbolt-3.5.0-mariadb-10.7.1
      APP_FULL_BASE_URL: https://password.cap300.be
      DATASOURCES_DEFAULT_HOST: "passbolt-3.5.0-mariadb-10.7.1"
      PASSBOLT_SSL_FORCE: "true"
      - /volume1/docker/passbolt-3.5.0/passbolt/gpg/:/etc/passbolt/gpg
      - /volume1/docker/passbolt-3.5.0/passbolt/jwt/:/etc/passbolt/jwt
    command: ["/usr/bin/wait-for.sh", "-t", "0", " passbolt-3.5.0-mariadb-10.7.1:3306", "--", "/docker-entrypoint.sh"]
      - 80:80
      - 443:443
    #Alternatively for non-root images:
    # - 80:8080
    # - 443:4433


Doing so, the ENV variables are correctly picked up by the healthcheck script, which is now running fine.

I still have the following errors that I’ll need to solve :

 [FAIL] The server OpenPGP key is not set
 [HELP] Create a key, export it and add the fingerprint to config/passbolt.php                                                                                                                              
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg                                                                                                                                             
 [PASS] The public key file is defined in config/passbolt.php and readable.                                                                                                                                 
 [PASS] The private key file is defined in config/passbolt.php and readable.                                                                                                                                
 [FAIL] The server key fingerprint doesn't match the one defined in config/passbolt.php.                                                                                                                    
 [HELP] Double check the key fingerprint, example:                                                                                                                                                          
 [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'                                                                  
 [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.                                                                                                                             
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg                                                                                                                                             
 [FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring                                                                                           
 [HELP] Import the private server key in the keyring of the webserver user.                                                                                                                                 
 [HELP] you can try:                                                                                                                                                                                        
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data                                                                             
 [FAIL] The server key does not have a valid email id.                                                                                                                                                      
 [HELP] Edit or generate another key with a valid email id

I tried removing the keys (from inside the container and from the persistence folder on the NAS to rotate the key (as described here) but listing the keys with

gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg

stills returns two keys (one ultimate and one unknown), which however are using the provided “PASSBOLT_KEY_EMAIL” and “PASSBOLT_KEY_NAME”.

Sorry for my extra long post and once again, thank you for your help, quick reactions and really great product.

Cheers :slight_smile: