Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue
We have just migrated our old passbolt installation from CentOS 7 to Rocky Linux 9, using the package installation method.
It works fine, until a random period of between 2-24 hours it will stop working and show the following error on the login screen:
“Could not verify the server key. The authentication failed.”
Restarting the nginx or passbolt service doesn’t fix the issue, but rebooting the server does.
The only log i can find is in /var/log/passbolt/error.log:
2024-07-17 01:10:33 error: [Cake\Http\Exception\InternalErrorException] The authentication failed. in /usr/share/php/passbolt/src/Controller/Auth/AuthLoginController.php on line 103
Request URL: /auth/verify.json?api-version=v2
Strangely it mentions forcessl is not set, but it is set in the config, and does auto redirect to the ssl version.
Operating System: Rocky Linux 9.4 (Blue Onyx), Linux 5.14.0-427.24.1.el9_4.x86_64
nginx version: nginx/1.20.1
10.5.22-MariaDB
PHP 8.1.29
Passbolt 4.8.0
____ __ ____ / __ \____ _____ ____/ /_ ____ / / /_/ // / __ `/ / / __ / __ / / _/
/ / // ( | ) // / // / / /
// _,///./_//__/Open source password manager for teams
Healthcheck shell
Environment
[PASS] PHP version 8.1.29.
[PASS] PHP version is 8.1 or above.
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.Config files
[PASS] The application config file is present
[PASS] The passbolt config file is presentCore config
[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.our.domain
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.SSL Certificate
[WARN] SSL peer certificate does not validate.
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate
[WARN] Hostname does not match when validating certificates.
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate
[WARN] Using a self-signed certificate.
[HELP] Check Troubleshooting SSL/TLS | Passbolt documentation.
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificateSMTP settings
[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.JWT Authentication
[PASS] The JWT Authentication plugin is enabled.
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found.GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one.
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.Application configuration
[PASS] Using latest passbolt version (4.8.0).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema up to date.Database
[PASS] The application is able to connect to the database
[PASS] 31 tables found.
[PASS] Some default content is present.[FAIL] 1 error(s) found. Hang in there!