iOS pairing fails to connect to server

I am running the passbolt docker container, and for the life of me I cannot get the iOS app to scan the QR code successfully. I am at a loss as to where to check next. I feel like I am missing something basic here…

The web interface works just fine with the browser plugin and with navigating to the web page.

I am running with the variables below. As you can see, I’m exposing the SSL port of the container as 10443.

Now, when I go to fire up the iOS app, I follow the instructions for an existing account. On the computer, I navigate to the web page, log in, go to the profile, select mobile setup, hit “go”, and it brings up the QR code. I scan it with the phone running the iOS app, get a small pop-up on the screen saying it was successful and to keep moving, and then nothing happens. Eventually, I get a “Server was not reachable!” pop-up on the phone (it does say it cannot reach passbolt:10443), and the log on the phone shows:
Beginning new account transfer…
Processing QR code payload…
…processing succeeded, continuing transfer…
Error: serverNotReachable timeout

From the phone’s web browser, I can navigate to passbolt:10443 successfully, so I know it isn’t having trouble with DNS resolution.

I am running this on a server with a web server that has a bunch of virtual hosts, and that is why I have the port redirection to port 10443. (I will admit I started with port 1443, and bumped it to 10443 to see if that helped any.)

docker run --name passbolt \
  -p 8088:80 \
  -p 10443:443 \
  # certificate and key mounted into the container's nginx paths
  -v /etc/letsencrypt/archive/mydomain.com/cert1.pem:/etc/ssl/certs/certificate.crt \
  -v /etc/letsencrypt/archive/mydomain.com/privkey1.pem:/etc/ssl/certs/certificate.key \
  # database connection (MySQL/MariaDB on the host network)
  -e DATASOURCES_DEFAULT_HOST=10.1.100.1 \
  -e DATASOURCES_DEFAULT_PASSWORD=mydbpass \
  -e DATASOURCES_DEFAULT_USERNAME=mydbuser \
  -e DATASOURCES_DEFAULT_DATABASE=passbolt \
  # URL embedded in links, emails and the mobile QR code payload
  -e APP_FULL_BASE_URL=https://passbolt:10443/ \
  -e EMAIL_TRANSPORT_DEFAULT_HOST=mail \
  -e EMAIL_TRANSPORT_DEFAULT_PORT=25 \
  -e EMAIL_DEFAULT_FROM=janitor@mydomain.com \
  -e DEBUG=true \
  passbolt/passbolt

(BTW, it wouldn’t let me post this with all of the FQDNs in there, so I had to trim them out. Rest assured I have FQDNs for all of the host names.)

Hi @wesmoc :wave: and welcome to the passbolt community forum :handshake:

Do you have any warning about an untrusted certificate? Is the padlock green without any error? Can you share a screenshot?

I noticed that you are mounting cert1.pem as the SSL certificate. To make the certificate really trusted, you should use the fullchain.pem file instead, as this file contains the full certificate chain. It is mandatory for the passbolt mobile app to work. A simple cert is not enough to ensure security.

Another thought: when you generate certificates with Let’s Encrypt, something like this is displayed:

Congrats, we have successfully generated your certs, use /etc/letsencrypt/live/mydomain.com/fullchain.pem and /etc/letsencrypt/live/mydomain.com/privkey.pem

You should use the recommended paths :wink:

Best,

Thanks for the quick response! On a whim, I thought I would open passbolt outside of my home network, and sure enough everything worked. The instant I lock down the external access (even with the iOS device on the trusted wireless network), it stops working from the mobile device.

Thank you for the tip about the fullchain and paths. I thought it wouldn’t mount the file correctly into the container since the live path contains symlinks. But I’ve since learned it does mount correctly. I’ve updated to the fullchain in the live path.

I would include more images, but the forum only allows for one image to be attached.
The lock is green on my computer, the certificate is trusted (both before and after the cert changes) and there are no errors when browsing to the web page in Safari on the iOS device (my phone).

Hi @wesmoc,

If I understand correctly, the application is working fine if you open passbolt outside of your home, but doesn’t work anymore as soon as you lock down external access?

When locked down, are you accessing passbolt with the same domain name in your computer’s browser? I guess you resolve this domain name to an IP address from your private network?

When you are using your iPhone, are you sure your passbolt domain name resolves to your internal IP address?

Best,