Login occasionally impossible until server reboot

Checklist
I have read intro post: https://community.passbolt.com/t/about-the-installation-issues-category/12
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

Hi all,
from time to time my passbolt installation seems to break.
There does not seem to be a pattern what triggers the failure though.
Trying to reach the webpage instantly gives an error page, stating the ‘The authentication failed’, it won’t show the actual login to enter the passphrase.

The only solution I could come up with yet is rebooting the server.
(Tried restarting nginx before, but no luck)

Here’s the healthcheck:

Healthcheck
/ __ \____  _____ ____/ /_  ____  / / /_

/ // / __ `/ / / __ / __ / / _/
/ / // ( |
) /
/ / /
/ / / /
/
/ _
,
/
//./_//__/

Open source password manager for teams

Passbolt CE 4.10.1
Cakephp 4.5.7
Linux passbolt.APS-ESC.local 5.14.0-503.21.1.el9_5.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 19 09:37:00 EST 2024 x86_64 x86_64 x86_64 GNU/Linux
PHP 8.1.31 (cli) (built: Nov 19 2024 15:24:51) (NTS gcc x86_64)
mysql Ver 15.1 Distrib 10.5.22-MariaDB, for Linux (x86_64) using EditLine wrapper
gpg (GnuPG) 2.3.3
libgcrypt 1.10.0-unknown

 ____                  __          ____
/ __ \____  _____ ____/ /_  ____  / / /_

/ // / __ `/ / / __ / __ / / _/
/ / // ( |
) /
/ / /
/ / / /
/
/ _
,
/
//./_//__/

Open source password manager for teams

Healthcheck shell

Environment

[INFO] Linux passbolt.APS-ESC.local 5.14.0-503.21.1.el9_5.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 19 09:37:00 EST 2024 x86_64 x86_64 x86_64 GNU/Linux
[PASS] PHP version 8.1.31.
[PASS] PHP version is 8.1 or above.
[PASS] 64-bit architecture system detected.
[INFO] gpg (GnuPG) 2.3.3 / libgcrypt 1.10.0-unknown
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] System clock is synchronized and NTP service is active.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Cache is working.
[FAIL] Debug mode is on.
[HELP] Set debug to false in /etc/passbolt/passbolt.php
[PASS] Unique value set for security.salt
[PASS] Full base url is set to http://passbolt.aps-esc.local
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates.
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate.

SMTP settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled.
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one.
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (4.10.1).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[FAIL] App.fullBaseUrl is not set to HTTPS.
[HELP] Check App.fullBaseUrl url scheme in /etc/passbolt/passbolt.php.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema is up to date.

Database

[PASS] The application is able to connect to the database
[PASS] 34 tables found.
[PASS] Some default content is present.

[FAIL] 3 error(s) found. Hang in there!

 ____                  __          ____
/ __ \____  _____ ____/ /_  ____  / / /_

/ // / __ `/ / / __ / __ / / _/
/ / // ( |
) /
/ / /
/ / / /
/
/ _
,
/
//./_//__/

Open source password manager for teams

Cleanup shell (dry-run)

1 issues found in table Groups (with no members)
1 issues detected, please re-run without --dry-run to fix.

 ____                  __          ____
/ __ \____  _____ ____/ /_  ____  / / /_

/ // / __ `/ / / __ / __ / / _/
/ / // ( |
) /
/ / /
/ / / /
/
/ _
,
/
//./_//__/

Open source password manager for teams

Data check shell
[PASS] Data integrity for AuthenticationTokens.
[PASS] Can validate: 17/17
[PASS] Data integrity for Comments.
[PASS] Can validate: 0/0
[PASS] Data integrity for Favorites.
[PASS] Can validate: 0/0
[PASS] Data integrity for Gpgkeys.
[PASS] Can encrypt: 2/2
[PASS] Pass validation service checks: 2/2
[PASS] Entity data and armored key data matches: 2/2
[PASS] Is not expired: 2/2
[PASS] Is armored key format valid: 2/2
[PASS] Data integrity for Groups.
[PASS] Can validate: 4/4
[PASS] Data integrity for Profiles.
[PASS] Can validate: 2/2
[PASS] Data integrity for Resources.
[PASS] Can validate: 52/52
[PASS] Data integrity for Secrets.
[PASS] Can validate: 60/60
[PASS] Data integrity for Users.
[PASS] Can validate: 2/2

Here’s a portion of the error.log (debug activated):
(this is repeated over and over)

error.log

Request URL: /auth/verify.json?api-version=v2
Client IP: 192.168.168.95
2025-01-14 15:10:45 error: [Cake\Http\Exception\InternalErrorException] The authentication failed. in /usr/share/php/passbolt/src/Controller/Auth/AuthLoginController.php on line 103
Stack Trace:

  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Controller/Controller.php:560
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Controller/ControllerFactory.php:140
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Controller/ControllerFactory.php:115
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/BaseApplication.php:325
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:86
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/SecurityHeadersMiddleware.php:255
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/src/Middleware/HttpProxyMiddleware.php:50
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php:140
  • /usr/share/php/passbolt/src/Middleware/CsrfProtectionMiddleware.php:39
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtCsrfDetectionMiddleware.php:55
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/src/Middleware/GpgAuthHeadersMiddleware.php:40
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/plugins/PassboltCe/Locale/src/Middleware/LocaleMiddleware.php:47
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/plugins/PassboltCe/MultiFactorAuthentication/src/Middleware/InjectMfaFormMiddleware.php:67
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/plugins/PassboltCe/MultiFactorAuthentication/src/Middleware/MfaRequiredCheckMiddleware.php:82
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/vendor/cakephp/authentication/src/Middleware/AuthenticationMiddleware.php:124
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtDestroySessionMiddleware.php:43
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/src/Middleware/SessionAuthPreventDeletedOrDisabledUsersMiddleware.php:46
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/BodyParserMiddleware.php:162
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/src/Middleware/SessionPreventExtensionMiddleware.php:66
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/src/Middleware/ApiVersionMiddleware.php:46
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/src/Middleware/UuidParserMiddleware.php:52
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtRouteFilterMiddleware.php:47
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtAuthDetectionMiddleware.php:58
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php:189
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware.php:77
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/src/Middleware/SslForceMiddleware.php:52
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Error/Middleware/ErrorHandlerMiddleware.php:149
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/src/Middleware/ContentSecurityPolicyMiddleware.php:39
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/src/Middleware/ValidCookieNameMiddleware.php:45
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/src/Middleware/ContainerInjectorMiddleware.php:54
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:82
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php:67
  • /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Server.php:99
  • /usr/share/php/passbolt/webroot/index.php:40
  • [main]:

Request URL: /auth/verify.json?api-version=v2
Client IP: 192.168.168.95
2025-01-14 15:10:45 error: The authentication failed.

The server is a RHEL 9 installation, installed according to /docs/hosting/install/ce/redhat/

Hello @TzwennLen,

Since this is fixed by restarting the server and then reappears sporadically could you please check NTP sync as any issues with time syncs can cause issues with GPG keys?

1 Like

This did the trick, thank you!

2 Likes