Migrated Passbolt Source Install to Docker - Account Recovery pops up

Hey dear community,
I migrated my passbolt server from source install to Docker. The containers are starting but account recovery is popping up. I migrated: serverkeys, certs, database, passbolt.php

-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.27-1~deb10u1.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://blabla.bla
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 39 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [FAIL] This installation is not up to date. Currently using 3.2.2 and it should be v3.7.3.
 [HELP] See. https://www.passbolt.com/help/tech/update
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [WARN] Some email notifications are disabled by the administrator.

 [FAIL] 3 error(s) found. Hang in there!

Curl and browser requests are popping up in the logs, so it's definitely the right server, right IP and right name resolution. But somehow, somewhere, I'm missing something, and my browser add-on still thinks it's a new server? I'm sorry if the error is obvious; I searched a lot on here and didn't find anything that solved the issue. I'm happy about every answer, thanks!

Hi @CrossfireAUT ,

Unfortunately, I cannot read the health check with it being in one line.

Could you update your post to contain the health check exactly the way it is output to the terminal, line by line?

E.g.:

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell        
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 8.1.2.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://REDACTED
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.7.3).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [WARN] Registration is open to everyone.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set passbolt.registration.public to false in config/passbolt.php.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [PASS] No error found. Nice one sparky!

Something like the above as it is readable to all of us :slight_smile:

Regards
Bond

Hi @CrossfireAUT,

Did the domain change, even by one character?
If that's the case, the extension thinks it's a different server, so you need to recover your account (with your private key backup).

Best,
Max

Thanks for your answer, and I'm sorry, it seems like there was a copy & paste mistake. I will fix it instantly once I get home!

The domain and name didn't change in any way.

I edited it now, thanks again!

Okay, so your first issue is: you are using SSL and the server is unable to verify that the hostname matches the certificate. That's if you are using an FQDN (Fully Qualified Domain Name).

Your second issue, like @max stated:

The moment you change servers or anything slightly changes, your browser extension would need to be updated to the new domain name or IP. In this case I assume you might need to import the private key that you would use for that account.

I would suggest, as @max suggested, initiating an account recovery and importing your private key (backup); things should then work as expected again.

Although before doing that, I recommend sorting out your SSL issues.

Regards,
Bond

I think the first issue is not being able to verify the chain of trust: the container is missing the intermediate and/or root CA of the self-signed cert containing the FQDN. I will look into that today.

I want to avoid having the users recover their accounts. In the best-case scenario they don't notice anything, because everything is the same if migrated correctly (fingerprint, keys, name, certs etc.).

Please also have a look at our troubleshooting page for SSL: Passbolt Help | Troubleshoot SSL

Thanks a lot for the advice!
I don't know why passbolt is failing the part where the chain of trust gets verified, but I'm using a public wildcard cert from Sectigo. Is the error "using a self-signed certificate" wrong?
Inside the container, nginx is using the correct cert, as displayed in the browser (Chrome and Firefox say it's valid). Logging in with a local Passbolt admin user works fine without any need for recovery or other warnings. But logging in with LDAP users starts recovery, although I migrated everything.
There must be something I am missing?
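The chain-of-trust failure discussed above (the healthcheck's cURL error 60, "unable to get local issuer certificate") can be reproduced offline. The script below is an added example, not code from this thread or from passbolt: it builds a throwaway root -> intermediate -> leaf chain with openssl (the hostname passbolt.example and all keys are constructed placeholders), verifies the leaf against the root alone, which fails the same way a client fails when the server sends only its own certificate, and then verifies it again with the intermediate supplied, which passes. It also runs the hostname match the healthcheck reports on separately. Browsers often mask the missing-intermediate case because they fetch or cache intermediates; curl and PHP inside the container do not.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "unable to get local issuer
# certificate" with a constructed root -> intermediate -> leaf chain and show
# that supplying the intermediate fixes it. Everything here is throwaway:
# passbolt.example is a placeholder hostname and the keys live in a temp dir.
set -u

WORK="$(mktemp -d)"
HOST="passbolt.example"

# Self-contained openssl config so the result does not depend on the host's
# openssl.cnf. The leaf subjectAltName must match $HOST above.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:passbolt.example
EOF

# Build root CA, intermediate CA and server certificate (1-day validity).
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/openssl.cnf" -extensions ca_ext \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null || return 1

  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null || return 1
  openssl x509 -req -days 1 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions ca_ext \
    -out "$WORK/int.pem" 2>/dev/null || return 1

  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=$HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
    -out "$WORK/leaf.pem" 2>/dev/null || return 1
}

# What a client that trusts only the root sees when the server presents the
# bare leaf with no intermediate: prints "pass" or "fail".
verify_leaf_only() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo pass; else echo fail; fi
}

# The openssl reason string for that failure; it is the same text the
# healthcheck quotes behind cURL error 60.
missing_issuer_reason() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1
}

# Same check with the intermediate supplied (what nginx sends when its
# ssl_certificate file contains the full chain), plus the hostname match that
# the healthcheck reports on as a separate line. Argument: expected hostname.
verify_full_chain() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
       -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo pass; else echo fail; fi
}

if make_chain; then
  echo "leaf only, root trusted:            $(verify_leaf_only) ($(missing_issuer_reason))"
  echo "leaf + intermediate, $HOST:  $(verify_full_chain "$HOST")"
  echo "leaf + intermediate, other.example: $(verify_full_chain other.example)"
else
  echo "certificate generation failed" >&2
fi
```

The generated files stay in the temp directory printed by mktemp, so you can inspect them afterwards. The practical takeaway for a container migration is the second check: the file nginx serves as ssl_certificate has to contain the leaf followed by the intermediate(s), and the container's own CA bundle has to contain the root, or PHP's cURL call to the full base URL fails even though a browser shows the site as valid.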

No, it cannot be wrong. There is a misconfiguration somewhere.

Can you post your nginx configuration? You can obviously null out any information for privacy purposes.
How do you connect to the container externally?

Do you mean first-time login on a new browser?

Can you describe how you have your setup?