Mobile iOS application: can't connect to local host with self-signed certificate by QR code

When I try to connect to my local passbolt server, which works with a self-signed certificate, I see a message.

In passbolt log i find this:

2021/11/25 10:35:48 [info] 146#146: *1365 peer closed connection in SSL handshake while SSL handshaking, client: 192.168.40.15, server: 0.0.0.0:443

I added the root certificate to my iPhone, but the problem doesn't go away.

About my setup.
Healthcheck:

root@0423493c3ea1:/usr/share/php/passbolt# su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell        
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.25.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [FAIL] Debug mode is on.
 [HELP] Set debug = false; in config/passbolt.php
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.ngn.eltex.loc:443
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fopen(): Failed to enable crypto
fopen(https://passbolt.ngn.eltex.loc/healthcheck/status.json): failed to open stream: operation failed

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (3.3.1).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 3 error(s) found. Hang in there!

Passbolt is running in docker compose.

Is it possible to connect to passbolt with self-signed SSL certs from the iOS app?

More details:



Hi @rudeqit :wave:

Thanks for testing our mobile app and your detailed report. For now, the iOS app is not able to connect to Passbolt instances with self-signed certificates, even if the certificate has been imported in your iPhone.

It is an issue we are aware of, as some users have reported this to us. It is in our backlog and will be fixed in a future release.

Regards,

Hi _jc,
can you tell us roughly when self-signed certs will work in the mobile app?

Thanks!

Hi @plutzo :wave: and welcome to passbolt community forum :people_holding_hands:

This post is quite old and both Android and iOS apps accept self-signed certificates.

You find on this FAQ page how to properly generate your self-signed certificate: Passbolt Help | iOS / Android Mobile FAQ

It is important to set a subjectAltName.

And in this other FAQ page, you will learn how to import your certificate into your smartphone to make the passbolt mobile app work smoothly: Passbolt Help | How to import SSL certificate on mobile application

Don’t hesitate to ask if you have further questions.

Best regards,
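As an added example (not code from the passbolt project or from anyone in this thread), the script below does what the last reply recommends: it creates a small private CA, issues a server certificate that carries a subjectAltName for the passbolt hostname, and then runs the same two checks that the healthcheck above reports as "SSL peer certificate does not validate" and "Hostname does not match", namely chain validation against the CA and hostname matching against the SAN. The hostname passbolt.ngn.eltex.loc is taken from the healthcheck output; the output directory, file names and the CA subject are assumptions for illustration. It only needs a POSIX shell and OpenSSL 1.1.0 or later (for `openssl verify -verify_hostname`).

```shell
#!/bin/sh
# Added example: private CA + server certificate with a subjectAltName,
# plus the validation checks a TLS client (or the passbolt healthcheck) performs.
# Paths, CA subject and the example hostname are illustrative assumptions.
set -eu

# make_passbolt_cert HOST DIR
# Writes ca.key/ca.crt (import ca.crt on the phone) and server.key/server.crt
# (configure these in nginx) into DIR. server.crt carries SAN DNS:HOST.
make_passbolt_cert() {
  host="$1"
  dir="$2"
  mkdir -p "$dir"

  # 1. CA config: explicit CA:TRUE and keyCertSign so the root is accepted as a CA
  #    even when the system openssl.cnf defaults are not available.
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Passbolt local CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1

  # 2. Server key and CSR. The CN alone is NOT used for hostname matching by
  #    modern clients; the SAN added in step 3 is what gets checked.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$host" >/dev/null 2>&1

  # 3. Leaf extensions: serverAuth EKU and the subjectAltName for the host.
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

  # 4. Sign the CSR with the CA, applying the leaf extensions.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" >/dev/null 2>&1
}

# check_passbolt_cert HOST DIR
# Exit 0 if DIR/server.crt chains to DIR/ca.crt AND its SAN matches HOST,
# non-zero otherwise (chain failure or hostname mismatch, the two healthcheck FAILs).
check_passbolt_cert() {
  host="$1"
  dir="$2"
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$dir/server.crt" >/dev/null 2>&1
}

# show_san DIR: print the SAN extension of server.crt (OpenSSL 1.1.1+ for -ext).
show_san() {
  openssl x509 -in "$1/server.crt" -noout -ext subjectAltName
}

# Usage: sh make-cert.sh passbolt.ngn.eltex.loc ./certs
if [ "$#" -eq 2 ]; then
  make_passbolt_cert "$1" "$2"
  if check_passbolt_cert "$1" "$2"; then
    echo "server.crt validates for $1"
    show_san "$2"
  else
    echo "server.crt does NOT validate for $1" >&2
    exit 1
  fi
fi
```

After running it, nginx gets server.crt and server.key, the phone gets ca.crt, and the hostname in App.fullBaseUrl must be the one passed as HOST, otherwise the app (and the healthcheck's fopen) will reject the certificate exactly as in the log above. Note that the healthcheck runs inside the passbolt container, so ca.crt also has to be trusted by that container's OpenSSL/PHP trust store for the "SSL Certificate" section to pass.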