Passbolt Android app ssl not working

Hello,

As I’m trying to install the Passbolt mobile app on my Android device, I enabled SSL for my passbolt instance and created my own CA in order to trust my self-issued certificates on my Android phone. For this, I followed a German tutorial on how to issue SSL certificates with your own CA, merged my CA’s public key with the public key of my page and included them on my passbolt instance.

The healthcheck spits out some errors which I think appear because of the different hostname for the CA certificate, but encryption seems to work fine.

However, when I try to scan the QR Codes in my Passbolt mobile app, it says something went wrong and tries to scan the QR codes in an infinite loop.

Firefox on my mobile phone shows that the page isn’t trustworthy, although I imported my CA’s certificate on my phone.

Am I not understanding how to get your phone to trust your self-signed certificates?

Edit:
When using this command: sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/status-report" I get more errors in my healthcheck. I’ll attach it as “Healthcheck 2”.

Regards
Justin

Health check

-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.31-1~deb10u1.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://192.168.10.34:8080
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fopen(): Failed to enable crypto
fopen(https://192.168.10.34:8080/healthcheck/status.json): failed to open stream: operation failed

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (3.4.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 2 error(s) found. Hang in there!

Healthcheck 2

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
Passbolt CE 3.4.0
Cakephp 4.2.9
Linux ProtoRaspberry 5.10.63-v7l+ #1496 SMP Wed Dec 1 15:58:56 GMT 2021 armv7l GNU/Linux
PHP 7.3.31-1~deb10u1 (cli) (built: Oct 24 2021 15:18:08) ( NTS )
mysql  Ver 15.1 Distrib 10.3.31-MariaDB, for debian-linux-gnueabihf (armv8l) using readline 5.2
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
 ERROR: /usr/share/php/passbolt/bin/utils.sh: line 64: composer: command not found

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.31-1~deb10u1.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://192.168.10.34:8080
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fopen(): Failed to enable crypto
fopen(https://192.168.10.34:8080/healthcheck/status.json): failed to open stream: operation failed

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [FAIL] The private key cannot be used to decrypt and verify a message
 [FAIL] The public key cannot be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (3.4.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 4 error(s) found. Hang in there!


     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Cleanup shell (dry-run)
-------------------------------------------------------------------------------
No issue found, data looks squeaky clean!

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
Data check shell
[PASS] Data integrity for AuthenticationTokens.
  [PASS] Can validate: 63/63
[PASS] Data integrity for Comments.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Favorites.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Gpgkeys.
  [PASS] Can encrypt: 1/1
  [PASS] Can validate: 1/1
[PASS] Data integrity for Groups.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Profiles.
  [PASS] Can validate: 1/1
[PASS] Data integrity for Resources.
  [PASS] Can validate: 83/83
[PASS] Data integrity for Secrets.
  [PASS] Can validate: 83/83
[PASS] Data integrity for Users.
  [PASS] Can validate: 1/1
2021-12-19 18:08:53 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /usr/share/php/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: 192.168.10.21


2021-12-19 18:16:56 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /usr/share/php/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: 192.168.10.21


2021-12-19 18:35:28 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/img/illustrations/passphrase_intro.png" could not be found. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /img/illustrations/passphrase_intro.png
Client IP: 192.168.10.21


2021-12-19 18:35:28 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/img/diagrams/mobile-transfer.svg" could not be found. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /img/diagrams/mobile-transfer.svg
Client IP: 192.168.10.21


2021-12-19 18:35:28 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/img/controls/chevron-down_blue.svg" could not be found. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /img/controls/chevron-down_blue.svg
Client IP: 192.168.10.21

My system
System: Raspberry Pi 4
OS: Raspbian 10
Web Server: Nginx 1.14.2
PHP v.: 7.3.31-1~deb10u1
Passbolt v.: 3.4.0

My phone
Xiaomi Mi 9 running xiaomi.eu MIUI 12.6 on Android 11 RKQ1.200826.002

@justinbernard Not sure if this will help, but with self signed certs it’s still important to declare TLSv1.2 or TLSv1.3. Without these, the certs will often be processed by browsers as the lowest version which will throw errors.

In NGINX this is ssl_protocols TLSv1.2 TLSv1.3 in the server context.

1 Like

Hello @garrett,

thank you very much for your response.

I included this line in my nginx SSL configuration under /etc/passbolt/nginx-ssl.conf and it works fine on my computer. I’ll attach a photo below.

Strangely enough, Firefox on my PC trusts this page, but on my phone I still get the little crossed-out lock.


I installed chrome on my phone and get the following error: ERR_CERT_COMMON_NAME_INVALID

After having imported my root-ca cert into Microsoft Edge on my PC, it still doesn’t want to trust the page and spits out the following error: ERR_CERT_AUTHORITY_INVALID

@justinbernard I don’t have a reference to link but I recall desktop Firefox permitting local IP addresses for development. If you were to create self signed certs with a public IP my understanding is that it would not work in Firefox. The last time I created a self signed cert I left the common name blank. What is the common name on your cert?

ssl - Getting Chrome to accept self-signed localhost certificate - Stack Overflow is related to Chrome but a few years old.

1 Like

Hello @garrett,

the common name for my cert of my passbolt instance is 192.168.10.34 and the common name for my CA-Root cert also included in the same file is some random webpage of mine.

But would this post really resolve my problem? I have to get the SSL to be trusted on my whole phone in order for it to work and as I already installed my own Root-CA cert on my phone it should be working already.

I’ve read on this post that the mobile app only uses port 443, but I use port 8080 on my instance. So maybe this is why the app can’t connect when scanning the QR code, while the SSL certificate is already trusted by Android, just like it is in my desktop Firefox after having imported my Root-CA cert.

This would mean the page isn’t trusted only in my mobile Firefox and Chrome because they have some extra rules that, as a security measure and unlike desktop Firefox, don’t let self-created CAs through even though I trusted them in my Android OS. As you suggest, this seems to also be the case for Chromium on desktop (Chrome and Edge use it as their underlying engine).

I tried adding the SSL certificate today through the let’s encrypt … the URL the app thinks it’s serving from is https instead of http.

@justinbernard Or can you put an NGINX reverse proxy in front of your passbolt to listen on 443 and proxy_pass it back to 8080?

Hello community,

the problem was related to the fact that my cert had no subject alternative names defined. I defined them by adding -extfile v3.ext when generating the cert and creating the following v3.ext file:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = YOURDOMAIN

Thank you all very much for your help. Now the QR code reading doesn’t give me any errors anymore.

Regards
Justin

2 Likes
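The fix from the last post, as an added example that is not from the thread: it issues a server certificate from a private CA using an extension file like the v3.ext above, adds an IP.1 entry alongside DNS.1 (relevant when App.fullBaseUrl is an IP address, as in the healthcheck above), and then verifies the result the way a TLS client does. It assumes openssl 1.1.1 or newer is installed; the CA name, hostname and IP are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: issue a server certificate from a private CA
# with a subjectAltName covering a DNS name and an IP address, then verify it the
# way a TLS client does. Assumes openssl 1.1.1+; names and IPs are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_certs() {
  # 1. Private root CA (self-signed). This is the cert that gets imported on the phone.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Example Home CA" 2>/dev/null
  # 2. Server key and CSR. Modern clients ignore the CN for name matching.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=passbolt.home.example" 2>/dev/null
  # 3. Extension file: clients match against the SAN list, so every name and IP
  #    used in the base URL must appear here. IP.1 is what an IP-only URL needs.
  cat > "$WORK/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = passbolt.home.example
IP.1 = 192.0.2.34
EOF
  # 4. Sign the CSR with the CA, applying the extensions above (-extfile).
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/v3.ext" \
    -out "$WORK/server.pem" 2>/dev/null
}

# Both return 0 only when the leaf chains to the CA AND a SAN entry matches the argument,
# which is the same check that produced "Hostname does not match" in the healthcheck.
verify_name() { openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1; }
verify_ip()   { openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$1" "$WORK/server.pem" >/dev/null 2>&1; }

# Prints the SAN extension so it can be checked before the cert is deployed to nginx.
show_san() { openssl x509 -in "$WORK/server.pem" -noout -text | grep -A1 'Subject Alternative Name'; }
```

Run make_certs, then verify_name passbolt.home.example or verify_ip 192.0.2.34; a name or IP missing from the SAN list fails verification even though the chain to the CA is valid.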