Passbolt helm chart issue with ios app

Health Report

Environment

 [PASS] PHP version 8.2.7.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [FAIL] Debug mode is on.
 [HELP] Set debug = false; in /etc/passbolt/passbolt.php
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.kub3.424cloud.net
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 30 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [FAIL] This installation is not up to date. Currently using 4.0.2 and it should be v4.1.0.
 [HELP] See. https://www.passbolt.com/help/tech/update
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [FAIL] The /etc/passbolt/jwt/ directory should not be writable.
 [HELP] You can try:
 [HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
 [HELP] sudo chmod 750 /etc/passbolt/jwt/
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [WARN] The SMTP Settings source is: env variables.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [FAIL] 3 error(s) found. Hang in there!

iOS Log

Device: iPhone iPhone
OS: 16.5.1
App: 1.14.4
----------
[2023-07-11 03:57:50] Initializing the app...
[2023-07-11 03:57:50] ...app initialization completed!
[2023-07-11 03:57:50] Verifying data integrity...
[2023-07-11 03:57:50] ...data integrity verification finished
[2023-07-11 03:57:50] Fetching server configuration...
[2023-07-11 03:57:50] ...server configuration fetching skipped!
[2023-07-11 03:57:51] [F7134D8A-D644-409B-87D8-AF1F8F57054D] HTTP GET /lookup
[2023-07-11 03:57:51] [F7134D8A-D644-409B-87D8-AF1F8F57054D] HTTP 200 /lookup
[2023-07-11 03:57:51] [D0B0C7E8-7A62-484E-AE1B-0F157EBBE8F0] HTTP GET /img/avatar/user_medium.png
[2023-07-11 03:57:52] [D0B0C7E8-7A62-484E-AE1B-0F157EBBE8F0] HTTP 200 /img/avatar/user_medium.png
[2023-07-11 03:58:01] Beginning authorization...
[2023-07-11 03:58:02] ...creating new access token...
[2023-07-11 03:58:02] ...fetching server public RSA key...
[2023-07-11 03:58:02] ...fetching server public PGP key...
[2023-07-11 03:58:02] [76C8D9E4-A1C2-4839-A167-30C1ED73D85F] HTTP GET /auth/verify.json
[2023-07-11 03:58:02] [1022FD2E-D7AC-46E8-8FFA-0764BCF2CFF2] HTTP GET /auth/jwt/rsa.json
[2023-07-11 03:58:02] [1022FD2E-D7AC-46E8-8FFA-0764BCF2CFF2] HTTP 200 /auth/jwt/rsa.json
[2023-07-11 03:58:02] [76C8D9E4-A1C2-4839-A167-30C1ED73D85F] HTTP 200 /auth/verify.json
[2023-07-11 03:58:02] ...verifying server public PGP key...
[2023-07-11 03:58:02] ...preparing authorization challenge...
[2023-07-11 03:58:02] [6DDE6047-9B1A-4291-81FA-9CB3169AC685] HTTP POST /auth/jwt/login.json
[2023-07-11 03:58:02] [6DDE6047-9B1A-4291-81FA-9CB3169AC685] HTTP 200 /auth/jwt/login.json
[2023-07-11 03:58:03] Access token signature verification failed
[2023-07-11 03:58:03] ...authorization failed!
[2023-07-11 03:58:03] Access token signature verification failed

I’m having difficulty debugging and getting past an “Access token signature verification” failure when logging into a self-hosted version of Passbolt from iOS that I am running on a Kubernetes cluster. To deploy it I used the Helm charts that the Passbolt team published on GitHub. As it stands, the web and browser plugin work, though when I attempt to log in via the iOS app I get the above error.

Here are my attempts to debug this.

  1. Checked the Kubernetes ingress to see if it was blocking anything. I could not definitely tell, since I had a hard time determining how the iOS app was authenticating itself; it seems to be hitting API endpoints that are not documented. So this could be the issue, though I don’t think so.
  2. I noticed that the version of Passbolt deployed from the Helm chart was out of date, so I deployed the most recent version using docker-compose, keeping the networking identical between the machine running docker-compose and Kubernetes, to see if I messed up some networking config on the edge. The version of Passbolt using docker-compose worked as intended. So maybe there is a bug in Passbolt 4.0.2?
  3. Changed the env variables PASSBOLT_AUTH_JWT_ACCESS_TOKEN, PASSBOLT_AUTH_LOGIN_TOKEN_EXPIRY and PASSBOLT_AUTH_MOBILE_TRANSFER_TOKEN_EXPIRY to longer times, to see if it was a timing difference between my phone and the server; it did not work.

My next idea is to go through the steps to upgrade the container image that Helm is deploying to see if that fixes the issue.

If that idea fails, it would be great to hear if anyone has any ideas on additional steps I could take to help debug this.

Hi @samuelcolacchia

Welcome to the forum.

Thank you for posting your health check.

I would check out the “HELP”, “WARN”, etc. in the health check.

For the iOS app to work, your Passbolt server must be secure.

Health check is showing debug is on - please check out this link

JWT settings

This link is for Helm troubleshooting

Passbolt helm

Hope these links help.

Hi @Duffman,

Looking at the warnings and help, they seem to be irrelevant to this issue.

Debug was intentionally set to true in hopes that I would be able to get more information to try and solve the issue. Though just for a sanity check I set debug to false to see if it would fix the issue; it did not.

You mentioned that the Passbolt server must be secure, and as far as I can tell it is (SSL cert, JWT token, GPG cert and key).

Additional things I have tried.

  1. Upgraded to 4.1.0 - no improvement
  2. Cleared the database and reinstalled - no improvement

After doing all this I found the mobile FAQ help page. When running the below script I got “JWT key and pem doesn’t match”; at first I ignored it since the healthcheck output “[PASS] A valid JWT key pair was found”. Though as a last-ditch effort I generated a new JWT key and cert rather than letting the Helm scripts do it. The new JWT key worked and I can log in using the mobile app!

if openssl rsa -in /etc/passbolt/jwt/jwt.key -outform PEM -pubout 2>/dev/null | diff /etc/passbolt/jwt/jwt.pem - > /dev/null; then echo "OK: JWT key matches with JWT pem"; else echo "NOT OK: JWT key and pem doesn't match"; fi

To Fix

ssh-keygen -t rsa -b 4096 -m PEM -f jwt.key
openssl rsa -in jwt.key -pubout -outform PEM -out jwt.key.pub

cat jwt.key | base64 -w 0
copy the output to jwtServerPrivate in values.yaml
jwtServerPrivate: "string with base64 private key"

cat jwt.key.pub | base64 -w 0
copy the output to jwtServerPublic in values.yaml
jwtServerPublic: "string with base64 public key"
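A pre-deployment check for the Helm values described above, as an added example that is not code from the Passbolt project or this thread: it decodes the base64 jwtServerPrivate / jwtServerPublic strings exactly as they are pasted into values.yaml and verifies that they are a matching RSA key pair, so a mismatch like the one in this thread is caught before the server ever reports “A valid JWT key pair was found”. It assumes openssl and a base64 that accepts -d (GNU coreutils); the function names are made up here.

```shell
#!/bin/sh
# Added example, not code from the Passbolt project or the forum post.
# Verifies that the jwtServerPrivate / jwtServerPublic values destined for the
# Helm values.yaml are a matching RSA key pair before they are deployed.
# Assumes openssl and a base64 that accepts -d (GNU coreutils); function names are ours.

# jwt_pair_matches PRIVATE_PEM_FILE PUBLIC_PEM_FILE
# Derive the public key from the private key and compare it with the stored one.
# Both sides are re-serialised by openssl, so the check compares key material
# rather than raw bytes (a trailing newline cannot cause a false mismatch).
jwt_pair_matches() {
    derived=$(openssl rsa -in "$1" -pubout -outform PEM 2>/dev/null) || return 1
    stored=$(openssl rsa -pubin -in "$2" -pubout -outform PEM 2>/dev/null) || return 1
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# jwt_values_match BASE64_PRIVATE BASE64_PUBLIC
# Same check on the base64 strings exactly as they are pasted into values.yaml.
jwt_values_match() {
    tmp=$(mktemp -d) || return 1
    printf '%s' "$1" | base64 -d > "$tmp/jwt.key" 2>/dev/null
    printf '%s' "$2" | base64 -d > "$tmp/jwt.pem" 2>/dev/null
    if jwt_pair_matches "$tmp/jwt.key" "$tmp/jwt.pem"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# pem_to_values_b64 PEM_FILE: encode a PEM file on one line (what `base64 -w 0` does).
pem_to_values_b64() {
    base64 < "$1" | tr -d '\n'
}

# jwt_selfcheck: generate a throwaway pair, encode it for values.yaml and verify it,
# then confirm that the private key paired with an unrelated public key is rejected.
jwt_selfcheck() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/jwt.key" 2048 2>/dev/null
    openssl rsa -in "$d/jwt.key" -pubout -outform PEM -out "$d/jwt.pem" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    openssl rsa -in "$d/other.key" -pubout -outform PEM -out "$d/other.pem" 2>/dev/null
    priv=$(pem_to_values_b64 "$d/jwt.key")
    ok=1
    if jwt_values_match "$priv" "$(pem_to_values_b64 "$d/jwt.pem")"; then echo "OK: values.yaml pair matches"; else ok=0; fi
    if jwt_values_match "$priv" "$(pem_to_values_b64 "$d/other.pem")"; then ok=0; else echo "NOT OK: key and pem do not match (rejected as expected)"; fi
    rm -rf "$d"
    [ "$ok" = 1 ]
}

jwt_selfcheck
```

Run `jwt_values_match "$(grep jwtServerPrivate values.yaml | cut -d'"' -f2)" "$(grep jwtServerPublic values.yaml | cut -d'"' -f2)"` against your own values.yaml before `helm upgrade`; a non-zero exit means the pair the chart will install does not match.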