Health Report
Environment
[PASS] PHP version 8.2.7.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.
Config files
[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables
Core config
[FAIL] Debug mode is on.
[HELP] Set debug = false; in /etc/passbolt/passbolt.php
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.kub3.424cloud.net
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate
Database
[PASS] The application is able to connect to the database
[PASS] 30 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.
Application configuration
[FAIL] This installation is not up to date. Currently using 4.0.2 and it should be v4.1.0.
[HELP] See. https://www.passbolt.com/help/tech/update
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
JWT Authentication
[PASS] The JWT Authentication plugin is enabled
[FAIL] The /etc/passbolt/jwt/ directory should not be writable.
[HELP] You can try:
[HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
[HELP] sudo chmod 750 /etc/passbolt/jwt/
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
[PASS] A valid JWT key pair was found
SMTP Settings
[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[WARN] The SMTP Settings source is: env variables.
[HELP] It is recommended to set the SMTP Settings in the database through the administration section.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[FAIL] 3 error(s) found. Hang in there!
IOS Log
Device: iPhone iPhone
OS: 16.5.1
App: 1.14.4
----------
[2023-07-11 03:57:50] Initializing the app...
[2023-07-11 03:57:50] ...app initialization completed!
[2023-07-11 03:57:50] Verifying data integrity...
[2023-07-11 03:57:50] ...data integrity verification finished
[2023-07-11 03:57:50] Fetching server configuration...
[2023-07-11 03:57:50] ...server configuration fetching skipped!
[2023-07-11 03:57:51] [F7134D8A-D644-409B-87D8-AF1F8F57054D] HTTP GET /lookup
[2023-07-11 03:57:51] [F7134D8A-D644-409B-87D8-AF1F8F57054D] HTTP 200 /lookup
[2023-07-11 03:57:51] [D0B0C7E8-7A62-484E-AE1B-0F157EBBE8F0] HTTP GET /img/avatar/user_medium.png
[2023-07-11 03:57:52] [D0B0C7E8-7A62-484E-AE1B-0F157EBBE8F0] HTTP 200 /img/avatar/user_medium.png
[2023-07-11 03:58:01] Beginning authorization...
[2023-07-11 03:58:02] ...creating new access token...
[2023-07-11 03:58:02] ...fetching server public RSA key...
[2023-07-11 03:58:02] ...fetching server public PGP key...
[2023-07-11 03:58:02] [76C8D9E4-A1C2-4839-A167-30C1ED73D85F] HTTP GET /auth/verify.json
[2023-07-11 03:58:02] [1022FD2E-D7AC-46E8-8FFA-0764BCF2CFF2] HTTP GET /auth/jwt/rsa.json
[2023-07-11 03:58:02] [1022FD2E-D7AC-46E8-8FFA-0764BCF2CFF2] HTTP 200 /auth/jwt/rsa.json
[2023-07-11 03:58:02] [76C8D9E4-A1C2-4839-A167-30C1ED73D85F] HTTP 200 /auth/verify.json
[2023-07-11 03:58:02] ...verifying server public PGP key...
[2023-07-11 03:58:02] ...preparing authorization challenge...
[2023-07-11 03:58:02] [6DDE6047-9B1A-4291-81FA-9CB3169AC685] HTTP POST /auth/jwt/login.json
[2023-07-11 03:58:02] [6DDE6047-9B1A-4291-81FA-9CB3169AC685] HTTP 200 /auth/jwt/login.json
[2023-07-11 03:58:03] Access token signature verification failed
[2023-07-11 03:58:03] ...authorization failed!
[2023-07-11 03:58:03] Access token signature verification failed
I'm having difficulty debugging and getting past an "Access token signature verification" failure when logging into a self-hosted version of passbolt using iOS that I am running on a Kubernetes cluster. To deploy it I used the Helm charts that the passbolt team published on GitHub. As it stands the web and browser plugin work, though when I attempt to log in via the iOS app I get the above error.
Here are my attempts to debug this.
- Checked the Kubernetes ingress to see if it was blocking anything; I could not definitely tell, since I had a hard time determining how the iOS app was authenticating itself. It seems to be hitting API endpoints that are not documented. So this could be the issue, though I don't think so.
- I noticed that the version of passbolt deployed from the Helm chart was out of date, so I deployed the most recent version using docker-compose, keeping the networking identical between the machine running docker-compose and Kubernetes, to see if I messed up some networking config on the edge. The version of passbolt using docker-compose worked as intended. So maybe there is a bug in passbolt 4.0.2?
- Changed the env vars PASSBOLT_AUTH_JWT_ACCESS_TOKEN, PASSBOLT_AUTH_LOGIN_TOKEN_EXPIRY and PASSBOLT_AUTH_MOBILE_TRANSFER_TOKEN_EXPIRY to longer times, to see if it was a timing difference between my phone and the server; that did not work.
My next idea is to go through the steps to upgrade the container image that Helm is deploying to see if that fixes the issue.
If that idea fails, it would be great to hear if anyone has any ideas on additional steps I could take to help debug this.
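As an added illustration (not code from the post or from the passbolt project), here is the check the iOS log reports as failing: the app fetches the server's RSA public key and verifies the access token's signature against it. It assumes the token is a standard RS256 JWS and the key is a PKIX PEM public key (the "-----BEGIN PUBLIC KEY-----" form a jwt.pem takes), and uses constructed keys: verifying with the key that signed returns the claims, while a public key that does not correspond to the signing key produces exactly this kind of failure, which is the first thing to compare between what /auth/jwt/rsa.json serves and what actually signs tokens.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"strings"
)
var b64 = base64.RawURLEncoding // unpadded base64url, as JWS (RFC 7515) requires

// GenKey makes a constructed 2048-bit pair standing in for jwt.key/jwt.pem.
func GenKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}
// SignRS256 plays the server: sign SHA-256(header.payload) with RSA PKCS#1 v1.5.
func SignRS256(priv *rsa.PrivateKey, claims string) string {
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(claims))
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil { panic(err) }
	return input + "." + b64.EncodeToString(sig)
}
// VerifyRS256 plays the client: parse the PKIX PEM key, recompute the digest, check the signature.
func VerifyRS256(pubPEM []byte, token string) (string, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil { return "", fmt.Errorf("no PEM block in public key") }
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil { return "", err }
	pub, ok := key.(*rsa.PublicKey)
	parts := strings.Split(token, ".")
	if !ok || len(parts) != 3 { return "", fmt.Errorf("need an RSA key and a 3-part JWT") }
	sig, err := b64.DecodeString(parts[2])
	if err != nil { return "", err }
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return "", fmt.Errorf("access token signature verification failed: %w", err)
	}
	claims, err := b64.DecodeString(parts[1])
	return string(claims), err
}
// PublicPEM writes the public half of a key pair the way jwt.pem stores it.
func PublicPEM(priv *rsa.PrivateKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}
```

To apply it to a real instance, feed VerifyRS256 the PEM served by the API and a token issued by the server; a mismatch error there points at the key pair under /etc/passbolt/jwt/ rather than at the network path.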