Hi All,

Hopefully someone can help with this. Issue:

1. The server doesn’t seem to like using our wildcard cert as seen below in the healthcheck output. however the browser is fine with it and says the connection is secure once it finally connects. Activity in the web ui is very slow, each of these steps take 30/45 seconds.
2. The server doesn’t recognize users after the initial login and it never prompts for the password when connecting to the server, it just starts into password recovery and when I click on the password recover link in the email I get “Please wait” in the browser for a while, and then prompts for private key file/recover kit. However, it won’t accept the key. I get “This key does not match any account” or I get “Something went wrong”
3. Activity in the web ui is very slow, each of these steps take 30/45 seconds and occasionally I get a 504 error. This is the error from nginx\error.log:
   2023/04/18 23:14:44 [error] 38379#0: *33 upstream timed out (110: Connection timed out) while reading response header from upstream, client: IP, server: hostname, request: “GET / HTTP/2.0”, upstream: “fastcgi://unix:/run/php-fpm/www.sock”, host: “hostname”

I’m not sure what other logs, etc might be needed.

Server Version - RHEL 8.7
Webserver - nginx/1.14.1
DB Server - mysqladmin Ver 9.1 Distrib 10.3.35-MariaDB, for Linux on x86_64
PHP Version - PHP 8.1.18 (cli) (built: Apr 11 2023 16:47:45) (NTS gcc x86_64)
Passbolt - rpm -qa |grep passbolt
passbolt-server-selinux-0.4-1.el8.noarch
passbolt-ce-server-3.12.0-2.noarch

su -s /bin/bash -c “/usr/share/php/passbolt/bin/cake passbolt healthcheck” nginx

 ____                  __          ____
/ __ \____  _____ ____/ /_  ____  / / /_

/ // / __ `/ / / __ / __ / / _/
/ / // ( | ) // / // / / /
// _,///./_//__/

Open source password manager for teams

Healthcheck shell

Environment

[PASS] PHP version 8.1.18.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://pblt.sbctc.edu
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check Passbolt Help | Troubleshoot SSL
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate

Database

[PASS] The application is able to connect to the database
[PASS] 30 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (3.12.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

SMTP Settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

[FAIL] 2 error(s) found. Hang in there!

For the SSL issue, this likely isn’t impacting the performance, but yes Passbolt does complain when you use a wildcard cert.

The server not recognizing them is a surprising issue. Can you check the users panel to make sure they activated? Also are you by chance using VDIs for users? Sometimes in environments with that you have to persist some data for the browser extension

UI being slow can be a couple different things. We have a page with some tweaks you can try to see if that improves things.

Additionally since it is RHEL, it is worth checking the SELinux log to make sure nothing is being blocked. This comes up as an issue from time to time

Thanks for the reply Clayton.

The server is running in AWS on an 2 core / 4 GB RAM instance, and the clients so far are just my laptop and desktop, no VM’s or VDI’s. It’s just me testing it. I was able to connect 1 time, then after that it stopped recognizing me, I assumed I broke it somehow during my troubleshooting, so I created another admin account via command line and was never successfully able to fully login to the UI, I did get the email saying I activated my account, but it’s not fully activated. I’m suspecting our security software may be impacting it in some way or SELinux as you mentioned. On a related note, if I uninstall and reinstall the browser plugin, I should expect it to starts into password recovery, but do I need to check for extra keys or other stuff saved on the client and delete?

Thanks for the performance tweaks link, I’ll check into that and the SELinux log today.

If you remove the browser plugin and then reinstall it will ask for your email and make you do the recovery step with the key. You won’t need to worry about having other keys on your device, just be sure to use the right one at that step.

I gave up on the instance and went through the process with a fresh install on a fresh instance, same results. The first login works but if I try on another browser it’s really slow, and doesn’t recognize the key: “This key does not match any account.”

Same issue if I have another user try to login. He gets the email and tries to setup his account. It’s super slow but is able to activate his account, however when he tries to login for the first time he gets the “something went wrong, internal error occurred” or “Gateway timeout”, and if he tries to refresh sometimes he gets “This email is not associated with any approved users on this domain”.

When I set it up this time, I tried to minimize it to eliminate any extra variables, so it currently does not have our standard security software and is just a vanilla RHEL 8 with the minimum needed to get passbolt running. I’m at a loss on this issue.

Additionally, I saw no indication that SELinux was causing problems.

Thanks for the additional info and followup. As the problem persists after a fresh install, and the other items were checked, we could assume you are installing the same way and some other things need to be checked.

If we consider the slowness and timeouts, that could be from a routing /resolution problem. This can happen when it’s trying one method to resolve, that times out do it tries another method which times out, etc.

From the server itself can you ping the domain and is the ip address returned the one you would expect?

Do you have any network filtering or reverse proxies in front of passbolt? You mention your “security software”… can you share what it is?

When you said you could connect one time and then not… I am understanding you got to the setup but then could not complete it and were subsequently unable to access the site. This sounds to me like fail2ban or something else blacklisting you.