Checklist
[
] I have read intro post: About the Installation Issues category
[] I have read the tutorials, help and searched for similar issues
[] I provide relevant information about my server (component names and versions, etc.)
[] I provide a copy of my logs and healthcheck
[] I describe the steps I have taken to trouble shoot the problem
[] I describe the steps on how to reproduce the issue
Problem
So, I installed Passbolt Docker “successfully”, all my healthchecks are now green! But one problem remains: I cannot access the web-portal from my main machine with my main browser, Firefox.
The issue that I encounter is that upon attempting a web login, I get the following message:
Something went wrong!
The operation failed with the following error:
Could not verify the server key. x-gpgauth-authenticated should be set to false during the verify stage
Here are the details of my installation:
- Host: Debian Bookworkm (Latest build) with Docker.
- Client: Debian Bookworkm. Firefox 121 Flatpak (Latest). Several settings from about:config have been modified.
Now, the strange thing is that if I create a new (empty) firefox profile. I can login to the web portal. But I get the above error from my main profile, which is where I will use the password manager.
I have been trying to add my settings to this new profile but cannot reproduce the problem. Any hints or help on why this problem appears or any of the inner workings of passbolt’t browswer-extension integrations would be appreciated.
Healthcheck
____ __ ____
/ __ \____ _____ ____/ /_ ____ / / /_
/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
/_/ \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
-------------------------------------------------------------------------------
Healthcheck shell
-------------------------------------------------------------------------------
Environment
[PASS] PHP version 8.2.7.
[PASS] PHP version is 8.1 or above.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.
Config files
[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables
Core config
[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.calli
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate
Database
[PASS] The application is able to connect to the database
[PASS] 31 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.
Application configuration
[PASS] Using latest passbolt version (4.4.2).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] The self registration provider is: Email domain safe list.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
JWT Authentication
[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found
SMTP Settings
[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[WARN] The SMTP Settings source is: env variables.
[HELP] It is recommended to set the SMTP Settings in the database through the administration section.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No error found. Nice one sparky!
Dockerfile
version: "3.9"
services:
db:
image: mariadb:10.11
container_name: passbolt_database
restart: unless-stopped
environment:
MYSQL_RANDOM_ROOT_PASSWORD: "true"
MYSQL_DATABASE: "ddd"
MYSQL_USER: "uuu"
MYSQL_PASSWORD: "xxx"
PUID: "1005"
PGID: "1005"
volumes:
- db:/var/lib/mysql
networks:
default:
passbolt:
image: passbolt/passbolt:latest-ce
container_name: passbolt
hostname: 'passbolt.calli'
restart: unless-stopped
depends_on:
- db
environment:
# Hostname
APP_FULL_BASE_URL: https://passbolt.ccc
# Database
DATASOURCES_DEFAULT_HOST: "db"
DATASOURCES_DEFAULT_DATABASE: "ddd"
DATASOURCES_DEFAULT_USERNAME: "uuu"
DATASOURCES_DEFAULT_PASSWORD: "xxx"
# Mail
EMAIL_DEFAULT_FROM_NAME: "passbolt"
EMAIL_DEFAULT_FROM: "passbolt@passbolt.ccc"
EMAIL_TRANSPORT_DEFAULT_HOST: "smtp.email.ccc"
EMAIL_TRANSPORT_DEFAULT_PORT: 587
EMAIL_TRANSPORT_DEFAULT_USERNAME: "passbolt@passbolt.ccc"
EMAIL_TRANSPORT_DEFAULT_PASSWORD: "xxx"
EMAIL_TRANSPORT_DEFAULT_TLS: "false"
PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED: "true"
PASSBOLT_EMAIL_VALIDATE_MX: "true"
# Key
PASSBOLT_SSL_FORCE: "true"
PASSBOLT_GPG_SERVER_KEY_FINGERPRINT_FORCE: "true"
# IDs
PUID: "1005"
PGID: "1005"
volumes:
- gpg:/etc/passbolt/gpg
- jwt:/etc/passbolt/jwt
# SSL
- /home/docker/passbolt/certs/passbolt-fullchain.pem:/etc/ssl/certs/certificate.crt:ro
- /home/docker/passbolt/certs/passbolt-cert-key.pem:/etc/ssl/certs/certificate.key:ro
# SSL Certificate Healthcheck
- /home/docker/passbolt/certs/ca.pem:/usr/share/php/passbolt/vendor/composer/ca-bundle/res/cacert.pem:ro
command:
[
"/usr/bin/wait-for.sh",
"-t",
"0",
"db:3306",
"--",
"/docker-entrypoint.sh",
]
networks:
default:
aztlan:
ipv4_address: 10.0.20.35
networks:
default:
ipam:
driver: default
config:
- subnet: 10.0.35.0/28
aztlan:
external: true
name: aztlan
volumes:
db:
gpg:
jwt:
Browser settings.json Network Inspection
GET
scheme
https
host
passbolt.ccc
filename
/settings.json
api-version
v2
Address
10.0.20.35:443
Status
200
VersionHTTP/2
Transferred2.50 kB (1.31 kB size)
Referrer Policysame-origin
DNS ResolutionSystem
Response Headers
access-control-expose-headers
X-GPGAuth-Verify-Response
access-control-expose-headers
X-GPGAuth-Progress
access-control-expose-headers
X-GPGAuth-User-Auth-Token
access-control-expose-headers
X-GPGAuth-Authenticated
access-control-expose-headers
X-GPGAuth-Refer
access-control-expose-headers
X-GPGAuth-Debug
access-control-expose-headers
X-GPGAuth-Error
access-control-expose-headers
X-GPGAuth-Pubkey
access-control-expose-headers
X-GPGAuth-Logout-Url
access-control-expose-headers
X-GPGAuth-Version
cache-control
no-store, no-cache, must-revalidate
content-security-policy
default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self';frame-src 'self' https://*.duosecurity.com;
content-type
application/json
date
Mon, 05 Feb 2024 04:56:51 GMT
expires
Thu, 19 Nov 1981 08:52:00 GMT
pragma
no-cache
referrer-policy
same-origin
server
nginx
strict-transport-security
max-age=31536000; includeSubDomains
x-content-type-options
nosniff
x-download-options
noopen
X-Firefox-Spdy
h2
x-frame-options
sameorigin
x-gpgauth-authenticated
false
x-gpgauth-debug
There is no user associated with this key. No key id set.
x-gpgauth-error
true
x-gpgauth-login-url
/auth/login
x-gpgauth-logout-url
/auth/logout
x-gpgauth-progress
stage0
x-gpgauth-pubkey-url
/auth/verify.json
x-gpgauth-verify-url
/auth/verify
x-gpgauth-version
1.3.0
x-permitted-cross-domain-policies
all
Request Headers
Accept
application/json
Accept-Encoding
gzip, deflate, br
Accept-Language
en-US,en;q=0.5
Connection
keep-alive
content-type
application/json
Cookie
passbolt_session=2n5jj8ukk4ove29q2g855at9lq; csrfToken=3986cf75eb5ecb0a0598125b0925657572930fa700ce7d34846f626aea3f22658277aa932a83030dc8bed798fea8f4c51a23988488648920c4c30ac508246ed7
DNT
1
Host
passbolt.ccc
Referer
https://passbolt.ccc/auth/login?redirect=%2F&locale=en-UK
Sec-Fetch-Dest
empty
Sec-Fetch-Mode
cors
Sec-Fetch-Site
same-origin
Sec-GPC
1
TE
trailers
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0
X-CSRF-Token
3986cf75eb5ecb0a0598125b0925657572930fa700ce7d34846f626aea3f22658277aa932a83030dc8bed798fea8f4c51a23988488648920c4c30ac508246ed7