"Something Went Wrong" on android phone

Hello,

I just deployed Passbolt on my homelab, and everything seems to be working correctly, although I haven’t set up an SMTP server yet, so email notifications are disabled.

The issue arises when I try to connect my phone. The QR code scans without any problem, but when I enter my passphrase, I get a “Something went wrong” error.

From the research I’ve done on the forums, it seems a similar issue was fixed and was related to a self-signed certificate used by Docker.

In my setup, I have my own domain and use Nginx as a reverse proxy to handle the SSL certificate.

Could I have your advice on this issue? For better clarification, here are my docker-compose.yml and nginx.nix configurations.

docker-compose-ce.yaml :

```yaml
services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - database_volume:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:latest-ce
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: "https://passbolt.my.domain"
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
      - "127.0.0.1:8080:80"

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:
```

```nix
# /etc/nixos/network/nginx.nix
{ config, pkgs, ... }:

{
  # --- Firewall Configuration for Web ---
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # --- ACME (Let's Encrypt) Configuration ---
  security.acme = {
    acceptTerms = true;
    defaults.email = "myusername@domai.domain";
  };

  # --- Nginx Service ---
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # --- Add this Virtual Host for Passbolt ---
    virtualHosts."passbolt.my.domain" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8080";
        proxyWebsockets = true;
      };
    };
  };
}
```

Checklist
I have read intro post: https://community.passbolt.com/t/about-the-installation-issues-category/12
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue


Hi @Asquadia
Thanks for the report.

Have you imported your server certificate to your Android device? You can do it by this method or this one. If any error still persists, then please enable logs (under the “?” sign on various screens), record the error, and provide them after anonymisation.

Hi @grzegorz ,
I have the same problem. Here’s the error log from my phone:

```
5.57.56 PM --> GET https://my.domain/auth/jwt/rsa.json h2
5.57.57 PM <-- 500 https://my.domain/auth/jwt/rsa.json (147ms, unknown-length body)
5.57.57 PM retrofit2.HttpException: HTTP 500 
	at retrofit2.KotlinExtensions$await$2$2.onResponse(SourceFile:53)
	at retrofit2.OkHttpCall$1.onResponse(SourceFile:164)
	at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:519)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
	at java.lang.Thread.run(Thread.java:1012)

retrofit2.HttpException: HTTP 500 
	at retrofit2.KotlinExtensions$await$2$2.onResponse(SourceFile:53)
	at retrofit2.OkHttpCall$1.onResponse(SourceFile:164)
	at okhttp3.internal.connection.RealCall$AsyncCall.run(SourceFile:519)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
	at java.lang.Thread.run(Thread.java:1012)
5.57.57 PM There was an error during checking if MFA is required
java.lang.ClassCastException: java.lang.String cannot be cast to java.util.Map
	at com.passbolt.mobile.android.core.networking.ErrorHeaderMapper.checkMfaRequired(SourceFile:71)
	at com.passbolt.mobile.android.core.networking.ResponseHandler.checkIfMfaRequired(SourceFile:76)
	at com.passbolt.mobile.android.core.networking.ResponseHandler.handleException(SourceFile:50)
	at com.passbolt.mobile.android.passboltapi.auth.AuthRepository.getServerPublicRsaKey(SourceFile:97)
	at com.passbolt.mobile.android.passboltapi.auth.AuthRepository$getServerPublicRsaKey$1.invokeSuspend(Unknown Source:11)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(SourceFile:33)
	at kotlinx.coroutines.DispatchedTask.run(SourceFile:102)
	at android.os.Handler.handleCallback(Handler.java:959)
	at android.os.Handler.dispatchMessage(Handler.java:100)
	at android.os.Looper.loopOnce(Looper.java:249)
	at android.os.Looper.loop(Looper.java:337)
	at android.app.ActivityThread.main(ActivityThread.java:9500)
	at java.lang.reflect.Method.invoke(Native Method)
	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:636)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1005)

java.lang.ClassCastException: java.lang.String cannot be cast to java.util.Map
	at com.passbolt.mobile.android.core.networking.ErrorHeaderMapper.checkMfaRequired(SourceFile:71)
	at com.passbolt.mobile.android.core.networking.ResponseHandler.checkIfMfaRequired(SourceFile:76)
	at com.passbolt.mobile.android.core.networking.ResponseHandler.handleException(SourceFile:50)
	at com.passbolt.mobile.android.passboltapi.auth.AuthRepository.getServerPublicRsaKey(SourceFile:97)
	at com.passbolt.mobile.android.passboltapi.auth.AuthRepository$getServerPublicRsaKey$1.invokeSuspend(Unknown Source:11)
	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(SourceFile:33)
	at kotlinx.coroutines.DispatchedTask.run(SourceFile:102)
	at android.os.Handler.handleCallback(Handler.java:959)
	at android.os.Handler.dispatchMessage(Handler.java:100)
	at android.os.Looper.loopOnce(Looper.java:249)
	at android.os.Looper.loop(Looper.java:337)
	at android.app.ActivityThread.main(ActivityThread.java:9500)
	at java.lang.reflect.Method.invoke(Native Method)
	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:636)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1005)
5.57.57 PM Generic error occurred
```

And about your solution: I’m using Cloudflare Zero Trust to host my server. I already got my CA certificate with this method, but when I uploaded the .pem file, it said “Private key required to install a certificate”, but I can’t upload the .key file (can’t select it). Could you help me with what to do here?

Thank you.

@dewa_santa Please take a look at this conversation and the workaround described here: https://github.com/passbolt/mobile-passbolt-android/issues/22#issuecomment-3056109262 — I suspect you’re encountering similar JWT-related issues.

According to the logs, you were able to reach the server, so the certificate is not required on your Android device (the auth/verify.json endpoint must succeed before accessing auth/jwt/rsa.json).

Asquadia attempted to run the server on his homelab using a self-signed CA certificate, which does require installing the .pem file on the Android device.

If, for any reason, you still need to install the certificate (which is NOT recommended in your case), try placing the .pem file in the Downloads folder and initiate the CA certificate installation from Android system settings.
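
The reasoning in the reply above (an HTTP status from the server means the TLS handshake already succeeded, so a 500 on auth/jwt/rsa.json is a server-side problem rather than a missing certificate on the phone) can be applied mechanically to an app log. The following Python script is an added example, not part of the thread or of Passbolt's code; the function name `triage`, the verdict labels and the second sample log are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# "<-- 500 url (...)" is the response shape in the log quoted in this thread.
# "<-- HTTP FAILED: <exception>" is what OkHttp's logging interceptor prints
# when no HTTP response arrived at all (for example a failed TLS handshake).
RESP = re.compile(r"<-- (?P<status>\d{3}) (?P<url>\S+)")
FAILED = re.compile(r"<-- HTTP FAILED: (?P<exc>[\w.$]+)")

# First lines of the log posted in the thread.
THREAD_LOG = """\
5.57.56 PM --> GET https://my.domain/auth/jwt/rsa.json h2
5.57.57 PM <-- 500 https://my.domain/auth/jwt/rsa.json (147ms, unknown-length body)
5.57.57 PM retrofit2.HttpException: HTTP 500
"""

# Constructed sample (not from the thread): untrusted CA on the device.
CONSTRUCTED_TLS_LOG = """\
1.02.03 PM --> GET https://passbolt.example/auth/verify.json h2
1.02.03 PM <-- HTTP FAILED: javax.net.ssl.SSLHandshakeException: Trust anchor for certification path not found.
"""

def triage(log_text):
    """Classify the first failing exchange as (verdict, detail)."""
    for line in log_text.splitlines():
        failed = FAILED.search(line)
        if failed:
            exc = failed.group("exc")
            # No HTTP response: the device-side trust store is a candidate.
            return ("tls-trust" if "SSL" in exc else "transport", exc)
        resp = RESP.search(line)
        if resp and int(resp.group("status")) >= 400:
            status = int(resp.group("status"))
            path = urlparse(resp.group("url")).path
            # An HTTP status proves the TLS handshake completed, so the
            # certificate is trusted; a 5xx here points at the server.
            if status >= 500 and path == "/auth/jwt/rsa.json":
                return ("server-jwt", f"{status} {path}")
            return ("http-error", f"{status} {path}")
    return ("ok", "")

if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("constructed", CONSTRUCTED_TLS_LOG)):
        print(name, triage(log))
```

A `server-jwt` verdict means the next place to look is the Passbolt server's own error log, not the Android certificate store.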

To clarify how I resolved this issue, as Grzegorz pointed out, if you stick with a self-signed CA, your only option is to install the certificate on your phone. Personally, I don’t really like that option, so I used Cloudflare instead.

Cloudflare offers a free plan with an API to expose applications and generate certificates. Using Nginx as my reverse proxy, I just generated a certificate with Certbot and the Cloudflare API (which is pretty easy and doesn’t require much configuration). This option also has the benefit of not needing to install any certificate on your phone and hiding your real IP address.
