Unable to create administrator account "authentication failed" [SELINUX]

Checklist
[x] I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

– Server operating system name and version: AlmaLinux release 9.1 (Lime Lynx)
– Web server name and version: nginx/1.20.1
– Database server name and version: 10.5.16-MariaDB
– PHP version: 8.1.15
– Passbolt version: 3.9.0

Status-report :

Open source password manager for teams

Passbolt PRO 3.9.0
Cakephp 4.3.7
Linux SRV-PASSBOLT.XLOCAL 5.14.0-162.6.1.el9_1.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Nov 15 07:49:10 EST 2022 x86_64 x86_64 x86_64 GNU/Linux
PHP 8.1.15 (cli) (built: Jan 31 2023 15:13:17) (NTS gcc x86_64)
mysql Ver 15.1 Distrib 10.5.16-MariaDB, for Linux (x86_64) using EditLine wrapper
gpg (GnuPG) 2.3.3
libgcrypt 1.10.0-unknown
ERROR: /usr/share/php/passbolt/bin/utils.sh: ligne 64: composer : commande introuvable

Healthcheck shell

Environment

[PASS] PHP version 8.1.15.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://srv-passbolt.x.local/
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check Passbolt Help | Troubleshoot SSL
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate

Database

[PASS] The application is able to connect to the database
[PASS] 46 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[FAIL] Could not connect to passbolt repository to check versions It is not possible check if your version is up to date.
[HELP] Check the network configuration to allow this script to check for updates.
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[PASS] All email notifications will be sent.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

SMTP Settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

[FAIL] 3 error(s) found. Hang in there!

Cleanup shell (dry-run)

No issue found, data looks squeaky clean!

Data check shell
[PASS] Data integrity for AuthenticationTokens.
[PASS] Can validate: 1/1
[PASS] Data integrity for Comments.
[PASS] Can validate: 0/0
[PASS] Data integrity for Favorites.
[PASS] Can validate: 0/0
[PASS] Data integrity for Gpgkeys.
[PASS] Can encrypt: 1/1
[PASS] Pass validation service checks: 1/1
[PASS] Entity data and armored key data matches: 1/1
[PASS] Is not expired: 1/1
[PASS] Is armored key format valid: 1/1
[PASS] Data integrity for Groups.
[PASS] Can validate: 0/0
[PASS] Data integrity for Profiles.
[PASS] Can validate: 1/1
[PASS] Data integrity for Resources.
[PASS] Can validate: 0/0
[PASS] Data integrity for Secrets.
[PASS] Can validate: 0/0
[PASS] Data integrity for Users.
[PASS] Can validate: 1/1
2023-02-08 13:21:42 warning: Warning (2): file_get_contents(/etc/passbolt/gpg/serverkey.asc): Failed to open stream: No such file or directory in [/usr/share/php/passbolt/src/Utility/Healthchecks/GpgHealthchecks.php, line 456]
2023-02-08 13:21:42 warning: Warning (2): file_get_contents(/etc/passbolt/gpg/serverkey_private.asc): Failed to open stream: No such file or directory in [/usr/share/php/passbolt/src/Utility/Healthchecks/GpgHealthchecks.php, line 458]
2023-02-08 13:24:05 warning: Warning (2): Undefined array key "options" in [/usr/share/php/passbolt/plugins/PassboltCe/WebInstaller/templates/Config/passbolt.php, line 32]
2023-02-08 13:24:05 warning: Warning (2): Trying to access array offset on value of type null in [/usr/share/php/passbolt/plugins/PassboltCe/WebInstaller/templates/Config/passbolt.php, line 32]
2023-02-08 13:24:05 warning: Warning (2): Undefined array key "options" in [/usr/share/php/passbolt/plugins/PassboltCe/WebInstaller/templates/Config/passbolt.php, line 60]
2023-02-08 13:24:05 warning: Warning (2): Trying to access array offset on value of type null in [/usr/share/php/passbolt/plugins/PassboltCe/WebInstaller/templates/Config/passbolt.php, line 60]
2023-02-08 13:24:05 warning: Warning (2): Undefined array key "options" in [/usr/share/php/passbolt/plugins/PassboltCe/WebInstaller/templates/Config/passbolt.php, line 63]
2023-02-08 13:24:05 warning: Warning (2): Trying to access array offset on value of type null in [/usr/share/php/passbolt/plugins/PassboltCe/WebInstaller/templates/Config/passbolt.php, line 63]
2023-02-08 13:24:07 warning: Warning (2): chmod(): Operation not permitted in [/usr/share/php/passbolt/plugins/PassboltCe/WebInstaller/src/Service/WebInstallerChangeConfigFolderPermissionService.php, line 52]
2023-02-08 13:24:07 warning: Warning (2): chmod(): Operation not permitted in [/usr/share/php/passbolt/plugins/PassboltCe/WebInstaller/src/Service/WebInstallerChangeConfigFolderPermissionService.php, line 52]
2023-02-08 13:24:07 warning: Warning (2): chmod(): Operation not permitted in [/usr/share/php/passbolt/plugins/PassboltCe/WebInstaller/src/Service/WebInstallerChangeConfigFolderPermissionService.php, line 52]
2023-02-08 13:24:07 warning: Warning (2): chmod(): Operation not permitted in [/usr/share/php/passbolt/plugins/PassboltCe/WebInstaller/src/Service/WebInstallerChangeConfigFolderPermissionService.php, line 52]
2023-02-08 13:24:07 warning: Warning (2): chmod(): Operation not permitted in [/usr/share/php/passbolt/plugins/PassboltCe/WebInstaller/src/Service/WebInstallerChangeConfigFolderPermissionService.php, line 52]
2023-02-08 13:25:27 error: [Cake\Http\Exception\InternalErrorException] The authentication failed. in /usr/share/php/passbolt/src/Controller/Auth/AuthLoginController.php on line 93
Request URL: /auth/login.json?api-version=v2
Client IP: 172...*

2023-02-08 13:25:27 error: The authentication failed.
2023-02-08 13:25:27 error: #0 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Controller/Controller.php(539): App\Controller\Auth\AuthLoginController->loginPost()
#1 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Controller/ControllerFactory.php(140): Cake\Controller\Controller->invokeAction()
#2 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Controller/ControllerFactory.php(115): Cake\Controller\ControllerFactory->handle()
#3 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/BaseApplication.php(317): Cake\Controller\ControllerFactory->invoke()
#4 /usr/share/php/passbolt/src/Application.php(131): Cake\Http\BaseApplication->handle()
#5 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(77): App\Application->handle()
#6 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/SecurityHeadersMiddleware.php(255): Cake\Http\Runner->handle()
#7 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Cake\Http\Middleware\SecurityHeadersMiddleware->process()
#8 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php(138): Cake\Http\Runner->handle()
#9 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Cake\Http\Middleware\CsrfProtectionMiddleware->process()
#10 /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtCsrfDetectionMiddleware.php(55): Cake\Http\Runner->handle()
#11 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Passbolt\JwtAuthentication\Middleware\JwtCsrfDetectionMiddleware->process()
#12 /usr/share/php/passbolt/src/Middleware/GpgAuthHeadersMiddleware.php(40): Cake\Http\Runner->handle()
#13 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): App\Middleware\GpgAuthHeadersMiddleware->process()
#14 /usr/share/php/passbolt/plugins/PassboltCe/Locale/src/Middleware/LocaleMiddleware.php(47): Cake\Http\Runner->handle()
#15 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Passbolt\Locale\Middleware\LocaleMiddleware->process()
#16 /usr/share/php/passbolt/plugins/PassboltCe/MultiFactorAuthentication/src/Middleware/InjectMfaFormMiddleware.php(66): Cake\Http\Runner->handle()
#17 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Passbolt\MultiFactorAuthentication\Middleware\InjectMfaFormMiddleware->process()
#18 /usr/share/php/passbolt/plugins/PassboltCe/MultiFactorAuthentication/src/Middleware/MfaRequiredCheckMiddleware.php(82): Cake\Http\Runner->handle()
#19 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Passbolt\MultiFactorAuthentication\Middleware\MfaRequiredCheckMiddleware->process()
#20 /usr/share/php/passbolt/vendor/cakephp/authentication/src/Middleware/AuthenticationMiddleware.php(124): Cake\Http\Runner->handle()
#21 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Authentication\Middleware\AuthenticationMiddleware->process()
#22 /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtDestroySessionMiddleware.php(43): Cake\Http\Runner->handle()
#23 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Passbolt\JwtAuthentication\Middleware\JwtDestroySessionMiddleware->process()
#24 /usr/share/php/passbolt/src/Middleware/SessionAuthPreventDeletedUsersMiddleware.php(46): Cake\Http\Runner->handle()
#25 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): App\Middleware\SessionAuthPreventDeletedUsersMiddleware->process()
#26 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/BodyParserMiddleware.php(162): Cake\Http\Runner->handle()
#27 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Cake\Http\Middleware\BodyParserMiddleware->process()
#28 /usr/share/php/passbolt/src/Middleware/SessionPreventExtensionMiddleware.php(66): Cake\Http\Runner->handle()
#29 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): App\Middleware\SessionPreventExtensionMiddleware->process()
#30 /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtRouteFilterMiddleware.php(47): Cake\Http\Runner->handle()
#31 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Passbolt\JwtAuthentication\Middleware\JwtRouteFilterMiddleware->process()
#32 /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtAuthDetectionMiddleware.php(58): Cake\Http\Runner->handle()
#33 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Passbolt\JwtAuthentication\Middleware\JwtAuthDetectionMiddleware->process()
#34 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php(161): Cake\Http\Runner->handle()
#35 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Cake\Routing\Middleware\RoutingMiddleware->process()
#36 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware.php(77): Cake\Http\Runner->handle()
#37 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Cake\Routing\Middleware\AssetMiddleware->process()
#38 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Error/Middleware/ErrorHandlerMiddleware.php(126): Cake\Http\Runner->handle()
#39 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): Cake\Error\Middleware\ErrorHandlerMiddleware->process()
#40 /usr/share/php/passbolt/src/Middleware/ContentSecurityPolicyMiddleware.php(39): Cake\Http\Runner->handle()
#41 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): App\Middleware\ContentSecurityPolicyMiddleware->process()
#42 /usr/share/php/passbolt/src/Middleware/ContainerInjectorMiddleware.php(54): Cake\Http\Runner->handle()
#43 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(73): App\Middleware\ContainerInjectorMiddleware->process()
#44 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(58): Cake\Http\Runner->handle()
#45 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Server.php(90): Cake\Http\Runner->run()
#46 /usr/share/php/passbolt/webroot/index.php(40): Cake\Http\Server->run()
#47 {main}
2023-02-08 13:25:36 error: [Cake\Http\Exception\BadRequestException] The user does not exist or is already active. in /usr/share/php/passbolt/src/Service/Users/UserGetService.php on line 85
Request URL: /setup/start/4b062c30-8ab2-4d6a-863b-4f0519dab3ab/fed0c213-8588-47a5-b544-39904dca3412.json?api-version=v2
Client IP: 172...*

2023-02-08 13:25:42 error: [Cake\Http\Exception\BadRequestException] The user does not exist or is already active. in /usr/share/php/passbolt/src/Service/Users/UserGetService.php on line 85
Request URL: /setup/start/4b062c30-8ab2-4d6a-863b-4f0519dab3ab/fed0c213-8588-47a5-b544-39904dca3412.json?api-version=v2
Client IP: 172...*

2023-02-08 13:25:43 error: [Cake\Http\Exception\BadRequestException] The user does not exist or is already active. in /usr/share/php/passbolt/src/Service/Users/UserGetService.php on line 85
Request URL: /setup/install/4b062c30-8ab2-4d6a-863b-4f0519dab3ab/fed0c213-8588-47a5-b544-39904dca3412.json?api-version=v2
Referer URL: https://srv-passbolt.x.local/setup/install/4b062c30-8ab2-4d6a-863b-4f0519dab3ab/fed0c213-8588-47a5-b544-39904dca3412?locale=fr-FR&first-install=1
Client IP: 172...*

Hi everyone,

After installing Passbolt Pro on a test server, I tried to install it on a clean server for production.

After installing it, I can’t create the administrator account.

The first time, I get the message “authentication failed”, and after that I just have to log in with an existing account, but I don’t have one…

I reinstalled it many times, but same error.

I hope you can help :slight_smile:

Thank you

Hello @Cedric2, thanks for all the logs you shared.

May this problem be related to the issue you were experiencing a few weeks ago?
Can you confirm that the owner of /usr/share/php/passbolt/.gnupg/pubring.kbx is www-data:www-data?

Does your server have time synchronization (NTP) enabled?

Thanks in advance.

Hi antony,

It was the first thing I checked :wink:

Pubring is owned by nginx, so this is ok.
NTP is enabled and is working.

I’m using Firefox ESR, but I have used it since the beginning and didn’t have other issues.

I may try with another browser, but I don’t know how to restart the web installation setup right now.

Regards

Please set the rights on files that are in /etc/passbolt/gpg to nginx:nginx
The datacheck shows warning “Failed to open stream”

Thanks in advance.

Hi antony,

I did this but it didn’t work.

I reinstalled from scratch on another server, but without SSL, and it worked.

I had some problems just after “trying” to put the certificates.

This is very strange…

Hi,

Thanks to @max and @clayton, the issue has been resolved. It came from SELinux, which didn’t have the right permissions.

This was resolved with the following commands:

# setsebool -P httpd_use_gpg=on
# setsebool -P gpg_web_anon_write=on
# semanage permissive -a gpg_web_t

We had confirmation of this problem by seeing that the “setroubleshootd” process was taking a lot of CPU resources, and by checking the logs by doing:

# tail -f /var/log/audit/audit.log

Several errors appeared including:

type=AVC msg=audit(1677225939.076:3158): avc: denied { getattr } for pid=21057 comm="gpg" path="/run/user/989/gnupg/d.51ock8mbjgy5imwtzxjtijzc/S.gpg-agent" dev="tmpfs" ino=31748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0

Thanks again to them :wink:

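The audit-log check described in the post above, turned into a small filter that counts AVC denials by command, source type, target type, class and permission (an added example, not part of the original thread). The function names `summarize_avc` and `sample_audit_log` are hypothetical, and the sample lines are constructed, the first modelled on the denial quoted in the post.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one source domain.
# summarize_avc and sample_audit_log are illustrative names, not Passbolt tooling.

summarize_avc() {
    # $1: source type to keep (e.g. httpd_t); empty keeps all. Audit lines on stdin.
    awk -v want="$1" '
    /type=AVC/ && /avc:[ ]+denied/ {
        perms = ""; comm = "?"; st = "?"; tt = "?"; tc = "?"
        # Permissions sit between the first "{" and "}".
        s = index($0, "{"); e = index($0, "}")
        if (s && e > s) {
            perms = substr($0, s + 1, e - s - 1)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }   # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            if ($i ~ /^tclass=/)   { tc = $i; sub(/^tclass=/, "", tc) }
        }
        if (want != "" && st != want) next
        count[comm " " st " -> " tt ":" tc " {" perms "}"]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

sample_audit_log() {
    # Constructed sample: two gpg-agent socket denials from httpd_t, one write
    # denial, one unrelated domain, and one non-AVC record that must be ignored.
    cat <<'EOF'
type=AVC msg=audit(1677225939.076:3158): avc:  denied  { getattr } for  pid=21057 comm="gpg" path="/run/user/989/gnupg/S.gpg-agent" dev="tmpfs" ino=31748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1677225939.076:3158): arch=c000003e syscall=262 success=no exit=-13 comm="gpg" exe="/usr/bin/gpg"
type=AVC msg=audit(1677225940.110:3160): avc:  denied  { getattr } for  pid=21060 comm="gpg" path="/run/user/989/gnupg/S.gpg-agent" dev="tmpfs" ino=31748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1677225940.200:3161): avc:  denied  { write } for  pid=21060 comm="gpg" name="S.gpg-agent" dev="tmpfs" ino=31748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1677225941.500:3165): avc:  denied  { read } for  pid=900 comm="chronyd" name="example.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
EOF
}

# Demo on the constructed sample: only web-server-originated denials are listed.
sample_audit_log | summarize_avc httpd_t
```

On a live host, run `summarize_avc httpd_t < /var/log/audit/audit.log` as root. The resulting list shows which accesses are actually denied, which helps judge whether the two booleans are enough before leaving `gpg_web_t` permissive.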

Thanks for sharing it with the community @Cedric2 !
