Version Mismatch on Debian

dburgess · March 10, 2023, 10:28pm

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

Debian 11.6
5.10.0-21-amd64
nginx 1.18.0

I just updated per the instructions here, but healthcheck is showing that Passbolt is out of date.

 su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.33.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://test-pwdman.lethbridgepolice.ca
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [FAIL] This installation is not up to date. Currently using 3.11.0 and it should be v3.11.1.
 [HELP] See. https://www.passbolt.com/help/tech/update
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] The Self Registration plugin is enabled.
 [PASS] Registration is closed, only administrators can add users.
 [WARN] The deprecated self registration public setting was found in /etc/passbolt/passbolt.php.
 [HELP] You may remove the "passbolt.registration.public" setting.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [FAIL] 3 error(s) found. Hang in there!

dpkg reports that I have the 3.11.1 package installed. I just updated from 3.9.0, so I can’t imagine why healthcheck is report 3.10.0.

dpkg -l|grep passb
ii  passbolt-ce-server  3.11.1-1 all Passbolt, open source password manager for teams

Did I do something wrong? Is this a known issue?

dburgess · March 10, 2023, 10:31pm

I should add, this isn’t my reason for posting, but maybe it’s related. Despite the error in the healthcheck output, I’m not using a self-signed certificate. While visiting my site, I can verify a valid certificate.

garrett · March 10, 2023, 11:07pm

Yes I believe it’s mentioned here Duo error on setup attempt [fixed with 3.11.1] - #10 by clayton

However, 3.11.1 is in fact released.

garrett · March 10, 2023, 11:16pm

Regarding the self signed cert issue, I’m not sure.

Do you possibly have it being redirected internally to a different port that runs a different cert?

Do you have a reverse proxy in front of passbolt serving one cert but the app is running a default cert behind it?

dburgess · March 13, 2023, 3:14pm

Do you possibly have it being redirected internally to a different port that runs a different cert?
Do you have a reverse proxy in front of passbolt serving one cert but the app is running a default cert behind it?

No on both counts. I ran through the steps here and didn’t get any insight into my SSL error. I also rean dpkg-reconfigure passbolt-ce-server && service nginx reload but the healthcheck result is the same. I’m not going to worry about it since the browser displays the correct certificate. Thanks for your responses.

clayton · March 14, 2023, 7:14am

Another potential reason behind the cert issues in the output is if you are using a wildcard cert

dburgess · March 14, 2023, 2:04pm

I am using a wildcard cert. Is this expected output then, or should I be handling it differently?

ronaldgevern · June 6, 2023, 7:31am

This SSL error occurs when the SSL/TLS client cannot verify the server’s certificate due to the absence of the issuer’s certificate in its trusted store. To resolve this, ensure the system time and date are accurate, update the trusted CA certificate bundle, explicitly specify the CA certificate if available, verify the certificate chain for completeness, and check for any network connectivity issues caused by firewalls or proxies. These steps will help address the SSL error “unable to get local issuer certificate” and enable successful establishment of secure connections.