Windows app does not recognize the self-signed certificate

Hi,
I recently installed Passbolt in a Docker container, reachable through a local domain using a self-signed certificate.
The problem occurs in the Windows app: after importing the account kit and entering the passphrase, an invalid certificate error comes up.
I retried the process unsuccessfully after installing the certificate on my computer, following the official troubleshooting guide for the Windows app.

I would like to understand whether this is a bug or a problem with the certificate. The Android app gives a similar error, even after following the certificate installation guide.

Hi @IlGabbo and welcome to the forum!

There’s a problem with the certificate in your situation. What problem exactly? I don’t know yet.

First things first, did you restart your Windows machine after installing the certificate? Maybe it hasn’t taken it into account yet (we never know).

Also, since you are using Docker, did you restart your container? I wonder whether the certificate is recreated at each boot. If so, it is a new certificate each time that needs to be trusted (and you will need to make it persistent to avoid these issues).

Did you create the certificate yourself? If yes, do you remember how?

Hi, I tried restarting the Windows machine and the app still gives error 400 - the certificate provided is invalid.
I created the certificate with openssl commands; to create a certificate authority I used the commands:

  • openssl genpkey -algorithm RSA -out ca.key -aes256
  • openssl req -x509 -new -nodes -key ca.key -sha256 -days 1825 -out ca.crt
  • openssl genpkey -algorithm RSA -out server.key -aes256
  • openssl req -new -key server.key -out server.csr
  • openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 825 -sha256

To create the certificate for the passbolt.local domain:

  • openssl genpkey -algorithm RSA -out passbolt.local.key
  • openssl req -new -key passbolt.local.key -out passbolt.local.csr
  • openssl x509 -req -in passbolt.local.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out passbolt.local.crt -days 2048 -sha256

I also followed the guide for manually configuring HTTPS on Docker Compose, but the problem persists.

Which certificate did you trust in your OS? The server’s one or the certificate authority’s?
I think that, in that case, the certificate authority is the one that needs to be trusted.

Also, just as a quick check, on your Windows machine, if you access your Passbolt instance from a browser, does your browser complain about the certificate not being safe?

I installed both the passbolt.local.crt certificate and the authority certificate, and the browser reports the certificate as not secure.

If the browser shows your certificate as insecure, the desktop app will not work for sure.

A quick test could be to download the certificate from the browser (using the icon on the left of the current web page address) and install the downloaded certificate.
Then restart the desktop app and see. You can also restart (not refresh) your browser to see if the certificate is still considered insecure.

If the problem persists, it will show that either the certificate is wrong somehow or the certificate has not been installed in the right place on Windows.

If it solves the issue, it could show that the certificate you’ve installed is not the one used (or it could be a wrong file). Maybe Docker is not using the expected TLS certificate file (and generates a new one?).

I applied the advice you gave me and unfortunately I get the same error, both from the app and the browser.
I also checked whether Docker was using a different certificate, but it is not.
The only solution would be to use a Cloudflare domain and a certificate provided by Let’s Encrypt; however, it would be a risk to expose the domain related to the Passbolt service.

Have you tried to run a healthcheck?
Is the server giving some error on the SSL certificate section?

Hi, sorry for the late reply.
After running the healthcheck and resolving the OpenPGP key errors, the healthcheck logs look like this:
Environment

[PASS] PHP version 8.2.20.
[PASS] PHP version is 8.1 or above.
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.

Config files

[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config

[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.local
[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in /etc/passbolt/passbolt.php
[HELP] Check the network settings

SSL Certificate

[WARN] SSL peer certificate does not validate.
[WARN] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate.
[HELP] Check Troubleshooting SSL/TLS | Passbolt documentation.

SMTP settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled.
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one.
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (4.9.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema is up to date.

Database

[PASS] The application is able to connect to the database
[PASS] 31 tables found.
[PASS] Some default content is present.

[FAIL] 1 error(s) found. Hang in there!

Hello @IlGabbo, maybe this guide is helpful to clean up your healthcheck

If the certificate section still shows that the certificate does not match the hostname, you should try to solve this.

Hi, I finally found the solution, and it was also quite simple.
The problem was the commands with which I generated the certificate; evidently I was skipping some step or parameter.
With the script below I solved the problem.

#!/bin/bash
# Issue a server certificate carrying a subjectAltName (SAN), signed by a local
# root CA. Expects RootCA.crt and RootCA.key in the current directory.
set -euo pipefail

if [ "$#" -ne 2 ]; then
    echo "Usage: $0 <DOMAIN> <TYPE>"
    echo "TYPE: dns or ip"
    exit 1
fi

DOMAIN=$1
TYPE=$2

if [[ "$TYPE" != "dns" && "$TYPE" != "ip" ]]; then
    echo "Invalid type. Use 'dns' or 'ip'."
    exit 1
fi

# OpenSSL config for the CSR. CN is set to the domain; the other fields may be
# filled in or left blank. The heredoc is unquoted so $DOMAIN expands.
cat > san.cnf <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
C  = 
ST = 
L  = 
O  = 
OU = 
CN = $DOMAIN

[ req_ext ]
EOF

# The SAN entry is what browsers and the desktop app match the hostname (or IP) against.
if [ "$TYPE" = "dns" ]; then
    echo "subjectAltName = DNS:$DOMAIN" >> san.cnf
elif [ "$TYPE" = "ip" ]; then
    echo "subjectAltName = IP:$DOMAIN" >> san.cnf
fi

mkdir -p "$DOMAIN"

# Private key and CSR that requests the SAN extension
openssl genpkey -algorithm RSA -out "$DOMAIN/$DOMAIN.key"
openssl req -new -key "$DOMAIN/$DOMAIN.key" -out "$DOMAIN/$DOMAIN.csr" -config san.cnf
# Sign with the root CA; -extfile/-extensions copy the SAN into the issued certificate
openssl x509 -req -in "$DOMAIN/$DOMAIN.csr" -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -out "$DOMAIN/$DOMAIN.crt" -days 2048 -extfile san.cnf -extensions req_ext
# PKCS#12 bundle (key + certificate) for importing on Windows
openssl pkcs12 -export -out "$DOMAIN/$DOMAIN.p12" -inkey "$DOMAIN/$DOMAIN.key" -in "$DOMAIN/$DOMAIN.crt"

rm san.cnf

# Show the SAN entries actually present in the issued certificate
openssl x509 -text -noout -in "$DOMAIN/$DOMAIN.crt" | grep -E 'DNS|IP'

Thank you very much to @Termindiego25 @Steph for directing me to the solution

3 Likes
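As an added illustration of why the subjectAltName mattered in this thread (this is not code from the thread or from Passbolt): a small Go program that builds a local CA, issues one certificate with a SAN for passbolt.local and one with only a CN like the first set of commands, and runs the same chain-and-hostname check a browser or the desktop app performs. The names makeCert and CheckHostname are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// makeCert issues a certificate for cn with the given DNS SANs; with parent nil it is a self-signed CA.
func makeCert(cn string, sans []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     sans, // the subjectAltName extension; empty means none is emitted
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // no parent: make this a self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CheckHostname does what a TLS client does: chain the server cert to the trusted CA, then match host against the SANs.
func CheckHostname(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca) // trust the CA, not the server certificate
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey := makeCert("Local Root CA", nil, nil, nil)
	withSAN, _ := makeCert("passbolt.local", []string{"passbolt.local"}, ca, caKey)
	noSAN, _ := makeCert("passbolt.local", nil, ca, caKey) // CN only, as in the first commands
	fmt.Println("with SAN:", CheckHostname(withSAN, ca, "passbolt.local"))
	fmt.Println("CN only :", CheckHostname(noSAN, ca, "passbolt.local"))
}
```

The CN-only certificate fails with a hostname mismatch even though it chains to the trusted CA, which is the "Hostname does not match" warning the healthcheck reported.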