passbolt / passbolt_browser_extension

Browser extensions (Firefox, Edge & Chrome) for Passbolt the open source password manager for teams
https://passbolt.com
GNU Affero General Public License v3.0

Can not login to Passbolt #150

Closed Sir-Valen closed 2 years ago

Sir-Valen commented 2 years ago

Hello everyone!

Today (2022 May 26) I can not log in to my admin account in Passbolt. My users also can't log in. I tried to recover, but it stuck at the extension checking page. I have the extension. It kept asking me to install the extension and refresh, as a result - a constant requirement to reinstall the extension. Some details: I’m using Passbolt Chrome Extension v3.6.0, passbolt version 3.6.0 (Docker), Chrome version 102.0.5005.61 (Official Build) (x86_64). I already tried clearing the Chrome cache completely (didn't help), tried logging in from different browsers (didn't help), checked for errors in the docker and the system (nothing found).

Anything I can do?

cedricalfonsi commented 2 years ago

Hello @Sir-Valen,

> Today (2022 May 26) I can not log in to my admin account in Passbolt.

Prior to initiating a recover, did you see the sign-in form? If yes, do you remember any specific error message?

> I tried to recover, but it stuck at the extension checking page

If the extension is not starting it could be due to an API error. You can either check:

AnatomicJC commented 2 years ago

Hi @Sir-Valen ,

Can you check your passbolt gpg keys ?

# connect to your container
docker exec -it your_passbolt_container_name bash
# Check your server key
gpg --show-keys /etc/passbolt/gpg/serverkey.asc

If you are seeing more than one PGP fingerprint, like this:

pub rsa2048 2021-01-20 [SC]
177C1516F9C1957ABC157CA592D946CDEF1F7583
uid [ unknown] Passbolt default user <passbolt@yourdomain.com>
sub rsa2048 2021-01-20 [E]

pub rsa2048 2021-01-20 [SC]
DA5D26D04A2D7558EEF60E69C8DA4B7205E6E47F
uid [ unknown] Passbolt default user <passbolt@yourdomain.com>
sub rsa2048 2021-01-20 [E]

pub rsa2048 2021-01-20 [SC]
545F22A36F0380984D828F6BE5E5090C6FD6738A
uid [ unknown] Passbolt default user <passbolt@yourdomain.com>
sub rsa2048 2021-01-20 [E]

pub rsa2048 2021-01-20 [SC]
F9D5F72A0D7DB5118FE7146E9A1F3AC2510004EB
uid [ unknown] Passbolt default user <passbolt@yourdomain.com>
sub rsa2048 2021-01-20 [E]

You must rotate your key as described in this documentation: https://help.passbolt.com/faq/hosting/how-to-rotate-server-gpg-keys

Can you tell us if it fixes your issue ?

Cheers,

Sir-Valen commented 2 years ago

Hello @AnatomicJC,

Thank you for your reply, currently working on it 😉

gileri commented 2 years ago

Hi, I got the same issue today, so I rotated the keys (stopped the docker container, removed the keys from the volume, restarted it).

I got a warning from the mobile app that the keys were rotated, but not on the browser extension interestingly.

Now I can login with the extension window on both Firefox and Chromium, but not the "Passbolt homepage". I get the following error in the page :

Cannot verify server key. Internal server error. Contact your administrator (approximate translation).

When debugging the extension, the error is more detailed :

The key should be an openpgp valid armored key string.
    at readKeyOrFail (index.min.js:89239:11)
    at async StartRecoverController._findAndSetAccountServerPublicKey (index.min.js:46593:23)
    at async StartRecoverController.exec (index.min.js:46579:7)
    at async StartRecoverController._exec (index.min.js:46565:7)
    at async Port.<anonymous> (index.min.js:51057:5)

Looking into the API response and related JS variables, the key string seems correct at first glance.

AnatomicJC commented 2 years ago

Thank you for your feedback @gileri. Can you try to clear your firefox browser cache and cookies ? While getting Internal server error, you should have an error logged on your docker container logs. Can you have a look at it ?

Best,

gileri commented 2 years ago

> Thank you for your feedback @gileri. Can you try to clear your firefox browser cache and cookies ?

You're welcome @AnatomicJC ! With a clean, freshly recovered browser profile both the homepage and extension pop-up login work. With existing profiles it does not.

> While getting Internal server error, you should have an error logged on your docker container logs. Can you have a look at it ?

There is no error in Docker logs, or in the browser network debugging window. Here is an extract when refreshing the homepage while getting the Internal Server error :

passbolt_1  | 141.101.69.34 - - [30/May/2022:11:45:13 +0000] "GET /auth/login?locale=fr-FR HTTP/2.0" 200 1093 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
passbolt_1  | 2022-05-30 11:45:13,792 INFO reaped unknown pid 3360 (exit status 0)
passbolt_1  | 2022-05-30 11:45:13,793 INFO reaped unknown pid 3362 (exit status 0)
passbolt_1  | 141.101.69.34 - - [30/May/2022:11:45:13 +0000] "GET /settings.json?api-version=v2 HTTP/2.0" 200 1061 "https://passbolt.yurplan.com/auth/login?locale=fr-FR" "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
passbolt_1  | 2022-05-30 11:45:13,955 INFO reaped unknown pid 3365 (exit status 0)
passbolt_1  | 2022-05-30 11:45:13,955 INFO reaped unknown pid 3367 (exit status 0)
passbolt_1  | 141.101.68.67 - - [30/May/2022:11:45:14 +0000] "GET /settings.json?api-version=v2 HTTP/2.0" 200 1061 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
passbolt_1  | 2022-05-30 11:45:14,446 INFO reaped unknown pid 3370 (exit status 0)
passbolt_1  | 2022-05-30 11:45:14,446 INFO reaped unknown pid 3372 (exit status 0)
passbolt_1  | 141.101.68.67 - - [30/May/2022:11:45:14 +0000] "POST /auth/verify.json?api-version=v2 HTTP/2.0" 200 250 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
passbolt_1  | 2022-05-30 11:45:14,568 INFO reaped unknown pid 3375 (exit status 0)
passbolt_1  | 2022-05-30 11:45:14,569 INFO reaped unknown pid 3377 (exit status 0)
passbolt_1  | 2022-05-30 11:45:14,569 INFO reaped unknown pid 3380 (exit status 2)
passbolt_1  | 141.101.68.67 - - [30/May/2022:11:45:14 +0000] "GET /auth/verify.json?api-version=v2 HTTP/2.0" 200 2178 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0"
passbolt_1  | 2022-05-30 11:45:14,649 INFO reaped unknown pid 3382 (exit status 0)
passbolt_1  | 2022-05-30 11:45:14,653 INFO reaped unknown pid 3384 (exit status 0)

I guess this is a catch-all error message when hitting Error: The key should be an openpgp valid armored key string. in the extension

cedricalfonsi commented 2 years ago

@gileri The error you got on the Firefox passbolt home page is related to the previous gpg server key. This key is stored in the browser extension local storage, and in some cases, the key is parsed and compared to the current gpg server key. This mechanism is useful to support the gpg server key rotation feature.

To give a little bit of detail about the problem: while upgrading to openpgpjs v5.2, the multiple server keys issue we encountered with docker some time back was not taken into account, and these multiple gpg keys in one unique armored block cannot be parsed with the current implementation, where the client expects only one key per armored key block.

The workaround for people having this kind of gpg server key already present in their local storage is to recover their accounts after rotating the server key.

I'm sorry for the inconvenience, let us know how it goes.
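The condition discussed in the comments above (several keys inside a single armored block) can be checked without a full OpenPGP library by walking the packet headers and counting Public-Key packets. This is an added example, not code from the passbolt extension or OpenPGP.js; the function names are hypothetical and the sample packets are constructed dummies rather than real key material.

```javascript
// Count OpenPGP Public-Key packets (tag 6) inside ONE armored block.
// Packet framing follows RFC 4880 section 4.2; all names here are hypothetical.
function dearmor(armored) {
  const lines = armored.split(/\r?\n/).map((l) => l.trim());
  const begin = lines.indexOf("-----BEGIN PGP PUBLIC KEY BLOCK-----");
  const end = lines.indexOf("-----END PGP PUBLIC KEY BLOCK-----");
  if (begin < 0 || end < begin) throw new Error("not an armored public key block");
  let body = lines.slice(begin + 1, end);
  const blank = body.indexOf("");            // armor headers end at the first blank line
  if (blank >= 0) body = body.slice(blank + 1);
  // Skip the "=XXXX" CRC24 line, then decode the base64 payload.
  return Buffer.from(body.filter((l) => l && !l.startsWith("=")).join(""), "base64");
}

function countPrimaryKeys(bytes) {
  let count = 0, i = 0;
  while (i < bytes.length) {
    const hdr = bytes[i++];
    if ((hdr & 0x80) === 0) throw new Error("invalid packet header");
    let tag, len;
    if (hdr & 0x40) {                        // new-format header
      tag = hdr & 0x3f;
      const o = bytes[i++];
      if (o < 192) len = o;
      else if (o < 224) len = ((o - 192) << 8) + bytes[i++] + 192;
      else if (o === 255) { len = bytes.readUInt32BE(i); i += 4; }
      else throw new Error("partial body lengths not handled");
    } else {                                 // old-format header
      tag = (hdr >> 2) & 0x0f;
      const lt = hdr & 0x03;
      if (lt === 3) throw new Error("indeterminate length not handled");
      len = bytes.readUIntBE(i, 1 << lt);    // 1, 2 or 4 length octets
      i += 1 << lt;
    }
    if (!Number.isInteger(len) || i + len > bytes.length) throw new Error("truncated packet");
    if (tag === 6) count++;                  // each Public-Key packet starts another key
    i += len;
  }
  return count;
}

function checkServerKeyBlock(armored) {
  const keys = countPrimaryKeys(dearmor(armored));
  return { keys, singleKey: keys === 1 };
}

// Constructed sample data: dummy packet bodies, not real key material.
const pkt = (tag, body) => Buffer.from([0xc0 | tag, body.length, ...body]);
const fakeKey = Buffer.concat([Buffer.from([0x99, 0, 2, 4, 0]), pkt(13, [0x70, 0x62]), pkt(14, [4, 0])]);
const armor = (buf) => `-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n${buf.toString("base64")}\n-----END PGP PUBLIC KEY BLOCK-----`;
```

A block for which `singleKey` is false corresponds to the multi-fingerprint `gpg --show-keys` output shown earlier in the thread.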

gileri commented 2 years ago

Thank you for clarifying the situation @cedricalfonsi !

> The workaround for people having this kind of gpg server key already present in their local storage is to recover their accounts after rotating the server key.

Wouldn't it be possible to detect this case in the extension and ignore/remove the problematic server key ? For example, logging in through the extension popup works (maybe it doesn't check the server key in that process ?).

We are using Passbolt CE so I understand we may not make "demands", but recovering all users is kind of painful.

cedricalfonsi commented 2 years ago

Au contraire, demands can be made ;) How many users do you have to recover?

Sir-Valen commented 2 years ago

> Wouldn't it be possible to detect this case in the extension and ignore/remove the problematic server key ? For example, logging in through the extension popup works (maybe it doesn't check the server key in that process ?).

We have the same issue. We have 500+ users, so it will be complicated to organize a recovery process for each of them. Now every user has to delete the extension, then reinstall it and go through the recovery procedure. Maybe you have any workarounds to avoid this?

Looking forward to hearing from you soon.

cedricalfonsi commented 2 years ago

A v3.6.1 was just released to address the latest part of the problem, Firefox is already published (edge and chrome in review).

After rotating the server key, the users should be able to accept the new server key without having to perform a recover.

@Sir-Valen @gileri Can you check if this solves the issue on your side?

cedricalfonsi commented 2 years ago

The Chrome extension was published this morning.

gileri commented 2 years ago

Thank you for the patch @cedricalfonsi !

Now I hit this case : https://github.com/passbolt/passbolt_browser_extension/blob/e15d351da04d4d2f2bc948594a54326a9cd25c58/src/all/background_page/controller/auth/authVerifyServerKeyController.js#L96-L99

With the same error: "Error: The key should be an openpgp valid armored key string.", due to remoteServerKey being assigned undefined here : https://github.com/passbolt/passbolt_browser_extension/blob/f66ca3f5a440c5b6bd1288ca69ec79016a891d72/src/all/background_page/model/gpgauth.js#L127-L128

This test succeeds (it doesn't enter this branch) in my setup :

https://github.com/passbolt/passbolt_browser_extension/blob/e15d351da04d4d2f2bc948594a54326a9cd25c58/src/all/background_page/controller/auth/authVerifyServerKeyController.js#L88-L90

Please note that I'm on Firefox with an "old" profile, and rotated the keys on the server.

cedricalfonsi commented 2 years ago

Thank you for your report, I confirm the issue, a ticket was created (ref: PB-16736) and is already in progress.

cedricalfonsi commented 2 years ago

@gileri A fix was just published on Firefox with v3.6.2. Chrome is in review, Edge is scheduled for later. Let us know how it goes.

gileri commented 2 years ago

Wonderful ! I can confirm that both the PB homepage and extension popup logins work as expected, on Firefox at least.

cedricalfonsi commented 2 years ago

Great, I'm closing the ticket. Thank you for the reports and the follow-up on it.