Decryption GitHub not working

L4 Transporter

Hi

We are trying to run an API from passbolt to GitHub. In this we are doing decryption in PA. If we add an SSL exception for *.github.com it is working fine, or a "no decrypt" policy is working fine. Any idea?

Here is our health check:

passbolt]# su -s /bin/bash -c "./bin/cake passbolt healthcheck" nginx

____ __ ____
/ __ \____ _____ ____/ /_ ____ / / /_
/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
/_/ \__,_/____/____/_.___/\____/_/\__/

Open source password manager for teams
-------------------------------------------------------------------------------
Healthcheck shell........Warning Error: file_get_contents(/var/www/passbolt/config/jwt/jwt.pem): failed to open stream: No such file or directory
In [/var/www/passbolt/plugins/Passbolt/JwtAuthentication/src/Service/AccessToken/JwtKeyPairService.php, line 110]

2022-02-22 10:40:33 Warning: Warning (2): file_get_contents(/var/www/passbolt/config/jwt/jwt.pem): failed to open stream: No such file or directory in [/var/www/passbolt/plugins/Passbolt/JwtAuthentication/src/Service/AccessToken/JwtKeyPairService.php, line 110]
-------------------------------------------------------------------------------

Environment

[PASS] PHP version 7.3.28.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://

[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] cURL Error (60) Peer's certificate issuer has been marked as not trusted by the user.

Database

[PASS] The application is able to connect to the database
[PASS] 37 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/nginx/.gnupg.
[PASS] The directory /var/lib/nginx/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Application configuration

[FAIL] Could not connect to passbolt repository to check versions It is not possible check if your version is up to date.
[HELP] Check the network configuration to allow this script to check for updates.
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

JWT Authentication

[WARN] The JWT Authentication plugin is disabled
[HELP] Set the environment variable PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED to true

[FAIL] 3 error(s) found. Hang in there!

-------------------------------

L4 Transporter

@BigPalo The answer is in your output - it is failing because your host does not trust the certificate used by the firewall to decrypt traffic.

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] cURL Error (60) Peer's certificate issuer has been marked as not trusted by the user.

You can try ignoring the certificate check on your host or import the firewall certificate into your host's certificate trust store.
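The failure mode described in this reply, as an added example that is not part of the thread: a decrypting firewall re-signs the upstream server certificate with its own Forward Trust CA, so the passbolt host sees a leaf for api.github.com chaining to an issuer its trust store has never heard of. The script below builds a constructed stand-in for such a CA with openssl, mints a re-signed leaf the way the firewall would, and validates it twice: against the default store (fails, matching the healthcheck output) and with the firewall CA supplied as a trust anchor (passes). The CA name, the leaf and the distro trust-store paths in the comments are assumptions for the demo, since the thread does not state the host's OS; nothing here contacts GitHub or any firewall.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "certificate issuer has been
# marked as not trusted" with a constructed mock of a decrypting firewall's
# Forward Trust CA, then show that trusting that CA makes validation pass.
# Nothing touches the network; all material is generated in a temp dir.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA standing in for the firewall's Forward Trust certificate
# (constructed here; not a real firewall's key or name).
make_firewall_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Firewall Forward Trust CA" \
        -keyout "$WORK/fwca.key" -out "$WORK/fwca.pem" >/dev/null 2>&1
}

# A decrypting firewall re-signs the upstream server certificate with its
# Forward Trust CA; this mints such a leaf for api.github.com.
make_resigned_leaf() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=api.github.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/fwca.pem" -CAkey "$WORK/fwca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# What the passbolt host sees: the leaf chains to a CA the default store
# does not contain, so validation fails (the cURL error 60 case).
verify_with_system_store() {
    if openssl verify "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Same leaf with the firewall CA supplied as a trust anchor: passes.
# On a real host, importing the CA into the system store has this effect, e.g.
#   RHEL/CentOS:   cp fwca.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust
#   Debian/Ubuntu: cp fwca.pem /usr/local/share/ca-certificates/fwca.crt && update-ca-certificates
# (paths assumed; the thread does not say which distribution the host runs).
verify_with_firewall_ca() {
    if openssl verify -CAfile "$WORK/fwca.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_firewall_ca
make_resigned_leaf
echo "default store : $(verify_with_system_store)"
echo "with fw CA    : $(verify_with_firewall_ca)"
```

The same two-step check is worth running on the passbolt host itself: `openssl s_client -connect api.github.com:443 -showcerts` reveals which issuer the host is actually being presented, and if it is the firewall's Forward Trust CA rather than GitHub's public CA, that CA (not the leaf) is what belongs in the trust store.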

Cyber Elite

@BigPalo,

As @batd2 mentioned, you just need to get the certificate into the trust store and your checks will start passing. Alternatively, you can also just ignore that health check error; it's not really a requirement for that to succeed without issue.
