Passbolt SSL alert number 42

[chandr-andr]

Hi!
I'm trying to deploy passbolt on my cluster. Unfortunately, I've hit an unsolvable error.

I'm using K3s.

There are my configuration files (I masked my domain with domain).
My values.yaml:

redisDependencyEnabled: false

redis:
  auth:
    password: my_redis_password

mariadb:
  auth:
    password: my_mariadb_password
  primary:
    persistence:
      storageClass: openebs-hostpath
  secondary:
    persistence:
      storageClass: openebs-hostpath

passboltEnv:
  plain:
    APP_FULL_BASE_URL: https://passbolt.domain.net
    PASSBOLT_SSL_FORCE: true
  secret:
    CACHE_CAKE_DEFAULT_PASSWORD: my_redis_password
    DATASOURCES_DEFAULT_PASSWORD: my_mariadb_password

app:
  # -- Configure pasbolt deployment init container that waits for database
  databaseInitContainer:
    # -- Toggle pasbolt deployment init container that waits for database
    enabled: false
  # Allowed options: mariadb, mysql or postgresql
  database:
    kind: mariadb
  cache:
    # Use CACHE_CAKE_DEFAULT_* variables to configure the connection to redis instance
    # on the passboltEnv configuration section
    redis:
      # -- By enabling redis the chart will mount a configuration file on /etc/passbolt/app.php
      # That instructs passbolt to store sessions on redis and to use it as a general cache.
      enabled: false
      sentinelProxy:
        # -- Inject a haproxy sidecar container configured as a proxy to redis sentinel
        # Make sure that CACHE_CAKE_DEFAULT_SERVER is set to '127.0.0.1' to use the proxy
        enabled: false

cronJobEmail:
  enabled: false
  schedule: "* * * * *"
  extraPodLabels: {}

# -- Configure passbolt container livenessProbe
livenessProbe:
  httpGet:
    port: https
    scheme: HTTPS
    path: /healthcheck/status.json
    httpHeaders:
      - name: Host
        value: my-passbolt.passbolt.svc.cluster.local
  initialDelaySeconds: 20
  periodSeconds: 10
# -- Configure passbolt container RadinessProbe
readinessProbe:
  httpGet:
    port: https
    scheme: HTTPS
    httpHeaders:
      - name: Host
        value: my-passbolt.passbolt.svc.cluster.local
    path: /healthcheck/status.json
  initialDelaySeconds: 5
  periodSeconds: 10

tls:
  # -- Generates a secret with a self-signed cerfificate that is injected on ingress and passbolt container
  autogenerate: false
  # -- Name of an existing kubernetes secret that contains a SSL certificate to inject on ingress and passbolt container
  existingSecret: passbolt-cert-secret

ingress:
  # -- Enable passbolt ingress
  enabled: true
  # -- Configure passbolt ingress annotations
  annotations: {}
  # -- Configure passbolt ingress hosts
  hosts:
    - host: passbolt.domain.net
      paths:
        - path: /
          pathType: ImplementationSpecific
  # -- Configure passbolt ingress tls
  tls:
    # If secretname is not empty, the tls entry will use it, otherwise will
    # have a default name based on the release
    - secretName: passbolt-cert-secret
      hosts:
        - passbolt.domain.net

My certificate.yaml:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: passbolt-cert-secret
  namespace: passbolt
spec:
  secretName: passbolt-cert-secret

  subject:
    organizations:
      - domain.net

  duration: 2160h # 90d
  renewBefore: 360h # 15d
  usages:
    - digital signature
    - key encipherment
  dnsNames:
    - passbolt.domain.net
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
    group: cert-manager.io

The certificate is ready and a secret is created.

When I go to any browser and make a request to https://passbolt.domain.net, I get Internal Server Error and logs show this error.

2024/04/04 23:00:06 [info] 184#184: *8 SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.34, server: 0.0.0.0:443

Could you please tell me what I did wrong?

[Jozefiel]

Certificates are probably not correctly imported.

I'm testing passbolt external secret operator with helm deployment.

Log from passbolt

SSL_do_handshake() failed (SSL: error:0A000412:SSL routines::sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.213, server: 0.0.0.0:443

Log from external secrets operator

...  Request: Doing Request: Request: Post \"https://passbolt.passbolt.svc.cluster.local/auth/login.json?api-version=v2\": tls: failed to verify certificate: x509: certificate is valid for www.passbolt.local, not passbolt.passbolt.svc.cluster.local", ...

And this is from passbolt depl pod, passbolt container.

# cat /etc/ssl/certs/certificate.crt

-----BEGIN CERTIFICATE-----
MIIFvjCCA6agAwIBAgIUYAvvJqFWH/+NOCoguKid6Y8OFbMwDQYJKoZIhvcNAQEL
BQAwXzELMAkGA1UEBhMCRlIxDzANBgNVBAgMBkRlbmlhbDEUMBIGA1UEBwwLU3By
aW5nZmllbGQxDDAKBgNVBAoMA0RpczEbMBkGA1UEAwwSd3d3LnBhc3Nib2x0Lmxv
Y2FsMB4XDTI0MDUxMDIwMjQzMloXDTI1MDUxMDIwMjQzMlowXzELMAkGA1UEBhMC
RlIxDzANBgNVBAgMBkRlbmlhbDEUMBIGA1UEBwwLU3ByaW5nZmllbGQxDDAKBgNV
BAoMA0RpczEbMBkGA1UEAwwSd3d3LnBhc3Nib2x0LmxvY2FsMIICIjANBgkqhkiG
9w0BAQEFAAOCAg8AMIICCgKCAgEArFbPUdUrcP3r2e5lq4l/3OLU1tHIqs3nxaDf
UgijrpzVEQK/HqDI/9sMctXrRuYS94OKfSHVSWJCFRA0XYB1YK3iQUVVz7xaIJ2H
xoFdCE0frO+Zks6pSKK1XZ2pdfF1kPGKdLWYtb7cCz/JOgUSyVViz8URtKCdOFyT
4RjF2qscARC+YaEfbbkfdyIZK+diHic5LOcrSSnxx80IoXlOraYtGoSgeqKX0vRd
NyfN0zqBUMo2eZ9A5pZ00KtlbQ8Ug72Ndn4onASj1LUxoZWertnYVZpEktVq0+JV
CqvlBuyvl0A9tgNXHBINCuajKSEO6P/VDnAPD5jyBxeGTNG9ofHitVtEI9PtjR1v
CHQJ9b2DzsTtsPsPX0ax1KsDLr9Axr72hiy1rP5RPsuWE5ltsqCwmM3W1a+s/7jz
uLLehHIyMmW4/WYTWUBPhuteSFFxL3cAsXGN1HfhUdfGvCJM8A/LhRxY9dBsNITX
OfTtc5wmgb6o/eiY2qscjMXgZL+ofBAxzgG352r+tM3vAD/UJlcpgHAFQG+a+Lcc
kn8Rzx+oPt26gX2glkIRPyCtIn5MQiu0w6ekbQoOVcdjKUnw+7gC1sMP9fJ4fE5O
Q2HQRh9SI5gOF3R+1u4YlaNCCc7/1FMY3oqwMMcVoP+RgEew1FAQ4Hf/A5/O31OG
gy/ejKUCAwEAAaNyMHAwHQYDVR0OBBYEFP7axmSiKy8Em5JrMKLCzzm+ZzODMB8G
A1UdIwQYMBaAFP7axmSiKy8Em5JrMKLCzzm+ZzODMA8GA1UdEwEB/wQFMAMBAf8w
HQYDVR0RBBYwFIISd3d3LnBhc3Nib2x0LmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IC
AQAxdyu7hBb8gTvKa+ifBiNSlcbmOVfvrwj1QRBmXc9gnP5ER1hrvPYqCbPZBC8O
YpIIQeSmbNwAZ1wN163n0Fwwv6sLsul1K6WvGw3eXVWsPJ0D/WZbYzljai4aVOaR
OfrJnu+6WsBxIm+nS1m9nFFxkuZXPsFojmakL7eVhSth5NDjKXiE4PNf4edweKI5
jG36LeiALZS8W4m+wZQ08xkcABRU3h2tGDkSc3bpGLvu665ZauktIXCTqBod+1X8
hLdrlhlGErOEFBaUqWgdOJnd+ay29/VIQqlTx5THZOx47w/mjM3C/VsZw+qIk/qm
9YGndIM9B8KcoA/O3I6EY1RImyji7BkgGOKUnsU/kw7sH8iX7/zzKlEC8Nwwc/cw
G02lWEnKVwQPjfYxaC6KQ3fByOkiwa7j1V8FRdZLDsm2/rUZ2hIkpV4rzvFsX6ar
o9512fBMGXifIkBpKGGC0YeHk5hsizWY3wBzL/B+bi4HeI9AjnZR+pPVElUrA1y8
DNJ2nmlmlh/sxy+lupdpCTHqtueVeq31q/skT3KPTNQ9dTBCsH97pU750OpS8tow
1aTRxltIvITi71H9rbZtd4V9fL9ETAS41Mzpb6P6Z7Iw5GIyw24uYIzEm7y1UWgg
2bsLhUsxDF1cc7RZTN9vWsrpFO04aJlyKL8HJ1Nk15kRSA==
-----END CERTIFICATE-----

Decoded output|

Certificate Information:
Common Name: www.passbolt.local
Subject Alternative Names: www.passbolt.local
Organization: Dis
Organization Unit:
Locality: Springfield
State: Denial
Country: FR
Valid From: May 10, 2024
Valid To: May 10, 2025
Issuer: www.passbolt.local, Dis
Key Size: 4096 bit
Serial Number: 600bef26a1561fff8d382a20b8a89de98f0e15b3