Cannot connect to KeePassXC #1863

Closed
bjorn-l opened this issue Feb 24, 2023 · 37 comments

@bjorn-l

bjorn-l commented Feb 24, 2023

Another dreaded "Cannot connect". Some info:

From "About Mozilla Firefox" (from tar file, not snap/flatpak):

  • Firefox 110.0 (64-bit)
  • Mozilla Firefox for Ubuntu

(Note: It used to work. This problem started around the time that I noticed it automatically upgraded to Firefox 110. But I am not sure there is cause/effect.)

From Keepassxc:

  • KeePassXC - Version 2.7.4
  • Revision: 63b2394
  • Qt 5.15.3
  • Debugging mode is disabled.
  • Operating system: Ubuntu 22.04.2 LTS
  • CPU architecture: x86_64
  • Kernel: linux 5.15.0-60-generic

More info on things I've tried:

  • Reinstalling Firefox and KeepassXC does not help.
  • When I go to settings of the keepassxc-browser extension, the Connected Databases shows "No connected databases found."
  • I can start (without any errors) the keepassxc executable. It finds the database and shows the stored login credentials.

More info gleaned from the Troubleshooting guide:

$ cat ~/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json 
{
    "allowed_extensions": [
        "[email protected]"
    ],
    "description": "KeePassXC integration with native messaging support",
    "name": "org.keepassxc.keepassxc_browser",
    "path": "/usr/bin/keepassxc-proxy",
    "type": "stdio"
}
$ 
$ id -u
1001
$ ls -nl $XDG_RUNTIME_DIR/org.keepassxc.KeePassXC.BrowserServer 
lrwxrwxrwx 1 1001 1001 80 Feb 23 20:57 /run/user/1001/org.keepassxc.KeePassXC.BrowserServer -> /run/user/1001/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer
$ 
  • keepassxc-proxy is not running. Tried manually without arguments and with
    ~/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json org.keepassxc.keepassxc_browser
    as arguments, but neither made a difference.
  • When I run the keepassxc-browser extension under the debugger, it always triggers, not surprisingly, the function logError.
  • It prints the following:
KeePassXC-Browser: Connecting to native messaging host org.keepassxc.keepassxc_browser client.js:317:13
[Error ] KeePassXC-Browser - Failed to connect: Unknown error global.js:177:13
[Error client.js:336] KeePassXC-Browser - No content script available for this tab. global.js:177:13
[Error keepass.js:753] KeePassXC-Browser - 9: Key exchange was not successful. global.js:177:13
[Error keepass.js:440] KeePassXC-Browser - No content script available for this tab.

So the questions are:

  • It appears keepassxc-proxy does not start. Why?
  • I assume that the "No connected databases found" message is due to keepassxc-proxy not running?
  • If I want to test by starting keepassxc-proxy manually, what arguments does it take?
  • How do I proceed to debug or fix this issue?

@droidmonkey
Member

You didn't strace your Firefox

@bjorn-l
Author

bjorn-l commented Feb 24, 2023

Sorry - I forgot:

$ sudo strace -f -p $(pgrep firefox) 2>&1 | grep keepass
[pid 2098488] openat(AT_FDCWD, "/home/user/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json", O_RDONLY <unfinished ...>
[pid 2097971] newfstatat(AT_FDCWD, "/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 2097971] newfstatat(AT_FDCWD, "/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 2097971] newfstatat(AT_FDCWD, "/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 2097971] newfstatat(AT_FDCWD, "/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 2097971] newfstatat(AT_FDCWD, "/usr/bin/keepassxc-proxy",  <unfinished ...>
[pid 2098692] execve("/usr/bin/keepassxc-proxy", ["/usr/bin/keepassxc-proxy", "/home/user/.mozilla/native-mess"..., "[email protected]"], 0x7f34e1e0ce00 /* 63 vars */ <unfinished ...>

@varjolintu
Member

varjolintu commented Feb 24, 2023

If you want to test the proxy manually, it takes no arguments. It doesn't display anything if the start succeeds.

I'm a little confused by the report that the proxy does not start but you still have strace for it? "No connected databases" error just means you haven't connected the extension to your current database. If you see that error the proxy is running normally.

Sometimes a Firefox update can mess up the proxy connection, so if there are any problems it's suggested to restart both KeePassXC and the browser, plus possibly kill keepassxc-proxy.

Also, see about:support and make sure the Firefox update didn't actually install a Snap version back.

@bjorn-l
Author

bjorn-l commented Feb 24, 2023

> If you want to test the proxy manually, it takes no arguments. It doesn't display anything if the start succeeds.

It makes no visible difference. I still get the "No connected databases found" message.

> I'm a little confused by the report that the proxy does not start but you still have strace for it?

The strace is for the firefox executable. But curiously, sometimes I get the following:

[pid 2101526] execve("/usr/bin/keepassxc-proxy", ["/usr/bin/keepassxc-proxy", "/home/user/.mozilla/native-mess"..., "[email protected]"], 0x7f34e1e09000 /* 63 vars */) = -1 EACCES (Permission denied)

and other times this:

[pid 2102023] execve("/usr/bin/keepassxc-proxy", ["/usr/bin/keepassxc-proxy", "/home/user/.mozilla/native-mess"..., "[email protected]"], 0x7f34e2ab3400 /* 63 vars */ <unfinished ...>

The file has mode 755. Apparmor is disabled. So don't know why the EACCES.

> Also, see about:support and make sure the Firefox update didn't actually install a Snap version back.

I believe it is not running under snap. From about:support:

Application Binary 	/usr/lib/firefox/firefox

@varjolintu
Member

> It makes no visible difference. I still get the "No connected databases found" message.

This error is in the console? If this is shown, then the connection is working normally. You just haven't connected your database to the extension if the popup shows the Connect button. I'd suggest that you remove all connection keys from KeePassXC side also, just in case.

I'd also suggest that you test a previous version of Firefox (108 or 109) manually to see if those work normally. Does any non-Firefox browser have the problem?

@bjorn-l
Author

bjorn-l commented Feb 24, 2023

> This error is in the console?

It appears when I click on the "Connected Databases" sidebar of the Keepassxc-browser extension "Settings" page.

> You just haven't connected your database to the extension if the popup shows the Connect button

There is a "Connect" button on that same page. So how do I connect to the database? No database to select.

> I'd suggest that you remove all connection keys from KeePassXC side also, just in case.

Not sure what this means. I have tried clearing, and setting again, the "Enable integration for the [firefox] browser" in the keepassxc program.

> I'd also suggest that you test a previous version of Firefox (108 or 109) manually to see if those work normally. Does any non-Firefox browser have the problem?

It works properly with the Brave browser. I did try to revert to Firefox 109, but I had some issues - I think the Firefox profile files are not backward compatible. And I thought others must have transitioned to 110.

@varjolintu
Member

> It appears when I click on the "Connected Databases" sidebar of the Keepassxc-browser extension "Settings" page.

It's not an error. It just tells that there's no connected databases with the extension.

> There is a "Connect" button on that same page. So how do I connect to the database? No database to select.

It only works if the connection works.

> It works properly with the Brave browser. I did try to revert to Firefox 109, but I had some issues - I think the Firefox profile files are not backward compatible. And I thought others must have transitioned to 110.

It's highly possible that this is some kind of Firefox issue with Linux. I have seen multiple similar reports like this after Firefox 109 was released, and seems things are not working properly with 110 either. I'll have to give this a try myself.

@varjolintu
Member

Tested Ubuntu 22.04.2 LTS with KeePassXC and Firefox both from PPA. Had no problems.

@bjorn-l
Author

bjorn-l commented Feb 27, 2023

Thought I'd provide an update of my status:

I downgraded from Firefox 110.0 to 109.0.1. And KeepassXC works again. So it seems that in my installation, Firefox 110.0 does not work. So still curious if Firefox 110.0 works for others.

In response to prior comments:

> It appears when I click on the "Connected Databases" sidebar of the Keepassxc-browser extension "Settings" page.

> It's not an error. It just tells that there's no connected databases with the extension.

Correct. I did not call it an error, but rather a "message." But it is an indication that something is not working correctly, as I expected my database to be listed.

> Tested Ubuntu 22.04.2 LTS with KeePassXC and Firefox both from PPA. Had no problems.

What version of Firefox is installed?

@varjolintu
Member

varjolintu commented Feb 27, 2023

> What version of Firefox is installed?

110.0. The only difference is that I'm using an ARM, not x64. This is somehow related to Firefox updates, but not sure how. If the Native Messaging connection is broken, just restarting the proxy process (and/or KeePassXC plus the browser) should solve the issue.

@idrilirdi

I've had the same problem on 110.0 with x64. Downgrading to 109.0.1 has worked

@droidmonkey
Member

Sounds like we have a Firefox problem...

@wosym

wosym commented Feb 27, 2023

I might be experiencing the same on Firefox v109.0, on a Ubuntu machine.

However... on another computer (Arch Linux) with v110.0 I do not experience the problem.

@evert

evert commented Feb 27, 2023

Most Ubuntu+Firefox problems are solved by not using the Snap version I find

@wosym

wosym commented Feb 28, 2023

@evert Tried the non-snap version today. It was totally broken and suffered from pretty extreme rendering issues. I quickly switched back to the snap version.

It makes me curious why the snap and deb are different? snap and apt are package managers. They shouldn't change code, right? How can the same version of a program be so different, depending on what package manager you use to install it?

Anyways, I guess that would be a little bit off-topic here. In any case: switching to snap doesn't appear to be a viable alternative. At least not for me. Is it possible to derive from the traces where exactly it is going wrong?

@idrilirdi

> Most Ubuntu+Firefox problems are solved by not using the Snap version I find

The problem I and OP have is specifically not using the snap. I installed 110 using the ppa on Ubuntu 22.04 (yes, I made sure it's not the snap) and later downgraded to 109 using the .deb
And my keepassxc is also from ppa

@evert

evert commented Feb 28, 2023

@wosym did you use the 'team mozilla ppa' ? sudo add-apt-repository ppa:mozillateam/ppa

Works perfectly for me (aside from Snap occasionally ignoring my wishes and reinstalling itself)

@wosym

wosym commented Feb 28, 2023

@evert I followed these steps: https://www.omgubuntu.co.uk/2022/04/how-to-install-firefox-deb-apt-ubuntu-22-04

So, yes. I used that ppa.

@idrilirdi

@evert yes, that's the ppa I use too

@saveli

saveli commented Mar 1, 2023

I have the same issue on Windows since 25. Feb: Keepass can no longer connect to the database.
Firefox 110.0.1 x64.

So I would go for the "Firefox problem" direction...

@varjolintu
Member

1.8.4. was released in Dec 19, 2022. 1.8.5 in Feb 26, 2023. So if the error showed up between this time period and Firefox was updated, the error probably isn't in the extension. Especially if it worked normally.

varjolintu pinned this issue Mar 1, 2023

@bjorn-l
Author

bjorn-l commented Mar 2, 2023

Update:

Both Firefox (to 100.0.1) and KeepassXC-Browser (to 1.8.5.1) have had new (sub)-releases since Feb. 28th. But the problem persists. Firefox 109.0.1 with KeepassXC-Browser 1.8.5.1 works. (That is, in my environment, for both cases.)

> 1.8.4. was released in Dec 19, 2022. 1.8.5 in Feb 26, 2023. So if the error showed up between this time period and Firefox was updated, the error probably isn't in the extension. Especially if it worked normally.

But that still doesn't tell us where/why the problem occurs, or where/how to fix it. (And the 'where' includes Firefox, KeepassXC-Browser, and my environment.) The question remains, how do we debug and fix this issue? It seems that the first step is understanding why it doesn't either connect to the database, or request to pair with one (key association request) if it can't find one.

(Note: KeepassXC-Browser 1.8.5 was released for Chrome on Feb. 26, but the Firefox version, under 1.8.5.1, seemed to not be available until today.)

@varjolintu
Member

@bjorn-l I would gladly debug this situation if I could reproduce it myself. In my VM everything works normally. Maybe I'll have to wait for a Firefox update? Don't know. Current version I use is 110.

(For some reason 1.8.5 was pending a long time in the Mozilla's review queue, but 1.8.5.1 went through instantly.)

@Slater91

Slater91 commented Mar 5, 2023

I've been having this issue on a newly-configured computer with Firefox installed through .deb on KDE Neon (Ubuntu 22.04 base). As the computer has no personal data on it, I'd be glad to give developers remote access to it to debug the issue.

@droidmonkey
Member

I'm very curious, please provide credentials and access method (rdp, etc) to [email protected]

@BHSPitMonkey

On a recent install of Ubuntu 22.10 with Firefox installed via the PPA I've been having the same problem, including similar strace output as bjorn-l's earlier comment:

[pid 244930] execve("/usr/bin/keepassxc-proxy", ["/usr/bin/keepassxc-proxy", "/home/stephen/.mozilla/native-me"..., "[email protected]"], 0x7fa671396470 /* 60 vars */) = -1 EACCES (Permission denied)

But reviewing dmesg output did seem to indicate AppArmor as the culprit:

[647960.021231] audit: type=1400 audit(1678091293.969:13480): apparmor="DENIED" operation="exec" class="file" profile="firefox" name="/usr/bin/keepassxc-proxy" pid=243636 comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Disabling the AppArmor profile distributed with the Firefox deb package did finally allow me to connect successfully:

sudo apt install -y apparmor-utils
sudo aa-disable /etc/apparmor.d/usr.bin.firefox

This probably isn't an ideal/sustainable solution as it probably introduces some vulnerabilities in the browser; my next step would be to find a surgical edit to the profile that would just allow keepassxc-proxy to run, but I'm out of energy for now.
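
Added example (not part of the thread or of any project's code): a small parser for AppArmor audit lines like the one quoted above. It decodes the hex-encoded `comm` field and groups denials by profile, operation and target, which shows exactly which rule a profile lacks before anyone disables it. Sample lines other than the first are constructed.

```python
import re
from collections import Counter

# First line is the denial quoted in the comment above; the other two are
# constructed for illustration (a complain-mode event and unrelated noise).
SAMPLE_DMESG = """\
[647960.021231] audit: type=1400 audit(1678091293.969:13480): apparmor="DENIED" operation="exec" class="file" profile="firefox" name="/usr/bin/keepassxc-proxy" pid=243636 comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[647961.000000] audit: type=1400 audit(1678091294.100:13481): apparmor="ALLOWED" operation="open" class="file" profile="firefox" name="/etc/hosts" pid=243636 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[647962.000000] usb 1-1: new high-speed USB device number 5 using xhci_hcd
"""

FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# The audit subsystem writes untrusted strings either quoted or, when they
# contain spaces or control characters, as bare hex. Only these keys are
# treated as hex-capable so that numeric fields such as pid stay untouched.
HEX_CAPABLE = {"comm", "name"}


def parse_apparmor_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    event = {}
    for key, raw in FIELD.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif key in HEX_CAPABLE and HEX.fullmatch(raw):
            value = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            value = raw
        event[key] = value
    return event


def denials(text):
    """All events that were actually blocked (enforce mode)."""
    events = (parse_apparmor_event(line) for line in text.splitlines())
    return [e for e in events if e and e.get("apparmor") == "DENIED"]


def summarize(text):
    """Count denials by (profile, operation, target, denied_mask)."""
    return Counter(
        (e.get("profile"), e.get("operation"), e.get("name"), e.get("denied_mask"))
        for e in denials(text)
    )


if __name__ == "__main__":
    for (profile, op, name, mask), n in summarize(SAMPLE_DMESG).items():
        print(f"{n}x profile={profile} op={op} target={name} mask={mask}")
    print("blocked thread:", denials(SAMPLE_DMESG)[0]["comm"])
```

On a live system the same functions can be fed the output of `dmesg` or the kernel journal instead of the embedded sample.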

@varjolintu
Member

varjolintu commented Mar 6, 2023

@BHSPitMonkey Thanks for the info. I can try to reproduce the error using AppArmor.

EDIT: Reproduced it with aa-enforce. Trying to find a solution. Btw, related thread here: #281. I will comment my findings there.

EDIT 2: Got it working with PPA Firefox. See the linked thread.

@Slater91

Slater91 commented Mar 6, 2023

I've taken a look at my logs and I see the same issues with AppArmor. I've compared the /etc/apparmor.d/usr.bin.firefox file to that on my main machine where things work and they're identical, so I don't understand where the issue might be. I suspect, though of course I might be wrong, that the difference between the two systems lies in the fact that the main machine was updated from 20.04, whereas the new machine was installed cleanly.

Editing the AppArmor profile as suggested in the other report leads to the extension working.

@varjolintu
Member

@Slater91 Are you sure the profile is in use? In my system I had to enable it using aa-enforce. The profile was there but it wasn't active.

@Slater91

Slater91 commented Mar 6, 2023

I have indeed tested enabling the profile without the section included in the other report and it does seem to work without issues, so it looks like it wasn't enabled before.

@varjolintu
Member

@bjorn-l Can you check if AppArmor is the cause for your problems?

@bjorn-l
Author

bjorn-l commented Mar 6, 2023

> Can you check if AppArmor is the cause for your problems?

Sounds likely. I thought I had stopped it:

$ systemctl status apparmor.service ○ apparmor.service - Load AppArmor profiles Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled) Active: inactive (dead) Docs: man:apparmor(7) https://gitlab.com/apparmor/apparmor/wikis/home/ $

But it looks like it is actually running:

$ apparmor_status apparmor module is loaded. 48 profiles are loaded. 32 profiles are in enforce mode. . . . firefox firefox//browser_java firefox//browser_openjdk firefox//lsb_release firefox//sanitized_helper . . . $

I'll try upgrading firefox later this afternoon, and trying it again.

@varjolintu
Member

@bjorn-l Try this if you encounter any problems: #281 (comment)

@bjorn-l
Author

bjorn-l commented Mar 7, 2023

It works!

Thanks, @varjolintu, for the patch to the apparmor parameters in your other thread. And to the other thread contributors that helped identify the issue.

In summary, it is now working with Firefox 110.0.1, with KeepassXC-Browser 1.8.5.1, and apparmor enabled.

@bjorn-l
Author

bjorn-l commented Mar 7, 2023

P.S. For those encountering this in the future...

My code posting earlier got mangled (I thought that the 'code' formatting would preserve newlines). I was trying to show the systemctl status apparmor output. It included:

Active: inactive (dead)

But it appears that apparmor_status or aa-status provides a better indication of whether it is running.
(My system does have the default Type=oneshot and RemainAfterExit=yes settings.)
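
Added example (not part of the thread): a check of AppArmor state that reads the kernel's own view rather than the systemd unit status, matching the observation above that `apparmor_status` showed enforcing profiles while the unit was reported inactive. The two paths are the standard kernel interfaces; the profile list usually needs root to read, and the sample listing is constructed.

```python
from pathlib import Path

ENABLED_PARAM = Path("/sys/module/apparmor/parameters/enabled")
PROFILES_FILE = Path("/sys/kernel/security/apparmor/profiles")  # root-readable

# Constructed sample in the "name (mode)" format of the profiles file.
SAMPLE_PROFILES = """\
firefox (enforce)
firefox//browser_java (enforce)
firefox//sanitized_helper (enforce)
/usr/sbin/cups-browsed (complain)
"""


def parse_profiles(text):
    """Map each loaded profile name to its mode (enforce, complain, ...)."""
    modes = {}
    for line in text.splitlines():
        name, sep, mode = line.strip().rpartition(" (")
        if sep and mode.endswith(")"):
            modes[name] = mode[:-1]
    return modes


def confining(text, prefix):
    """Profiles named prefix, or child profiles prefix//child, in enforce mode."""
    return sorted(
        name for name, mode in parse_profiles(text).items()
        if mode == "enforce" and (name == prefix or name.startswith(prefix + "//"))
    )


def kernel_state(enabled_param=ENABLED_PARAM, profiles_file=PROFILES_FILE):
    """Report what the kernel has loaded, independent of any service status."""
    try:
        enabled = enabled_param.read_text().strip() == "Y"
    except OSError:  # module not present at all
        return {"enabled": False, "profiles": None}
    try:
        profiles = parse_profiles(profiles_file.read_text())
    except OSError:  # typically PermissionError when not run as root
        profiles = None
    return {"enabled": enabled, "profiles": profiles}


if __name__ == "__main__":
    state = kernel_state()
    print("AppArmor enabled in kernel:", state["enabled"])
    if state["profiles"] is None:
        print("profile list not readable (run as root); sample data instead:")
        print(confining(SAMPLE_PROFILES, "firefox"))
    else:
        print({n: m for n, m in state["profiles"].items() if n.startswith("firefox")})
```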

@varjolintu
Member

@bjorn-l Excellent! I'll close the ticket, but doing some more testing with KeePassXC AppImage/Flatpak and Firefox Snap/PPA to check if any other combination needs similar patching.

@Qfl3x

Qfl3x commented May 5, 2023

@varjolintu Not exactly sure where to put that code snippet. I've put it under the big "profile firefox" and it still has a permission error. Although the permission error now is at:

[pid 12328] connect(6, {sa_family=AF_UNIX, sun_path="/run/user/1002/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer"}, 110) = -1 EACCES (Permission denied)

I've run the aa-enforce command as well as reloading apparmor entirely using systemctl.

And yes, I still can't connect to the DB.
