Extension Cannot Connect to KeePassXC - "Key Exchange Was Not Successful" #1399

Closed
ThisNekoGuy opened this issue Aug 25, 2021 · 19 comments

@ThisNekoGuy

Expected Behavior

The extension should be able to connect to the KeePass desktop application

Current Behavior

Every time a webpage with password fields loads or I try to manually re-connect the database, it gives me a "Key Exchange Was Not Successful" error.

Possible Solution

I had installed KeePassXC from the source code but rolling back to my Linux distro's (Arch Linux) officially packaged version resulted in the same problem.
(This didn't use to happen before; it just suddenly started recently.)

Steps to Reproduce (for bugs)

  1. Have KeePassXC and a Firefox-based web browser with the extension start up on system login
  2. Navigate to a webpage with a login form (note: remember to have previously connected the desktop app to the extension)
  3. See that the extension fails to connect

Debug info

KeePassXC - unknown
KeePassXC-Browser - 1.7.9.1
Operating system: Linux x86_64
Browser: Mozilla Firefox 91.0

KeePassXC - Version 2.6.6
Revision: 9c108b9

Qt 5.15.2
Debugging mode is disabled.

Operating system: Arch Linux
CPU architecture: x86_64
Kernel: linux 5.10.53-183-tkg-upds

Enabled extensions:
- Auto-Type
- Browser Integration
- SSH Agent
- KeeShare (signed and unsigned sharing)
- YubiKey
- Secret Service Integration

Cryptographic libraries:
- libgcrypt 1.9.3-unknown
@varjolintu
Member

@JKAbrams

JKAbrams commented Aug 26, 2021

I believe this has to do with some recent changes in Firefox, another plugin I use (Open with) also stopped working at the same time as KeePassXC stopped working in the most recent update ("Open with cannot communicate with the outside world").
I use a browser based on Firefox 91.0.1.

@varjolintu
Member

Please check that your distro is not providing Firefox as Snap/Flatpak. Use a "normal" package manager for browsers instead.

@JKAbrams

I will walk through the troubleshooting guide and see if I can pinpoint more closely what goes wrong.
Not using Snap or Flatpak.
It worked all up until the most recent update which I did yesterday.

@varjolintu
Member

You can also try a different browser. I've seen a few cases where something went wrong when packaging a browser update for a certain distro. Another update (or downgrade) has fixed the issue.

@JKAbrams

JKAbrams commented Aug 26, 2021

Ok reporting back now.

The problem was that the org.keepassxc.keepassxc_browser.json file in my browser's profile directory was removed or not recreated in the most recent update.

It is fixed by creating this file:

/home/USER/.PROFILE_DIRECTORY/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

Contents:

{
    "allowed_extensions": [
        "keepassxc-browser@keepassxc.org"
    ],
    "description": "KeePassXC integration with native messaging support",
    "name": "org.keepassxc.keepassxc_browser",
    "path": "/usr/bin/keepassxc-proxy",
    "type": "stdio"
}

@lehmann-labs

Thanks @JKAbrams - that helped as well in my situation.
However my path was a little different: /home/USER/.mozilla/native-messaging-hosts

@ThisNekoGuy
Author

@JKAbrams This works for me as well; I use Librewolf (Firefox Quantum fork) and the native-messaging-hosts directory didn't even exist after the 91 update

Thanks

@QasimK

QasimK commented Sep 7, 2021

@JKAbrams That helped resolve the issue for me as well, but my path was also a little different.

I copied ~/.mozzila.xps/native-messaging-hosts to ~/.mozilla/native-messaging-hosts et voilà!

@Francis1993Z

Still have a problem with that in 2022.
I use Tor Browser on Linux QubesOS. I built versions 2.7 and 2.6.6 from source and I have the same problem.
I think keepassxc-proxy hangs on starting.
Tried every single workaround on the internet!
I know it was working with native messaging set to ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts and the custom proxy pointing to my build. But for some reason, one day, it stopped working.

debug report:
Use of nsIFile in content process is deprecated. NetUtil.jsm:253:8
Layout was forced before the page was fully loaded. If stylesheets are not yet loaded this may cause a flash of unstyled content. popup.html
Error 7: Message encryption failed. Is KeePassXC running? keepass.js:1187:13
Error: No content script available for this tab. keepass.js:1307:25
Connecting to native messaging host org.keepassxc.keepassxc_browser keepass.js:1104:13
Error 9: Key exchange was not successful. keepass.js:1187:13
Error: No content script available for this tab. keepass.js:1307:25

KeePassXC - 2.7.0
KeePassXC-Browser - 1.7.11
Operating system: Linux x86_64
Browser: Mozilla Firefox 91.0

KeePassXC - Version 2.7.0
Revision: ed7acf3

Qt 5.15.2
Debugging mode is disabled.

Operating system: Debian GNU/Linux 11 (bullseye)
CPU architecture: x86_64
Kernel: linux 5.10.76-1.fc32.qubes.x86_64

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • SSH Agent
  • KeeShare
  • Secret Service Integration

Cryptographic libraries:

  • Botan 2.17.3

Application Basics

Name: Firefox
Version: 91.7.0esr
Build ID: 20220602080101
Distribution ID:
Update Channel: release
User Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
OS: Linux 5.10.76-1.fc32.qubes.x86_64 #1 SMP Fri Oct 29 03:58:58 CEST 2021
Multiprocess Windows: 1/1
Fission Windows: 0/1 Disabled by default
Remote Processes: 4
Enterprise Policies: Inactive
Google Location Service Key: Missing
Google Safebrowsing Key: Missing
Mozilla Location Service Key: Missing
Safe Mode: false

Name: KeePassXC-Browser
Type: extension
Version: 1.7.11
Enabled: true
ID: keepassxc-browser@keepassxc.org

@droidmonkey
Member

If you are using a custom install of the extension itself then you need to add that extension id to the native messaging json. You might also have a firejail blocking the proxy. Or tor browser changed their folders again. Or any number of a thousand reasons.

@varjolintu
Member

@Francis1993Z You can use strace to confirm the path for proxy.

@Francis1993Z

Francis1993Z commented Mar 14, 2022

Can it be AppArmor blocking keepassxc-proxy?

user@host:~$ sudo apparmor-info --boot | grep DENIED
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/sys/bus/pci/devices/" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/1403/cgroup" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/proc/1580/cgroup" comm=46532042726F6B65722031353830 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/sys/bus/" comm=4950444C204261636B67726F756E64 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/sys/class/" comm=4950444C204261636B67726F756E64 requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="exec" profile="/**/*-browser/Browser/firefox" name="/usr/local/bin/keepassxc-proxy" comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x"

I don't know AppArmor that much.
I think this thread can help.
keepassxreboot/keepassxc#3096

[EDIT]
OMG it worked!
The problem was apparmor.
The mentioned thread helped me.

The Fix:
ls /etc/apparmor.d/
home.tor-browser.firefox indicates the AppArmor profile.

Set your firefox profile to complain by invoking aa-complain home.tor-browser.firefox or your respective profile path.
Run aa-logprof and set your keepassxc-proxy to (C)hild
Press I for the other entries.
Set your new Torbrowser profile by invoking aa-enforce home.tor-browser.firefox

By the way, I use default system keepassxc-proxy (disabled custom proxy path), installed by make install, and native messaging path is set to ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/.mozilla/native-messaging-hosts

I think this trick should be added to Troubleshooting guide.

@lammel

lammel commented Mar 24, 2022

Had the same issue on Debian 12 Bookworm (Testing) using Chromium (others like Vivaldi and Firefox are OK).

To resolve I followed the hint @JKAbrams gave above and
created the file ~/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json:

{
    "allowed_origins": [
        "chrome-extension://pdffhmdngciaglkoonimfcmckehcpafo/",
        "chrome-extension://oboonakemofpalcgghocfoadofidjkkk/"
    ],
    "description": "KeePassXC integration with native messaging support",
    "name": "org.keepassxc.keepassxc_browser",
    "path": "/usr/bin/keepassxc-proxy",
    "type": "stdio"
}

Note: allowed_origins may be wrong here (copied from vivaldi)

@nopeitsnothing

nopeitsnothing commented Sep 14, 2022

I had a similar issue with connecting the database. This is my fix for those struggling to get this to work in Debian/Whonix with Kicksecure.

Find the name paths using sudo apparmor-info --boot | grep DENIED:

AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/home/user/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json" comm=[redacted]
AVC apparmor="DENIED" operation="exec" profile="/**/*-browser/Browser/firefox" name="/usr/bin/keepassxc-proxy" comm=[redacted] requested_mask="x" denied_mask="x"

Open the Tor Browser AppArmor profile:

sudo nano /etc/apparmor.d/home.tor-browser.firefox

Add the following lines

After /**/*-browser/Browser/firefox flags=(attach_disconnected) {:
Note the two spaces before them both:

  /home/user/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rix,
  /usr/bin/keepassxc-proxy rix,

Restart AppArmor:

sudo service apparmor reload

Now disable sdwdate and bootclockrandomization to fix time delays in TOTP:

sudo service sdwdate stop && sudo service bootclockrandomization stop

Restart KeePassXC, then restart Tor Browser, and you should be able to connect to the database. Mine connected automatically with the settings already corrected in the Browser Integration tab.
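
The AppArmor checks in the two comments above (Francis1993Z's and nopeitsnothing's) come down to reading `apparmor-info` output for denials that hit the native messaging manifest or the proxy binary. The following is an added example, not code from KeePassXC or from the commenters; it parses lines copied from this thread and decodes the hex-encoded `comm` field. The function names are made up for this example.

```python
import re

# Three lines copied from the apparmor-info output quoted in this thread.
SAMPLE = """\
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/sys/bus/pci/devices/" comm="firefox.real" requested_mask="r" denied_mask="r"
AVC apparmor="DENIED" operation="exec" profile="/**/*-browser/Browser/firefox" name="/usr/local/bin/keepassxc-proxy" comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x"
AVC apparmor="DENIED" operation="open" profile="/**/*-browser/Browser/firefox" name="/home/user/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json" comm=[redacted]
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_comm(raw):
    """Quoted comm values are literal; unquoted ones are hex-encoded thread names."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8")
    except ValueError:  # not hex (e.g. a redacted value): keep as-is
        return raw


def parse_denials(text):
    """Return one dict per AppArmor DENIED record in the given output."""
    denials = []
    for line in text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("apparmor") != '"DENIED"':
            continue
        record = {k: fields.get(k, "").strip('"')
                  for k in ("operation", "profile", "name", "denied_mask")}
        record["comm"] = decode_comm(fields.get("comm", ""))
        denials.append(record)
    return denials


def native_messaging_denials(text, proxy_name="keepassxc-proxy"):
    """Keep denials that block reading the manifest or executing the proxy."""
    return [d for d in parse_denials(text)
            if (d["operation"] == "exec" and d["name"].endswith("/" + proxy_name))
            or "/native-messaging-hosts/" in d["name"]]


if __name__ == "__main__":
    for d in native_messaging_denials(SAMPLE):
        print(f'{d["operation"]:5} {d["name"]}  (thread: {d["comm"]}, profile: {d["profile"]})')
```

The `profile` value of each hit names the AppArmor profile that needs the extra rule, and the `name` value is the path the rule has to cover.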

@varjolintu
Member

Related thread: #281.

@electrotype

In case it helps someone someday: I was unable to make the extension work in the Chrome instance started from my VSCode's launch configuration (with: "type": "chrome" and "runtimeExecutable": "/usr/bin/google-chrome-stable"). I got the "Key Exchange Was Not Successful" error. I'm on Manjaro Linux and the installed Chrome version is "google-chrome" from AUR.

I fixed the issue by copying
~/.config/google-chrome/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
to
/etc/opt/chrome/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

So by adding the native messaging's manifest file to a global location. I guess the home folder used when launching Chrome from VS Code is not the current user's one.

@aneshodza

Had the same issue. Fixed it by first running which keepassxc-proxy. That gave me the directory of the proxy executable. Then I opened my org.keepassxc.keepassxc_browser.json and pasted the path under "path".
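
Most of the fixes in this thread concern the native messaging manifest: whether the file exists where the browser looks, whether it parses, whether the extension ID is listed, and whether "path" points at an executable proxy. The following is an added example, not part of KeePassXC or of any comment above, that runs those checks; the function name `check_manifest` is made up here, and the directories and IDs are the ones quoted in the thread.

```python
import json
import os

HOST_NAME = "org.keepassxc.keepassxc_browser"
FIREFOX_ID = "keepassxc-browser@keepassxc.org"
# Manifest directories mentioned in this thread (per-user and system-wide).
CANDIDATE_DIRS = [
    "~/.mozilla/native-messaging-hosts",
    "~/.config/chromium/NativeMessagingHosts",
    "~/.config/google-chrome/NativeMessagingHosts",
    "/etc/opt/chrome/native-messaging-hosts",
]


def check_manifest(manifest_path, extension_id=FIREFOX_ID):
    """Return a list of problems with a native messaging manifest ([] = OK)."""
    if not os.path.isfile(manifest_path):
        return [f"manifest missing: {manifest_path}"]
    try:
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
    except ValueError as exc:  # covers JSONDecodeError, e.g. a stray character
        return [f"manifest is not valid JSON: {exc}"]
    if not isinstance(manifest, dict):
        return ["manifest is not a JSON object"]
    problems = []
    if manifest.get("name") != HOST_NAME:
        problems.append(f"name is {manifest.get('name')!r}, expected {HOST_NAME!r}")
    if manifest.get("type") != "stdio":
        problems.append("type must be 'stdio'")
    # Firefox lists add-on IDs; Chromium lists chrome-extension:// origins.
    allowed = manifest.get("allowed_extensions", []) + manifest.get("allowed_origins", [])
    if extension_id not in allowed:
        problems.append(f"{extension_id} is not allowed to use this host")
    proxy = manifest.get("path", "")
    if not os.path.isabs(proxy):
        problems.append(f"path {proxy!r} is not absolute")
    elif not (os.path.isfile(proxy) and os.access(proxy, os.X_OK)):
        problems.append(f"proxy missing or not executable: {proxy}")
    return problems


if __name__ == "__main__":
    for directory in CANDIDATE_DIRS:
        path = os.path.join(os.path.expanduser(directory), HOST_NAME + ".json")
        print(path, check_manifest(path) or "OK")
```

A clean result only covers the manifest itself; a sandbox profile such as AppArmor or firejail can still deny the browser's exec of the proxy.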

@adrelanos