Firefox Snap / KeepassXC flatpak: KeePassXC-Browser - Failed to connect: Unknown error #1875

Open
marcelklehr opened this issue Mar 4, 2023 · 47 comments

@marcelklehr

Expected Behavior

Connect my Firefox KeePassXC-Browser WebExtension to my KeepassXC flatpak

Current Behavior

It does not.

Possible Solution

I don't know if firefox snap on ubuntu 22.04 is currently supported or not, so that may be the issue, but in that case I recommend making that more clear as firefox snap is the default on ubuntu 22.04 afaik.

Steps to Reproduce (for bugs)

  1. Start KeepassXC
  2. start firefox snap
  3. install KeepassXC-Browser
  4. Enable Browser integration in KeepassXC
  5. Open Extension in browser
  6. See "Cannot connect to KeePassXC. Check that browser integration is enabled in KeePassXC settings."
  7. Click Reload in Extension
  8. KeepassXC window comes to front with unlocked DB, but nothing else
  9. Go back to browser extension
  10. See "Key exchange was not successful."

Debug info

KeePassXC - Version 2.7.4
Revision: 63b2394
Distribution: Flatpak

Qt 5.15.8
Debugging mode is disabled.

Operating system: KDE Flatpak runtime
CPU architecture: x86_64
Kernel: linux 5.19.0-32-generic

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • SSH Agent
  • KeeShare
  • YubiKey
  • Secret Service Integration

Cryptographic libraries:

  • Botan 2.19.1

KeePassXC-Browser - 1.8.5.1
Operating system: Linux x86_64
Browser: Mozilla Firefox Snap For Ubuntu 110.0.1 (64-bit)

Operating system:

Ubuntu 22.04.2 LTS
GNOME 42.5
X11

Troubleshooting results

  • native_messaging-hosts file:

        {
            "allowed_extensions": [
                "keepassxc-browser@keepassxc.org"
            ],
            "description": "KeePassXC integration with native messaging support",
            "name": "org.keepassxc.keepassxc_browser",
            "path": "/var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC",
            "type": "stdio"
        }

  • keepassxc-proxy is not running
  • sudo strace -f -p $(pgrep firefox) 2>&1 | grep keepass yields no openat messages whatsoever
  • /run/user/1000/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer exists
  • /run/user/1000/org.keepassxc.KeePassXC.BrowserServer does not exist

    $ flatpak permissions webextensions
    Table         Object                          App          Permissions Data
    webextensions org.keepassxc.keepassxc_browser snap.firefox yes         0x00

@droidmonkey
Member

> KeepassXC window comes to front with unlocked DB, but nothing else

This shouldn't happen. Make sure you have the most up to date flatpak version of keepassxc (`flatpak update`) and make sure you are not pulling from a beta channel or similar.

After that, uncheck Firefox from the browser settings, press ok, then go back in and check Firefox, press ok.

@varjolintu
Member

varjolintu commented Mar 5, 2023

> I don't know if firefox snap on ubuntu 22.04 is currently supported or not..

It is. After you have installed the extension to Snap Firefox there should be a separate permissions prompt for Native Messaging.

@varjolintu added the "software packages & sandboxes" (AppImage, Snap, Flatpack etc.) label Mar 5, 2023

@marcelklehr
Author

> flatpak update

I installed the flatpak version only yesterday, after having the same problems with the apt version of keepassxc (minus the window comes to front without anything happening) which was, however, outdated.

> After that, uncheck Firefox from the browser settings, press ok, then go back in and check Firefox, press ok.

Didn't change anything.

> there should be a separate permissions prompt for Native Messaging.

Wow. I've never seen that. I had the extension already installed before upgrading ubuntu to 22.04 from 20.04.

@varjolintu
Member

@marcelklehr Have you tried to remove the extension and install it again? Maybe the prompt is not appearing because of an update.

@marcelklehr
Author

> Have you tried to remove the extension and install it again?

Just tried. Doesn't help.

@dom21121

dom21121 commented Mar 6, 2023

Good morning,
I use snap firefox 110.0.1, everything was working fine until now, the connection is no longer made...
I'm on ubuntu 22.04.2, keepassxc 2.7.4 and keepassxc-browser 1.8.5.1.
...

@varjolintu
Member

Both KeePassXC Flatpak and Appimage are having the same problem with Firefox Snap: The browser is trying to start the keepassxc process inside the image instead of keepassxc-proxy. So maybe the Firefox Snap is starting something differently with Native Messaging and KeePassXC cannot identify if the process is trying to start the proxy or the main application.

@marcelklehr
Author

Is there a way to reference keepassxc-proxy inside the flatpak in the native-messaging-hosts file?

Currently it references:

    "path": "/var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC",

@droidmonkey
Member

No, you need to reference the start script in order to load the proper environment

@marcelklehr
Author

How does keepassxc know that firefox wants to start the proxy then?

@droidmonkey
Member

Firefox is supposed to add the extension ID as a command line parameter

@varjolintu
Member

> Firefox is supposed to add the extension ID as a command line parameter

Snap Firefox isn't clearly doing that.
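
Added example, not part of the thread or of the KeePassXC code base: a small audit of the native messaging host manifests quoted above, flagging a damaged file or a `path` that points at a launcher instead of `keepassxc-proxy`. The function names, the launcher heuristic and the sample manifests are assumptions built from the values posted in this issue.

```python
import json
import os
import re

EXPECTED_ID = "keepassxc-browser@keepassxc.org"   # extension ID from the manifests above
NAME_RE = re.compile(r"^\w+(\.\w+)*$")             # host-name rule from the WebExtensions docs


def audit_manifest(text, check_fs=False):
    """Return a list of findings for one Firefox native messaging host manifest."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(manifest, dict):
        return ["manifest is not a JSON object"]

    findings = []
    if not NAME_RE.match(str(manifest.get("name", ""))):
        findings.append("name is missing or malformed")
    if manifest.get("type") != "stdio":
        findings.append('type must be "stdio"')
    allowed = manifest.get("allowed_extensions")
    if not isinstance(allowed, list) or EXPECTED_ID not in allowed:
        findings.append(f"{EXPECTED_ID} is not in allowed_extensions")

    path = manifest.get("path")
    if not isinstance(path, str) or not os.path.isabs(path):
        findings.append("path must be an absolute path")
    else:
        # Heuristic taken from this thread (an assumption, not a KeePassXC rule):
        # anything other than the proxy binary is a launcher that has to decide
        # between starting the proxy and starting the main application.
        if os.path.basename(path) != "keepassxc-proxy":
            findings.append("path is a launcher, not keepassxc-proxy")
        # Optional: only meaningful when run with the same filesystem view
        # (confinement) as the browser that will start the host.
        if check_fs and not os.access(path, os.X_OK):
            findings.append("path is not executable from this process")
    return findings


def manifest_with(path):
    """Constructed sample: the manifest from the thread with a given path."""
    return json.dumps({
        "allowed_extensions": [EXPECTED_ID],
        "description": "KeePassXC integration with native messaging support",
        "name": "org.keepassxc.keepassxc_browser",
        "path": path,
        "type": "stdio",
    }, indent=4)


if __name__ == "__main__":
    samples = {
        "flatpak": manifest_with("/var/lib/flatpak/exports/bin/org.keepassxc.KeePassXC"),
        "proxy": manifest_with("/usr/bin/keepassxc-proxy"),
        "damaged": manifest_with("/usr/bin/keepassxc-proxy").replace('"path"', 'path"'),
    }
    for label, text in samples.items():
        print(label, audit_manifest(text) or "no findings")
```

A "launcher" finding is not an error by itself: it marks the setups in which the browser has to pass its arguments through for the proxy to be started.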

@vbatts

vbatts commented Mar 10, 2023

I'm experiencing the same with KeePassXC installed via flatpak and EdgeBrowser.
(Using flatpak version, as it's newer than the v2.6.6 available on Ubuntu 22.04, which I also tried with the "Advanced" configuration to connect to .config/microsoft-edge/NativeMessagingHosts/, but also didn't connect)

This is a fresh install in the last week.

Environment:

OS: Ubuntu 22.04
Edge: microsoft-edge-stable 110.0.1587.69-1
KeePassXC: org.keepassxc.KeePassXC 2.7.4 (Flatpak)
Flatpak: v1.12.7-1
KeePassXC-Browser: 1.8.5.1

Steps

  1. installed edge
  2. installed keepassxc via flatpak
  3. configured keepassxc to allow browser, and checked only the "edge" box
    image
  4. installed keepassxc-browser extension
  5. click the browser icon to "reload"
  6. then error:
    image

Once I enabled Extensions "Developer Mode" and for Keepassxc-browser to "collect errors", and viewing the inspect views for "background page" I see:
image

@Leokap

Leokap commented Mar 10, 2023

I'm having this problem in snap and PPA as well. Tested each with a new Firefox Profile.
At the same time plasma-browser-integration is working. About permissions:

    $ flatpak permissions webextensions  (base)
    Tabla         Objeto                             Aplicación   Permisos Datos
    webextensions org.keepassxc.keepassxc_browser    snap.firefox yes      0x00
    webextensions org.kde.plasma.browser_integration snap.firefox yes      0x00

@Leokap

Leokap commented Mar 10, 2023

in #1879 I assumed you told me to install Keepass from PPA. That is what I did. I would rather like to keep my browser sandboxed... (In this guide it says what to do if Firefox is installed from PPA)

@varjolintu
Member

@Leokap Did Firefox prompt you for additional permissions when you installed the extension?

@Leokap

Leokap commented Mar 10, 2023

> I'm having this problem in snap and PPA as well. Tested each with a new Firefox Profile. At the same time plasma-browser-integration is working. About permissions:
>
>     $ flatpak permissions webextensions  (base)
>     Tabla         Objeto                             Aplicación   Permisos Datos
>     webextensions org.keepassxc.keepassxc_browser    snap.firefox yes      0x00
>     webextensions org.kde.plasma.browser_integration snap.firefox yes      0x00

well the permission is certainly set. And it has been set by the prompt, yes.
Or are you talking about Addon Permissions within Firefox?

@varjolintu
Member

@Leokap So are you using KeePassXC from the PPA or Snap now? I'm a little confused. If you are using the PPA, check the troubleshooting guide again and report your findings.

@Leokap

Leokap commented Mar 10, 2023

I have both flatpak and PPA versions of KeepassXC installed. Removed snap (and .deb=2.6.6) since I thought it might interfere. Only 2.6.6 was able to connect. I was able to get it connected with firefox snap.
I also have firefox .deb distributed in KDE Neon (probably from the firefox-PPA, don't know how to check)
the PPA-Keepass version also can't communicate with that firefox. If you want I can also test flatpak and snap of Keepass.

(I tested .deb, snap and flatpak of Firefox for Video Hardware Encoding, only snap was able to do it. (due to 12th gen intel cpu another reason why I want to stay with snap.)

@Leokap

Leokap commented Mar 10, 2023

I'm sorry the Firefox-.deb version works. I didn't see that sudo aa-enforce /etc/apparmor.d/usr.bin.firefox returned an error because I didn't put the text from the guide between the parentheses.

@droidmonkey
Member

Narrow down to using just the flatpak keepassxc and one version of Firefox. You have a mess on your system and this isn't keepassxc at fault.

@Leokap

Leokap commented Mar 11, 2023

you are right. I tried it on a Live USB and it worked. (firefox-snap and keepass-PPA)
I got it working on my main system by now. Don't know what exactly made the difference. I moved the files in ~/.mozilla/native-messaging-hosts/ to Trash and re-enabled the Browser integration in Keepassxc. Keepassxc wrote the exact same file into the folder (checked with diff) but somehow it works now.
Sorry for having wasted your time, hope this helps others with the same issue. I will definitely test my problems on a clean system first from now on.

@dom21121

> On snap firefox 110.0.1, everything was working fine until now, the connection is no longer made... I'm on ubuntu 22.04.2, keepassxc 2.7.4 and keepassxc-browser 1.8.5.1. ...

1 - ubuntu 22.04.2 : firefox snap 110.0.01+ keepassxc 2.7.4 deb+keepassxc-browser 1.8.5.1 => does not work anymore !

2 - ubuntu 22.04.2 : firefox deb 110.0.01+ keepassxc 2.7.4 deb+keepassxc-browser 1.8.5.1 => everything is OK !

A try
ubuntu lunar lobster (development branch) : firefox snap 110.0.01+ keepassxc 2.7.4 deb+keepassxc-browser 1.8.5.1 => everything is OK !

what is broken in case 1?

enough, i don't use firefox snap anymore!

@varjolintu
Member

@dom21121 Probably the AppArmor profile. See the previous messages for solution.

@dom21121

ubuntu 22.10 fresh install (firefox snap + keepassxc deb), not working...

I will try to understand the AppArmor profile question.

In the initial popup that authorizes the connection (attachment), it is written:
"this permission can be changed at any time from the privacy settings"

Screenshot from 2023-03-12 11-32-41

Sorry but I'm an average user and I don't see where? I would like to check.

THANKS

@droidmonkey
Member

That is likely done in the ubuntu store app while looking at the Firefox snap entry. Unless they have introduced a dedicated privacy settings panel for snaps.

@dom21121

I've run

  • sudo apt install flatpak
  • flatpak permission-set webextensions org.keepassxc.keepassxc_browser snap.firefox yes

everything is working fine again... understand nothing... (I've keepassxc deb installed...)
Sorry to bother you

@EmPeWe

EmPeWe commented Mar 15, 2023

> 1 - ubuntu 22.04.2 : firefox snap 110.0.01+ keepassxc 2.7.4 deb+keepassxc-browser 1.8.5.1 => does not work anymore !
>
> 2 - ubuntu 22.04.2 : firefox deb 110.0.01+ keepassxc 2.7.4 deb+keepassxc-browser 1.8.5.1 => everything is OK !

It's the same setup (1) with the exact same versions mentioned. I've just dropped firefox as snap and reinstalled it as deb from PPA. Now everything is working as expected again. I wanted to get rid of snap anyway, so canonical just gave me another reason.

@Matth3wW

Matth3wW commented May 7, 2023

> I've run
>
> * sudo apt install flatpak
>
> * flatpak permission-set webextensions org.keepassxc.keepassxc_browser snap.firefox yes
>
> everything is working fine again... understand nothing... (I've keepassxc deb installed...) Sorry to bother you

This worked for me. Thanks! Not sure if this has anything to do with Canonical changing me over from deb firefox to snap firefox during an upgrade to Ubuntu 23.04 Lunar Lobster.

@marcelklehr
Author

I've now removed the firefox snap and installed firefox via the mozillateam apt repo. Smooth sailing.

@esemeniuc

I'm experiencing a similar issue. Running firefox 113.0.1 on Arch with KeepassXC 2.7.5 and extension 1.8.6.1. Tried deleting ~/.mozilla/native-messaging-hosts/ and re-enabling through the UI, same issue. On the Connected Databases tab of the extension, pressing Connect doesn't do anything.

@nidomiro

nidomiro commented Jun 2, 2023

for me using the ppa version of keepassxc (instead of flatpak) solved the issue

@TCB13

TCB13 commented Jul 22, 2023

> I've run
>
>   • sudo apt install flatpak
>   • flatpak permission-set webextensions org.keepassxc.keepassxc_browser snap.firefox yes
>
> everything is working fine again... understand nothing... (I've keepassxc deb installed...) Sorry to bother you

What about ungoogled-chromium + keepassxc both installed via flatpak?

@varjolintu
Member

varjolintu commented Jul 22, 2023

@TCB13 AFAIK Chromium-based browsers will not work, installed with Snap or Flatpak.

@TCB13

TCB13 commented Jul 22, 2023

> @TCB13 AFAIK Chromium-based browsers will not work, installed with Snap or Flatpak.

Thank you for the clarification.

It would be nice to have ungoogled-chromium working as it is one of the most private options available. Since it doesn't contact any servers / have updates built in I essentially would like to keep running it as a flatpak. Extra isolation is just a bonus.

Related: #1267 (comment)

@varjolintu
Member

For Flatpak, see: flatpak/xdg-desktop-portal#705 and https://bugzilla.mozilla.org/show_bug.cgi?id=1621763.

@teicors

teicors commented Aug 8, 2023

Hi all,
in my system I have those files:
    more org.keepassxc.keepassxc_browser.json_ok org.keepassxc.keepassxc_browser.json
    ::::::::::::::
    org.keepassxc.keepassxc_browser.json_ok
    ::::::::::::::

    {
        "allowed_extensions": [
            "keepassxc-browser@keepassxc.org"
        ],
        "description": "KeePassXC integration with native messaging support",
        "name": "org.keepassxc.keepassxc_browser",
        "path": "/usr/bin/keepassxc-proxy",
        "type": "stdio"
    }

Any

    ::::::::::::::
    org.keepassxc.keepassxc_browser.json
    ::::::::::::::

    {
        "allowed_extensions": [
            "keepassxc-browser@keepassxc.org"
        ],
        "description": "KeePassXC integration with native messaging support",
        "name": "org.keepassxc.keepassxc_browser",
        "path": "/home/angelo/bin/KeePassXC-2.7.5-x86_64.AppImage",
        "type": "stdio"
    }

At every restart, the file org.keepassxc.keepassxc_browser.json is overwritten by an erroneous string: I must replace it with the "ok" file, and after a restart of KeePassXC it works well.
I'm working on Ubuntu 22.04, Keepass as appimage and keepassxc-browser 1.8.7 (2023-07-06).

BR,
Angelo

@varjolintu
Member

@teicors Your issue is not related to this thread. Please make a new one to the https://github.com/keepassxreboot/keepassxc/issues list.

@apelly

apelly commented Aug 14, 2023

To clarify,

According to @varjolintu:

> For Flatpak, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1621763.

So it seems that it is fundamentally problematic for flatpacks and snaps to engage in native messaging.

If you install the PPA instead of the flatpack there are no such limitations and everything is rosy.

A clear note to that effect in troubleshooting tips would have saved me some hours. This appears to have been a recurring issue for so long that google can only surface incomplete, outdated, or unclear results for it.

@TCB13

TCB13 commented Aug 14, 2023

> If you install the PPA instead of the flatpack there are no such limitations and everything is rosy.

Will the PPA version of keepassxc work with a flatpak browser such as Firefox or Ungoogled Chromium?

@varjolintu
Member

> > If you install the PPA instead of the flatpack there are no such limitations and everything is rosy.
>
> Will the PPA version of keepassxc work with a flatpak browser such as Firefox or Ungoogled Chromium?

No. It's up to Flatpak to solve problems with Native Messaging in their browser packages. For now, it seems there's no easy solutions for it.

@TCB13

TCB13 commented Aug 14, 2023

> No. It's up to Flatpak to solve problems with Native Messaging in their browser packages. For now, it seems there's no easy solutions for it.

So looks like I'll just wait for a fix and enjoy. No way I'm going to install both of those on my system.

@apelly

apelly commented Aug 14, 2023

> > If you install the PPA instead of the flatpack there are no such limitations and everything is rosy.
>
> Will the PPA version of keepassxc work with a flatpak browser such as Firefox or Ungoogled Chromium?

I have the PPA version of keepassxc, and snap firefox beta

@Scoth42

Scoth42 commented Dec 15, 2023

> I've run
>
> * sudo apt install flatpak
>
> * flatpak permission-set webextensions org.keepassxc.keepassxc_browser snap.firefox yes

This also worked for me after trying basically everything else with my snap-based Firefox including reinstalling things, resetting the database, snaps, PPAs, manual deb, and ultimately flatpak. I was about to go through the trouble of reverting back to non-snap-based Firefox (it's a pain anyway) but this did it.

So I finally have the browser integration working on Kubuntu 23.10 with default system-provided firefox snap and the PPA KeepassXC 2.7.6. I also manually installed webext-keepassxc-browser from the default system repos but I have no idea if it was necessary or not.

@vincejv

vincejv commented Dec 17, 2023

@varjolintu was there any reason why the change from TCP sockets to native messaging? I think years back when I was using windows, it used TCP connections. (correct me if i'm wrong? or maybe that was another keepass addon)

IMO it makes things complicated for linux users which has varying setups, the usual installation for Ubuntu new comers Firefox Snap + KeepassXC appimage and it isn't working right out of the box

And it seems like this guide is out of date: https://github.com/keepassxreboot/keepassxc-browser/wiki/Troubleshooting-guide, should probably update that to reflect the events that transpired here

A lot of Chrome users will be switching to Firefox the following year due to this, I hope this can be addressed at least documentation wise, on which setup is working (i.e. which to use, Snap/PPA/AppImage for KeepassXC or Firefox) https://arstechnica.com/gadgets/2022/09/chromes-new-ad-blocker-limiting-extension-platform-will-launch-in-2023/

What worked for me personally is KeepassXC PPA + Firefox Snap on Ubuntu 22.04 LTS, what didn't work for me before was KeepassXC AppImage (which was the default or recommended way of installing KeepassXC)

KeepassXC AppImage + Chrome Deb however works for me.

image

@varjolintu
Member

> @varjolintu was there any reason why the change from TCP sockets to native messaging? I think years back when I was using windows, it used TCP connections. (correct me if i'm wrong? or maybe that was another keepass addon)

In short, you cannot restrict TCP sockets to a certain user or process. Native Messaging and Unix sockets restricted to user level give slightly better security compared to a socket that any user or process can listen to with minimal effort. This was one of the biggest faults in the old KeePassHTTP: anyone could listen to the TCP socket and capture keys from the encryption handshake (because it was faulty as well). If I have understood correctly, many other password managers (1Password, Bitwarden...) have later switched to Native Messaging for the same reason.

> IMO it makes things complicated for linux users which has varying setups, the usual installation for Ubuntu new comers Firefox Snap + KeepassXC appimage and it isn't working right out of the box

This is due to Snap's way of handling Native Messaging. I haven't looked at the AppImage case yet, but it seems Snap only knows how to start normal binaries. Anything wrapped in AppImage tries to start the main KeePassXC process instead (IIRC).
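
Added example, not part of the thread and not KeePassXC's implementation: what "Unix sockets restricted to user level" can look like in practice, using a private directory, a 0600 socket file and a Linux peer-credential check, none of which a loopback TCP listener offers. The socket name, the function names and the choice of SO_PEERCRED are assumptions; the code is Linux-only.

```python
import os
import socket
import stat
import struct
import tempfile
import threading


def make_private_socket(directory):
    """Bind a Unix socket that only the owning user can open."""
    os.chmod(directory, 0o700)                     # no access for other users
    path = os.path.join(directory, "example.BrowserServer")  # constructed name
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    previous = os.umask(0o177)                     # socket file is created 0600
    try:
        server.bind(path)
    finally:
        os.umask(previous)
    server.listen(1)
    return server, path


def peer_uid(conn):
    """UID of the process at the other end (Linux SO_PEERCRED: pid, uid, gid)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def accept_same_user_only(server):
    """Accept one connection, dropping it unless the peer runs as our user."""
    conn, _ = server.accept()
    if peer_uid(conn) != os.getuid():
        conn.close()
        return None
    return conn


def demo():
    """One connection from the current user against a private socket."""
    with tempfile.TemporaryDirectory() as directory:
        server, path = make_private_socket(directory)
        outcome = {}

        def serve():
            conn = accept_same_user_only(server)
            outcome["accepted"] = conn is not None
            if conn:
                conn.sendall(b"ok")
                conn.close()

        worker = threading.Thread(target=serve)
        worker.start()
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
            client.connect(path)
            outcome["reply"] = client.recv(2)
        worker.join()
        server.close()
        outcome["socket_mode"] = stat.S_IMODE(os.stat(path).st_mode)
        outcome["dir_mode"] = stat.S_IMODE(os.stat(directory).st_mode)
        return outcome


if __name__ == "__main__":
    print(demo())
```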
