Can't reach passbolt frow other machine other docker

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

Long story short

Hello there, i’m trying to set up passbolt on a ubuntu 22.04 machine via docker (v. 20.10.24).

I already have several machines running on the same server including a container with mariadb.

I then followed the guide directly from github GitHub - passbolt/passbolt_docker: Get started with Passbolt CE using docker!, once all the variables that interested me have been set in the docker run command that I leave below, the program starts.

docker run --name passbolt \
             --link mysql:mysql \
             -p 8081:80 \
             -p 44301:443 \
             -e DATASOURCES_DEFAULT_HOST=mysql \
             -e DATASOURCES_DEFAULT_PORT=3306 \
             -e DATASOURCES_DEFAULT_PASSWORD=[password] \
             -e DATASOURCES_DEFAULT_USERNAME=passbolt \
             -e DATASOURCES_DEFAULT_DATABASE=passbolt \
             -e PASSBOLT_KEY_EMAIL=passbolt@botter.it \
             -e APP_FULL_BASE_URL=https://localhost \
             -e EMAIL_DEFAULT_FROM=passbolt@botter.it \
             -e EMAIL_TRANSPORT_DEFAULT_HOST=botter-it.mail.protection.outlook.com \
             -v $PASSBOLT_HOME/config/ssl/wildcard_botter_it.crt:/etc/ssl/certs/certificate.crt:ro \
             -v $PASSBOLT_HOME/config/ssl/wildcard_botter_it.key:/etc/ssl/certs/certificate.key:ro \
             -d \
             passbolt/passbolt:4.0.2-2-ce

At this point the connection url is generated but I can’t reach the program from any machine, only from localhost.

I’ve already checked the firewall and the calls go through correctly, I’ve also tried with a machine on the same subnet but the same result is obtained.

Other containers on other ports work fine.

Below the output of the healtchek.

www-data@fa4575bdce94:/usr/share/php/passbolt$  ./bin/cake passbolt healthcheck

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 8.2.7.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.botter.it
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in /etc/passbolt/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 30 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (4.0.2).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [WARN] The SMTP Settings source is: env variables.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [FAIL] 3 error(s) found. Hang in there!

I see the errors with certificate but i quite sure that certificate is ok, is the same used with other containers.

I’ve also tried adding port 44301 to the base url but that doesn’t seem to have any effect.

Other log collected by docker logs:

• Call from localhost to DNS seems ok:

root@srvdocker01:~/passbolt/config/ssl# wget https://passbolt.botter.it:44301 --no-check-certificate
--2023-06-27 10:28:22--  https://passbolt.botter.it:44301/
Resolving passbolt.botter.it (passbolt.botter.it)... 10.2.11.33
Connecting to passbolt.botter.it (passbolt.botter.it)|10.2.11.33|:44301... connected.
WARNING: cannot verify passbolt.botter.it's certificate, issued by ‘CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1,O=DigiCert\\, Inc.,C=US’:
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 302 Found
Location: /auth/login?redirect=%2F [following]
--2023-06-27 10:28:22--  https://passbolt.botter.it:44301/auth/login?redirect=%2F
Reusing existing connection to passbolt.botter.it:44301.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                                               [ <=>                                                                                                                ]   2.73K  --.-KB/s    in 0s

2023-06-27 10:28:22 (957 MB/s) - ‘index.html’ saved [2792]

• NGINX from docker logs:

2023-06-27 10:26:30,032 INFO reaped unknown pid 580 (exit status 0) <-- a lot of this

172.17.0.1 - - [27/Jun/2023:10:26:16 +0000] "GET / HTTP/2.0" 302 0 "-" "curl/7.88.1"
127.0.0.1 - - [27/Jun/2023:10:26:30 +0000] "GET / HTTP/2.0" 302 0 "-" "curl/7.88.1"
127.0.0.1 - - [27/Jun/2023:10:26:37 +0000] "GET / HTTP/2.0" 302 0 "-" "curl/7.88.1"
172.17.0.5 - - [27/Jun/2023:10:27:02 +0000] "GET / HTTP/2.0" 302 0 "-" "curl/7.88.1"
2023/06/27 10:28:16 [info] 160#160: *9 client closed connection while waiting for request, client: 10.2.11.33, server: 0.0.0.0:443
10.2.11.33 - - [27/Jun/2023:10:28:22 +0000] "GET / HTTP/1.1" 302 5 "-" "Wget/1.21.2"
10.2.11.33 - - [27/Jun/2023:10:28:22 +0000] "GET /auth/login?redirect=%2F HTTP/1.1" 200 2804 "-" "Wget/1.21.2"
2023/06/27 10:28:22 [info] 160#160: *10 client 10.2.11.33 closed keepalive connection

Any suggestion?

Thanks

So the first thing that stands out here is this line from your docker run command:

             -e APP_FULL_BASE_URL=https://localhost \

Is that just an example or do you have it set to localhost as the address?

Sorry my bad, the correct value is: https://passbolt.botter.it
as indicated also by inspecting the container:

 "Env": [
                "DATASOURCES_DEFAULT_PASSWORD=[passoword]",
                "DATASOURCES_DEFAULT_USERNAME=passbolt",
                "DATASOURCES_DEFAULT_DATABASE=passbolt",
                "PASSBOLT_KEY_EMAIL=passbolt@botter.it",
                "EMAIL_DEFAULT_FROM=passbolt@botter.it",
                "DATASOURCES_DEFAULT_HOST=mysql",
                "DATASOURCES_DEFAULT_PORT=3306",
                "APP_FULL_BASE_URL=https://passbolt.botter.it",
                "EMAIL_TRANSPORT_DEFAULT_HOST=botter-it.mail.protection.outlook.com",
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "PASSBOLT_PKG_KEY=0xDE8B853FC155581D",
                "PHP_VERSION=8.2",
                "GNUPGHOME=/var/lib/passbolt/.gnupg",
                "PASSBOLT_FLAVOUR=ce",
                "PASSBOLT_PKG=passbolt-ce-server"
            ],

As mentioned before i tried also https://passbolt.botter.it:44301 without success.

What do you see when you navigate there from a different device? Like what is the error in the browser?

I think the 44301 should be on the end here… maybe it got added to baseUrl instead?

Simply:

ERR_CONNECTION_TIMED_OUT

I see the packet go through the firewall correctly and then docker should match the traffic arriving on port 44301 to the container’s 443 but it doesn’t seem to do so.

Alredy tried, but i check again.

Now my run command is:

docker run --name passbolt \
             --link mysql:mysql \
             -p 8081:80 \
             -p 44301:443 \
             -e DATASOURCES_DEFAULT_HOST=mysql \
             -e DATASOURCES_DEFAULT_PORT=3306 \
             -e DATASOURCES_DEFAULT_PASSWORD=rhg372hu9 \
             -e DATASOURCES_DEFAULT_USERNAME=passbolt \
             -e DATASOURCES_DEFAULT_DATABASE=passbolt \
             -e PASSBOLT_KEY_EMAIL=passbolt@botter.it \
             -e APP_FULL_BASE_URL=https://passbolt.botter.it:44301 \
             -e EMAIL_DEFAULT_FROM=passbolt@botter.it \
             -e EMAIL_TRANSPORT_DEFAULT_HOST=botter-it.mail.protection.outlook.com \
             -v $PASSBOLT_HOME/config/ssl/certs_botter_it-bundle_complete.crt:/etc/ssl/certs/certificate.crt:ro \
             -v $PASSBOLT_HOME/config/ssl/botter.it.private.key:/etc/ssl/certs/certificate.key:ro \
             -d \
             passbolt/passbolt:4.0.2-2-ce && docker attach --sig-proxy=false passbolt

i also can generate the url and send mail but i cannot connect.

here some docker logs:

Email 1 was sent
2023-06-28 08:14:52,053 INFO reaped unknown pid 204 (exit status 0)
2023-06-28 08:14:52,053 INFO reaped unknown pid 206 (exit status 0)
2023-06-28 08:14:52,053 INFO reaped unknown pid 208 (exit status 0)
2023-06-28 08:14:52,053 INFO reaped unknown pid 210 (exit status 0)
2023-06-28 08:14:52,053 INFO reaped unknown pid 212 (exit status 0)
2023-06-28 08:14:52,053 INFO reaped unknown pid 214 (exit status 0)
2023-06-28 08:14:52,054 INFO reaped unknown pid 216 (exit status 0)
10.2.11.33 - - [28/Jun/2023:08:14:52 +0000] "GET / HTTP/1.1" 302 5 "-" "Wget/1.21.2"
10.2.11.33 - - [28/Jun/2023:08:14:52 +0000] "GET /auth/login?redirect=%2F HTTP/1.1" 200 2876 "-" "Wget/1.21.2"
2023-06-28 08:14:52,169 INFO reaped unknown pid 219 (exit status 0)
2023-06-28 08:14:52,169 INFO reaped unknown pid 221 (exit status 0)
2023/06/28 08:14:52 [info] 160#160: *1 client 10.2.11.33 closed keepalive connection

the connection work only from the same machine where docker is hosted.

I have also resolved the certificate issue, the vendor not complete the chain so i put a correct certificate, now the Healthcheck seems ok:

www-data@3665fdad6310:/usr/share/php/passbolt$ ./bin/cake passbolt healthcheck

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 8.2.7.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.botter.it:44301
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 30 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (4.0.2).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [WARN] The SMTP Settings source is: env variables.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [PASS] No error found. Nice one sparky!

You are saying you can’t connect - what happens when you navigate to https://passbolt.botter.it:44301? Any response at all?

Exactly.
from any machine the result is the same as see in photo.

image1174×579 35.9 KB

with wget from the ubuntu machine:

root@srvdocker01:~/passbolt/config# wget passbolt.botter.it:44301
URL transformed to HTTPS due to an HSTS policy
--2023-06-28 12:10:08--  https://passbolt.botter.it:44301/
Resolving passbolt.botter.it (passbolt.botter.it)... 10.2.11.33
Connecting to passbolt.botter.it (passbolt.botter.it)|10.2.11.33|:44301... connected.
HTTP request sent, awaiting response... 302 Found
Location: /auth/login?redirect=%2F [following]
URL transformed to HTTPS due to an HSTS policy
--2023-06-28 12:10:08--  https://passbolt.botter.it:44301/auth/login?redirect=%2F
Reusing existing connection to passbolt.botter.it:44301.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                                             [ <=>                                                                                                            ]   2.80K  --.-KB/s    in 0s

2023-06-28 12:10:08 (887 MB/s) - ‘index.html’ saved [2864]

the index file is the login page as expected.

It seems either a firewall or an app of some kind in front of your passbolt is blocking the port 44301 access.

it would seem the most logical thing.

But if I have 2 machines on the same subnet there shouldn’t be any firewalls blocking the connection.

On ubuntu it doesn’t seem to me that there is anything active by default doing a check on ufw it turns out to be inactive:

root@srvdocker01:~/passbolt/config# sudo ufw status verbose
Status: inactive

i can try stop one of other container and test with port 443.

I just tried using port 443:443 and it worked as intended.

When I swapped to port 8444, it no longer worked as before.

Is it okay for Passbolt in Docker to run with a different exposed port than 443?

Yes, it should be. However, some hosts have limits on what ports can be used for incoming traffic. These are blocked at the host level and are not changeable… not sure if this applies to your situation or not.

If you have more than one site that needs to be served on 443 than you might need to put an NGINX reverse proxy in front of the different services in order to make it work all on port 443.

Another consideration is whether old container settings are still in play. Considering rebuilding from scratch, clearing cache, etc.

Also, there should be errors in docker logs when access is not working… in the case of trying to bind a port that’s already being used, etc. If docker is not getting traffic, maybe the service is blocked for that project root location?

Given other containers are working on non-443 ports it is generally safe to assume passbolt should also work.

Yesterday I took a break to clear my head, today I picked up docker also in view of the security updates of the other containers.

Once updated the other containers started not working like the one for passbolt.

This was too absurd and I did the last thing that came to my mind, which probably should have been among the first: restart the host machine.

Once restarted everything started to work like a well oiled mechanism.

Thank you soo much for help.