Checklist
[Y] I have read intro post: About the Installation Issues category
[Y] I have read the tutorials, help and searched for similar issues
[Y] I provide relevant information about my server (component names and versions, etc.)
[Y] I provide a copy of my logs and healthcheck
[Y] I describe the steps I have taken to trouble shoot the problem
[Y] I describe the steps on how to reproduce the issue
I’ve successfully got Passbolt running on AlmaLinux, after a few tries, to say the least.
I am accessing the passwords server via another local IP address which is acting as a proxy.
Internally, no issues at all - can create users, add passwords, folders etc (AFTER setting the SELinux policy).
*Faild to activate Passbolt CE with AlmaLinux - #20 by amr.salem
*SELinux causes issues - preventing PGP from running, run these as root; BEFORE SETTING UP A USER!!!
setsebool -P httpd_use_gpg=on
setsebool -P gpg_web_anon_write=on
semanage permissive -a gpg_web_t
However, from external browsers I get an error stating that Strict-Transport-Security has been enabled, and it can’t be worked around. (On Firefox Ver 117.0.1).
After a bit of digging around by doing a curl on the domain:
$ curl --head https://passwords.blah.com
curl: (60) Peer's Certificate has expired.
More details here: curl - SSL CA Certificates
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
OK, let’s see if we can do an update on the certificate…
[root@localhost lib64]# certbot renew --dry-run
/opt/certbot/lib64/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
from cryptography.hazmat.bindings.openssl.binding import Binding
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Python 3.6 support will be dropped in the next release of Certbot - please upgrade your Python version.
Processing /etc/letsencrypt/renewal/passwords.blah.com.conf
Failed to renew certificate passwords.blah.com with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f9d80504470>: Failed to establish a new connection: [Errno -2] Name or service not known',))
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/passwords.blah.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[root@localhost lib64]#
If I attempt to remove Python 3.6 (Python 3.9 is installed):
Removing:
python36 x86_64 3.6.8-38.module_el8.5.0+2569+5c5719bc @appstream 13 k
Removing dependent packages:
fail2ban noarch 1.0.2-3.el8 @epel 0
Removing unused dependencies:
esmtp x86_64 1.2-15.el8 @epel 100 k
fail2ban-firewalld noarch 1.0.2-3.el8 @epel 319
fail2ban-selinux noarch 1.0.2-3.el8 @epel 31 k
fail2ban-sendmail noarch 1.0.2-3.el8 @epel 12 k
fail2ban-server noarch 1.0.2-3.el8 @epel 1.4 M
libesmtp x86_64 1.0.6-18.el8 @epel 160 k
liblockfile x86_64 1.14-2.el8 @baseos 51 k
python3-pip noarch 9.0.3-22.el8 @appstream 2.8 k
Not something I’d like to do. Just yet.
Have I missed something in the install process, or does Passbolt’s version of Certbot rely on Python 3.6?
Or is there a work-around?
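Added example, not part of the original post and not Passbolt or Certbot code: a small triage of `certbot renew` output like the one quoted above, separating the non-fatal deprecation warnings from the error that actually stopped the renewal. The sample text is constructed from the output in the post; the function name `triage` and the cause labels are hypothetical.

```python
import re

# Constructed sample, abridged from the certbot output quoted in the post.
SAMPLE = """\
/opt/certbot/lib64/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team.
Python 3.6 support will be dropped in the next release of Certbot - please upgrade your Python version.
Processing /etc/letsencrypt/renewal/passwords.blah.com.conf
Failed to renew certificate passwords.blah.com with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f9d80504470>: Failed to establish a new connection: [Errno -2] Name or service not known',))
1 renew failure(s), 0 parse failure(s)
"""

# Resolver/socket error text -> hypothetical triage label.
# Errno -2/-3 are getaddrinfo failures (EAI_NONAME / EAI_AGAIN) on Linux.
CAUSES = [
    (re.compile(r"\[Errno -[23]\]|Name or service not known"), "dns_resolution"),
    (re.compile(r"\[Errno 111\]|Connection refused"), "connection_refused"),
    (re.compile(r"\[Errno 11[03]\]|timed out|No route to host"), "network_unreachable"),
    (re.compile(r"CERTIFICATE_VERIFY_FAILED"), "tls_verification"),
]
FAILED = re.compile(r"^Failed to renew certificate (\S+) with error: (.*)$")
HOST = re.compile(r"host='([^']+)', port=(\d+)")
WARNING = re.compile(r"DeprecationWarning|support will be dropped")


def triage(output):
    """Return (warnings, failures) parsed from `certbot renew` output."""
    warnings, failures = [], []
    for line in output.splitlines():
        m = FAILED.match(line)
        if m:
            domain, error = m.groups()
            # First matching pattern wins; anything else is left for a human.
            cause = next((name for rx, name in CAUSES if rx.search(error)), "unknown")
            host = HOST.search(error)
            failures.append({
                "certificate": domain,
                "cause": cause,
                "endpoint": f"{host.group(1)}:{host.group(2)}" if host else None,
            })
        elif WARNING.search(line):
            warnings.append(line)
    return warnings, failures


if __name__ == "__main__":
    warns, fails = triage(SAMPLE)
    print(f"{len(warns)} non-fatal warning(s)")
    for f in fails:
        print(f"{f['certificate']}: {f['cause']} reaching {f['endpoint']}")
```

On the quoted output this reports two warnings and one `dns_resolution` failure for the ACME staging endpoint, which points at name resolution on the host rather than at the Python version.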