Change the expired SSL certificate (not letsencrypt)

Hello, we have been running the Passbolt Community Edition for a year.
Now our SSL certificate expires in a few days. The new one is ready and all other services work well with it.
I tried to change the certificate following the manual Passbolt Help | Manual HTTPS configuration on Debian and Ubuntu with user provided certificates.
But after I changed the settings to the new certificates the service starts fine, but I can't get a connection to the site or the service.
Is there another solution to change the files?!
Thx!

Hi @wisi :wave:

To update the SSL certificate, you just have to run the sudo dpkg-reconfigure passbolt-ce-server command and fill in the full path of your new certificates.
Once done, reload the nginx service.

What do you mean by you can't get a connection to the site or service? Do you get any error message in your browser?

While trying to connect to Passbolt, do you have any logs in /var/log/nginx or /var/log/passbolt ?

Which version of passbolt are you using, and on which OS?

Can you also post here the output of this command:

sudo  /usr/share/php/passbolt/bin/status-report

Thanks !

chrome tells me: ERR_SSL_PROTOCOL_ERROR
Firefox tells me: SSL_ERROR_RX_RECORD_TOO_LONG

Before I updated the certificate files the service worked well.

sudo  /usr/share/php/passbolt/bin/status-report
-------------------------------------------------------------------------------
Passbolt CE 3.3.1
Cakephp 4.2.9
Linux pass 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
PHP 7.3.27-1~deb10u1 (cli) (built: Feb 13 2021 16:31:40) ( NTS )
mysql  Ver 15.1 Distrib 10.3.27-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
 ERROR: /usr/share/php/passbolt/bin/utils.sh: Zeile 64: composer: Kommando nicht gefunden.


-------------------------------------------------------------------------------
 Healthcheck shell........Warning Error: file_get_contents(/etc/passbolt/jwt/jwt.pem): failed to open stream: No such file or directory
In [/usr/share/php/passbolt/plugins/Passbolt/JwtAuthentication/src/Service/AccessToken/JwtKeyPairService.php, line 110]

2021-11-29 14:34:52 Warning: Warning (2): file_get_contents(/etc/passbolt/jwt/jwt.pem): failed to open stream: No such file or directory in [/usr/share/php/passbolt/plugins/Passbolt/JwtAuthentication/src/Service/AccessToken/JwtKeyPairService.php, line 110]
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.27-1~deb10u1.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.our.domain <- not the productive ;-)
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in config/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1408F10B:SSL routines:ssl3_get_record:wrong version number
fopen(): Failed to enable crypto
fopen(https://passbolt.our.domain/healthcheck/status.json): failed to open stream: operation failed

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (3.3.1).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [WARN] The JWT Authentication plugin is disabled
 [HELP] Set the environment variable PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED to true

 [FAIL] 3 error(s) found. Hang in there!



-------------------------------------------------------------------------------
 Cleanup shell (dry-run)
-------------------------------------------------------------------------------
Warning Error: Invalid argument supplied for foreach()
In [/usr/share/php/passbolt/src/Command/CleanupCommand.php, line 167]

2021-11-29 14:34:52 Warning: Warning (2): Invalid argument supplied for foreach() in [/usr/share/php/passbolt/src/Command/CleanupCommand.php, line 167]
No issue found, data looks squeaky clean!

 Open source password manager for teams
-------------------------------------------------------------------------------
Data check shell
[PASS] Data integrity for AuthenticationTokens.
  [PASS] Can validate: 213/213
[PASS] Data integrity for Comments.
  [PASS] Can validate: 2/2
[PASS] Data integrity for Favorites.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Gpgkeys.
  [PASS] Can encrypt: 5/5
  [PASS] Can validate: 5/5
[PASS] Data integrity for Groups.
  [PASS] Can validate: 9/9
[PASS] Data integrity for Profiles.
  [PASS] Can validate: 16/16
[PASS] Data integrity for Resources.
  [PASS] Can validate: 81/81
[PASS] Data integrity for Secrets.
  [PASS] Can validate: 153/153
[PASS] Data integrity for Users.
  [PASS] Can validate: 16/16
2021-11-29 07:03:53 Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. (/usr/share/php/passbolt/src/Auth/GpgAuthenticate.php:84)
Request URL: /auth/is-authenticated.json


2021-11-29 07:53:23 Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. (/usr/share/php/passbolt/src/Auth/GpgAuthenticate.php:84)
Request URL: /auth/is-authenticated.json


2021-11-29 08:10:05 Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. (/usr/share/php/passbolt/src/Auth/GpgAuthenticate.php:84)
Request URL: /auth/is-authenticated.json


2021-11-29 08:10:12 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/password-generator/settings.json" could not be found. (/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php:216)
Request URL: /password-generator/settings.json?api-version=v2


2021-11-29 08:21:27 Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. (/usr/share/php/passbolt/src/Auth/GpgAuthenticate.php:84)
Request URL: /auth/is-authenticated.json


2021-11-29 08:21:30 Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. (/usr/share/php/passbolt/src/Auth/GpgAuthenticate.php:84)
Request URL: /auth/is-authenticated.json


2021-11-29 08:21:31 Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. (/usr/share/php/passbolt/src/Auth/GpgAuthenticate.php:84)
Request URL: /auth/is-authenticated.json


2021-11-29 08:21:32 Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. (/usr/share/php/passbolt/src/Auth/GpgAuthenticate.php:84)
Request URL: /auth/is-authenticated.json


2021-11-29 08:21:46 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/password-generator/settings.json" could not be found. (/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/RouteCollection.php:216)
Request URL: /password-generator/settings.json?api-version=v2


2021-11-29 08:41:46 Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. (/usr/share/php/passbolt/src/Auth/GpgAuthenticate.php:84)
Request URL: /auth/is-authenticated.json


2021-11-29 08:42:13 Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. (/usr/share/php/passbolt/src/Auth/GpgAuthenticate.php:84)
Request URL: /auth/is-authenticated.json


2021-11-29 09:33:30 Error: [Cake\Http\Exception\ForbiddenException] Forbidden in /usr/share/php/passbolt/src/Controller/Healthcheck/HealthcheckIndexController.php on line 49
Request URL: /healthcheck
Client IP: 192.168.0.149


2021-11-29 09:33:54 Error: [Cake\Http\Exception\ForbiddenException] Forbidden in /usr/share/php/passbolt/src/Controller/Healthcheck/HealthcheckIndexController.php on line 49
Request URL: /healthcheck
Client IP: 192.168.0.149


2021-11-29 13:38:24 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /usr/share/php/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: 192.168.0.149


2021-11-29 13:54:28 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /usr/share/php/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP: 192.168.0.149


2021-11-29 13:54:28 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /usr/share/php/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP: 192.168.0.149


2021-11-29 13:56:48 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /usr/share/php/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP: 192.168.0.149


2021-11-29 13:56:48 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /usr/share/php/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?api-version=v2
Client IP: 192.168.0.149


2021-11-29 14:17:48 Error: [Cake\Http\Exception\ForbiddenException] Forbidden in /usr/share/php/passbolt/src/Controller/Healthcheck/HealthcheckIndexController.php on line 49
Request URL: /healthcheck
Client IP: 192.168.0.149

Thank you, too!

Looks like a typo in your path:

file_get_contents(/etc/passbolt/jwt/jwt.pem): failed to open stream: No such file or directory

This makes it highly likely that all subsequent errors you get trace back to this one encountered first.

Does the file really exist? (as root: # ls /etc/passbolt/jwt/jwt.pem)

And so it is!
In /etc/passbolt/ there is no jwt folder.
This is strange.
Is it a solution to copy that folder to this directory again?!

I searched in an older backup. There is no jwt folder.

Hi, this kind of error means your server is not correctly configured to handle https connections. The missing jwt folder error is related to the mobile application, and not to your issue.

You first have to fix your SSL configuration.

Can you post here the content of the /etc/nginx/sites-enabled/nginx-passbolt.conf file? You can hide your domain name.

As you are using Debian, this file should be like this one:

#
#  Passbolt.conf - Nginx configuration file to run the Passbolt software.
#

server {

  listen 443 ssl http2;
  listen [::]:80;

  # Managed by Passbolt
  server_name passbolt.domain.tld;

  client_body_buffer_size     100K;
  client_header_buffer_size   1K;
  client_max_body_size        5M;

  client_body_timeout   10;
  client_header_timeout 10;
  keepalive_timeout     5 5;
  send_timeout          10;

  root /usr/share/php/passbolt/webroot;
  index index.php;
  error_log /var/log/nginx/passbolt-error.log info;
  access_log /var/log/nginx/passbolt-access.log;

  # Managed by Passbolt
  include /etc/passbolt/nginx-ssl.conf;

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    try_files                $uri =404;
    include                  fastcgi_params;
    fastcgi_pass             unix:/run/php/php7.3-fpm.sock;
    fastcgi_index            index.php;
    fastcgi_intercept_errors on;
    fastcgi_split_path_info  ^(.+\.php)(.+)$;
    fastcgi_param            SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param            SERVER_NAME $http_host;
    fastcgi_param PHP_VALUE  "upload_max_filesize=5M \n post_max_size=5M";
  }

}

Can you also post the content of /etc/passbolt/nginx-ssl.conf?

It should be like this one:

#
#  nginx-passbolt.conf
#
#  Passbolt provided file to be included from nginx main virtual hosts file.
#  It allows to pull common SSL settings from a central place.
#
#  Use the nginx include directive to pull this information in.
#

  # Managed by Passbolt
  listen [::]:443 ssl http2;

  ssl_certificate /etc/ssl/certs/1638198884-cert.pem;
  ssl_certificate_key /etc/ssl/private/1638198884-key.pem;


  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions

  ssl_session_tickets off;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;

In my configuration file, my certificates are located in this path:

  ssl_certificate /etc/ssl/certs/1638198884-cert.pem;
  ssl_certificate_key /etc/ssl/private/1638198884-key.pem;

You can check yours and see if these 2 files contain your updated new certificate.

Best regards,

Hello again,

The problem was the "nginx-passbolt.conf".
The default config was server { listen 443;
I changed it like in your example to server { listen 443 ssl http2;.
After restarting nginx it runs well again.

Thank you so much!

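The two things this thread turns on are (a) the `listen 443;` directive without the `ssl` flag, which makes nginx answer plain HTTP on the TLS port and produces exactly the ERR_SSL_PROTOCOL_ERROR / SSL_ERROR_RX_RECORD_TOO_LONG / "wrong version number" symptoms quoted above, and (b) telling that failure apart from a genuinely bad or expired certificate after a swap. The following is an added example, not code from Passbolt or from anyone in this thread: a small linter for nginx `listen` directives and a TLS probe that classifies the handshake outcome. The nginx fragment and the plain-HTTP listener it tests against are constructed stand-ins; the outcome names (`tls_ok`, `plain_http_on_tls_port`, and so on) are this example's own.

```python
"""Added example (not Passbolt's code): two checks for the failure in this thread.

1. lint `listen` directives: a `listen 443;` without the `ssl` flag makes nginx
   answer plain HTTP on the TLS port, which browsers report as
   ERR_SSL_PROTOCOL_ERROR / SSL_ERROR_RX_RECORD_TOO_LONG and OpenSSL as
   "wrong version number".
2. probe host:port with a real TLS handshake and classify the outcome, so
   "no TLS at all" is told apart from "bad or expired certificate".
"""
import re
import socket
import ssl
import threading

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)

# Outcome names returned by classify_tls_endpoint() (this example's own labels).
TLS_OK = "tls_ok"
PLAIN_ON_TLS_PORT = "plain_http_on_tls_port"
CERT_EXPIRED = "cert_expired"
HOSTNAME_MISMATCH = "hostname_mismatch"
UNTRUSTED_CHAIN = "untrusted_chain"
OTHER_TLS_ERROR = "tls_error"

# OpenSSL reason codes seen when the peer answers a ClientHello with non-TLS bytes.
_NOT_TLS_REASONS = {"WRONG_VERSION_NUMBER", "UNKNOWN_PROTOCOL",
                    "PACKET_LENGTH_TOO_LONG", "HTTP_REQUEST", "RECORD_LAYER_FAILURE"}


def listen_directives_missing_ssl(conf_text, tls_port=443):
    """Return every `listen` directive that binds tls_port without the `ssl` flag.

    Handles the address forms nginx accepts: `443`, `*:443`, `0.0.0.0:443`, `[::]:443`.
    """
    bad = []
    for match in LISTEN_RE.finditer(conf_text):
        args = match.group(1).split()
        port = args[0].rsplit(":", 1)[-1]          # strip any address prefix
        if port == str(tls_port) and "ssl" not in args[1:]:
            bad.append(match.group(0).strip())
    return bad


def classify_tls_endpoint(host, port, timeout=5.0):
    """Open a TCP connection, attempt a TLS handshake and classify what happened."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return TLS_OK
    except ssl.SSLCertVerificationError as exc:
        # Handshake reached certificate validation: the port does speak TLS.
        message = (exc.verify_message or str(exc)).lower()
        if "expired" in message:
            return CERT_EXPIRED
        if "hostname mismatch" in message:
            return HOSTNAME_MISMATCH
        return UNTRUSTED_CHAIN
    except ssl.SSLError as exc:
        # Record-layer failure before any certificate was seen: not TLS at all.
        if exc.reason in _NOT_TLS_REASONS or "wrong version number" in str(exc):
            return PLAIN_ON_TLS_PORT
        return OTHER_TLS_ERROR


def start_plain_http_listener():
    """Constructed stand-in for nginx with `listen 443;` and no `ssl`: it answers
    whatever it receives (here, a ClientHello) with an HTTP 400. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n"
                         b"Connection: close\r\n\r\n")
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


# Constructed nginx fragment mirroring the thread: the default `listen 443;`
# next to the corrected form from the nginx-ssl.conf include.
SAMPLE_CONF = """
server {
  listen 443;
  listen [::]:80;
  listen [::]:443 ssl http2;
  server_name passbolt.domain.tld;
}
"""

if __name__ == "__main__":
    print("listen directives missing ssl:", listen_directives_missing_ssl(SAMPLE_CONF))
    port = start_plain_http_listener()
    print("handshake against plain-HTTP listener:", classify_tls_endpoint("127.0.0.1", port))
```

Run the linter over both `nginx-passbolt.conf` and the included `nginx-ssl.conf`, since a port-443 `listen` can live in either file; then point the probe at the public hostname after `nginx -t` and the reload. `plain_http_on_tls_port` means the `listen` directive is the problem, while `cert_expired` or `hostname_mismatch` means nginx is speaking TLS and the certificate files referenced by `ssl_certificate` / `ssl_certificate_key` are what need attention.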