Connection refused when doing initial web-based setup after install

Trying to install Passbolt on a Raspberry Pi that I’ve got and I’ve done quite a bit of self-troubleshooting, but I’ve reached a dead end. Hoping to get some help from the community.

During setup, I couldn’t get Let’s Encrypt to verify my URL (more on my URL later), so I ended up manually creating my keys and finally the initial setup completed and it tells me to go to my site (pass.mysite.com). I go to that URL and it says “Connection refused”, so I can’t complete the Passbolt setup.

I am running the RPi on my home network, behind a Netgear R7000 router running AdvancedTomato version 1.28.0000 -3.5-140 K26ARM USB AIO-64K. I have IP forwarding set up as follows:

Protocol        Src Address   Ext Ports   Int Port   Int Address   Description
TCP                           25565       25565      10.0.0.222    Minecraft Server
Both(TCP/UDP)                 80,443                 10.0.0.81     Passbolt Server

My website URL is registered through NameCheap and I’m using the NameCheap DDNS, set up on the Tomato router correctly, and I can ping my URL (but can only Traceroute to it using the -I option).

Can’t think of what else to share, so now I’ll move to the HealthCheck (see below), which throws several errors, but I have no idea what they mean and I assume these are caused by the fact that I haven’t completed the setup (maybe?).

I have no idea how to proceed. Help in resolving this would be appreciated. Thank you.

HealthCheck:

Warning Error: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_core_translations.cake_console.en_UK): failed to open stream: Permission denied
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 391]

Warning Error: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_core_translations.cake_console.en_UK): failed to open stream: Permission denied
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 391]


     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell......Warning Error: file_get_contents(/etc/passbolt/gpg/serverkey.asc): failed to open stream: No such file or directory
In [/usr/share/php/passbolt/src/Utility/Healthchecks/GpgHealthchecks.php, line 456]

2023-04-03 17:09:22 warning: Warning (2): file_get_contents(/etc/passbolt/gpg/serverkey.asc): failed to open stream: No such file or directory in [/usr/share/php/passbolt/src/Utility/Healthchecks/GpgHealthchecks.php, line 456]
Warning Error: file_get_contents(/etc/passbolt/gpg/serverkey_private.asc): failed to open stream: No such file or directory
In [/usr/share/php/passbolt/src/Utility/Healthchecks/GpgHealthchecks.php, line 458]

2023-04-03 17:09:22 warning: Warning (2): file_get_contents(/etc/passbolt/gpg/serverkey_private.asc): failed to open stream: No such file or directory in [/usr/share/php/passbolt/src/Utility/Healthchecks/GpgHealthchecks.php, line 458]
.Exception: strpos() expects parameter 1 to be string, bool given
In [/usr/share/php/passbolt/src/Utility/Healthchecks.php, line 92]

Hi @Decoy256 Welcome to the forum!

I think for the port forwarding you need to also set internal ports for the raspberry pi. I tried to format that section for clearer viewing of your records. Hopefully I got it right.

1 Like

@garrett On the Tomato router if no port is listed it uses the same ports on the internal side.

What install guide are you using? What OS version?

1 Like

I’ve been following the RPi guide found on the Passbolt website: Passbolt Help | Install Passbolt CE on Raspberry PI

As recommended by that guide, the OS is the newest RPi OS Lite (from 2/21/2023). It is running on a RPi 3b and I am connected to my network with a Cat6 cable.

I was setting up the DDNS on the RPi using a script running at startup, but when I discovered that Tomato could handle the DDNS on the router, I just went with that for DDNS handling.

1 Like

The errors are suggesting the file permissions or ownership are not right.

Check ownership and permissions on the following locations:

  • /etc/passbolt and the gpg subdirectory
  • /usr/share/php/passbolt
  • /var/lib/passbolt

I’m having trouble at the moment finding the reference to what they should be.

1 Like
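One way to run the ownership and permission check suggested above, as an added example that is not part of the thread: it reports owner, group and mode for the locations and files named in the posts and the healthcheck output, and counts anything missing or unreadable. The function names are hypothetical, and running it as `www-data` (for instance `sudo -u www-data sh check.sh`) assumes that is the account the web server uses.

```shell
#!/bin/sh
# Added example (not from the thread): report owner, group and mode for Passbolt paths.

# Print "owner:group mode path", or "MISSING path" when the path does not exist.
describe_path() {
    if [ -e "$1" ]; then
        ls -ld -- "$1" | awk -v p="$1" '{ print $3 ":" $4, $1, p }'
    else
        printf 'MISSING %s\n' "$1"
    fi
}

# Return 0 if the current user can read the path (and enter it, for a directory).
can_access() {
    if [ -d "$1" ]; then [ -r "$1" ] && [ -x "$1" ]; else [ -r "$1" ]; fi
}

# Describe every path given; the return status is the number of problems found.
audit_paths() {
    problems=0
    for p in "$@"; do
        describe_path "$p"
        if [ ! -e "$p" ]; then
            problems=$((problems + 1))
        elif ! can_access "$p"; then
            printf '  not accessible to %s\n' "$(id -un)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Default to the locations named in the thread unless paths are given as arguments.
[ "$#" -gt 0 ] || set -- /etc/passbolt /etc/passbolt/gpg \
    /etc/passbolt/gpg/serverkey.asc /etc/passbolt/gpg/serverkey_private.asc \
    /usr/share/php/passbolt /var/lib/passbolt /var/lib/passbolt/tmp/cache/persistent
audit_paths "$@" || echo "audit found $? problem(s)"
```

A path underneath a directory the current user cannot enter is also reported as MISSING, so read the output from the top-level directory downwards.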

Ownership and permissions are as follows:

/etc/passbolt - root:www-data - drwxrwx---

/usr/share/php/passbolt - root:root - drwxr-xr-x

/var/lib/passbolt - www-data:www-data - drwxr-xr-x

I agree.

Start with:
sudo apt install passbolt-ce-server

and if it says already installed, then try:
sudo dpkg-reconfigure passbolt-ce-server

to kickstart a refresh on the configuration steps.

1 Like

I’ve done that a dozen times. Just did it again. Same result.

I’m thinking of starting over with a fresh Pi OS install. I’ve got an extra SD card that I could insert into the Pi and try again. Maybe my initial attempts screwed something up? I’ll try that this afternoon and report back.

OK, re-installed on the new SD card, carefully went through all of the steps and I’m getting the same result.

This time I noticed that at the end of the manual HTTPS configuration page (Passbolt Help | Manual HTTPS configuration on Debian and Ubuntu with user provided certificates), it says "Finally, ensure ‘fullBaseUrl’ value in /etc/passbolt/passbolt.php starts with https://."

The issue is that this file does not exist. I have passbolt.default.php, but not passbolt.php. When is this file created? Do I need to create it myself?

EDIT: So on a lark, I decided to enter the local IP address assigned to my Pi into my browser and it brings up the “Welcome to nginx” page.

1 Like

On a package install it gets created in the setup and is a copy of passbolt.default.php. My guess is the install steps assume you come back to do https.

Install pages borrow sections from each other so new installs instructions are sometimes prone to this kind of thing as they are created - a missing section or the wrong section selected.

Sorry for the headache - and if you want to report this on github it would be helpful. There’s a link on the help site install pages.

1 Like

So do I just copy passbolt.default.php and I’m good or…? I’m looking through it right now and there seems to be a lot of stuff that requires information that I don’t know.

Also, where would you recommend on the Github I report this? Sorry… I haven’t ever done that before.

First, try setting up passbolt without https. It should create the passbolt.php with populated info from your install steps. Then go back and do the https step.

1 Like

How do I do that? I’m not getting anything when I go to my URL and punching in my server’s local IP address just gives me the nginx welcome page.

The passbolt package install is meant for a fresh system without anything else installed on it like NGINX, mariadb, etc. If you already had these things installed, it may not work correctly.

Once you have completed the install process, there should be a NGINX config file for passbolt like passbolt.conf found somewhere in the vicinity of /etc/nginx/. If it’s not there, the install is not complete and/or is not installing correctly.

If there is a passbolt.conf but it uses a domain name you established, this might explain why NGINX is directing you to its Welcome page when using the ip address. You will want to try with your domain name instead.

To get some clarity on whether NGINX is configured in a functional way, test it with:
sudo nginx -t

If there are conflicts it will tell you. If there is no NGINX for passbolt, this means the install did not work (see below).

If passbolt.php is missing, you could try copying it from passbolt.default.php. The configuration parameters of that file are collected during the install process - some find their way into that passbolt.php file and some are entered into secure storage in the database.

So, if the package install process does not seem to be working for you, you could always attempt an installation from source using these instructions here: Passbolt Help | Install passbolt API from source

Those instructions do work, but create an installation that is updated via git, etc. rather than the package. However, it will also give you a high level overview of the different parts of the app.

Note: the package install places files into locations that the source code install will not. They are not the same kind of installation, but do produce a functional passbolt installation either way.

To give a complete view of how I proceeded with this install, this is what I’ve done:

  1. Use the Raspberry Pi Imager to install a fresh copy of the 64-bit RasPi OS.
  2. Boot to the RasPi OS and do basic configuration (locale, time zone, enable SSH)
  3. Run “sudo apt update” and “sudo apt upgrade”
  4. Manually generate SSL keys
  5. Immediately start following steps I linked to previously for the RasPi install.
  6. When prompted, point to the keys created in Step 4
  7. Complete setup without errors
  8. Attempt to access the web setup using my URL, with no success

In the ‘/etc/nginx/sites-available’ directory, I do have a file called ‘nginx-passbolt.conf’. The contents of that file are as follows (sorry, it looks like automatic formatting has messed up certain sections, but maybe you can still decipher it):

#
#  Passbolt.conf - Nginx configuration file to run the Passbolt software.
#

server {

  listen 80;
  listen [::]:80;

  # Managed by Passbolt
  # server_name

  client_body_buffer_size     100K;
  client_header_buffer_size   1K;
  client_max_body_size        5M;

  client_body_timeout   10;
  client_header_timeout 10;
  keepalive_timeout     5 5;
  send_timeout          10;

  root /usr/share/php/passbolt/webroot;
  index index.php;
  error_log /var/log/nginx/passbolt-error.log info;
  access_log /var/log/nginx/passbolt-access.log;

  # Managed by Passbolt
  # include __PASSBOLT_SSL__

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    try_files                $uri =404;
    include                  fastcgi_params;
    fastcgi_pass             unix:/run/php/__PHP_SOCK__;
    fastcgi_index            index.php;
    fastcgi_intercept_errors on;
    fastcgi_split_path_info  ^(.+\.php)(.+)$;
    fastcgi_param            SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param            SERVER_NAME $http_host;
    fastcgi_param PHP_VALUE  "upload_max_filesize=5M \n post_max_size=5M";
  }

}

— end of file —

Running sudo nginx -t results in:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If there is no way to get this to work, I suppose I will try wiping this SD again and try installing it from the source. But I’ll wait to do that until we’ve exhausted all other options. Just let me know when we’ve reached that point. 😃
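A way to summarise what a site file like the one posted above actually declares, as an added example that is not part of the thread: it lists the active `listen` and `server_name` directives, any `__NAME__` tokens still present in active lines, and whether the file is linked from an enabled-sites directory. The function names are hypothetical; reading `__NAME__` tokens as unfilled template placeholders and the `/etc/nginx/sites-enabled` layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what an nginx site file declares.
# Print the active (uncommented) values of a directive such as listen or server_name.
active_directive() {    # $1 = directive name, $2 = site file
    sed 's/#.*//' "$2" |
        awk -v d="$1" '$1 == d { sub(/;.*/, ""); $1 = ""; sub(/^ +/, ""); print }'
}

# Print __NAME__ tokens left in active lines (assumed here to be unfilled placeholders).
leftover_tokens() {     # $1 = site file
    sed 's/#.*//' "$1" | grep -o '__[A-Z_]*[A-Z]__' | sort -u
}

# Return 0 if an entry in the enabled directory resolves to the site file.
is_enabled() {          # $1 = site file, $2 = enabled directory
    for entry in "$2"/*; do
        if [ -e "$entry" ] && [ "$entry" -ef "$1" ]; then return 0; fi
    done
    return 1
}

site_report() {         # $1 = site file, $2 = enabled directory
    names=$(active_directive server_name "$1")
    tokens=$(leftover_tokens "$1" | tr '\n' ' ')
    echo "listen:       $(active_directive listen "$1" | tr '\n' ' ')"
    echo "server_name:  ${names:-(none active)}"
    echo "placeholders: ${tokens:-(none)}"
    if is_enabled "$1" "$2"; then echo "enabled:      yes"; else echo "enabled:      no"; fi
}

# Constructed sample, abbreviated from the file posted in the thread.
write_sample() {        # $1 = destination file
    cat > "$1" <<'EOF'
server {
  listen 80;
  listen [::]:80;
  # server_name
  location ~ \.php$ {
    fastcgi_pass unix:/run/php/__PHP_SOCK__;
  }
}
EOF
}

# With two arguments, report on real paths; otherwise run on the constructed sample.
if [ "$#" -ge 2 ]; then site_report "$1" "$2"; else
    demo=$(mktemp -d); mkdir "$demo/enabled"; write_sample "$demo/site.conf"
    site_report "$demo/site.conf" "$demo/enabled"; rm -rf "$demo"
fi
```

On a real system the two arguments would be the site file and the enabled-sites directory, for example `/etc/nginx/sites-available/nginx-passbolt.conf` and `/etc/nginx/sites-enabled`.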

Everything seems ok. Can you confirm that passbolt is installed into the location above? The root directive is correct.

1 Like

And if there were any changes along the way, try sudo systemctl reload nginx to restart NGINX - maybe settings are not being applied?

1 Like

The contents of the /usr/share/php/passbolt/webroot/ directory are:

-rw-r--r-- 1 root root 3684 Mar 17 10:04 apple-touch-icon-114x114-precomposed.png
-rw-r--r-- 1 root root 2098 Mar 17 10:04 apple-touch-icon-57x57-precomposed.png
-rw-r--r-- 1 root root 2336 Mar 17 10:04 apple-touch-icon-72x72-precomposed.png
-rw-r--r-- 1 root root 2098 Mar 17 10:04 apple-touch-icon.png
-rw-r--r-- 1 root root 2098 Mar 17 10:04 apple-touch-icon-precomposed.png
drwxr-xr-x 3 root root 4096 Apr 4 17:32 css
-rw-r--r-- 1 root root 3467 Mar 17 10:02 favicon_128.png
-rw-r--r-- 1 root root 5257 Mar 17 10:02 favicon_192.png
-rw-r--r-- 1 root root 6040 Mar 17 10:02 favicon_228.png
-rw-r--r-- 1 root root 1302 Mar 17 10:02 favicon_32.png
-rw-r--r-- 1 root root 1815 Mar 17 10:02 favicon_57.png
-rw-r--r-- 1 root root 2307 Mar 17 10:02 favicon_76.png
-rw-r--r-- 1 root root 2709 Mar 17 10:02 favicon_96.png
-rw-r--r-- 1 root root 318 Mar 17 10:02 favicon.ico
-rw-r--r-- 1 root root 573 Mar 17 10:04 favicon.png
drwxr-xr-x 2 root root 4096 Apr 4 17:32 fonts
drwxr-xr-x 10 root root 4096 Apr 4 17:32 img
-rw-r--r-- 1 root root 1361 Mar 17 10:03 index.php
drwxr-xr-x 6 root root 4096 Apr 4 17:32 js
drwxr-xr-x 15 root root 4096 Apr 4 17:32 locales

Yes, I have reloaded nginx and have rebooted the system periodically just to be sure.

What are the results of:
curl http://10.0.0.81

1 Like