Connection timed out

Hi,
I’m having some trouble with passbolt.
Everything went well during the install, but when I try to reach the server from the browser with the ip:port I got a connection timed out.

I checked the passbolt health check and I got:

Environment

[PASS] PHP version 5.4.16
[PASS] PCRE compiled with unicode support
[PASS] The temporary directory and its content are writable
[PASS] The public image directory and its content are writable

Config files

[PASS] The core config file is present
[PASS] The database config file is present
[PASS] The email config file is present
[PASS] The application config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Unique value set for security.cipherSeed
[PASS] Full base url is set to http://10.0.20.127:3001
[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in app/Config/core.php
[HELP] Check the network settings

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate

Database

[PASS] Configured to use a supported database backend
[PASS] The application is able to connect to the database
[PASS] Not using a prefix for database tables
[PASS] 20 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded
[PASS] The server gpg key is not the default one
[PASS] The environment variable GNUPGHOME is set to /var/cache/nginx/.gnupg
[PASS] The directory /var/cache/nginx/.gnupg containing the keyring is writable by the user the webserver is running as.
[PASS] The public key file is defined in app/config.php and readable.
[PASS] The private key file is defined in app/config.php and readable.
[PASS] The server key fingerprint matches the one defined in app/config.php.
[PASS] The server key defined in the app/Config.php is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.

Application configuration

[FAIL] Could not connect to passbolt repository to check versions. It is not possible check if your version is up to date.
[HELP] Check the network configuration to allow this script to check for updates
[FAIL] Passbot is not configured to force SSL use
[HELP] Set App.ssl.force to true in app/Config/app.php
[FAIL] App.fullBaseUrl is not set to HTTPS
[HELP] Check App.fullBaseUrl url scheme in app/Config/core.php
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

Development Tools (optional)

[PASS] Phpunit is installed
[PASS] Phpunit version is 3.7.38

6 error(s) found. Hang in there!

I didn’t set up https, that’s why I got errors on this part, but the health check also tells me it couldn’t reach the health check through the URL.
So I tried to see what I did wrong during the install, but I don’t see it.
I followed this guide: https://medium.com/passbolt/passbolt-on-centos-7-with-nginx-php7-fpm-mariadb-from-scratch-7b2a9b15f3a4
After a quick look on the web I didn’t find anything interesting.
I also double checked the guide in case I failed something, but everything looks good.
If someone can help me that would be nice.
Thank you and sorry for my bad English.

Hello,

Can you check the logs:

  • of the application in app/tmp/
  • of the webserver

Maybe there will be some pointers on what’s causing the timeout there.
Are you sure the host is reachable? Do you see the webserver port open (like with nmap)?

Thanks for your fast answer.

In app/tmp/logs I have a file named empty.
In /var/log/nginx in error.log I have this:

2018/02/08 11:38:52 [emerg] 21619#21619: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/02/08 11:38:52 [emerg] 21619#21619: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/02/08 11:38:52 [emerg] 21619#21619: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/02/08 11:38:52 [emerg] 21619#21619: bind() to 0.0.0.0:80 failed (98: Address already in use)
2018/02/08 11:38:52 [emerg] 21619#21619: still could not bind()
2018/02/08 15:10:18 [notice] 31631#31631: signal process started
2018/02/08 15:25:34 [notice] 31686#31686: signal process started
2018/02/08 15:26:00 [error] 31687#31687: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.20.127, server: , request: "GET /healthcheck/status.json HTTP/1.0", upstream: "fastcgi://127.0.0.1:9000", host: "10.0.20.127"
2018/02/08 15:34:38 [error] 31687#31687: *3 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.20.127, server: , request: "GET /healthcheck/status.json HTTP/1.0", upstream: "fastcgi://127.0.0.1:9000", host: "10.0.20.127"
2018/02/08 15:37:51 [error] 31687#31687: *5 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.20.127, server: , request: "GET /healthcheck/status.json HTTP/1.0", upstream: "fastcgi://127.0.0.1:9000", host: "10.0.20.127"
2018/02/08 15:37:51 [error] 31687#31687: *7 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.20.127, server: , request: "GET /healthcheck/status.json HTTP/1.0", upstream: "fastcgi://127.0.0.1:9000", host: "10.0.20.127"
2018/02/08 15:42:54 [notice] 31830#31830: signal process started

The host was reachable by a ping from Windows, I will do an nmap asap.
Thank you again

Hi @tox,
It looks like nginx is not able to connect to php-fpm; there must be a problem with your nginx setup and/or the php-fpm service is not running.

Please check that the php-fpm process is running and listening on localhost port 9000 (you can restart it using systemctl restart php-fpm if you are using CentOS).
If you happen to check that php-fpm is running and listening on network host:port 127.0.0.1:9000 (and not using the Linux socket) but it is still not going forward, please provide your nginx configuration files.

Hi,
I may be wrong but it looks like php-fpm is listening on network host:
php-fpm 5657 nginx 0u IPv4 58920 0t0 TCP localhost:cslistener (LISTEN)
I copy-pasted the nginx conf from the tutorial, here it is:

server {
    listen 80;

    client_body_buffer_size 100K;
    client_header_buffer_size 1k;
    client_max_body_size 100k;
    large_client_header_buffers 2 1k;

    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 5 5;
    send_timeout 10;

    root /var/www/passbolt;

    # X-Frame-Options is to prevent from clickJacking attack
    add_header X-Frame-Options SAMEORIGIN;

    # disable content-type sniffing on some browsers.
    add_header X-Content-Type-Options nosniff;

    # This header enables the Cross-site scripting (XSS) filter
    add_header X-XSS-Protection "1; mode=block";

    # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    location / {
        try_files $uri $uri/ /index.php?$args;
        index index.php;
    }

    location ~ .php$ {
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+.php)(.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SERVER_NAME $http_host;
    }

    location ~* .(jpe?g|woff|woff2|ttf|gif|png|bmp|ico|css|js|json|pdf|zip|htm|html|docx?|xlsx?|pptx?|txt|wav|swf|svg|avi|mp\d)$ {
        access_log off;
        log_not_found off;
        try_files $uri /app/webroot/$uri /index.php?$args;
    }
}

Is it wrong?
Thank you for your answers

I noticed these lines in your logs:

Could you check if you have two conflicting nginx processes or if any other process is binding port 80 already?
The nginx configuration file is fine (some characters are missing such as ‘\’, I guess due to html escaping when pasting).

By the way, the guide “Passbolt v1 on CentOS 7 with NGINX / PHP7-FPM / MariaDB from scratch” (by Kevin Muller, on Medium) has been updated with more accurate CentOS specifics. I would recommend taking a look at the updated version of the guide, following the new procedure from scratch and, if you experience problems again, updating this post.

I think this is the problem, I have this:
nginx 1618 root 6u IPv4 17415 0t0 TCP *:http (LISTEN)
nginx 1619 nginx 6u IPv4 17415 0t0 TCP *:http (LISTEN)

How can I shut one down?

kill -9 process_identifier

Thank you, but it’s still not working. As the tutorial has been updated I think I’ll do it again from scratch and hope it works.
Thank you


Following the new information you provided on Semanage errors, could it be that you have some firewall running?

Are you able to access passbolt from the server? If you execute the following commands what is the output?
curl -ilkvv -H "Host: your_fullbaseurl_hostname" http://your_passbolt_ip_or_domain
or just
curl -ilkvv http://your_passbolt_ip_or_domain

Are you forcing SSL from passbolt? If you do, do you have the nginx ssl enabled configuration in place and the SSL certificates?

Are ports 80 and/or 443 open on the server? Could you check that you can access those ports from the client?

Yes, I have a fw on the network but according to my network admin, it’s not the problem.
I tried this curl -ilkvv http://X.X.X.X and I got

* About to connect() to X.X.X.X port 8081 (#0)
* Trying X.X.X.X
* Connection refused
* Failed connect to X.X.X.X:8081; Connection refused
* Closing connection 0
curl: (7) Failed connect to X.X.X.X:8081; Connection refused

I gave the same ip for passbolt as the server hosting passbolt, maybe that’s the problem?
SSL is currently disabled.

netstat -lntu

tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
udp 0 0 0.0.0.0:47071 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp6 0 0 ::1:323 :::*
udp6 0 0 :::49675 :::*

If I’m right, 80 and 443 are not open.

Try running systemctl start nginx to see if there is any log message.

The logs remain empty.

Are you aware of that port redirect to port 8081? Are you doing a port mapping from port 8081 to port 80?

Plus if you do ps aux |grep nginx do you have nginx processes running?

I just chose the 8081 port in core.php on Configure::write('App.fullBaseUrl', 'http://{ip_of_your_server:8081}');
like in the guide.
The healthcheck tell me :

[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in app/Config/core.php
[HELP] Check the network settings

But I didn’t put any domain name in this file, only an ip. Is that the problem?

Yes, I have some nginx processes running.

I think it’s a dumb question but do you have a listen 8081 on the nginx configuration file for passbolt?

I have tried with 80 and 8081 and got the same result.

So, you set:

  • nginx to run on port 8081
  • core.php fullBaseUrl is pointing to http://your_ip:8081
  • SSL force is false on app.php
  • php-fpm is running
  • nginx is running listening on 0.0.0.0:8081
  • you don’t require selinux

With this scenario you still get a connection refused using curl locally from the server and remotely (from another computer)?
With this scenario can you scan port 8081 from a computer that is not the server using, for example, nmap: nmap -p 8081 ip_of_your_server or some other port scanning tool?
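
Added example (not part of the original thread): a small Python cross-check of the items in the checklist above, comparing the App.fullBaseUrl port, the nginx listen and fastcgi_pass directives, and the sockets reported by netstat -lntu. The sample inputs are constructed from values quoted in this thread and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed inputs modelled on the values quoted in this thread.
CORE_PHP = "Configure::write('App.fullBaseUrl', 'http://10.0.20.127:8081');"
NGINX_CONF = """server {
    listen 80;
    location ~ \\.php$ { fastcgi_pass 127.0.0.1:9000; }
}"""
NETSTAT = """tcp  0 0 0.0.0.0:3306   0.0.0.0:* LISTEN
tcp  0 0 0.0.0.0:22     0.0.0.0:* LISTEN
tcp  0 0 127.0.0.1:9000 0.0.0.0:* LISTEN
tcp6 0 0 :::22          :::*      LISTEN
udp  0 0 0.0.0.0:68     0.0.0.0:*"""

def base_url_port(core_php):
    """Port implied by App.fullBaseUrl (scheme default if none is given)."""
    url = re.search(r"App\.fullBaseUrl'\s*,\s*'([^']+)'", core_php).group(1)
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)

def nginx_listen_ports(conf):
    """Ports from 'listen 80;', 'listen 0.0.0.0:8081;', 'listen 443 ssl;'."""
    return {int(p) for p in re.findall(r"^\s*listen\s+(?:[^\s;]*:)?(\d+)", conf, re.M)}

def fastcgi_upstreams(conf):
    """TCP upstreams named in fastcgi_pass (unix sockets are ignored)."""
    return {(h, int(p)) for h, p in re.findall(r"fastcgi_pass\s+([\d.]+):(\d+)", conf)}

def listening(netstat):
    """(address, port) pairs in LISTEN state from `netstat -lntu` output."""
    socks = set()
    for fields in map(str.split, netstat.splitlines()):
        if len(fields) >= 6 and fields[-1] == "LISTEN":
            host, _, port = fields[3].rpartition(":")
            socks.add((host, int(port)))
    return socks

def diagnose(core_php, conf, netstat):
    want, ports, socks = base_url_port(core_php), nginx_listen_ports(conf), listening(netstat)
    bound = {port for _, port in socks}
    findings = []
    if want not in ports:
        findings.append(f"fullBaseUrl expects port {want}, nginx listens on {sorted(ports)}")
    findings += [f"no socket is bound to nginx port {p}" for p in sorted(ports - bound)]
    findings += [f"php-fpm upstream {h}:{p} is not listening"
                 for h, p in sorted(fastcgi_upstreams(conf))
                 if (h, p) not in socks and ("0.0.0.0", p) not in socks]
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(CORE_PHP, NGINX_CONF, NETSTAT)) or "consistent")
```

An empty result only means the three sources agree with each other on the server; a firewall between client and server still has to be checked from the client side.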


Hi,

This morning I first tried a curl locally and it works!
I got this:

* About to connect() to 10.0.20.129 port 80 (#0)
* Trying 10.0.20.129…
* Connected to 10.0.20.129 (10.0.20.129) port 80 (#0)
    GET / HTTP/1.1
    User-Agent: curl/7.29.0
    Host: 10.0.20.129
    Accept: */*

and a long html file.

I also tried it from another server and I got the same error as yesterday.
However nmap is working.
Maybe the problem is the firewall? I’ll try to find out.
Do you have any other idea?
Thank you so much
