Create First Admin User

Checklist
[Y] I have read intro post: About the Installation Issues category
[Y] I have read the tutorials, help and searched for similar issues
[Y] I provide relevant information about my server (component names and versions, etc.)
[N] I provide a copy of my logs and healthcheck
[Y] I describe the steps I have taken to troubleshoot the problem
[Y] I describe the steps on how to reproduce the issue

I have created my first admin user, and my APP_FULL_BASE_URL is “https://localhost”.

I was going to host this in-house and have it routed to a subdomain of mine using Cloudflare’s Zero Trust. However… because I am hosting this locally, when I submit my admin user creation, I get a message telling me to go to the following URL:

https://localhost/setup/install/

This is not possible as the host OS is Ubuntu Server and there is no web browser or GUI for that matter.

How can I access this?

I tried going to that link on another computer (but instead of “localhost” I put the IP address of that machine), to no avail.

Also, when I navigate to the host’s IP in a web browser on another machine it spits out “ERR_SSL_UNRECOGNIZED_NAME_ALERT” (and that is using Traefik within the container). Before I set up Traefik, I was just getting a white page that had nothing in it.

This is frustrating.

Hi @krozz Welcome to the forum!

I would think using the default value in this case would have been much easier.

From https://help.passbolt.com/hosting/install/ce/docker.html:

The APP_FULL_BASE_URL environment variable is set by default to https://passbolt.local, using a self-signed certificate.

It is assumed that if passbolt is running on a server the users of passbolt will be coming from other devices.

Try doing this:

  1. Change to the default above
  2. From a computer (not phone) set the domain and IP address of the server in your hosts file so you can resolve it in the browser.

On Windows machines the hosts file often has to get dragged out of its folder before being editable, then edited, then dragged back in. It’s located at C:\Windows\System32\drivers\etc\hosts.

Linux machines have /etc/hosts.

If your server address is 192.168.1.10, the record should be:

passbolt.local 192.168.1.10

If you can access from a device in the same network as the server locally, that’s ideal so you don’t have to mess with network routing.

Hope this helps!
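The hosts-file step above, as an added check that is not part of the original post: hosts files (Linux /etc/hosts and the Windows file at the path given above) take the IP address first and the host name after it, and this function reports an entry written the other way round, a missing entry, or a wrong address. The function name `check_hosts_entry` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check a hosts-file mapping.
# hosts format: <IP address> <name> [aliases...]; '#' starts a comment.

# check_hosts_entry FILE NAME IP -> prints a verdict, returns
#   0 NAME maps to IP            2 NAME maps to another address
#   1 NAME not found             3 entry is written name-first (ignored)
check_hosts_entry() {
    awk -v name="$2" -v ip="$3" '
        BEGIN { name = tolower(name); rc = 1 }
        {
            sub(/\r$/, "")                 # tolerate Windows CRLF files
            sub(/#.*/, "")                 # strip comments
            if (NF < 2) next
            if (tolower($1) == name) {     # name sits in the address column
                if (rc == 1) { rc = 3; seen = $2 }
                next
            }
            for (i = 2; i <= NF; i++) {
                if (tolower($i) != name) continue
                if ($1 == ip) rc = 0
                else if (rc != 0) { rc = 2; seen = $1 }
            }
        }
        END {
            if (rc == 0) print "ok: " name " -> " ip
            if (rc == 1) print "missing: no entry for " name
            if (rc == 2) print "mismatch: " name " -> " seen ", expected " ip
            if (rc == 3) print "reversed: write \"" seen " " name "\" instead"
            exit rc
        }
    ' "$1"
}

# Constructed sample files (addresses follow the thread's examples).
sample_dir=$(mktemp -d)
printf '127.0.0.1 localhost\n192.168.0.51 passbolt.local # docker host\n' \
    > "$sample_dir/good"
printf '127.0.0.1 localhost\npassbolt.local 192.168.1.10\r\n' \
    > "$sample_dir/reversed"

check_hosts_entry "$sample_dir/good" passbolt.local 192.168.0.51 || :
check_hosts_entry "$sample_dir/reversed" passbolt.local 192.168.1.10 || :
```

On a client, point it at the real file, for example `check_hosts_entry /etc/hosts passbolt.local 192.168.0.51`.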

@garrett
So I can ping passbolt.local from the host machine, and it resolves as the correct IP (192.168.0.51), but on other machines, I (obviously) cannot ping “passbolt.local” but I can ping the IP address.

I’m not sure if I’m just missing something and I’m being stupid, or if there’s something funky going on. When I try to navigate to 192.168.0.51 (the docker host machine), I get “ERR_SSL_UNRECOGNIZED_NAME_ALERT”

In my /etc/hosts file, I have added “192.168.0.51 passbolt.local”.
Below is my docker-compose-ce.yaml file.

```yaml
version: '3.9'
services:
  db:
    image: mariadb:10.3
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - database_volume:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:latest-ce
    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://passbolt.local
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
    #ports:
    #  - 80:80
    #  - 443:443
    #Alternatively for non-root images:
    #  - 80:8080
    #  - 443:4433
    labels:
      traefik.enable: "true"
      traefik.http.routers.passbolt-http.entrypoints: "web"
      traefik.http.routers.passbolt-http.rule: "Host(`passbolt.local`)"
      traefik.http.routers.passbolt-http.middlewares: "SslHeader@file"
      traefik.http.routers.passbolt-https.middlewares: "SslHeader@file"
      traefik.http.routers.passbolt-https.entrypoints: "websecure"
      traefik.http.routers.passbolt-https.rule: "Host(`passbolt.local`)"
      traefik.http.routers.passbolt-https.tls: "true"
      traefik.http.routers.passbolt-https.tls.certresolver: "letsencrypt"
  traefik:
    image: traefik:2.6
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yaml:/traefik.yaml:ro
      - ./conf/:/etc/traefik/conf
      - ./shared/:/shared
volumes:
  database_volume:
  gpg_volume:
  jwt_volume:
```

Also, here is a snippet of the /etc/hosts

[image: /etc/hosts snippet]

This is because you have not added the DNS entry on the other machine’s hosts file as I described. Once you do, you should be able to ping the domain name.

I have updated the hosts file (Windows) on my main workstation, and am still having the same results.

I’m assuming you mean you cannot ping from Windows and get the passbolt local address? What subnet is your Windows machine on? Same as passbolt server?

(And sorry about the mixup with the DNS listing!)

The error you were referencing… maybe it is related to the Cloudflare settings and there is a mismatch in the domain name or something?

My Cloudflare settings are working great with everything else I’m running. Yes they are all in the same subnet. My main goal here is to just broadcast Passbolt over my local network. I’ll configure the SSL and tunnel forward to my domain with a different method. I’m just trying to access Passbolt locally, which I seem to suck at lol

I need to use one of the tunnels to understand but I’m assuming since they call it zero trust that includes blocking on local as well.

Do you provide local access on your other services while using a Cloudflare tunnel?

Almost all of my networks are zero trust so that means even same subnet is blocked. I don’t use Cloudflare tunnels, but that’s the idea of zero trust. No matter where the incoming is coming from, no one gets a free pass. All traffic is verified.

Example. I have UptimeKuma running in a container as well. It’s running on 192.168.0.51:3001

I can access it locally at that IP, or I can go to kuma.mydomain.com. Both links work from any device on or off my network.

I’m basically trying to get Passbolt running the same way. Running over LAN then configure CF’s Zero Trust (pointing to internal IP:Port) to access it over my domain.

So the different containers would have the same IP address? Are you running the containers using the host network instead of isolated?

Edit: I think I see what you mean. It is using port 3001 on the host but the container is not using that IP.

The passbolt install should work like the others… you aren’t accessing those locally, it’s all routed thru Cloudflare.

The error is the problem at this point I think. It’s not a passbolt error and it’s a generic error. Do you need a cert in the Cloudflare settings too?

I’m gonna make another VM and install Passbolt on there to see if the problem is other containers clashing with it.

Yes, but no. I do access my other services locally. When I’m away from home, I can access them via my domain.