Docker: PASSBOLT_SSL_FORCE: "true" causes infinite loop

Hello,

I’m experiencing an issue when configuring my docker instance.
When I enable the option PASSBOLT_SSL_FORCE: "true" in the docker-compose-ce.yaml I get an infinite redirection error.
I have already tried this solution - it didn’t help.
I’m also configuring all of my app settings via env variables. So I think it’s safe to ignore the passbolt.php errors.

Logs:

Installing passbolt

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
Running baseline checks, please wait...
The /etc/passbolt/jwt/ directory should not be writable.
Please run ./bin/cake passbolt healthcheck for more information and help.
Running migrations

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
 Running migration scripts.
-------------------------------------------------------------------------------
using migration paths
 - /etc/passbolt/Migrations
using seed paths
using environment default
using adapter mysql
using database passbolt
ordering by creation time

All Done. Took 0.0353s
Clearing cake caches
Clearing _cake_model_
Cleared _cake_model_ cache
Clearing _cake_core_
Cleared _cake_core_ cache
Enjoy! ☮

/usr/lib/python3/dist-packages/supervisor/options.py:474: UserWarning: Supervisord is running as root and it is searching for its configuration file in default locations (including its current working directory); you probably want to specify a "-c" argument specifying an absolute path to a configuration file for improved security.
  self.warnings.warn(
2024-10-15 17:32:54,566 CRIT Supervisor is running as root.  Privileges were not dropped because no user is specified in the config file.  If you intend to run as root, you can set user=root in the config file to avoid this message.
2024-10-15 17:32:54,566 INFO Included extra file "/etc/supervisor/conf.d/cron.conf" during parsing
2024-10-15 17:32:54,566 INFO Included extra file "/etc/supervisor/conf.d/nginx.conf" during parsing
2024-10-15 17:32:54,566 INFO Included extra file "/etc/supervisor/conf.d/php.conf" during parsing
2024-10-15 17:32:54,576 INFO RPC interface 'supervisor' initialized
2024-10-15 17:32:54,576 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2024-10-15 17:32:54,577 INFO supervisord started with pid 1
2024-10-15 17:32:55,587 INFO spawned: 'php-fpm' with pid 107
2024-10-15 17:32:55,596 INFO spawned: 'nginx' with pid 108
2024-10-15 17:32:55,602 INFO spawned: 'cron' with pid 109
[15-Oct-2024 17:32:55] NOTICE: fpm is running, pid 107
[15-Oct-2024 17:32:55] NOTICE: ready to handle connections
[15-Oct-2024 17:32:55] NOTICE: systemd monitor interval set to 10000ms
2024-10-15 17:32:56,862 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2024-10-15 17:32:56,862 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2024-10-15 17:32:56,863 INFO success: cron entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
.......
172.18.0.4 - - [15/Oct/2024:17:34:05 +0000] "GET / HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0"
..... 
172.18.0.4 - - [15/Oct/2024:17:37:19 +0000] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 301 162 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 LibreWolf/131.0.2"

Healthcheck:


     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell.....
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 8.2.20.
 [PASS] PHP version is 8.1 or above.
 [PASS] PCRE compiled with unicode support.
 [PASS] Mbstring extension is installed.
 [PASS] Intl extension is installed.
 [PASS] GD or Imagick extension is installed.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Cache is working.
 [PASS] Debug mode is off.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.example.com
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in /etc/passbolt/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [WARN] SSL peer certificate does not validate.
 [WARN] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate.
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl

 SMTP settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [WARN] The SMTP Settings source is: env variables.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
 [PASS] No custom SSL configuration for SMTP server.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled.
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [FAIL] The server OpenPGP key is not set.
 [HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [FAIL] The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
 [HELP] Double check the key fingerprint, example:
 [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
 [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
 [HELP] Import the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
 [FAIL] The server key does not have a valid email id.
 [HELP] Edit or generate another key with a valid email id.
 [FAIL] The private key cannot be used to decrypt a message
 [FAIL] The private key cannot be used to decrypt and verify a message
 [FAIL] The public key cannot be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (4.9.1).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.
 [PASS] The database schema is up to date.

 Database

 [PASS] The application is able to connect to the database
 [PASS] 31 tables found.
 [PASS] Some default content is present.

 [FAIL] 8 error(s) found. Hang in there!

Hello @nixer, as you are using docker with environment variables, you should type “source /etc/environment” before executing healthcheck command. This will give you a cleaner output.

Also, we need more context to try to find the problem. Following the guide shown when creating a post, we need to know your OS and version, how it is installed, whether you are using a proxy, and your configuration (in your case docker-compose and environment variables)…


Hi,
I am digging this up, because the SSL error is my last error in the health check.

I am using traefik (and it seems to be working).

Healthcheck

[PASS] Using latest passbolt version (5.3.1).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.

docker-compose

passbolt:
  image: passbolt/passbolt:latest-ce
  #image: passbolt/passbolt:4.8.0-1-ce

  #Alternatively you can use rootless:
  #image: passbolt/passbolt:latest-ce-non-root
  restart: unless-stopped
  depends_on:
    - db
    #- traefik
  environment:
    APP_FULL_BASE_URL: "https://pass.acme.com"
    #PASSBOLT_SSL_FORCE: "true"
    PASSBOLT_EMAIL_VALIDATE_MX: "true"
    PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED: "true"
    DATASOURCES_DEFAULT_HOST: "db"
    DATASOURCES_DEFAULT_USERNAME: "RandoCarissian"
    DATASOURCES_DEFAULT_PASSWORD: "obfuscated"
    DATASOURCES_DEFAULT_DATABASE: "RandoCarissianDB"

Uncommenting the PASSBOLT_SSL_FORCE line will make passbolt do the infinite redirect thingy. What can I do to help?

Server is 5.3.1

Hello @SSintermann, to help you, we need information about your infrastructure, such as the operating system, the full healthcheck and configuration files (mask sensitive information), whether you use proxies like Cloudflare tunnels, and so on.

Without this information, we can’t help you, as we have many variables that are out of context.

Sure, if you need more, I am happy to dig up more ;-). No fancy stuff installed, just traefik and passbolt. Though the traefik serves two other sites as well.

Thanks for your help

Healthcheck

./bin/cake passbolt healthcheck

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

Open source password manager for teams

Healthcheck shell
If you want to have more information about the different checks, please take a look at the documentation: https://www.passbolt.com/docs/admin/server-maintenance/passbolt-api-status/

Environment

[INFO] Linux 85eb299d48f6 6.1.0-35-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.137-1 (2025-05-07) x86_64 GNU/Linux
[PASS] PHP version 8.2.28.
[PASS] PHP version is 8.2 or above.
[PASS] 64-bit architecture system detected.
[INFO] gpg (GnuPG) 2.2.40 / libgcrypt 1.10.1
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[WARN] System clock and NTP service information cannot be found.
[HELP] See timedatectl | grep -i -A 1 clock. More information: https://www.passbolt.com/docs/hosting/configure/ntp/

Config files

[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config

[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.acme
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates.
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate.

SMTP settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[PASS] The SMTP Settings plugin endpoints are disabled.
[PASS] No custom SSL configuration for SMTP server.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled.
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one.
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (5.3.1).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[PASS] Host availability will be checked.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema is up to date.

Database

[PASS] The application is able to connect to the database
[PASS] 34 tables found.
[PASS] Some default content is present.

Metadata

[PASS] The server is able to decrypt the metadata private key.

[FAIL] 1 error(s) found. Hang in there!

docker-compose.yml

cat docker-compose.yml

version: "3.9"

services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passboltdb"
      MYSQL_USER: "rando"
      MYSQL_PASSWORD: "rando"
    volumes:
      - database_volume:/var/lib/mysql
  passbolt:
    image: passbolt/passbolt:latest-ce

    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
      #- traefik
    environment:
      APP_FULL_BASE_URL: "https://obfuscated"
      #PASSBOLT_SSL_FORCE: "true"
      PASSBOLT_EMAIL_VALIDATE_MX: "true"
      PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED: "true"
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "rando"
      DATASOURCES_DEFAULT_PASSWORD: "rando"
      DATASOURCES_DEFAULT_DATABASE: "passboltdb"
      #EMAIL_DEFAULT_FROM_NAME: "obfuscated"
      #EMAIL_DEFAULT_FROM: "obfuscated"
      #EMAIL_TRANSPORT_DEFAULT_HOST: "smtp.obfuscated"
      #EMAIL_TRANSPORT_DEFAULT_PORT: 587
      #EMAIL_TRANSPORT_DEFAULT_USERNAME: "obfuscated"
      #EMAIL_TRANSPORT_DEFAULT_PASSWORD: "obfuscated"
      #EMAIL_TRANSPORT_DEFAULT_TLS: 'true'
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    networks:
      - traefik
      - default
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    labels:
      traefik.enable: "true"
      traefik.http.routers.passbolt-http.entrypoints: "web"
      traefik.http.routers.passbolt-http.rule: "Host(`obfuscated`)"
      traefik.http.routers.passbolt-http.middlewares: "SslHeader@file"

      traefik.http.routers.passbolt-https.middlewares: "SslHeader@file"
      traefik.http.routers.passbolt-https.entrypoints: "websecure"
      traefik.http.routers.passbolt-https.rule: "Host(`obfuscated`)"
      traefik.http.routers.passbolt-https.tls: "true"
      traefik.http.routers.passbolt-https.tls.certresolver: "letsencrypt"
      #traefik.docker.network: "traefik"
    #ports:
    #  - 80:80
    #  - 443:443
    #Alternatively for non-root images:
    #  - 8080:80
    #  - 4443:443

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:
networks:
  traefik:
    external: true
    name: traefik_proxy

traefik.yaml

cat traefik.yaml
global:
  sendAnonymousUsage: true
log:
  level: INFO
  format: common
providers:
  docker:
    endpoint: 'unix:///var/run/docker.sock'
    watch: true
    exposedByDefault: true
    swarmMode: false
  file:
    directory: /etc/traefik/conf/
    watch: true
api:
  dashboard: false
  debug: false
  insecure: false
entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ':443'
certificatesResolvers:
  letsencrypt:
    acme:
      email: obfuscated
      storage: /shared/acme.json
      caServer: 'https://acme-v02.api.letsencrypt.org/directory'
      keyType: EC256
      httpChallenge:
        entryPoint: web
      tlsChallenge: {}

headers.yaml

cat headers.yaml
http:
  middlewares:
    SslHeader:
      headers:
        FrameDeny: true
        AccessControlAllowMethods: 'GET,OPTIONS,PUT'
        AccessControlAllowOriginList:
          - origin-list-or-null
        AccessControlMaxAge: 100
        AddVaryHeader: true
        BrowserXssFilter: true
        ContentTypeNosniff: true
        ForceSTSHeader: true
        STSIncludeSubdomains: true
        STSPreload: true
        ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
        CustomFrameOptionsValue: SAMEORIGIN
        ReferrerPolicy: same-origin
        PermissionsPolicy: vibrate 'self'
        STSSeconds: 315360000

tls.yaml

cat tls.yaml
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      curvePreferences:
        - CurveP521
        - CurveP384
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

OS for docker host (hostnamectl):
Operating System: Debian GNU/Linux 12 (bookworm)
Kernel: Linux 6.1.0-35-cloud-amd64

I think I have the problem, but if anyone is reading this and I’m wrong, please correct me.

You’re using Traefik with Let’s Encrypt to manage your SSL certificates. This means Traefik will terminate your HTTPS connection and then forward it to your Passbolt instance over HTTP.
Therefore, if you enable the PASSBOLT_SSL_FORCE environment variable, you’ll get an error, as you haven’t configured the certificates in Passbolt, and Traefik doesn’t send HTTPS traffic to Passbolt, so it’s left waiting for something that never arrives.

This is normal behavior, as described in the official guide (you can see that there’s no mention of enabling this environment variable). Since the connection between Traefik and Passbolt is internal to the Docker network, it’s not necessary to maintain this last step in HTTPS: https://www.passbolt.com/docs/hosting/configure/https/ce/docker-auto/

If you want to maintain the entire connection from the client to the Passbolt server in HTTPS mode, you must configure Traefik as passthrough and Passbolt with SSL certificates (but Traefik won’t manage your certificate renewals, as it will transfer them directly to the instance). You’ll need to configure certificate renewal in another way or do it manually.

In short: It should work perfectly without enabling the environment variable. If this isn’t happening, we can move on to troubleshooting that issue.


Where did you put your certificate: on traefik, or on Passbolt?
If you are putting your certificate on traefik then no need to set the force SSL at the passbolt level.

Here is a lab config:

traefik:
    image: traefik:v3.3
    restart: unless-stopped
    ports:
      - "80:80" 
      - "443:443"  
      - "8080:8080" 
    volumes:
      - ./logs/traefik:/logs
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik/traefik.yml:/etc/traefik/traefik.yml
      - ./traefik/dynamic.yml:/etc/traefik/dynamic.yml
      - ./traefik/certs:/etc/traefik/certs   

traefik.yml

# traefik.yml
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"

api:
  dashboard: true
  insecure: true

accessLog:
  filePath: "/etc/traefik/access.log"

providers:
  docker:
    exposedByDefault: false
  file:
    filename: /etc/traefik/dynamic.yml

tls:
  certificates:
    - certFile: "/etc/traefik/certs/passbolt.pem"
      keyFile: "/etc/traefik/certs/passbolt.pem"

log:
  level: INFO
  filePath: "/logs/traefik.log"
  format: json

dynamic.yml

# dynamic.yml
http:
  routers:
    passbolt:
      rule: "Host(`passbolt.local`)"
      entryPoints:
        - websecure
      service: "passbolt"
      tls: true
      middlewares:
        - securityHeaders
        - passboltHeaders
    passbolt-http:
      rule: "Host(`passbolt.local`)"
      entryPoints:
        - web
      middlewares:
        - redirect-to-https
      service: "passbolt"
    www-redirect:
      rule: "Host(`www.passbolt.local`)"
      entryPoints:
        - "websecure"
      middlewares:
        - "www-stripper"
      service: "noop@internal"
  
  services:
    passbolt:
      loadBalancer:
        servers:
          - url: "http://passbolt1:80"
          - url: "http://passbolt2:80"
          - url: "http://passbolt3:80"
  
  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: true
    www-stripper:
      redirectRegex:
        regex: "^https?://www\\.(.+)"
        replacement: "https://${1}"
        permanent: true
    passboltHeaders:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
          X-Forwarded-Port: "443"
          Host: "passbolt.local"
    securityHeaders:
      headers:
        customResponseHeaders:
          Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
          X-Content-Type-Options: "nosniff"
          X-Frame-Options: "DENY"
          X-XSS-Protection: "1; mode=block"

This is not production ready, so take it with a pinch of salt and adapt it to your needs.

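The redirect loop described two posts up, and the X-Forwarded-Proto header that the lab config's passboltHeaders middleware injects, as an added Python model (not Passbolt's or Traefik's code). The proxy address 172.18.0.2, the trusted-proxy check and the hop limit are assumptions of this example; whether Passbolt itself honours X-Forwarded-Proto is not something this thread establishes.

```python
# Added example: a TLS-terminating proxy always talks plain HTTP to the backend
# on the Docker network.  A backend force-SSL rule that only looks at its own
# socket therefore sees every request as HTTP, answers 301 to https://..., the
# proxy forwards the retried request as HTTP again, and the client loops.
# Honouring X-Forwarded-Proto breaks the loop, but only from a trusted proxy.
from dataclasses import dataclass, field


@dataclass
class Request:
    scheme: str                        # scheme of the socket the backend accepted on
    host: str
    path: str
    headers: dict = field(default_factory=dict)
    client_ip: str = "127.0.0.1"       # immediate peer as seen by the backend


def effective_scheme(req: Request, trusted_proxies: frozenset) -> str:
    """Scheme the backend should reason about.

    X-Forwarded-Proto is honoured only when the immediate peer is a trusted
    proxy; a client connecting directly cannot bypass the redirect by sending
    the header itself.
    """
    forwarded = req.headers.get("X-Forwarded-Proto", "").lower()
    if req.client_ip in trusted_proxies and forwarded in ("http", "https"):
        return forwarded
    return req.scheme


def backend(req: Request, force_ssl: bool, trusted_proxies=frozenset()):
    """Force-SSL rule: 301 to https:// unless the request already counts as https."""
    if force_ssl and effective_scheme(req, trusted_proxies) != "https":
        return 301, {"Location": f"https://{req.host}{req.path}"}
    return 200, {}


PROXY_IP = "172.18.0.2"   # constructed: the proxy's address on the docker network


def fetch_through_proxy(url, force_ssl, send_forwarded_proto, trusted_proxies,
                        max_hops=10):
    """Client -> TLS-terminating proxy -> backend over plain HTTP.

    Follows 301s like a browser would but stops after max_hops, so a loop is
    reported instead of spinning forever.  Returns (status, hops, looped).
    """
    for hops in range(1, max_hops + 1):
        scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        headers = {"Host": host}
        if send_forwarded_proto:
            headers["X-Forwarded-Proto"] = scheme   # what the client really used
        # The proxy forwards over http whatever the client used.
        req = Request("http", host, "/" + path, headers, client_ip=PROXY_IP)
        status, resp = backend(req, force_ssl, trusted_proxies)
        if status != 301:
            return status, hops, False
        url = resp["Location"]
    return 301, max_hops, True


if __name__ == "__main__":
    url = "https://pass.acme.com/"
    print("force SSL, no forwarded proto:", fetch_through_proxy(url, True, False, frozenset()))
    print("force SSL, forwarded + trusted:", fetch_through_proxy(url, True, True, frozenset({PROXY_IP})))
```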

Hi @Termindiego25 ,

indeed traefik is working fine with SSL - so I ignore the error.

Maybe there is a way for passbolt to ‘know’ that some https proxy is sitting in front of it and the error is omitted.

For documentation purposes I am happy now.

Thank you
