Errors installing on Debian/Apache2

I’m trying to install on Debian (buster) with Apache2, served on a subdirectory on the webserver and am running into a few problems. I’m not sure which ones are cause and which are the effect.

config/passbolt.php:

'fullBaseUrl' => 'https://mydomain.com',
'base' => '/passbolt'

apache config:

Alias "/passbolt" "/www/passbolt"
<Directory "/www/passbolt">
   <FilesMatch \.php>
      SetHandler "proxy:unix:/var/run/php/php8.2-fpm.sock|fcgi://localhost/"
   </FilesMatch>
   Options Indexes FollowSymLinks
   AllowOverride All
   Require all granted
</Directory>

If I include the base directive in the passbolt config, the installation works, and when I browse to the registration URL given after install, it works to the point of assigning a pass phrase, but then I get:

The operation failed with the following error:

Could not verify the server key. That version of GPGAuth is not supported. (undefined)

At that point, a heath check comes up with:

 [PASS] Full base url is set to https://mydomain.com
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl

If I remove the base directive, and add /passbolt onto the App.fullBaseUrl and run healthcheck again, it succeeds:

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 8.2.6.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://mydomain.com/passbolt
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 30 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/www/.gnupg.
 [PASS] The directory /var/www/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in /www/passbolt/config/passbolt.php and readable.
 [PASS] The private key file is defined in /www/passbolt/config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /www/passbolt/config/passbolt.php.
 [PASS] The server public key defined in the /www/passbolt/config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (4.0.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /www/passbolt/config/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /www/passbolt/config/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /www/passbolt/config/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [WARN] The SMTP Settings source is: /www/passbolt/config/passbolt.php.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /www/passbolt/config/passbolt.php.

 [PASS] No error found. Nice one sparky!

Checklist
[ x] I have read intro post: About the Installation Issues category
[ x] I have read the tutorials, help and searched for similar issues
[ x] I provide relevant information about my server (component names and versions, etc.)
[ x] I provide a copy of my logs and healthcheck
[ x] I describe the steps I have taken to trouble shoot the problem
[ x] I describe the steps on how to reproduce the issue

Starting from scratch again, here are the steps and the results:

Edit config/passbolt.php to Ensure fullBaseUrl is 'https://mydomain.com' and base is '/passbolt'

Reconfigure passbolt: sudo su -s /bin/bash -c "./bin/cake passbolt install --force" www-data

It drops all the tables, and then goes through all the migration steps (I won’t copy’n’paste everything), but gets to the end with no errors and one warning:

 == 20220913233909 V380SaveSmtpSettingsInDb: migrating
2023-05-22 03:51:20 info: SMTP Settings were detected in file.
2023-05-22 03:51:20 info: No admin were found in the database. Ignoring the import of the SMTP Settings.
 == 20220913233909 V380SaveSmtpSettingsInDb: migrated 0.0669s

...

All Done. Took 42.2363s
Import the server private key in the keyring
-------------------------------------------------------------------------------
Importing /www/passbolt/config/gpg/serverkey_private.asc
Keyring init OK
Registering the admin user
-------------------------------------------------------------------------------
User email (also called username)
>

I enter in my email address and name, and then it gives me:

User saved successfully.
To start registration follow the link provided in your mailbox or here:
https://mydomain.com/passbolt/setup/install/xxxx-xxxx-xxxx
Passbolt installation success! Enjoy!

At this point, cli-debug.log is the only file in the logs directory, and it contains two lines:

2023-05-22 03:51:20 info: SMTP Settings were detected in file.
2023-05-22 03:51:20 info: No admin were found in the database. Ignoring the import of the SMTP Settings.

So I’m not expecting to receive an email, but I past the URL into my browser. I’m prompted for a passphrase, I download a recovery kit, and I’m prompted with a color/3-character token.

Click through to Next, and I get this:

And I now have an error.log that contains:

2023-05-22 03:53:35 error: The access token provided for '/setup/install/xxxx-xxxx-xxxx' is not valid.
2023-05-22 03:53:35 error: The access token provided for '/settings.json' is not valid.
2023-05-22 03:53:36 error: The access token provided for '/setup/install/xxxx-xxxx-xxxx.json' is not valid.
2023-05-22 03:56:02 error: [Cake\Http\Exception\BadRequestException] The route /auth/login is not permitted with JWT authentication. in /www/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtRouteFilterMiddleware.php on line 75
Request URL: /auth/login.json?api-version=v2
Client IP: 192.168.1.1

If I click Try again, I get this:

At this point, a health presents the following:

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://mydomain.com
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in /www/passbolt/config/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl

If I edit config/passbolt.php and change fullBaseUrl to https://mydomain.com/passbolt the healthcheck actually completes with no errors (but with warnings about SMTP needing to be set up through the admin section) but I still get presented with the GPGAuth error message.

Hi @stiebs Welcome to the forum!

Thanks for the great info on what you did it’s very helpful.

I think you have to move the project to a subdirectory called passbolt but the root must remain /var/www/passbolt.

/var/www/passbolt/passbolt

The help site is currently missing mention of this but there is a PR Add mention of using fixed path in URL by garrettboone · Pull Request #89 · passbolt/passbolt_help · GitHub

… which mentions this post which has an NGINX example Passbolt install in a subfolder

Thanks for your response @garrett, but I’m not sure what you are suggesting is correct - and certainly putting passbolt into a subdirectory is not what that other link suggests. I have however added the apache equivalent to the nginx rewrite rule in that link, but my results are the same.

I’ve just done another install --force.
After entering an email address for Registering the admin user step, the following appeared in my cli-debug.log file:

2023-05-23 14:38:29 info: SMTP Settings were detected in file.
2023-05-23 14:38:29 info: No admin were found in the database. Ignoring the import of the SMTP Settings.

After cut’n’pasting the registration link (https://mydomain.com/passbolt/setup/install/xxx-xxx-xxx-xxx/xxx-xxx-xxx-xxx) into a browser, I was once again presented with the passphrase input box (so the apache config is serving up the correct pages!), but my error.log showed the same errors as previously:

2023-05-23 14:39:26 error: The access token provided for '/setup/install/xxx-xxx-xxx-xxx/xxx-xxx-xxx-xxx' is not valid.
2023-05-23 14:39:26 error: The access token provided for '/settings.json' is not valid.
2023-05-23 14:39:27 error: The access token provided for '/setup/install/xxx-xxx-xxx-xxx/xxx-xxx-xxx-xxx.json' is not valid.

And if I try to continue, also get this error in error.log:

2023-05-23 14:47:11 error: [Cake\Http\Exception\BadRequestException] The route /auth/login is not permitted with JWT authentication. in /www/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtRouteFilterMiddleware.php on line 75
Request URL: /auth/login.json?api-version=v2
Client IP: 192.168.1.1

I’m sure it’s something small that I’m missing, or is undocumented - but the logging isn’t quite verbose enough to point me in the right direction

It was was noted as a local subdirectory up to 6 months ago, sorry for the confusion.

Forgive me, but what you are saying, and the comments that you are referring to do not make sense to me.

The way I read that commentary, it is configuring the URL subdirectory, not the physical subdirectory that Passbolt is installed in. The Alias and Directory blocks in my apache config file should match the base directive in the passbolt config. At least, that’s how every other PHP app works.

Anyway, I removed that section from my Apache config, and moved the passbolt application subdirectory to /www/root/passbolt (my web service root is actually /www/root, not /www) and tried again.
Exactly the same result.

If it were me I’d put an NGINX reverse proxy in front of the install and handle the path that way.