Checklist
I have read intro post: about-the-installation-issues-category/12
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue
I have a DigitalOcean droplet which hosts an API endpoint to a website, and I want to add a password manager alongside it. I followed the installation process for Passbolt as described in passbolt dot com/hosting/install/ce/debian/debian.html. I only got to step 2 and got stuck. I'm using Cloudflare's origin certificate for my API and wanted to use the same certificate for Passbolt, but got the following error doing sudo nginx -t:
nginx: [emerg] cannot load certificate "/etc/ssl/certs/1680535322-my_key-key.key": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed
From googling I gathered that the cert has to look like:
-----BEGIN TRUSTED CERTIFICATE-----
...
-----END TRUSTED CERTIFICATE-----
but I cannot find a process by which to add that text, and I am sure adding it manually is not it.
I get the same error even if I try to follow help dot passbolt dot com/configure/https/ce/debian/manual and generate their recommended certificates.
As per this question, I tried using ca-certificates and linking those instead of whatever Passbolt's sudo dpkg-reconfigure passbolt-ce-server command does with the key/cert, but I'm getting the same issue and am stuck.
Maybe my understanding of certificates is lacking. What am I doing wrong?
Thanks ahead!
Relevant nginx.conf files:
/etc/nginx/sites-available/nginx-passbolt.conf:
server {
    listen 800;
    listen [::]:800;
    # Managed by Passbolt
    # server_name
    client_body_buffer_size 100K;
    client_header_buffer_size 1K;
    client_max_body_size 5M;
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 5 5;
    send_timeout 10;
    root /usr/share/php/passbolt/webroot;
    index index.php;
    error_log /var/log/nginx/passbolt-error.log info;
    access_log /var/log/nginx/passbolt-access.log;
    include /etc/passbolt/nginx-ssl.conf;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/__PHP_SOCK__;
        fastcgi_index index.php;
        fastcgi_intercept_errors on;
        fastcgi_split_path_info ^(.+\.php)(.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SERVER_NAME $http_host;
        fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M";
    }
}
/etc/passbolt/nginx-ssl.conf:
listen [::]:4043 ssl http2;
ssl_certificate /etc/ssl/certs/1680535322-losslessly-api_djkato_net-key.key;
ssl_certificate_key /etc/ssl/private/1680535322-losslessly-api_djkato_net-crt.crt;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
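
Added example (not part of the original post, and not Passbolt or nginx tooling): nginx expects a PEM certificate in ssl_certificate and the private key in ssl_certificate_key, while the posted nginx-ssl.conf points ssl_certificate at a file named ...-key.key and ssl_certificate_key at ...-crt.crt. The shell check below reads both directives from a config file and reports which kind of PEM block each file starts with; the function names, the temporary demo files and their placeholder contents are constructed for illustration.

```bash
# Classify a PEM file by its first BEGIN line: cert, key, other, or none.
pem_kind() {
    local header
    header=$(grep -m1 -- '^-----BEGIN ' "$1" 2>/dev/null | tr -d '\r')
    case "$header" in
        "")                  echo none ;;   # unreadable file or no PEM block
        *"PRIVATE KEY-----") echo key ;;
        *"CERTIFICATE-----") echo cert ;;   # also matches TRUSTED CERTIFICATE
        *)                   echo other ;;
    esac
}

# Report, for each ssl_certificate / ssl_certificate_key line in an nginx
# config file, whether the referenced file holds the expected PEM type.
check_ssl_directives() {
    local conf rc directive path want got
    conf=$1; rc=0
    while read -r directive path _; do
        path=${path%;}
        case "$directive" in
            ssl_certificate)     want=cert ;;
            ssl_certificate_key) want=key ;;
            *) continue ;;
        esac
        got=$(pem_kind "$path")
        if [ "$got" = "$want" ]; then
            echo "$directive $path OK"
        else
            echo "$directive $path MISMATCH (expected $want, found $got)"
            rc=1
        fi
    done < "$conf"
    return "$rc"
}

# Constructed demo: placeholder PEM files (only the header lines matter here)
# plus one config with the two paths swapped and one with them in order.
make_demo() {
    local d
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$d/demo-crt.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' '-----END PRIVATE KEY-----' > "$d/demo-key.key"
    printf '%s\n' "ssl_certificate $d/demo-key.key;" "ssl_certificate_key $d/demo-crt.crt;" > "$d/swapped.conf"
    printf '%s\n' "ssl_certificate $d/demo-crt.crt;" "ssl_certificate_key $d/demo-key.key;" > "$d/fixed.conf"
    echo "$d"
}

demo=$(make_demo)
check_ssl_directives "$demo/swapped.conf" || echo "=> swapped.conf: nginx -t would reject this"
check_ssl_directives "$demo/fixed.conf"
```

On a real host, check_ssl_directives would be pointed at /etc/passbolt/nginx-ssl.conf and run with sudo, since key files under /etc/ssl/private are typically not readable by unprivileged users.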