New user here! I can’t seem to get passbolt working in a subfolder directory.
Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
- Docker compose official image + docker nginx reverse proxy : blank page
- Passbolt install in a subfolder
- How to install passbolt to IP/subfolder?
I provide relevant information about my server (component names and versions, etc.)
- Server operating system name and version: TrueNAS Scale Dragonfish-24.04.2
- Web server name and version: Nginx Proxy Manager v2.11.3
- Php version: 8.2.20
- Passbolt version: 4.9.1
I provide a copy of my logs and healthcheck
2024-09-17 13:11:32.925589-04:00gpg: keybox '/var/lib/passbolt/.gnupg/pubring.kbx' created
2024-09-17 13:11:32.988044-04:00gpg: /var/lib/passbolt/.gnupg/trustdb.gpg: trustdb created
2024-09-17 13:11:32.988379-04:00gpg: key 48227E38AAAEE0BF: public key "Passbolt default user <passbolt@yourdomain.com>" imported
2024-09-17 13:11:33.070414-04:00gpg: Total number processed: 1
2024-09-17 13:11:33.070565-04:00gpg: imported: 1
2024-09-17 13:11:33.076481-04:00gpg: key 48227E38AAAEE0BF: "Passbolt default user <passbolt@yourdomain.com>" not changed
2024-09-17 13:11:33.081055-04:00gpg: key 48227E38AAAEE0BF: secret key imported
2024-09-17 13:11:33.081145-04:00gpg: Total number processed: 1
2024-09-17 13:11:33.081166-04:00gpg: unchanged: 1
2024-09-17 13:11:33.081186-04:00gpg: secret keys read: 1
2024-09-17 13:11:33.081206-04:00gpg: secret keys imported: 1
2024-09-17 13:11:33.989454-04:00..+.........+..+.........................+......+..+.......+...+...+...+..+...+....+......+..+....+.....+......+....+...+...+...+...........+.+..+...............+.+..+.........+......+....+...+........+.......+...............+.....+...+..................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..............+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.+.....+...................+..............+......+.+........+...+............+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2024-09-17 13:11:34.634891-04:00.......+...............+.....+...+.+......+........+...+....+......+..+.......+........................+..+....+...+..+......+...+.......+...+...........+.+........+......+.+..............+.+.....+...+....+........+...+....+......+..+.........+......+....+...........+....+......+...+.....+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2024-09-17 13:11:34.714511-04:00-----
2024-09-17 13:11:34.778602-04:00Installing passbolt
2024-09-17 13:11:35.383945-04:002024-09-17T13:11:35.383945696-04:00
2024-09-17 13:11:35.384019-04:00____ __ ____
2024-09-17 13:11:35.384040-04:00/ __ \____ _____ ____/ /_ ____ / / /_
2024-09-17 13:11:35.384059-04:00/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
2024-09-17 13:11:35.384104-04:00/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
2024-09-17 13:11:35.384125-04:00/_/ \__,_/____/____/_.___/\____/_/\__/
2024-09-17 13:11:35.384144-04:002024-09-17T13:11:35.384144032-04:00
2024-09-17 13:11:35.384163-04:00Open source password manager for teams
2024-09-17 13:11:35.384183-04:00-------------------------------------------------------------------------------
2024-09-17 13:11:35.420807-04:00Running baseline checks, please wait...
2024-09-17 13:11:35.540638-04:00The /etc/passbolt/jwt/ directory should not be writable.
2024-09-17 13:11:35.540725-04:00Please run ./bin/cake passbolt healthcheck for more information and help.
2024-09-17 13:11:35.558660-04:00Running migrations
2024-09-17 13:11:35.955020-04:002024-09-17T13:11:35.955020130-04:00
2024-09-17 13:11:35.955105-04:00____ __ ____
2024-09-17 13:11:35.955127-04:00/ __ \____ _____ ____/ /_ ____ / / /_
2024-09-17 13:11:35.955174-04:00/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
2024-09-17 13:11:35.955194-04:00/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
2024-09-17 13:11:35.955214-04:00/_/ \__,_/____/____/_.___/\____/_/\__/
2024-09-17 13:11:35.955232-04:002024-09-17T13:11:35.955232712-04:00
2024-09-17 13:11:35.955252-04:00Open source password manager for teams
2024-09-17 13:11:35.955283-04:00-------------------------------------------------------------------------------
2024-09-17 13:11:35.955315-04:00-------------------------------------------------------------------------------
2024-09-17 13:11:35.956394-04:00Running migration scripts.
2024-09-17 13:11:35.956420-04:00-------------------------------------------------------------------------------
2024-09-17 13:11:36.188785-04:00using migration paths
2024-09-17 13:11:36.201195-04:00- /etc/passbolt/Migrations
2024-09-17 13:11:36.201300-04:00using seed paths
2024-09-17 13:11:36.201322-04:00- /etc/passbolt/Seeds
2024-09-17 13:11:36.228516-04:00using environment default
2024-09-17 13:11:36.228581-04:00using adapter mysql
2024-09-17 13:11:36.228603-04:00using database passbolt
2024-09-17 13:11:36.228623-04:00ordering by creation time
2024-09-17 13:11:36.273289-04:002024-09-17T13:11:36.273289814-04:00
2024-09-17 13:11:36.273583-04:00All Done. Took 0.0446s
2024-09-17 13:11:36.290151-04:00Clearing cake caches
2024-09-17 13:11:36.677127-04:00Clearing _cake_model_
2024-09-17 13:11:36.694173-04:00Cleared _cake_model_ cache
2024-09-17 13:11:37.096876-04:00Clearing _cake_core_
2024-09-17 13:11:37.096964-04:00Cleared _cake_core_ cache
2024-09-17 13:11:37.108914-04:00Enjoy! ☮
2024-09-17 13:11:37.109023-04:002024-09-17T13:11:37.109023506-04:00
2024-09-17 13:11:38.825894-04:002024-09-17 17:11:38,825 INFO Included extra file "/etc/supervisor/conf.d/cron.conf" during parsing
2024-09-17 13:11:38.825997-04:002024-09-17 17:11:38,825 INFO Included extra file "/etc/supervisor/conf.d/nginx.conf" during parsing
2024-09-17 13:11:38.826038-04:002024-09-17 17:11:38,825 INFO Included extra file "/etc/supervisor/conf.d/php.conf" during parsing
2024-09-17 13:11:38.850577-04:002024-09-17 17:11:38,850 INFO RPC interface 'supervisor' initialized
2024-09-17 13:11:38.850762-04:002024-09-17 17:11:38,850 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2024-09-17 13:11:38.851335-04:002024-09-17 17:11:38,851 INFO supervisord started with pid 1
2024-09-17 13:11:39.855620-04:002024-09-17 17:11:39,855 INFO spawned: 'php-fpm' with pid 89
2024-09-17 13:11:39.863401-04:002024-09-17 17:11:39,860 INFO spawned: 'nginx' with pid 90
2024-09-17 13:11:39.866032-04:002024-09-17 17:11:39,865 INFO spawned: 'cron' with pid 91
2024-09-17 13:11:40.167807-04:00time="2024-09-17T17:11:40Z" level=info msg="read crontab: /etc/cron.d/passbolt-ce-server"
2024-09-17 13:11:40.386745-04:00[17-Sep-2024 17:11:40] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root
2024-09-17 13:11:40.386838-04:00[17-Sep-2024 17:11:40] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root
2024-09-17 13:11:40.386859-04:00[17-Sep-2024 17:11:40] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root
2024-09-17 13:11:40.386905-04:00[17-Sep-2024 17:11:40] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root
2024-09-17 13:11:40.386926-04:00[17-Sep-2024 17:11:40] NOTICE: fpm is running, pid 89
2024-09-17 13:11:40.388358-04:00[17-Sep-2024 17:11:40] NOTICE: ready to handle connections
2024-09-17 13:11:40.388503-04:00[17-Sep-2024 17:11:40] NOTICE: systemd monitor interval set to 10000ms
2024-09-17 13:11:41.389860-04:002024-09-17 17:11:41,389 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2024-09-17 13:11:41.390059-04:002024-09-17 17:11:41,389 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2024-09-17 13:11:41.390211-04:002024-09-17 17:11:41,390 INFO success: cron entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2024-09-17 13:11:43.762723-04:00172.16.0.1 - - [17/Sep/2024:17:11:43 +0000] "GET /healthcheck/status HTTP/1.1" 200 12 "-" "kube-probe/1.26"
2024-09-17 13:11:43.763623-04:002024-09-17 17:11:43,762 INFO reaped unknown pid 110 (exit status 0)
2024-09-17 13:11:43.877369-04:00172.16.0.1 - - [17/Sep/2024:17:11:43 +0000] "GET /healthcheck/status HTTP/1.1" 200 12 "-" "kube-probe/1.26"
2024-09-17 13:11:43.877629-04:002024-09-17 17:11:43,877 INFO reaped unknown pid 125 (exit status 0)
2024-09-17 13:11:47.980039-04:00172.16.0.1 - - [17/Sep/2024:17:11:47 +0000] "GET /healthcheck/status HTTP/1.1" 200 12 "-" "kube-probe/1.26"
2024-09-17 13:11:47.980254-04:002024-09-17 17:11:47,979 INFO reaped unknown pid 141 (exit status 0)
2024-09-17 13:11:47.984051-04:00172.16.0.1 - - [17/Sep/2024:17:11:47 +0000] "GET /healthcheck/status HTTP/1.1" 200 12 "-" "kube-probe/1.26"
2024-09-17 13:11:57.980167-04:00172.16.0.1 - - [17/Sep/2024:17:11:57 +0000] "GET /healthcheck/status HTTP/1.1" 200 12 "-" "kube-probe/1.26"
2024-09-17 13:11:57.980248-04:002024-09-17 17:11:57,979 INFO reaped unknown pid 151 (exit status 0)
2024-09-17 13:11:57.982768-04:00172.16.0.1 - - [17/Sep/2024:17:11:57 +0000] "GET /healthcheck/status HTTP/1.1" 200 12 "-" "kube-probe/1.26"
2024-09-17 13:12:00.018802-04:00time="2024-09-17T17:12:00Z" level=info msg=starting iteration=0 job.command="$PASSBOLT_BASE_DIR/bin/cron > $PASSBOLT_LOG_DIR/cron.log 2> $PASSBOLT_LOG_DIR/cron-error.log" job.position=0 job.schedule="* * * * *"
2024-09-17 13:12:00.510368-04:00time="2024-09-17T17:12:00Z" level=info msg="job succeeded" iteration=0 job.command="$PASSBOLT_BASE_DIR/bin/cron > $PASSBOLT_LOG_DIR/cron.log 2> $PASSBOLT_LOG_DIR/cron-error.log" job.position=0 job.schedule="* * * * *"
2024-09-17 13:12:07.981953-04:00172.16.0.1 - - [17/Sep/2024:17:12:07 +0000] "GET /healthcheck/status HTTP/1.1" 200 12 "-" "kube-probe/1.26"
2024-09-17 13:12:07.982063-04:002024-09-17 17:12:07,981 INFO reaped unknown pid 177 (exit status 0)
...
2024-09-17 13:14:00.058786-04:00time="2024-09-17T17:14:00Z" level=info msg=starting iteration=2 job.command="$PASSBOLT_BASE_DIR/bin/cron > $PASSBOLT_LOG_DIR/cron.log 2> $PASSBOLT_LOG_DIR/cron-error.log" job.position=0 job.schedule="* * * * *"
2024-09-17 13:14:00.510806-04:00time="2024-09-17T17:14:00Z" level=info msg="job succeeded" iteration=2 job.command="$PASSBOLT_BASE_DIR/bin/cron > $PASSBOLT_LOG_DIR/cron.log 2> $PASSBOLT_LOG_DIR/cron-error.log" job.position=0 job.schedule="* * * * *"
2024-09-17 13:14:07.986552-04:00172.16.0.1 - - [17/Sep/2024:17:14:07 +0000] "GET /healthcheck/status HTTP/1.1" 200 12 "-" "kube-probe/1.26"
2024-09-17 13:14:07.986672-04:002024-09-17 17:14:07,984 INFO reaped unknown pid 329 (exit status 0)
2024-09-17 13:14:07.986733-04:002024-09-17 17:14:07,984 INFO reaped unknown pid 330 (exit status 0)
2024-09-17 13:14:07.986756-04:002024-09-17 17:14:07,985 INFO reaped unknown pid 333 (exit status 0)
2024-09-17 13:14:07.986778-04:002024-09-17 17:14:07,985 INFO reaped unknown pid 334 (exit status 0)
2024-09-17 13:14:07.986799-04:00172.16.0.1 - - [17/Sep/2024:17:14:07 +0000] "GET /healthcheck/status HTTP/1.1" 200 12 "-" "kube-probe/1.26"
2024-09-17 13:14:11.979277-04:00172.16.1.212 - - [17/Sep/2024:17:14:11 +0000] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:11.979414-04:002024-09-17 17:14:11,979 INFO reaped unknown pid 339 (exit status 0)
2024-09-17 13:14:11.980489-04:002024/09/17 17:14:11 [info] 100#100: *67 client 172.16.1.212 closed keepalive connection
2024-09-17 13:14:11.980540-04:002024-09-17 17:14:11,979 INFO reaped unknown pid 340 (exit status 0)
2024-09-17 13:14:11.980602-04:002024-09-17 17:14:11,979 INFO reaped unknown pid 343 (exit status 0)
2024-09-17 13:14:11.980625-04:002024-09-17 17:14:11,979 INFO reaped unknown pid 344 (exit status 0)
2024-09-17 13:14:11.981322-04:00172.16.1.212 - - [17/Sep/2024:17:14:11 +0000] "GET /app/administration/mfa HTTP/1.1" 302 5 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"
2024-09-17 13:14:12.221998-04:00172.16.1.212 - - [17/Sep/2024:17:14:12 +0000] "GET /passbolt/auth/login?redirect=%2F HTTP/1.1" 200 1120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:12.222085-04:002024-09-17 17:14:12,221 INFO reaped unknown pid 348 (exit status 0)
2024-09-17 13:14:12.222122-04:002024-09-17 17:14:12,221 INFO reaped unknown pid 350 (exit status 0)
2024-09-17 13:14:12.222163-04:002024/09/17 17:14:12 [info] 100#100: *69 client 172.16.1.212 closed keepalive connection
2024-09-17 13:14:12.303779-04:00172.16.1.212 - - [17/Sep/2024:17:14:12 +0000] "GET /passbolt/auth/login?redirect=%2Fapp%2Fadministration%2Fmfa HTTP/1.1" 200 1120 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"
2024-09-17 13:14:12.304167-04:002024-09-17 17:14:12,303 INFO reaped unknown pid 353 (exit status 0)
2024-09-17 13:14:12.304212-04:002024-09-17 17:14:12,303 INFO reaped unknown pid 355 (exit status 0)
2024-09-17 13:14:12.626684-04:00172.16.1.212 - - [17/Sep/2024:17:14:12 +0000] "GET /passbolt/js/app/stylesheet.js?v=4.9.1 HTTP/1.1" 404 118765 "https://domain/passbolt/auth/login?redirect=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:12.626712-04:002024/09/17 17:14:12 [info] 100#100: *73 client 172.16.1.212 closed keepalive connection
2024-09-17 13:14:12.684245-04:00172.16.1.212 - - [17/Sep/2024:17:14:12 +0000] "GET /passbolt/js/app/api-vendors.js?v=4.9.1 HTTP/1.1" 404 118414 "https://domain/passbolt/auth/login?redirect=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:12.684456-04:002024-09-17 17:14:12,683 INFO reaped unknown pid 359 (exit status 0)
2024-09-17 13:14:12.684262-04:002024/09/17 17:14:12 [info] 100#100: *75 client 172.16.1.212 closed keepalive connection
2024-09-17 13:14:12.699663-04:00172.16.1.212 - - [17/Sep/2024:17:14:12 +0000] "GET /passbolt/auth/login?redirect=%2Fapp%2Fadministration%2Fmfa HTTP/1.1" 200 2882 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"
2024-09-17 13:14:12.699755-04:002024-09-17 17:14:12,699 INFO reaped unknown pid 361 (exit status 0)
2024-09-17 13:14:12.720924-04:002024/09/17 17:14:12 [info] 100#100: *77 client 172.16.1.212 closed keepalive connection
2024-09-17 13:14:12.721001-04:00172.16.1.212 - - [17/Sep/2024:17:14:12 +0000] "GET /passbolt/js/app/api-triage.js?v=4.9.1 HTTP/1.1" 404 118612 "https://domain/passbolt/auth/login?redirect=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:13.153489-04:00172.16.1.212 - - [17/Sep/2024:17:14:13 +0000] "GET /passbolt/auth/login HTTP/1.1" 200 1120 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)"
2024-09-17 13:14:13.154338-04:002024-09-17 17:14:13,153 INFO reaped unknown pid 364 (exit status 0)
2024-09-17 13:14:13.154410-04:002024-09-17 17:14:13,153 INFO reaped unknown pid 366 (exit status 0)
2024-09-17 13:14:13.446418-04:00172.16.1.212 - - [17/Sep/2024:17:14:13 +0000] "GET /passbolt/js/app/api-triage.js?v=4.9.1 HTTP/1.1" 404 118549 "https://domain/passbolt/auth/login?redirect=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:13.446468-04:002024/09/17 17:14:13 [info] 100#100: *83 client 172.16.1.212 closed keepalive connection
2024-09-17 13:14:13.657135-04:00172.16.1.212 - - [17/Sep/2024:17:14:13 +0000] "GET /passbolt/auth/login HTTP/1.1" 200 2882 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"
2024-09-17 13:14:14.566432-04:00172.16.1.212 - - [17/Sep/2024:17:14:14 +0000] "GET /passbolt/favicon.ico HTTP/1.1" 404 119017 "https://domain/passbolt/auth/login?redirect=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:14.566437-04:002024/09/17 17:14:14 [info] 100#100: *87 client 172.16.1.212 closed keepalive connection
2024-09-17 13:14:14.574813-04:00172.16.1.212 - - [17/Sep/2024:17:14:14 +0000] "GET /passbolt/favicon_228.png HTTP/1.1" 404 119205 "https://domain/passbolt/auth/login?redirect=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:14.574873-04:002024/09/17 17:14:14 [info] 100#100: *89 client 172.16.1.212 closed keepalive connection
Healthcheck for subdomain (worked):
Environment
[PASS] PHP version 8.2.20.
[PASS] PHP version is 8.1 or above.
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
Config files
[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables
Core config
[PASS] Cache is working.
[FAIL] Debug mode is on.
[HELP] Set debug to false in /etc/passbolt/passbolt.php
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://domain
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[PASS] SSL peer certificate validates.
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate.
SMTP settings
[PASS] The SMTP Settings plugin is enabled.
[FAIL] SMTP Setting errors: App\Utility\OpenPGP\Backends\Gnupg::setDecryptKeyFromFingerprint(): Argument #1 ($fingerprint) must be of type string, null given, called in /usr/share/php/passbolt/plugins/PassboltCe/SmtpSettings/src/Service/SmtpSettingsGetSettingsInDbService.php on line 109
[WARN] The SMTP Settings source is: undefined.
[HELP] It is recommended to set the SMTP Settings in the database through the administration section.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.
JWT Authentication
[PASS] The JWT Authentication plugin is enabled.
[FAIL] The /etc/passbolt/jwt/ directory should not be writable.
[HELP] You can try:
[HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
[HELP] sudo chmod 750 /etc/passbolt/jwt/
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
[PASS] A valid JWT key pair was found.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[FAIL] The server OpenPGP key is not set.
[HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[FAIL] The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
[FAIL] The server key does not have a valid email id.
[HELP] Edit or generate another key with a valid email id.
[FAIL] The private key cannot be used to decrypt a message
[FAIL] The private key cannot be used to decrypt and verify a message
[FAIL] The public key cannot be used to verify a signature.
Application configuration
[PASS] Using latest passbolt version (4.9.1).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema is up to date.
Database
[PASS] The application is able to connect to the database
[PASS] 31 tables found.
[PASS] Some default content is present.
[FAIL] 11 error(s) found. Hang in there!
Healthcheck (subfolder, not working)
Environment
[PASS] PHP version 8.2.20.
[PASS] PHP version is 8.1 or above.
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
Config files
[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables
Core config
[PASS] Cache is working.
[FAIL] Debug mode is on.
[HELP] Set debug to false in /etc/passbolt/passbolt.php
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://domain
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[PASS] SSL peer certificate validates.
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate.
SMTP settings
[PASS] The SMTP Settings plugin is enabled.
[FAIL] SMTP Setting errors: App\Utility\OpenPGP\Backends\Gnupg::setDecryptKeyFromFingerprint(): Argument #1 ($fingerprint) must be of type string, null given, called in /usr/share/php/passbolt/plugins/PassboltCe/SmtpSettings/src/Service/SmtpSettingsGetSettingsInDbService.php on line 109
[WARN] The SMTP Settings source is: undefined.
[HELP] It is recommended to set the SMTP Settings in the database through the administration section.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.
JWT Authentication
[PASS] The JWT Authentication plugin is enabled.
[FAIL] The /etc/passbolt/jwt/ directory should not be writable.
[HELP] You can try:
[HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
[HELP] sudo chmod 750 /etc/passbolt/jwt/
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
[PASS] A valid JWT key pair was found.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[FAIL] The server OpenPGP key is not set.
[HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[FAIL] The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
[FAIL] The server key does not have a valid email id.
[HELP] Edit or generate another key with a valid email id.
[FAIL] The private key cannot be used to decrypt a message
[FAIL] The private key cannot be used to decrypt and verify a message
[FAIL] The public key cannot be used to verify a signature.
Application configuration
[PASS] Using latest passbolt version (4.9.1).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema is up to date.
Database
[PASS] The application is able to connect to the database
[PASS] 31 tables found.
[PASS] Some default content is present.
[FAIL] 11 error(s) found. Hang in there!
Nginx proxy conf (generated by NPM; formatted a bit for easier parsing)
server {
    set $forward_scheme http;
    set $server "internal IP";
    set $port port;
    listen 80;
    listen 443 ssl;
    server_name domain;
    # Let's Encrypt SSL
    include conf.d/include/letsencrypt-acme-challenge.conf;
    include conf.d/include/ssl-ciphers.conf;
    ssl_certificate /etc/letsencrypt/live/npm-14/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-14/privkey.pem;
    # Block Exploits
    include conf.d/include/block-exploits.conf;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
    add_header Strict-Transport-Security $hsts_header always;
    # Force SSL
    include conf.d/include/force-ssl.conf;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
    access_log /data/logs/proxy-host-20_access.log proxy;
    error_log /data/logs/proxy-host-20_error.log warn;
    location /passbolt/ {
        location ~* \.(jpe?g|woff|woff2|ttf|gif|png|bmp|ico|css|js|ejs|json|pdf|zip|htm|html|docx?|xlsx?|pptx?|txt|wav|swf|svg|woff2|avi|mp\d)$ {
            access_log on;
            log_not_found on;
            rewrite ^/([^/]+)/([img|css|js|fonts|locales]+)/(.*)$ /$2/$3 break;
            rewrite ^/([^/]+)/favicon.ico$ /favicon.ico break;
            try_files $uri $uri/ /index.php?$args;
        }
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://internal_ip:port;
        # Block Exploits
        include conf.d/include/block-exploits.conf;
        # Force SSL
        include conf.d/include/force-ssl.conf;
        # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
        add_header Strict-Transport-Security $hsts_header always;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;
    }
    location / {
        # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
        add_header Strict-Transport-Security $hsts_header always;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;
        # Proxy!
        include conf.d/include/proxy.conf;
    }
}
I describe the steps I have taken to troubleshoot the problem
- I am able to launch passbolt and proxy it to a subdomain.
- I set “APP_BASE” to “/passbolt” and “APP_FULL_BASE_URL” to “https:domain” (I learnt to remove the APP_BASE from the full URL)
- I kept tweaking nginx settings with no success. The app loads when I visit “https:domain” but not when I visit “https:domain/passbolt”
I describe the steps on how to reproduce the issue
- Installed TrueNAS app
- Set the APP_BASE in additional environment variables, and other setup
- Launch and visit domain
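
A triage of the container access log quoted above, as an added example that is not part of the original post: this Python sketch parses a few of the post's log lines (the outer TrueNAS timestamp is fused directly to the client IP, so the parser anchors on it) and separates application routes from static assets under the `/passbolt` base. The function names, the static-extension list and the choice of sample lines are assumptions made here; `/passbolt` is the `APP_BASE` value from the post.

```python
import re
from collections import Counter
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Sample input: lines copied from the container log in the post (selection made here).
SAMPLE_LOG = r'''
2024-09-17 13:11:43.762723-04:00172.16.0.1 - - [17/Sep/2024:17:11:43 +0000] "GET /healthcheck/status HTTP/1.1" 200 12 "-" "kube-probe/1.26"
2024-09-17 13:14:11.979277-04:00172.16.1.212 - - [17/Sep/2024:17:14:11 +0000] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:11.979414-04:002024-09-17 17:14:11,979 INFO reaped unknown pid 339 (exit status 0)
2024-09-17 13:14:12.221998-04:00172.16.1.212 - - [17/Sep/2024:17:14:12 +0000] "GET /passbolt/auth/login?redirect=%2F HTTP/1.1" 200 1120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:12.626684-04:00172.16.1.212 - - [17/Sep/2024:17:14:12 +0000] "GET /passbolt/js/app/stylesheet.js?v=4.9.1 HTTP/1.1" 404 118765 "https://domain/passbolt/auth/login?redirect=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:12.684245-04:00172.16.1.212 - - [17/Sep/2024:17:14:12 +0000] "GET /passbolt/js/app/api-vendors.js?v=4.9.1 HTTP/1.1" 404 118414 "https://domain/passbolt/auth/login?redirect=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:12.721001-04:00172.16.1.212 - - [17/Sep/2024:17:14:12 +0000] "GET /passbolt/js/app/api-triage.js?v=4.9.1 HTTP/1.1" 404 118612 "https://domain/passbolt/auth/login?redirect=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:14.566432-04:00172.16.1.212 - - [17/Sep/2024:17:14:14 +0000] "GET /passbolt/favicon.ico HTTP/1.1" 404 119017 "https://domain/passbolt/auth/login?redirect=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
2024-09-17 13:14:14.574813-04:00172.16.1.212 - - [17/Sep/2024:17:14:14 +0000] "GET /passbolt/favicon_228.png HTTP/1.1" 404 119205 "https://domain/passbolt/auth/login?redirect=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0"
'''

BASE = "/passbolt"                      # APP_BASE as set in the post
PROBE_PATHS = ("/healthcheck/status",)  # kube-probe noise, excluded from the summary
# Assumption: extensions treated as static assets for this triage.
STATIC_EXT = {".js", ".css", ".png", ".ico", ".svg", ".json", ".woff", ".woff2"}

# The outer timestamp has no separator before the client IP ("-04:00172.16.1.212"),
# so it is matched explicitly; otherwise its trailing digits leak into the address.
LINE_RE = re.compile(
    r'^(?P<outer_ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+[+-]\d\d:\d\d)'
    r'(?P<client>\S+) - \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)


def parse(log_text):
    """Return access-log entries; supervisord, cron and nginx info lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "client": m["client"],
                "path": urlsplit(m["target"]).path,  # drops ?v=4.9.1 and similar
                "status": int(m["status"]),
                "size": int(m["size"]),
            })
    return entries


def classify(path, base=BASE):
    """Return (kind, under_base): kind is 'asset' or 'route'."""
    kind = "asset" if PurePosixPath(path).suffix.lower() in STATIC_EXT else "route"
    return kind, path == base or path.startswith(base + "/")


def summarize(entries, base=BASE, ignore=PROBE_PATHS):
    """Count requests by (kind, under_base, status), ignoring probe paths."""
    counts = Counter()
    for e in entries:
        if e["path"] not in ignore:
            counts[classify(e["path"], base) + (e["status"],)] += 1
    return counts


def broken_assets(entries, base=BASE):
    """Static assets requested under the base path that the backend answered with 404."""
    return sorted({e["path"] for e in entries
                   if e["status"] == 404 and classify(e["path"], base) == ("asset", True)})


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for key, n in sorted(summarize(parsed).items()):
        print(key, n)
    print("\n".join(broken_assets(parsed)))
```

On these lines the login route under `/passbolt` returns 200 while every static asset under the same prefix returns 404, which narrows the failure to how asset paths under the base are handled rather than to the application's routing.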