Healthcheck errors/update

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue


I installed the community version of Passbolt following the documentation available on the platform: Passbolt Help | Install Passbolt CE on Red Hat 8.
The tool installed successfully, all the initial configuration is done, and I am able to authenticate.

Each healthcheck I perform fails with an error. I also ran the status-report command and it failed as well with a similar error. That is the first problem I noticed. The error says "Operation not permitted", so this may be a permission issue, but I am not sure at what level.

The second issue: I managed to get the healthcheck to display in the browser once, and one error it mentioned was that the Passbolt repo is not able to check for updates even though it is properly configured. While browsing the help center I noticed my install does not have the new update/feature of folders, so I could do with some help looking into this as well.

ERROR WHILE RUNNING COMMAND

Command = sudo /usr/share/php/passbolt/bin/status-report

OUTPUT :point_down:

PHP 8.1.16 (cli) (built: Feb 14 2023 18:59:41) (NTS gcc x86_64)
mysql  Ver 15.1 Distrib 10.3.35-MariaDB, for Linux (x86_64) using readline 5.1
gpg: out of core handler ignored in FIPS mode
gpg (GnuPG) 2.2.20
 ERROR: /usr/share/php/passbolt/bin/utils.sh: line 64: composer: command not found
PHP Warning:  include(/etc/passbolt/passbolt.php): Failed to open stream: Operation not permitted in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Core/Configure/Engine/PhpConfig.php on line 89
PHP Warning:  include(): Failed opening '/etc/passbolt/passbolt.php' for inclusion (include_path='.:/usr/share/pear:/usr/share/php:/usr/share/pear:/usr/share/php') in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Core/Configure/Engine/PhpConfig.php on line 89

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell.......Exception: ltrim(): Argument #1 ($string) must be of type string, null given
In [/usr/share/php/passbolt/src/Utility/Migration.php, line 52]

Command = sudo -H -u nginx bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"

OUTPUT :point_down:

PHP Warning:  include(/etc/passbolt/passbolt.php): Failed to open stream: Operation not permitted in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Core/Configure/Engine/PhpConfig.php on line 89
PHP Warning:  include(): Failed opening '/etc/passbolt/passbolt.php' for inclusion (include_path='.:/usr/share/pear:/usr/share/php:/usr/share/pear:/usr/share/php') in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Core/Configure/Engine/PhpConfig.php on line 89

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell.......Exception: ltrim(): Argument #1 ($string) must be of type string, null given
In [/usr/share/php/passbolt/src/Utility/Migration.php, line 52]


********************************************************************************************

LINES THE ERRORS ARE COMPLAINING ABOUT IN THE FILES :point_down:

PHP Warning:  include(): Failed opening '/etc/passbolt/passbolt.php' for inclusion (include_path='.:/usr/share/pear:/usr/share/php:/usr/share/pear:/usr/share/php') in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Core/Configure/Engine/PhpConfig.php on line 89


     80      * @throws \Cake\Core\Exception\CakeException when files don't exist or they don't contain `$config`.
     81      *  Or when files contain '..' as this could lead to abusive reads.
     82      */
     83     public function read(string $key): array
     84     {
     85         $file = $this->_getFilePath($key, true);
     86
     87         $config = null;
     88
     **89         $return = include $file;**
     90         if (is_array($return)) {
     91             return $return;
     92         }
     93

LINES THE ERRORS ARE COMPLAINING ABOUT IN THE FILES :point_down:

 Healthcheck shell.......Exception: ltrim(): Argument #1 ($string) must be of type string, null given
In [/usr/share/php/passbolt/src/Utility/Migration.php, line 52]


     50     {
     51         $remoteVersion = ltrim(Migration::getLatestTagName(), 'v');
     **52         $localVersion = ltrim(Configure::read('passbolt.version'), 'v');**
     53
     54         return version_compare($localVersion, $remoteVersion, '>=');
     55     }
     56

Thank you for helping

Hi @Hycinth Welcome to the forum!

The command seems to be giving some trouble.

How about this, which uses the full bash path: sudo -H -u nginx /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"

@garrett

Thank you for the warm welcome

OUTPUT
sudo -H -u nginx /bin/bash -c “/usr/share/php/passbolt/bin/cake passbolt healthcheck”
passbolt: “/usr/share/php/passbolt/bin/cake: Permission denied

Permissions on the directory structure: from the top of the tree it is owned by root

drwxr-xr-x. 10 root root 135 Feb 20 12:46 passbolt

passbolt]# ll
total 16
drwxr-xr-x. 2 root root 164 Feb 20 12:46 bin
-rw-r--r--. 1 root root 649 Feb 10 05:14 index.php
drwxr-xr-x. 2 root root 6 Feb 10 05:14 logs
drwxr-xr-x. 3 root root 24 Feb 20 12:46 plugins
drwxr-xr-x. 3 root root 21 Feb 20 12:46 resources
drwxr-xr-x. 16 root root 4096 Feb 20 12:46 src
drwxr-xr-x. 10 root root 117 Feb 20 12:46 templates
drwxr-xr-x. 27 root root 4096 Feb 20 12:46 vendor
drwxr-xr-x. 7 root root 4096 Feb 20 12:46 webroot

How about:
sudo /usr/share/php/passbolt/bin/cake passbolt healthcheck

sudo /usr/share/php/passbolt/bin/cake passbolt healthcheck

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

Open source password manager for teams

Passbolt commands cannot be executed as root.

The command should be executed with the same user as your web server. By instance:
su -s /bin/bash -c “/usr/share/php/passbolt/bin/cake COMMAND” HTTP_USER
where HTTP_USER match your web server user: www-data, nginx, apache, http

aborting

So let’s try:
sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" nginx

no luck

sudo su -s /bin/bash -c “/usr/share/php/passbolt/bin/cake passbolt healthcheck” nginx
su: user passbolt does not exist

@max Do you have (can you confirm) the current command syntax for Red Hat 8?

This is the syntax that works but throws the errors I reported

sudo -H -u nginx bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"

PHP Warning:  include(/etc/passbolt/passbolt.php): Failed to open stream: Operation not permitted in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Core/Configure/Engine/PhpConfig.php on line 89
PHP Warning:  include(): Failed opening '/etc/passbolt/passbolt.php' for inclusion (include_path='.:/usr/share/pear:/usr/share/php:/usr/share/pear:/usr/share/php') in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Core/Configure/Engine/PhpConfig.php on line 89

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell.......Exception: ltrim(): Argument #1 ($string) must be of type string, null given
In [/usr/share/php/passbolt/src/Utility/Migration.php, line 52]

#

How about /var/lib/passbolt? It should be owned by nginx and there is a tmp directory inside.

And check /etc/passbolt directory - is it owned by root:nginx?

Checks out

ll -d /var/lib/passbolt
drwxr-xr-x. 4 nginx nginx 31 Feb 20 08:13 /var/lib/passbolt

ll -d /var/lib/passbolt/tmp/
drwxr-xr-x. 4 nginx nginx 34 Feb 20 08:32 /var/lib/passbolt/tmp/

ll -d /etc/passbolt/
drwxrwx---. 7 root nginx 4096 Feb 22 12:35 /etc/passbolt/

Maybe SELinux is blocking the include path? https://www.redhat.com/sysadmin/selinux-denial2

Just to confirm the correct commands on redhat are:

sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" nginx
sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/status-report" nginx

@Hycinth can you run rpm -qa | grep passbolt and post the output just to confirm both packages were installed?

Should be something like this (version might be different):

passbolt-server-selinux-0.4-1.el8.noarch
passbolt-ce-server-3.10.0-1.noarch

Since this looks potentially selinux related can you take a look in /var/log/audit/audit.log to see if you have anything listed that looks related?

Good morning Clayton

rpm -qa | grep passbolt
passbolt-server-selinux-0.4-1.el8.noarch
passbolt-ce-server-3.10.0-1.noarch

In /var/log/message this is what I see being logged for SELinux

Feb 20 12:27:47 systemd[1]: Starting Switch Root…
Feb 20 12:27:47 systemd[1]: Switching root.
Feb 20 12:27:47 systemd-journald[350]: Journal stopped
Feb 20 12:27:49 kernel: printk: systemd: 21 output lines suppressed due to ratelimiting
Feb 20 12:27:49 kernel: SELinux: policy capability network_peer_controls=1
Feb 20 12:27:49 kernel: SELinux: policy capability open_perms=1
Feb 20 12:27:49 kernel: SELinux: policy capability extended_socket_class=1
Feb 20 12:27:49 kernel: SELinux: policy capability always_check_network=0
Feb 20 12:27:49 kernel: SELinux: policy capability cgroup_seclabel=1
Feb 20 12:27:49 kernel: SELinux: policy capability nnp_nosuid_transition=1

I do not see anything in the audit log (/var/log/audit/audit.log) to suggest a denial

Another place to check could be permissions on the keyring, could you post what you have set for those?

Sometimes when it is overly permissive there can be some issues.

Keyring permissions

gpg]# ll
total 12
-r--r-----. 1 root nginx 2487 Feb 20 13:09 serverkey.asc
-r--r-----. 1 root nginx 5167 Feb 20 13:09 serverkey_private.asc

I looked through everything here again and I have another permission question. What is the permission set and owner on /etc/passbolt/passbolt.php?

ll -d /etc/passbolt/passbolt.php
-r--r-----. 1 root nginx 2354 Feb 22 12:35 /etc/passbolt/passbolt.php
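
Added example, not part of the thread and not Passbolt's own code: a POSIX shell check of whether the owner/group/other mode bits posted above would, by themselves, let a given user reach /etc/passbolt/passbolt.php, which helps separate a plain file-permission problem from other access controls such as SELinux. The function names, the 755 root:root mode for /etc and the `someuser` account are assumptions for illustration; root's bypass, ACLs and SELinux are not modelled.

```sh
#!/bin/sh
# Added example: owner/group/other mode-bit check (no root, ACL or SELinux).

# dac_allows MODE OWNER GROUP USER "USER_GROUPS" WANT
#   MODE is octal (440), USER_GROUPS is space-separated, WANT is r, w or x.
dac_allows() (
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5 want=$6
    case $want in
        r) bit=4 ;;
        w) bit=2 ;;
        x) bit=1 ;;
        *) exit 2 ;;
    esac
    # Exactly one class applies: owner first, then group, otherwise "other".
    class=$(( 0$mode & 7 ))
    if [ "$user" = "$owner" ]; then
        class=$(( (0$mode >> 6) & 7 ))
    else
        for g in $user_groups; do
            if [ "$g" = "$group" ]; then
                class=$(( (0$mode >> 3) & 7 ))
                break
            fi
        done
    fi
    [ $(( class & bit )) -ne 0 ]
)

# check_chain USER "USER_GROUPS" "MODE OWNER GROUP WANT PATH"...
# Prints the first path the mode bits would block and returns 1, else returns 0.
check_chain() (
    user=$1 user_groups=$2
    shift 2
    for entry in "$@"; do
        read -r mode owner group want path <<EOF
$entry
EOF
        if ! dac_allows "$mode" "$owner" "$group" "$user" "$user_groups" "$want"; then
            echo "blocked at $path"
            exit 1
        fi
    done
    exit 0
)

# Modes and owners as posted in the thread; /etc is an assumed 755 root:root.
check_thread_paths() {
    check_chain "$1" "$2" \
        "755 root root x /etc" \
        "770 root nginx x /etc/passbolt" \
        "440 root nginx r /etc/passbolt/passbolt.php"
}

check_thread_paths nginx "nginx" && echo "mode bits allow nginx to read passbolt.php"
```

With the values from the thread the check passes for nginx, so the "Operation not permitted" warning is not explained by these mode bits alone.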