Hi everyone,
I have a stable passbolt working on my LAN and over the Internet using http (I know it is not safe). Now I was trying to activate SSL using my domain (hosted by namecheap) like this “https://mydomain.com:8080” but this is not working.
Doing “sudo dpkg-reconfigure passbolt-ce-server”
I was trying “auto” but there you cannot add the “domain:8080” but only the domain name without a port, and it fails to create the certificate.
Creating a self-signed certificate with “manual” I can create the certificate but it is not opening the site in any web browser: “site is not secure”.
I don’t know what to do. Help please!
G’day Jesus.
You’ve hit a design constraint in the dpkg-reconfigure passbolt-ce-server wizard, which only supports the standard ports 80 (HTTP) and 443 (HTTPS). That’s why the domain validator rejects mydomain.com:8080 and the manual/auto flows both default to port 443.
Here’s what’s happening with each approach:
Auto (Let’s Encrypt)
The wizard runs certbot with the HTTP-01 challenge method, which needs port 80 accessible to the internet so Let’s Encrypt can validate domain ownership. If you’ve only opened port 8080 on your firewall/router, the challenge fails. If you want to use Let’s Encrypt on port 8080, you’d need to use DNS-01 validation instead (manual certbot command), but that’s outside the wizard.
Manual (self-signed)
The wizard rewrites your nginx config to listen 443 ssl http2;, hardcoded to port 443. So after dpkg-reconfigure, when you visit https://mydomain.com:8080, there’s nothing listening on 8080 (port 443 is what’s active now). That’s probably why your browser shows “site is not secure” or can’t connect.
On top of that, self-signed certificates always trigger a “your connection is not private” warning in every browser until you import the cert into your OS/browser trust store — that’s normal and expected.
To use port 8080, you’ll need to step outside the wizard:
- Run sudo dpkg-reconfigure passbolt-ce-server but select “none” for the SSL setup (this just lays down the base nginx config).
- Hand-edit /etc/nginx/sites-enabled/nginx-passbolt.conf:
  - Change listen 80; to listen 8080;
  - Add SSL directives (either include /etc/passbolt/nginx-ssl.conf after you fix its listen 443 to listen 8080, or add cert paths directly)
- For the certificate:
  - If you want Let’s Encrypt: sudo certbot certonly --manual --preferred-challenges=dns -d mydomain.com, then point nginx to the certs in /etc/letsencrypt/live/mydomain.com/
  - If you’re using a self-signed cert: generate it with CN=mydomain.com in the subject, and remember to accept the browser warning on first visit (or import the cert to your trust store to avoid the warning permanently)
- Edit /etc/passbolt/passbolt.php and set:
  'fullBaseUrl' => 'https://mydomain.com:8080',
  (Without this, passbolt’s links and status-report will still think you’re on the default port.)
- Reload nginx: sudo systemctl reload nginx
My recommendation: if you can, open ports 80 and 443 on your firewall/router instead. That’s what the wizard is optimised for, and it saves you from manual config work. But if port 8080 is a hard requirement (e.g. ISP blocks 443), the steps above will get you there.
Cheers
Gareth
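The steps above only work when the port nginx serves TLS on is the same port passbolt advertises in fullBaseUrl. The following is an added example, not part of the original thread or passbolt's own tooling: a shell check that compares the two, run here on constructed sample files. The function names and the sample file contents are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not passbolt code): verify that the port nginx serves TLS on
# is the port passbolt advertises in fullBaseUrl.

# Ports of every "listen ... ssl" directive in an nginx config file.
tls_listen_ports() {
    sed -E 's/#.*//' "$1" |
        grep -E '^[[:space:]]*listen[[:space:]].*[[:space:]]ssl([[:space:];]|$)' |
        sed -E 's/^[[:space:]]*listen[[:space:]]+([^[:space:];]+).*/\1/; s/.*://'
}

# Port implied by an https 'fullBaseUrl' in passbolt.php (443 if none given).
base_url_port() {
    local url hostport
    url=$(sed -nE "s/.*'fullBaseUrl'[[:space:]]*=>[[:space:]]*'([^']+)'.*/\1/p" "$1" | head -n 1)
    case "$url" in
        https://*) hostport=${url#https://}; hostport=${hostport%%/*}
                   case "$hostport" in *:*) echo "${hostport##*:}" ;; *) echo 443 ;; esac ;;
        *) return 1 ;;   # missing, or plain http: no TLS port to match
    esac
}

# Exit 0 when nginx has a TLS listener on the fullBaseUrl port, 1 on mismatch.
check_passbolt_port() {
    local want
    want=$(base_url_port "$2") || { echo "fullBaseUrl is missing or not https"; return 2; }
    if tls_listen_ports "$1" | grep -qx "$want"; then
        echo "OK: TLS listener on port $want matches fullBaseUrl"
    else
        echo "MISMATCH: fullBaseUrl wants $want, TLS listeners: $(tls_listen_ports "$1" | tr '\n' ' ')"
        return 1
    fi
}

# Constructed sample files standing in for the real configs.
demo=$(mktemp -d)
printf "%s\n" "server {" "  listen 443 ssl http2;  # wizard default port" \
    "  listen [::]:443 ssl http2;" "}" > "$demo/wizard.conf"
printf "%s\n" "server {" "  listen 8080 ssl http2;" "  listen [::]:8080 ssl http2;" "}" \
    > "$demo/fixed.conf"
printf "%s\n" "<?php return ['App' => [" "  'fullBaseUrl' => 'https://mydomain.com:8080'," \
    "]];" > "$demo/passbolt.php"

check_passbolt_port "$demo/wizard.conf" "$demo/passbolt.php" || true
check_passbolt_port "$demo/fixed.conf"  "$demo/passbolt.php"
```

On a real server, pass /etc/nginx/sites-enabled/nginx-passbolt.conf and /etc/passbolt/passbolt.php as the two arguments.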