High Availability Passbolt

Checklist
[ ] I have read intro post: About the Installation Issues category
[ ] I have read the tutorials, help and searched for similar issues
[ ] I provide relevant information about my server (component names and versions, etc.)
[ ] I provide a copy of my logs and healthcheck
[ ] I describe the steps I have taken to troubleshoot the problem
[ ] I describe the steps on how to reproduce the issue

Hello! Our organization has been using Passbolt since 2018 and it has been awesome. We’re now very dependent on it, so we decided to embark on making our Passbolt instance more resilient and provide an extremely high uptime to our users.

I’ve moved the database to three servers in different datacenters managed by Scalegrid.io; this is working awesome and the price was right. They are set up as master+slave+quorum node. Scalegrid manages the DNS entry, so if the slave is promoted to master, it auto-updates the DNS entry.

For the application server, we have two nginx servers running in separate datacenters, with a Cloudflare load balancer running in front of them to monitor health by checking each application server’s /healthcheck/status.json output and looking for the response body to contain:

"message":"OK","url":"/healthcheck/status.json","code":200},"body":"OK"}

Questions:

  1. Anything else I should consider here? :slight_smile:
  2. Healthcheck in the web UI reports one error:

The temporary directory and its content are not writable, or are executable.

Healthcheck via SSH/cake does not report this error. It does report an SSL Cert error, but that is just because NGINX is using a Cloudflare origin CA cert, I think.

./cake passbolt healthcheck

Healthcheck shell

Environment

[PASS] PHP version 7.4.3.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt.milestonefe.com
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check Passbolt Help | Troubleshoot SSL
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate

Database

[PASS] The application is able to connect to the database
[PASS] 27 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (3.5.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

[FAIL] 2 error(s) found. Hang in there!

Both servers are running Ubuntu 20.04.
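
The load balancer check described above matches a byte string inside the status document. The following Python is an added example (not code from the post, from Cloudflare, or from the Passbolt project) showing a parsed check beside that substring match, run over constructed sample responses whose layout follows the fragment quoted earlier (a "header" object with "message", "url" and "code", and a top-level "body"); the other header keys and the compact serialization are assumptions.

```python
"""Parsed vs. substring health check for /healthcheck/status.json.

Added example; the responses below are constructed, not captured from a
real Passbolt node.
"""
import json
import urllib.request

# One status document, serialized two ways. Only the field layout shown
# in the forum post is taken from the page; "status" is an assumption.
STATUS_OK = {
    "header": {"status": "success", "message": "OK",
               "url": "/healthcheck/status.json", "code": 200},
    "body": "OK",
}
HEALTHY = json.dumps(STATUS_OK, separators=(",", ":"))   # compact, as in the post
HEALTHY_PRETTY = json.dumps(STATUS_OK, indent=2)          # same data, whitespace added
DEGRADED = json.dumps({
    "header": {"status": "error", "message": "Internal Error",
               "url": "/healthcheck/status.json", "code": 500},
    "body": "",
}, separators=(",", ":"))


def substring_check(text: str) -> bool:
    """The style of body match the balancer in the thread performs.
    Any change in serialization (spaces, key order) turns this into a
    false negative and the node is pulled from the pool."""
    return '"message":"OK"' in text and '"body":"OK"' in text


def parsed_check(text: str) -> bool:
    """Parse the document and test the fields, so whitespace and key
    order do not matter and a non-JSON error page is rejected outright."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    if not isinstance(doc, dict) or not isinstance(doc.get("header"), dict):
        return False
    header = doc["header"]
    return (header.get("code") == 200
            and header.get("message") == "OK"
            and doc.get("body") == "OK")


def healthy_nodes(responses: dict) -> list:
    """Given {node_name: response_text}, return the nodes a balancer
    should keep in rotation, sorted by name."""
    return sorted(node for node, text in responses.items() if parsed_check(text))


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Fetch the status document from a live node (network access; not
    exercised by the constructed samples above)."""
    url = base_url.rstrip("/") + "/healthcheck/status.json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed pool of two application nodes, one of them degraded.
    pool = {"app-a": HEALTHY_PRETTY, "app-b": DEGRADED}
    print("substring match on pretty JSON:", substring_check(HEALTHY_PRETTY))
    print("parsed check on pretty JSON:   ", parsed_check(HEALTHY_PRETTY))
    print("nodes kept in pool:            ", healthy_nodes(pool))
```

The point of the comparison is the false negative: a pretty-printed or reordered but otherwise healthy document fails the substring match, whereas the parsed check only trusts a document whose header code and message and whose body all say the node is fine.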

Hi @brywhi

Your setup sounds good. Did you run the healthcheck command (via SSH/cake) on both passbolt servers?

Maybe you have one server where the temporary directory is OK (the one where you ran the healthcheck), and the healthcheck displayed in the web UI is from the other one, where the temporary directory is not OK?

It is just a guess.

Regards,

Sorry for my super delayed response.

Yep, ran the health check on both machines, both in the web UI and via SSH, and they return the same results. They are actually identical clones; I just made a snapshot of the first VM and deployed it in the second location. Just different IP address config via DHCP.

@brywhi Are you experiencing a problem with your setup? Or were you just generally double checking everything was how it should be?

The temporary folder error should get fixed in both instances.
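
The temporary-directory error discussed in this thread ("writable, and not executable") is a plain filesystem permission property, so it can be verified independently of the healthcheck. The Python below is an added example, not Passbolt's own check (the thread quotes only the message, not the logic behind it): it walks a directory and reports entries that are not writable by a given uid/gid, or regular files that carry an execute bit. It evaluates the mode bits for an explicit identity rather than calling os.access(), because when a check is run as root every write test passes, which is one way a shell run can disagree with the web UI, where the check executes as the web server user. The path /var/lib/passbolt/tmp and the demo tree are assumptions.

```python
"""Check that a tmp directory is writable by a given identity and
contains no executable regular files. Added example, not Passbolt code."""
import os
import stat
import tempfile

# Assumed location of the Passbolt tmp directory on a package install;
# the thread does not state it.
PASSBOLT_TMP = "/var/lib/passbolt/tmp"


def writable_by(st: os.stat_result, uid: int, gid: int) -> bool:
    """DAC write check for an explicit uid/gid, evaluated from the mode
    bits so the answer describes the web server user even if this script
    itself runs as root."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def check_tmp_dir(path: str, uid: int, gid: int) -> list:
    """Return sorted (path, problem) pairs. Directories must be writable;
    regular files must be writable and must not be executable."""
    problems = []
    for root, _dirs, files in os.walk(path):
        if not writable_by(os.lstat(root), uid, gid):
            problems.append((root, "directory not writable"))
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            if not writable_by(st, uid, gid):
                problems.append((full, "file not writable"))
            if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                problems.append((full, "file is executable"))
    return sorted(problems)


def demo() -> list:
    """Build a constructed tmp tree (one clean file, one executable file,
    one read-only file) and run the check as the current user. Returns
    the findings with paths relative to the temporary base."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "cache", "models"))
        clean = os.path.join(base, "cache", "models", "ok.php")
        exec_file = os.path.join(base, "cache", "bad_exec")
        read_only = os.path.join(base, "readonly")
        for p in (clean, exec_file, read_only):
            with open(p, "w") as fh:
                fh.write("x")
        os.chmod(clean, 0o640)       # writable by owner, no execute bit: fine
        os.chmod(exec_file, 0o750)   # execute bit set: flagged
        os.chmod(read_only, 0o440)   # owner cannot write: flagged
        return [(os.path.relpath(p, base), why)
                for p, why in check_tmp_dir(base, uid, gid)]


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why}: {rel}")
    # On a real node, run with the web server's identity, for example:
    #   import pwd; www = pwd.getpwnam("www-data")
    #   check_tmp_dir(PASSBOLT_TMP, www.pw_uid, www.pw_gid)
```

Running the real check with the web server's uid/gid on both application nodes gives the same view the web UI healthcheck has, which is the comparison the last reply asks for.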