Hi,
I want to re-open the issue already started at “Installation behind nginx rev. proxy fails” at
https://community.passbolt.com/t/installation-behind-nginx-rev-proxy-fails/2317/14
The issue that
https://passbolt.freifunk-stuttgart.de/var/www/passbolt/auth/login
is not available (404) is still open. healthcheck shows:
Environment
[PASS] PHP version 7.3.13-1+0~20191218.50+debian9~1.gbp23c2da.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.
Config files
[PASS] The application config file is present
[PASS] The passbolt config file is present
Core config
[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to http://passbolt.freifunk-stuttgart.de
[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in config/passbolt.php
[HELP] Check the network settings
SSL Certificate
[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
Database
[PASS] The application is able to connect to the database
[PASS] 23 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/www/.gnupg.
[PASS] The directory /var/www/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server gpg key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
Application configuration
[PASS] Using latest passbolt version (2.12.0).
[PASS] Passbolt is configured to force SSL use.
[FAIL] App.fullBaseUrl is not set to HTTPS.
[HELP] Check App.fullBaseUrl url scheme in config/passbolt.php.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.
4 error(s) found. Hang in there!
if I use https for fullBaseUrl I get one error less, but still I have
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
as the key issue. I see no issue with the certificate or the nginx proxy which receives the requests:
openssl s_client -connect passbolt.freifunk-stuttgart.de:443
locutus:~ # openssl s_client -connect passbolt.freifunk-stuttgart.de:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = passbolt.freifunk-stuttgart.de
verify return:1
---
Certificate chain
0 s:CN = passbolt.freifunk-stuttgart.de
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGdDCCBVygAwIBAgISA/pdBEa6+0Q3yY6H5XpooCnAMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDAxMDQwOTAzNDhaFw0y
MDA0MDMwOTAzNDhaMCkxJzAlBgNVBAMTHnBhc3Nib2x0LmZyZWlmdW5rLXN0dXR0
Z2FydC5kZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMlSshyz8zSI
5NI1XyhypBwoBpyH8oSdHmp5A7JQu5OzAykhQqasX6vXyhwof7uEoeKzRsgY4Xj5
ruE2n25qrRkCIDFAqSqg2yIpngt7HIjFDjO4tS9fbqTjI1RGOo1VzQiengcOdRZy
Z/KDsMv83b7X7/yEr6XVDpbkQWgLbm15Av3FMEa43e+jucVAJz48qJsQdYBeQcKn
5mlTCG5ggZv097HKTpUBpNBy8tzDXPpd/jELjfm54jqMrctE9x/n2l2vkn+6znG6
l6Yu0UUV2VahF5KjsRVmTh2KKIsTrOZ1R3WXQXTYgMudy8dBQw0XUD2FD8b93xRM
7fa7fsdqCUVY810EN9R+5sDjGoli4T6EFPKA75rYN9xWXJOD3Vg9/X0l8Bj2DOQ7
MCgu7lVnTDdkW089KkMqqTE8AzI28JmHXbJX2dIogSyyA1PZspjgfNS2LlhyJaYl
fBsOyC5SKlJfTcYuE7E+Z/T4H6XJf2SaLZKFTbXMRjxzylATyRWTq+qsNC83ttRB
sZfQYbOhl4Dvju3fndAsdQtJl8O9H6q3/MVAJLEVOueIYqdjME3kApwj6Fp0GW3s
/wheIiMbUP5RTEuAcqojQJXgie7DxrjPYSTLcwEwOPlGnfFKRFHOkFDgI8K/tvJm
PA6XVso94/wbQLvQj33+MBKABlFadDN1AgMBAAGjggJzMIICbzAOBgNVHQ8BAf8E
BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQC
MAAwHQYDVR0OBBYEFHGc9CXlsYMHNZpgMuU6WLjMoVmIMB8GA1UdIwQYMBaAFKhK
amMEfd265tE5t6ZFZe/zqOyhMG8GCCsGAQUFBwEBBGMwYTAuBggrBgEFBQcwAYYi
aHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0Lm9yZzAvBggrBgEFBQcwAoYj
aHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9yZy8wKQYDVR0RBCIwIIIe
cGFzc2JvbHQuZnJlaWZ1bmstc3R1dHRnYXJ0LmRlMEwGA1UdIARFMEMwCAYGZ4EM
AQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0
c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAb1N2rDHwMRnY
mQCkURX/dxUcEdkCwQApBo2yCJo32RMAAAFvcALIyAAABAMASDBGAiEAjkeyHd/D
NAuP/Ztpn+/jMKhKXcRG4XLCVw8GAp2fRfwCIQCoOa/wlCivAED70pNhkSmxj1dE
NNJBw1Yiz/U6qrPPEwB1AAe3XBvlfWj/8bDGHSMVx7rmV3xXlLdq7rxhOhpp06Ic
AAABb3ACyPMAAAQDAEYwRAIgElFBwQp7SaVqyU4yUF1YqKi4fdbrwe8nfYd0tWFg
G9wCID2HWUAVx8Ivah+YpswqL0UF0uKV1NmeMBgOn6dyMPnoMA0GCSqGSIb3DQEB
CwUAA4IBAQB4WbrA+lECWyhmZzwmGPJNmOsQz1R2S37l1Dl/4IWfvdwRjJvA+c29
jA5vmd0xvUttG6isSc2pZ4MNT9zEcZ935G7IL+5cNrjOAhb3ci8crM78K+rl2pbe
no4VMsIzWBJI6RDZaH+uYHY3iX7tDt4vI47UjUZHBFWA1uLSRg2aCGp2o72IZHqK
MGG/KXCdmwAc6b4DfzOaGifkgHjFg2L8izzzobBr8Ty27iD2oc8qSsoVXAEBhaPx
gVT2sJPGEQjUMruDCxXsFgGsnZOEQpDrx+ODm8dFhAqNFaw06fPAItSh0qzelj6f
MhyakbhHUqYlaG73yBLZLpaBFEppxIrB
-----END CERTIFICATE-----
subject=CN = passbolt.freifunk-stuttgart.de
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3766 bytes and written 425 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: F1A3499C9571DD3F4F5A3AE3384B3EDD769527AFE7D6D7C2FC61B1A3A401D32B
Session-ID-ctx:
Master-Key: 6A1FC518F32C53326F8B1728158E70D40571CC285B7A0E6FE12AB0B5A2E779179850ED45BBEA3007D2BF5D90EE25CA71
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 86 eb 9d a4 42 73 c0 60-d7 0f 85 46 cc 2f 7a be ....Bs.`...F./z.
0010 - a2 84 11 02 e4 cf 06 05-c0 7b 4a 2a fc ce af 84 .........{J*....
0020 - 62 38 bb dc 9c 82 41 02-c2 18 ad ee fa 42 4f 42 b8....A......BOB
0030 - b9 42 1a 17 bc 89 d3 50-d4 ad f5 e6 db a9 e9 41 .B.....P.......A
0040 - a5 00 cd b7 72 5c 26 1e-19 00 f2 97 3b e5 28 3d ....r\&.....;.(=
0050 - 24 88 a0 0b 21 aa 2a 06-3d 05 87 52 ea 4d 4c 53 $...!.*.=..R.MLS
0060 - fc cd 60 8f bf 15 0a 20-54 20 20 8e 31 f1 91 31 ..`.... T .1..1
0070 - 71 42 4f db b1 d6 ba fb-4a 2e ac da 65 69 1e 70 qBO.....J...ei.p
0080 - 1e f1 9a e1 c6 6b ca a3-d1 92 5b d4 05 df 5f b5 .....k....[..._.
0090 - f7 f2 a1 29 62 a6 34 66-a7 70 da b1 b8 40 f2 b9 ...)b.4f.p...@..
00a0 - 22 3b 20 4e 30 32 70 3b-34 d0 c0 d2 4d 53 74 48 "; N02p;4...MStH
00b0 - da 44 84 bb 8d 80 7f cc-e5 1d 6b 9c 76 20 fb 80 .D........k.v ..
00c0 - a1 17 c8 fa f1 b0 15 77-9a 22 3e ab fb fa 86 ae .......w.">.....
Start Time: 1579430393
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
I have two passbolt installations running, one with haproxy, one wit nginx. The problems only appear at at the nginx setup.