Installation on to server using separate ports and docker | Not getting activation link

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

Hi Everyone,

I’m installing passbolt on a VM using the docker installation steps.

Primary Issue
I’m running into an issue where I add my first admin and I don’t get a URL.

Health Check
From my health check, this is what I see:

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.33.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://bolt.domain.com
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in /etc/passbolt/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [FAIL] The application is not able to connect to the database.
 [HELP] Double check the host, database name, username and password in /etc/passbolt/passbolt.php.
 [HELP] Make sure the database exists and is accessible for the given database user.
 [FAIL] No table found
 [HELP] Run the install script to install the database tables
 [HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt install" www-data
 [FAIL] No default content found
 [HELP] Run the install script to set the default content such as roles and permission types
 [HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt install" www-data
 [FAIL] The database schema is not up to date.
 [HELP] Run the migration scripts:
 [HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake migrations migrate --no-lock" www-data
 [HELP] See. https://www.passbolt.com/help/tech/update

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [FAIL] The server OpenPGP key is not set
 [HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [FAIL] The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
 [HELP] Double check the key fingerprint, example:
 [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
 [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
 [HELP] Import the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
 [FAIL] The server key does not have a valid email id.
 [HELP] Edit or generate another key with a valid email id.

 Application configuration

 [PASS] Using latest passbolt version (3.12.2).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [WARN] The SMTP Settings source is: env variables.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [FAIL] 9 error(s) found. Hang in there!

SQL Connection Issues - Derived from Health check
For the “unable to connect to the database” item from the troubleshooting steps:
I’m able to connect to the DB container using regular SQL commands. The database has not generated any tables, but I am able to connect to the container using those credentials.

The reason I bring up the MariaDB Connection is because my docker logs are flooded with:

Exception: Connection to Mysql could not be established: SQLSTATE[HY000] [1045] Access denied for user 'passbolt'@'172.22.0.3' (using password: YES)
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Database/Driver.php, line 133]

I was poking around the files inside the container and I don’t have the file /etc/passbolt/passbolt.php listed in that directory. I have a passbolt.defaults.php; I’m wondering if the required items have not generated correctly.

Current Docker Compose Config

version: '3.9'
services:
  db:
    image: mariadb:10.10
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: ""
    volumes:
      - database_volume:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:latest-ce
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://bolt.orbitalhosting.io
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: ""
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
      EMAIL_DEFAULT_FROM_NAME: "sample"
      EMAIL_DEFAULT_FROM: "sample@domain.com"
      EMAIL_TRANSPORT_DEFAULT_HOST: ""
      EMAIL_TRANSPORT_DEFAULT_PORT: "465"
      EMAIL_TRANSPORT_DEFAULT_USERNAME: ""
      # passbolt reads EMAIL_TRANSPORT_DEFAULT_PASSWORD; the MAIL_ prefix is ignored
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: ""
      EMAIL_TRANSPORT_DEFAULT_TLS: "true"
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
      - ./ssl/fullchain.pem:/etc/letsencrypt/live/bolt.domain.com/fullchain.pem
      - ./ssl/privkey.pem:/etc/letsencrypt/live/bolt.domain.com/privkey.pem
    command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
    ports:
      #- 80:80
      #- 443:443
    #Alternatively for non-root images:
      - 8081:8081
      - 4433:4433

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:

Troubleshooting Steps

  1. To address the URL issues, I’ve found a post on the forums where removing the docker volumes and starting again resolved the issue, but that has not worked for me.

  2. Force recreate when bringing up docker-compose

  3. Run Health Check

  4. Tested SQL Credentials by exec into the DB container

Any additional steps and suggestions would be awesome.

Thanks in advance.

Hi @RodoggA Welcome to the forum and sorry for the delay in any response!

Your post is very thorough, thank you. I believe only the first part of the port binding should change so it should be:

 #Alternatively for non-root images:
      - 8081:8080
      - 4433:4433

I would scrap the containers and start fresh with the above change and try the admin setup again. It should just work.

Hi Garrett,

I’ve made the recommended change, but this is where I run into the port already in use error:

ERROR: for bolt_passbolt_1  Cannot start service passbolt: driver failed programming external connectivity on endpoint bolt_passbolt_1 (22d2c45bbffa18741067ffcdb19818803ae795faeb26c0ebc60e812130d01933): Error starting userland proxy: listen tcp4 0.0.0.0:8080: bind: address already in use

ERROR: for passbolt  Cannot start service passbolt: driver failed programming external connectivity on endpoint bolt_passbolt_1 (22d2c45bbffa18741067ffcdb19818803ae795faeb26c0ebc60e812130d01933): Error starting userland proxy: listen tcp4 0.0.0.0:8080: bind: address already in use
ERROR: Encountered errors while bringing up the project.

This is why I went down the path of putting it on another port.

I suspect I will need to implement an nginx config to allow requests to come in on the regular ports and be proxied to 8081 and 4433.

This is the nginx config that I generally used for files hosted inside containers, but this did not do the trick. Any additional recommendations?

server {
   server_name bolt.domain.com;
   location / {
        proxy_pass     http://localhost:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Cheers

You could run sudo netstat -plunt | grep 8080 to see what process is already running on that port on your host system if you think there shouldn’t be anything.

When you do 8081:8080 it’s binding to the host 8081 and will route to 8080 in the passbolt container (which should not conflict because it is the container port and not the host port).

If you are running a reverse proxy in front of the containers in order to route traffic on host ports 80 and 443 to your backend passbolt, then you will want to have something like this:

server {
        listen 80;
        server_name bolt.domain.com;

        location / {
               proxy_pass http://localhost:8081;
               proxy_set_header Host $host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header X-Forwarded-Proto $scheme;
        }
}

server {
        listen 443 ssl http2;
        server_name bolt.domain.com;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        ssl_certificate         /path/to/your/cert;
        ssl_certificate_key     /path/to/your/key;
        ssl_session_timeout     1d;
        ssl_session_cache       shared:SSL:50m;
        ssl_session_tickets     off;

        location / {
               proxy_pass https://127.0.0.1:4433;
               proxy_set_header Host $host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header X-Forwarded-Proto $scheme;
        }
}

(not tested)

This will help with any route 80 traffic that might be needed for whatever reason, but will also handle the https traffic that must also come in.
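The reply above turns on one distinction: in a compose mapping `HOST:CONTAINER`, only the host half can collide with something already bound on the VM, so a `bind: address already in use` on 0.0.0.0:8080 cannot come from a mapping whose host half is 8081. The script below is an added example, not part of this thread and not passbolt's own code: it splits mappings, pulls the conflicting port out of the docker error text, and names the mapping to blame (or `none`, which means the compose file actually being run differs from the one you think). The sample error line is constructed from the one posted above with a placeholder endpoint id; the optional live check assumes `ss` and `curl` are on the host.

```shell
#!/bin/sh
# Added example (not from the thread or passbolt): host-port vs container-port
# triage for docker "address already in use" errors. Sample inputs are constructed.

# Split a compose "HOST:CONTAINER" mapping into its two halves.
host_port()      { printf '%s\n' "${1%%:*}"; }
container_port() { printf '%s\n' "${1##*:}"; }

# Pull the port out of a docker "address already in use" error line.
# That port is always a HOST port: the container side is never bound on the host.
conflict_port() {
    printf '%s\n' "$1" | sed -n 's/.*:\([0-9][0-9]*\): bind: address already in use.*/\1/p'
}

# One-line explanation of a mapping, e.g. "8081:8080".
explain_mapping() {
    printf 'host port %s -> container port %s\n' "$(host_port "$1")" "$(container_port "$1")"
}

# Given an error line and the mappings from the compose file, print the mapping
# whose HOST half equals the conflicting port, or "none" if no mapping explains it.
blame_mapping() {
    err="$1"; shift
    p="$(conflict_port "$err")"
    for m in "$@"; do
        if [ "$(host_port "$m")" = "$p" ]; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    printf 'none\n'
}

# Optional live check (assumes ss and curl on a Linux host): is each host port
# already bound, and does the mapped port answer at all? Off unless requested.
live_check() {
    for m in "$@"; do
        hp="$(host_port "$m")"
        if ss -ltn 2>/dev/null | grep -q ":$hp "; then
            printf 'host port %s: something is listening\n' "$hp"
        else
            printf 'host port %s: nothing listening\n' "$hp"
        fi
    done
}

# Constructed sample mirroring the docker-compose error posted above.
SAMPLE_ERR='ERROR: for passbolt  Cannot start service passbolt: driver failed programming external connectivity on endpoint bolt_passbolt_1 (ENDPOINT-ID-PLACEHOLDER): Error starting userland proxy: listen tcp4 0.0.0.0:8080: bind: address already in use'

explain_mapping 8081:8080
# With 8081:8080 and 4433:4433 the answer is "none": host 8080 is not ours to bind.
blame_mapping "$SAMPLE_ERR" 8081:8080 4433:4433

if [ "${PASSBOLT_LIVE_CHECK:-0}" = 1 ]; then
    live_check 8081:8080 4433:4433
fi
```

Run it as-is to see the offline triage, or `PASSBOLT_LIVE_CHECK=1 sh portcheck.sh` on the VM to also see whether 8081 and 4433 are bound; the `none` verdict is the useful one here, because it says the conflict must come from a different compose file or a stale container still holding 8080.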

Hi Garrett,

I’ve managed to make some progress. When trying to create the admin user, I’m now getting

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
Exception: Connection to Mysql could not be established: SQLSTATE[HY000] [1045] Access denied for user 'passbolt'@'172.25.0.3' (using password: YES)
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Database/Driver.php, line 133]

Running through the troubleshooting steps again, now that I’m getting a step further than I was previously:

Health Check

root@55051d4635db:/usr/share/php/passbolt# su -s /bin/bash www-data
www-data@55051d4635db:/usr/share/php/passbolt$ ./bin/cake passbolt healthcheck

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell         
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.33.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://bolt.domain.com
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in /etc/passbolt/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [FAIL] The application is not able to connect to the database.
 [HELP] Double check the host, database name, username and password in /etc/passbolt/passbolt.php.
 [HELP] Make sure the database exists and is accessible for the given database user.
 [FAIL] No table found
 [HELP] Run the install script to install the database tables
 [HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt install" www-data
 [FAIL] No default content found
 [HELP] Run the install script to set the default content such as roles and permission types
 [HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt install" www-data
 [FAIL] The database schema is not up to date.
 [HELP] Run the migration scripts:
 [HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake migrations migrate --no-lock" www-data
 [HELP] See. https://www.passbolt.com/help/tech/update

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [FAIL] The server OpenPGP key is not set
 [HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [FAIL] The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
 [HELP] Double check the key fingerprint, example: 
 [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
 [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
 [HELP] Import the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
 [FAIL] The server key does not have a valid email id.
 [HELP] Edit or generate another key with a valid email id.

 Application configuration

 [PASS] Using latest passbolt version (3.12.2).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [WARN] The SMTP Settings source is: env variables.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [FAIL] 9 error(s) found. Hang in there!

Once again, I’m seeing references to /etc/passbolt/passbolt.php but when I inspect the directory, there is no passbolt.php file within the container files.

Current Implementation

Docker Compose

version: '3.10'
services:
  db:
    image: mariadb:10.10
    restart: always
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: ""
    volumes:
      - database_volume:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:latest-ce
    restart: always
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://bolt.domain.com
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: ""
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
      EMAIL_DEFAULT_FROM_NAME: "support"
      EMAIL_DEFAULT_FROM: "support@domain.com"
      EMAIL_TRANSPORT_DEFAULT_HOST: "smtp.sendgrid.net"
      EMAIL_TRANSPORT_DEFAULT_PORT: "465"
      EMAIL_TRANSPORT_DEFAULT_USERNAME: ""
      # passbolt reads EMAIL_TRANSPORT_DEFAULT_PASSWORD; the MAIL_ prefix is ignored
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: ""
      EMAIL_TRANSPORT_DEFAULT_TLS: "true"
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
      - ./ssl/fullchain.pem:/etc/letsencrypt/live/bolt.domain.com/fullchain.pem
      - ./ssl/privkey.pem:/etc/letsencrypt/live/bolt.domain.com/privkey.pem
    command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
    ports:
      #- 80:8081
      #- 443:4433
    #Alternatively for non-root images:
      - 8081:8080
      - 4433:4433

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:

Nginx Conf

Directory Path: /etc/nginx/sites-available/bolt.domain.com

server {
        listen 80;
        server_name bolt.domain.com;

        location / {
               proxy_pass http://localhost:8081;
               proxy_set_header Host $host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header X-Forwarded-Proto $scheme;
        }
}

server {
        listen 443 ssl http2;
        server_name bolt.domain.com;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        ssl_certificate         /opt/bolt/ssl/fullchain.pem;
        ssl_certificate_key     /opt/bolt/ssl/privkey.pem;
        ssl_session_timeout     1d;
        ssl_session_cache       shared:SSL:50m;
        ssl_session_tickets     off;

        location / {
               proxy_pass https://127.0.0.1:4433;
               proxy_set_header Host $host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header X-Forwarded-Proto $scheme;
        }
}

Steps Taken

  1. Turned off firewall in the event it was firewall related
  2. Add below section to docker compose
  db:
    image: mariadb:10.10
    restart: always
    ports:
      - 3306:3306
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: ""
    volumes:
      - database_volume:/var/lib/mysql

This addition to the docker compose file resulted in the message that the port is already in use. Performing an inspection returned:

rodogga@vps:/opt/bolt$ sudo netstat -plunt | grep 3306
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      798446/mariadbd

So MariaDB is already listening on that port. OK, so I reverted the change and removed the defined ports from the config file.

I’m able to connect to the DB container using the steps outlined in the troubleshooting steps (Passbolt Help | Troubleshoot Docker).

I’m a little stumped at this stage as to why I can exec into the container using the credentials outlined in my environment variables, but the container can’t authenticate.

If I exec into the DB and show grants for the DB user, this is the output:

MariaDB [passbolt]> show grants for passbolt@'%';
+---------------------------------------------------------------------------------------------------------+
| Grants for passbolt@%                                                                                   |
+---------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `passbolt`@`%` IDENTIFIED BY PASSWORD '*HASH' |
| GRANT ALL PRIVILEGES ON `passbolt`.* TO `passbolt`@`%`                                                  |
+---------------------------------------------------------------------------------------------------------+

I then exec’ed into the DB without specifying credentials:

root@vps:/opt/bolt# docker exec -it bolt-db-1 sh    
# mysql -u passbolt -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 110
Server version: 10.10.3-MariaDB-1:10.10.3+maria~ubu2204 mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases
    -> ;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| passbolt           |
+--------------------+
2 rows in set (0.001 sec)

By all accounts, it should be able to log in without the access denied message.
This one really has me scratching my head.
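Two healthcheck transcripts have been pasted in this thread so far, and in both the nine failures are spread across sections with their [HELP] lines in between. The script below is an added example, not part of the thread and not passbolt's own tooling: it groups each [FAIL] under its section heading together with only its own [HELP] lines, and counts real failures without the summary line. The transcript it runs on is a constructed subset of the output posted above; on a live container you would pipe `./bin/cake passbolt healthcheck` (run as www-data, as shown earlier in the thread) into the same functions.

```shell
#!/bin/sh
# Added example (not from the thread or passbolt): triage a healthcheck transcript.
# The sample below is constructed from a subset of the output posted in this thread.

SAMPLE_HEALTHCHECK='
 Core config

 [PASS] Debug mode is off.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in /etc/passbolt/passbolt.php
 [HELP] Check the network settings

 Database

 [FAIL] The application is not able to connect to the database.
 [HELP] Double check the host, database name, username and password in /etc/passbolt/passbolt.php.
 [FAIL] No table found
 [HELP] Run the install script to install the database tables

 JWT Authentication

 [PASS] A valid JWT key pair was found

 [FAIL] 3 error(s) found. Hang in there!
'

# Count [FAIL] lines on stdin, excluding the "N error(s) found" summary line.
fail_count() {
    grep '^ *\[FAIL\]' | grep -vc 'error(s) found'
}

# Print each failure as "Section: message" followed by the [HELP] lines that
# belong to it. A non-empty line without a [TAG] is treated as a section heading;
# any [PASS]/[WARN]/[INFO] line or blank line closes the current failure.
triage() {
    awk '
        NF > 0 && $1 !~ /^\[/ { section = $0; sub(/^ +/, "", section); sub(/ +$/, "", section); next }
        $1 == "[FAIL]" && $0 !~ /error\(s\) found/ {
            infail = 1
            msg = $0; sub(/^ *\[FAIL\] */, "", msg)
            print section ": " msg
            next
        }
        $1 == "[HELP]" && infail {
            msg = $0; sub(/^ *\[HELP\] */, "", msg)
            print "    -> " msg
            next
        }
        { infail = 0 }
    '
}

# Stand-alone run on the constructed sample. For a live container:
#   docker compose exec passbolt su -s /bin/bash -c "./bin/cake passbolt healthcheck" www-data | triage
printf '%s\n' "$SAMPLE_HEALTHCHECK" | triage
printf 'real failures: %s\n' "$(printf '%s\n' "$SAMPLE_HEALTHCHECK" | fail_count)"
```

Grouping the output this way makes the dependency order visible: the GPG and schema failures in the posted transcripts all hang off the single "not able to connect to the database" failure, so that is the one to fix first.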

@RodoggA This is good!

Regarding passbolt.php not being there - it’s okay, the healthcheck a couple of lines later allows for us to use environment variables as well. passbolt.php is always missing in Docker installs.

If you are mounting an old database from a previous installation, this might explain why it’s stuck. It needs a fresh volume maybe, or Docker cache cleared?

You are running the rooted-version of the passbolt container so you will need to provide the db (I’m assuming you are doing so). The random root password is used for the non-root version, so it can be set to false. The install process will want to create the db from scratch along with the user and granted rights.

Can you confirm these things?

EDIT: “you will need to provide the db” was supposed to be “you will need to provide the db password”.

Hi @garrett,

I can confirm that at each stage I’ve been clearing the docker volumes associated with the bolt installation using docker volume prune --all.

For this comment:

You are running the rooted-version of the passbolt container so you will need to provide the db

Are you referring to a separate MySQL installation outside of the MySQL Container generated as part of the compose file? I’m not quite following.

For the default root password, I assume the compose would need to be updated to be

MYSQL_PASSWORD: "false"

Cheers

Sorry for the confusion, this is for non-root so a random password can be created.

Hi Garrett,

I decided to take a step back and start with the default config and implement my docker-compose file section by section…

Some good news. I can get the setup link now:

rodogga@orbital-staff-vps:/opt/orbital_bolt$ docker-compose -f docker-compose-ce.yaml exec passbolt su -m -c "/usr/share/php/passbolt/bin/cake \
                                passbolt register_user \
                                -u  \
                                -f Admin\
                                -l Admin \
                                -r admin" -s /bin/sh www-data

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
User saved successfully.
To start registration follow the link provided in your mailbox or here: 
https://bolt.domain.com/setup/install/077a9b72-a2bb-412a-8100-cc4cddde58bb/63b362b2-7c0f-4698-a7ae-4d9f7fce0c15

Complication Number 2:
When I navigate to my URL, I get a response of: Cannot GET /setup/install/077a9b72-a2bb-412a-8100-cc4cddde58bb/63b362b2-7c0f-4698-a7ae-4d9f7fce0c15

Inspecting the page using dev tools, I get a 404 for that file. I suspect this will be related to the nginx config

Navigating to bolt.domain.com returns 200
Navigating to bolt.domain.com/setup returns 404

NGINX Conf

server {
        listen 8080;
        server_name bolt.domain.com;

        location / {
               proxy_pass http://localhost:8081;
               proxy_set_header Host $host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header X-Forwarded-Proto $scheme;
        }
}

server {
        listen 443 ssl http2;
        server_name bolt.domain.com;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        ssl_certificate         /opt/bolt/ssl/fullchain.pem;
        ssl_certificate_key     /opt/bolt/ssl/privkey.pem;
        ssl_session_timeout     1d;
        ssl_session_cache       shared:SSL:50m;
        ssl_session_tickets     off;

        location / {
               proxy_pass https://127.0.0.1:4433;
               proxy_set_header Host $host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header X-Forwarded-Proto $scheme;
        }
}

Once I get this issue resolved, will I be able to update the passwords located in the docker compose file? At this stage, it’s using the default and having something more secure would be ideal. If changing it is too complicated once installed, then I might need to start again and get those secure passwords implemented from the very beginning.

To change the password later, try this: Update DB Password on Docker Installation

Regarding the /setup path, try this NGINX conf (includes an upstream for 443 traffic):

upstream passbolt_container {
        server 127.0.0.1:4433;
}

server {
        listen 80;
        server_name bolt.domain.com;
        
        return 301 https://bolt.domain.com;  
        # Note: add this to /etc/hosts: 127.0.0.1 bolt.domain.com if not done already
}

server {
        listen 443 ssl http2;
        server_name bolt.domain.com;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        ssl_certificate         /opt/bolt/ssl/fullchain.pem;
        ssl_certificate_key     /opt/bolt/ssl/privkey.pem;
        ssl_session_timeout     1d;
        ssl_session_cache       shared:SSL:50m;
        ssl_session_tickets     off;

        location / {
               proxy_pass https://passbolt_container;
               proxy_set_header Host $host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header X-Forwarded-Proto $scheme;
        }
}

In the previous config I had it listening on port 8080 - not sure why, I think I meant it to be 80. But anyway, I now have what I would normally do to force https at the reverse proxy in front of the container (should be fine since you already have certs in place).

Now everything should route through port 443 from the browser. See if this works for you.

Hi Garrett,

I updated the nginx conf and same issue. We do have other services listening on those ports. Hence why we have a reverse proxy, to enable multiple web services on the single host.

From the host command line, test getting a response with:

curl https://bolt.domain.com/setup/install/077a9b72-a2bb-412a-8100-cc4cddde58bb/63b362b2-7c0f-4698-a7ae-4d9f7fce0c15

and also try

curl http://127.0.0.1:8081/setup/install/077a9b72-a2bb-412a-8100-cc4cddde58bb/63b362b2-7c0f-4698-a7ae-4d9f7fce0c15

This is the response I get:

rodogga@vps:/opt/bolt$ curl https://bolt.domain.com/setup/install/077a9b72-a2bb-412a-8100-cc4cddde58bb/63b362b2-7c0f-4698-a7ae-4d9f7fce0c15
curl: (60) SSL: no alternative certificate subject name matches target host name 'bolt.domain.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
rodogga@vps:/opt/orbital_bolt$ curl http://127.0.0.1:8081/setup/install/077a9b72-a2bb-412a-8100-cc4cddde58bb/63b362b2-7c0f-4698-a7ae-4d9f7fce0c15
curl: (52) Empty reply from server

With that output, I went to double check my ssl certs location matched what is specified in my docker compose file. Everything looks ok.

To be safe, I re-generated the let’s encrypt cert.
Recreated the volumes and Containers.

Run the curl commands again and got the same results.

I also updated the nginx conf file to reference the certs in the /etc/letencrypt directory but this did not yield any results.

Interestingly, I’ve not run into this issue with SSL certs before.

The empty reply from server is expected because the container is changing to https.

For the https curl command it is possible to add a flag to skip checking the domain: curl -k

If you still can’t get a response from the command line using the flag, can you run the Healthcheck again to see what it says?

Hi Garrett,

Dropping the domain validation returns

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /setup/install/0e31b5dc-38fa-4b00-824d-0288f76e4b13/b709608b-628e-4507-89ed-c897997b98e5</pre>
</body>
</html>

This makes me think something other than the passbolt container is receiving this request.

What are the results of: sudo nginx -t
This tests the configuration.

This lists all domains that are listening: sudo nginx -T | grep server_name

Maybe there is a duplicate or something. Also, you are restarting the NGINX service after config changes right?

Hi Garrett,

Running that command returned all our services running on that host except bolt.domain.com

NGINX Test

nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/conf.d/bolt.domain.com.conf:12
nginx: configuration file /etc/nginx/nginx.conf test failed

To resolve this, I commented out ssl_session_cache shared:SSL:50m;

After this I regenerated the containers and volumes.
When I tried to add the admin account again, I received

    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
Exception: Connection to Mysql could not be established: SQLSTATE[HY000] [2002] Connection refused
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Database/Driver.php, line 133]

After adding the below firewall rule, I was able to retrieve the activation link

sudo ufw allow in br-5ddf9538a929 to 192.168.80.1 port 3306 proto tcp

CURL Results

<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>

At least I am now hitting the nginx proxy.

I’m confused because the containers should be in the same network already and therefore should be able to talk to each other without any firewall modification.

Why do you suppose the change in the firewall was needed? Which firewall was it?

That’s a really good question since the bridge is on the 192.168.0.0/16 address range. So by all accounts, it should have been able to communicate with the containers.

The only thing I can think of is that the docker0 adapter is a 172.x.0.0/24 address block, and since the bridge for the passbolt container is a 192.168.0.0/16, it’s not able to pass through the docker0 adapter since they are separate “subnets”.

I still need to get the reverse proxy working but that’s a tomorrow issue.
I might need to manually define the network in the docker compose file so it doesn’t create a new bridge and subnet each time it comes back up.
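The last several posts each hit a different hop of the chain browser → nginx → container: a curl certificate mismatch, a `Cannot GET /setup/...` page, an empty reply on the plain port, and finally an nginx 502. The script below is an added example, not from this thread and not passbolt's code: it classifies a captured response by its signature so each symptom is attributed to the layer that produced it. The `<pre>Cannot GET /path</pre>` body is the default 404 of Express-style Node servers, which is why it points at a different upstream or vhost rather than at passbolt; the 502 page is nginx's own, so nginx was reached but could not connect to its `proxy_pass` target. The sample responses are constructed from the outputs posted above with placeholder ids; the optional live probe assumes `curl` on the host.

```shell
#!/bin/sh
# Added example (not from the thread or passbolt): attribute a response to the hop
# that produced it. Sample responses are constructed from the outputs posted above.

# Classify a captured response (body plus any curl error text) as one of:
#   cert-mismatch : curl refused the TLS handshake; the cert does not cover the host name
#   not-passbolt  : an Express-style Node app answered, so nginx sent the request to the
#                   wrong upstream or another vhost won the server_name match
#   upstream-down : nginx answered 502 itself; it was reached but the proxy_pass target
#                   did not accept the connection
#   empty-reply   : the backend closed without an HTTP response (e.g. HTTPS expected)
#   other         : inspect by hand
classify_response() {
    case "$1" in
        *"no alternative certificate subject name"*|*"SSL certificate problem"*) echo cert-mismatch ;;
        *"<pre>Cannot GET "*) echo not-passbolt ;;
        *"502 Bad Gateway"*) echo upstream-down ;;
        *"Empty reply from server"*) echo empty-reply ;;
        *) echo other ;;
    esac
}

# Fetch a URL and classify the result. -k skips name verification (as suggested in
# the thread) and stderr is merged so curl's own errors are classified as well.
probe() {
    classify_response "$(curl -sk --max-time 10 "$1" 2>&1)"
}

# Constructed samples mirroring the four symptoms seen in this thread.
SAMPLE_CERT="curl: (60) SSL: no alternative certificate subject name matches target host name 'bolt.domain.com'"
SAMPLE_EXPRESS='<html><head><title>Error</title></head><body><pre>Cannot GET /setup/install/USER-ID-PLACEHOLDER/TOKEN-PLACEHOLDER</pre></body></html>'
SAMPLE_502='<html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>'
SAMPLE_EMPTY='curl: (52) Empty reply from server'

for s in "$SAMPLE_CERT" "$SAMPLE_EXPRESS" "$SAMPLE_502" "$SAMPLE_EMPTY"; do
    classify_response "$s"
done

# Live probe only when a URL is supplied, so the script stays runnable offline:
#   PROBE_URL=https://bolt.domain.com/setup/install/USER-ID/TOKEN sh hopcheck.sh
if [ -n "${PROBE_URL:-}" ]; then
    probe "$PROBE_URL"
fi
```

Probing the vhost URL and the container's mapped port separately (the two curl commands suggested earlier in the thread) and comparing the two verdicts tells you which hop to look at: `not-passbolt` on the vhost but `empty-reply`/`other` on the mapped port means nginx routing, whereas `upstream-down` on the vhost means the container side.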