Local domain with blank page for external access

I’m trying PassBolt and set up a local server for it using Oracle Linux 9 with a self-signed certificate.

The installation went smoothly and I’m able to access the service in my local domain with no issues.
I can enter https://passbolt.my.local.domain and I am able to set up everything.

Then, I opened the service to external access by port forwarding it, but it won’t open anything. The page is redirected, even while using HTTPS, and fails to open. It is just blank.

The Browser (Firefox) reports some content errors.

Also, the csrfToken cookie seems to be available.

The PHP configuration file /etc/passbolt/passbolt.php has the following value:
'fullBaseUrl' => 'https://passbolt.my.local.domain'

I could not find any related error reported at /var/log/php-fpm/error.log or /var/log/nginx/error.log.

And /var/log/nginx/access.log only displays the HTTP redirection.

[public_IP] - - [29/Oct/2022:20:58:17 -0300] "GET / HTTP/2.0" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0" "-"
[public_IP] - - [29/Oct/2022:20:58:18 -0300] "GET /auth/login?redirect=%2F HTTP/2.0" 200 2876 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0" "-"

I’m not sure if it is related, but whenever I access PassBolt locally, it reports the following error at /var/log/passbolt/error.log.

2022-10-30 00:05:20 error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /usr/share/php/passbolt/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: 192.168.7.3

I’ve tried this healthcheck and it returned 2 errors for SSL.

sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" nginx
SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] cURL Error (60) SSL certificate problem: self-signed certificate

Any idea of what’s going on?

Hi @markfree, thanks for providing all that info and welcome to the forum.

One thought is that if you are not forwarding port 443 to your nginx server then you will need to change the url of the site to include the port you are forwarding.

If you are opening up 8080 and forwarding to 443, you need to do https://passbolt.my.local.domain:8080 in your passbolt.php file.

It’s calling for the right files from the browser so that’s good. It’s just not able to get to them. It might be something along these lines.

1 Like

Hi @markfree,

Once you have tried the solution provided by @garrett, if that does not work:

You will receive a “FAIL” in the healthCheck SSL section as you are using a self-signed certificate. You can try to request a Let's Encrypt certificate. That would clear the SSL “FAIL” part.

Could you post your nginx configuration file as I think this might be a similar issue I had on my Apache server.

The solution for it was updating my .htaccess: Passbolt 3 CE - Apache configuration - #13 by farfade

I think your configuration file might be missing the following; the below is an .htaccess equivalent for nginx.

location / {
  ...
  if (!-e $request_filename){
    rewrite ^(.*)$ /index.php break;
  }
  ...
}

You might be missing the above, not too sure. Will have to see your configuration file.

Regards,
Bond

1 Like

Actually, the way I’m forwarding it is this:
[my.domain:<ext port>] >> [<passbolt int IP>:443]

So, that passbolt.my.domain is only for internal access.
For external access, I can only use my.domain:port.

I’ve changed passbolt.php to a few names, but had no luck.

https://passbolt.my.domain
https://passbolt.my.domain:<ext port>
https://my.domain
https://my.domain:<ext port>
https://192.168.7.214
https://192.168.7.214:<ext port>

/etc/nginx/conf.d/passbolt_ssl.conf had the following default configuration.

server {
  listen [::]:443 ssl http2;
  listen 443 ssl http2;
  server_name passbolt.my.domain;
  client_body_buffer_size     100K;
  client_header_buffer_size   1k;
  client_max_body_size        5M;

  client_body_timeout   10;
  client_header_timeout 10;
  keepalive_timeout     5 5;
  send_timeout          10;
  ssl_certificate     /etc/ssl/certs/passbolt_certificate.crt;
  ssl_certificate_key /etc/ssl/certs/passbolt_private.key;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;
  ssl_session_tickets off;

  root /usr/share/php/passbolt/webroot;
  index index.php;

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    try_files                $uri =404;
    include                  fastcgi_params;
    fastcgi_pass             php-fpm;
    fastcgi_index            index.php;
    fastcgi_intercept_errors on;
    fastcgi_split_path_info  ^(.+\.php)(.+)$;
    fastcgi_param            SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param            SERVER_NAME $http_host;
    fastcgi_param PHP_VALUE  "upload_max_filesize=5M \n post_max_size=5M";
  }
}

Only after changing the Nginx and Passbolt configuration was I able to access Passbolt externally.
/etc/nginx/conf.d/passbolt_ssl.conf: server_name my.domain; or server_name _;
/etc/passbolt/passbolt.php: https://my.domain:<ext port>

Now, it is finally accessible externally.

I appreciate all your thoughtful comments. They sure led me to the right configuration.

After changing the settings above, I’ve learned that the internal UI access was a bit broken.
When trying to open the UI’s administration tab, it got blank and failed to open some content, pretty much like the initial browser error.
The same would happen when I tried to input a new user e-mail by clicking the “switch to another account” link.

I commented out the App section from passbolt.php and now there are no more UI errors.

/*
'App' => [
	// A base URL to use for absolute links.
	// The url where the passbolt instance will be reachable to your end users.
	// This information is need to render images in emails for example
	'fullBaseUrl' => 'https://my.domain:<ext port>',
],
*/

I feel this is not the best approach, though.

Now I’m trying to figure out why it is not sending e-mails to new users. :thinking:

Quick question, how does passbolt react to this?
What URLs are being used?

You can check that using “view-source”: is it local.domain or local.domain:port?

Regards,
Bond

It is https://passbolt.my.domain while accessing locally.

Local source
<!doctype html>
<html class="passbolt no-js version launching no-passboltplugin" lang="en">
<head>
    <meta charset="utf-8"/>
    <title>Passbolt | Open source password manager for teams</title>
    <meta name="description" content="Open source password manager for teams">
    <meta name="keywords" content="Passbolt, password manager, online password manager, open source password manager">
    <meta name="robots" content="noindex, nofollow">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="shortcut icon" type="image/x-icon" href="https://passbolt.my.domain/favicon.ico" />
    <link rel="icon" href="https://passbolt.my.domain/favicon_32.png" sizes="32x32" />
    <link rel="icon" href="https://passbolt.my.domain/favicon_57.png" sizes="57x57" />
    <link rel="icon" href="https://passbolt.my.domain/favicon_76.png" sizes="76x76" />
    <link rel="icon" href="https://passbolt.my.domain/favicon_96.png" sizes="96x96" />
    <link rel="icon" href="https://passbolt.my.domain/favicon_128.png" sizes="128x128" />
    <link rel="icon" href="https://passbolt.my.domain/favicon_192.png" sizes="192x192" />
    <link rel="icon" href="https://passbolt.my.domain/favicon_228.png" sizes="228x228" />
    <base href="https://passbolt.my.domain/">
        <script src="https://passbolt.my.domain/js/app/stylesheet.js?v=3.7.3" id="stylesheet-manager" data-file="api_authentication.min.css" cache-version="3.7.3"></script></head>
<body spellcheck="false">
<!-- main -->
<div id="container" class="page ">
</div>
<script src="https://passbolt.my.domain/js/app/api-vendors.js?v=3.7.3" cache-version="3.7.3"></script><script src="https://passbolt.my.domain/js/app/api-triage.js?v=3.7.3" cache-version="3.7.3"></script></body>
</html>

And https://my.domain:<ext port> when accessing externally.

External source
<!doctype html>
<html class="passbolt no-js version launching no-passboltplugin" lang="en">
<head>
    <meta charset="utf-8"/>
    <title>Passbolt | Open source password manager for teams</title>
    <meta name="description" content="Open source password manager for teams">
    <meta name="keywords" content="Passbolt, password manager, online password manager, open source password manager">
    <meta name="robots" content="noindex, nofollow">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="shortcut icon" type="image/x-icon" href="https://my.domain:<ext port>/favicon.ico" />
    <link rel="icon" href="https://my.domain:<ext port>/favicon_32.png" sizes="32x32" />
    <link rel="icon" href="https://my.domain:<ext port>/favicon_57.png" sizes="57x57" />
    <link rel="icon" href="https://my.domain:<ext port>/favicon_76.png" sizes="76x76" />
    <link rel="icon" href="https://my.domain:<ext port>/favicon_96.png" sizes="96x96" />
    <link rel="icon" href="https://my.domain:<ext port>/favicon_128.png" sizes="128x128" />
    <link rel="icon" href="https://my.domain:<ext port>/favicon_192.png" sizes="192x192" />
    <link rel="icon" href="https://my.domain:<ext port>/favicon_228.png" sizes="228x228" />
    <base href="https://my.domain:<ext port>/">
        <script src="https://my.domain:<ext port>/js/app/stylesheet.js?v=3.7.3" id="stylesheet-manager" data-file="api_authentication.min.css" cache-version="3.7.3"></script></head>
<body spellcheck="false">
<!-- main -->
<div id="container" class="page ">
</div>
<script src="https://my.domain:<ext port>/js/app/api-vendors.js?v=3.7.3" cache-version="3.7.3"></script><script src="https://my.domain:<ext port>/js/app/api-triage.js?v=3.7.3" cache-version="3.7.3"></script></body>
</html>

Interesting. :thinking:
I guess you guys know better what implications this could have.
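The two view-source dumps above show the root cause of the blank page: `<base href>` and every script URL are built from fullBaseUrl, so when the browser reaches the server through a different origin (other hostname or port) the UI scripts are requested from an origin it cannot reach. The check below is an added example, not code from this thread or from Passbolt; it parses a served page and lists the asset URLs whose origin differs from the URL the browser actually used (the sample HTML is constructed, and 8443 is an assumed external port).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AssetCollector(HTMLParser):
    """Collects the <base href>, <script src> and <link href> values."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base_href = a["href"]
        elif tag == "script" and a.get("src"):
            self.assets.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.assets.append(a["href"])


def origin(url):
    """Return scheme://host:port with the default port made explicit."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.scheme}://{p.hostname}:{port}"


def find_origin_mismatches(html, accessed_url):
    """Return asset URLs (built by Passbolt from fullBaseUrl) whose origin
    differs from the one the browser used; a non-empty list means the UI
    scripts are requested from an origin the client cannot reach."""
    c = _AssetCollector()
    c.feed(html)
    urls = ([c.base_href] if c.base_href else []) + c.assets
    expected = origin(accessed_url)
    return [u for u in urls if u.startswith("http") and origin(u) != expected]


# Constructed sample: fullBaseUrl still points at the internal name while the
# browser reached the server through my.domain:8443 (8443 is an assumed port).
SAMPLE_HTML = """<html><head><base href="https://passbolt.my.domain/">
<link rel="icon" href="https://passbolt.my.domain/favicon.ico">
<script src="https://passbolt.my.domain/js/app/api-vendors.js?v=3.7.3"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for u in find_origin_mismatches(SAMPLE_HTML, "https://my.domain:8443/"):
        print("asset served from another origin:", u)
```

Feed it the real page source (curl -k the URL you typed in the browser) and an empty result means fullBaseUrl and the access URL agree; anything listed is what the browser is silently failing to load.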

In order to make the experience the same regardless of accessing externally or locally, you could instead port forward the external port (let’s say 8080) back to NGINX port 8080 instead of 443. That way if you use the external port in the URL while accessing the site locally, it should still work because NGINX is listening on that port as well.

listen 8080 instead of listen 443

1 Like

Even though I was able to access PassBolt frontpage outside my network, I was not able to actually access the service.

First, it forces me to use its browser extension.
Second, I had to “recover” my key using my recovery PGP key to log in to my account. That’s quite unusual to me.
If I was really outside my network, I would probably not have that key. But, let’s say I would have it at hand. Then, the connection fails. I mean… Another issue?

When I tried to access from Android, I had to install PassBolt certificate.
Really? Does every user do that?

It seems PassBolt app saves the host name from the initial QR Code when connecting the user for the first time.
So, if I were to connect my user locally, I’d be unable to access it remotely.

PassBolt seems great and secure, but it is just too much of a hassle for me to handle.

Yeah, it’s definitely different than other managers.

This may surprise you, but the extension is the major part of the app in terms of the interface. The data and API are on the backend.

Anytime the extension is installed, your private key is used to establish the extension’s ability to handle the encrypt/decrypt actions. Reference: Passbolt Help | Why do I need a browser extension?

It’s nice you took the time to try it. Security for teams is a big deal, and there are other good managers out there that seek to fit a different need. Check back in anytime - you’re always welcome.