Passbolt CE upgrade to 5.7.2

Checklist
Hi,

Need help with the below.

  1. Upgrade from 5.3.2 to 5.7.2 on Ubuntu 24. Pasted the command output below. Able to update from 5.3.1 to 5.3.2.
  2. Do we need an SSL cert to force HTTPS?
  3. How do I access using DNS instead of IP? Created a DNS entry, updated the same in fullbaseurl with no luck.

tejoury@passbolt-01:~$ sudo systemctl stop nginx
tejoury@passbolt-01:~$ sudo apt update
sudo apt --only-upgrade install passbolt-ce-server
sudo apt upgrade
Hit:1 http://security.ubuntu.com/ubuntu noble-security InRelease
Hit:2 http://sa.archive.ubuntu.com/ubuntu noble InRelease
Hit:3 http://sa.archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:4 http://sa.archive.ubuntu.com/ubuntu noble-backports InRelease
Get:5 https://download.passbolt.com/ce/ubuntu focal InRelease [35.8 kB]
Err:5 https://download.passbolt.com/ce/ubuntu focal InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY DE8B853FC155581D
Fetched 35.8 kB in 1s (37.2 kB/s)
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
1 package can be upgraded. Run ‘apt list --upgradable’ to see it.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://download.passbolt.com/ce/ubuntu focal InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY DE8B853FC155581D
W: Failed to fetch https://download.passbolt.com/ce/ubuntu/dists/focal/InRelease The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY DE8B853FC155581D
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
passbolt-ce-server is already the newest version (5.3.2-1).
The following packages were automatically installed and are no longer required:
libgl1-amber-dri libglapi-mesa libllvm19
Use ‘sudo apt autoremove’ to remove them.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
Calculating upgrade… Done
The following packages were automatically installed and are no longer required:
libgl1-amber-dri libglapi-mesa libllvm19
Use ‘sudo apt autoremove’ to remove them.
Get more security updates through Ubuntu Pro with ‘esm-apps’ enabled:
libzvbi-common libavcodec60 libzvbi0t64 libavutil58 libswresample4
Learn more about Ubuntu Pro at https://ubuntu.com/pro
The following packages have been kept back:
libgl1-amber-dri
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
tejoury@passbolt-01:~$ sudo systemctl start nginx
tejoury@passbolt-01:~$ sudo systemctl stop nginx
tejoury@passbolt-01:~$ sudo apt update
sudo apt --only-upgrade install passbolt-ce-server
sudo apt upgrade
Hit:1 http://sa.archive.ubuntu.com/ubuntu noble InRelease
Hit:2 http://security.ubuntu.com/ubuntu noble-security InRelease
Hit:3 http://sa.archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:4 http://sa.archive.ubuntu.com/ubuntu noble-backports InRelease
Get:5 https://download.passbolt.com/ce/ubuntu focal InRelease [35.8 kB]
Err:5 https://download.passbolt.com/ce/ubuntu focal InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY DE8B853FC155581D
Fetched 35.8 kB in 1s (39.2 kB/s)
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
1 package can be upgraded. Run ‘apt list --upgradable’ to see it.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://download.passbolt.com/ce/ubuntu focal InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY DE8B853FC155581D
W: Failed to fetch https://download.passbolt.com/ce/ubuntu/dists/focal/InRelease The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY DE8B853FC155581D
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
passbolt-ce-server is already the newest version (5.3.2-1).
The following packages were automatically installed and are no longer required:
libgl1-amber-dri libglapi-mesa libllvm19
Use ‘sudo apt autoremove’ to remove them.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
Calculating upgrade… Done
The following packages were automatically installed and are no longer required:
libgl1-amber-dri libglapi-mesa libllvm19
Use ‘sudo apt autoremove’ to remove them.
Get more security updates through Ubuntu Pro with ‘esm-apps’ enabled:
libzvbi-common libavcodec60 libzvbi0t64 libavutil58 libswresample4
Learn more about Ubuntu Pro at https://ubuntu.com/pro
The following packages have been kept back:
libgl1-amber-dri
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
tejoury@passbolt-01:~$ sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake cache clear_all"
Clearing default
Cleared default cache
Clearing cake_translations
Cleared cake_translations cache
Clearing cake_model
Cleared cake_model cache
tejoury@passbolt-01:~$ sudo systemctl start nginx

Thanks,

Sridhar

G’day Sridhar.

Looks like you need the Passbolt public key.

You can get the Public passbolt key without needing to run the dependency script after. Just make sure your repository is using signed-by= in the repository sources.
https://community.passbolt.com/t/no-pubkey-de8b853fc1555-problem-with-installing-passbolt-on-ubuntu-24-04-1-lts/12194/5?u=gyaresu

Let me know if you have any problems.

Cheers
Gareth
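
A quick way to check the signed-by= point above on a server, as an added example that is not part of the original thread or of Passbolt's tooling: it reads apt source files in both the one-line and deb822 styles and reports which entries are pinned to a keyring. The function names and the script name in the last comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag apt source entries that are not pinned to a keyring
# with signed-by. Prints "OK <uri>" or "MISSING <uri>" for each entry.

check_signed_by() {    # $1 = a *.list (one-line) or *.sources (deb822) file
    awk '
        function emit() {            # close the current deb822 stanza
            if (in_stanza) {
                status = signed ? "OK" : "MISSING"
                print status " " uris
            }
            uris = ""; signed = 0; in_stanza = 0
        }
        # One-line style: deb [options] uri suite components
        $1 == "deb" || $1 == "deb-src" {
            uri = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[a-z]+:\/\//) { uri = $i; break }
            status = (tolower($0) ~ /signed-by=/) ? "OK" : "MISSING"
            print status " " uri
            next
        }
        # deb822 style: "Field: value" stanzas separated by blank lines
        tolower($1) == "uris:"      { uris = $2; in_stanza = 1 }
        tolower($1) == "signed-by:" { signed = 1 }
        NF == 0                     { emit() }
        END                         { emit() }
    ' "$1"
}

audit_apt_sources() {  # $1 = apt configuration directory (default /etc/apt)
    dir=${1:-/etc/apt}
    for f in "$dir"/sources.list "$dir"/sources.list.d/*.list \
             "$dir"/sources.list.d/*.sources; do
        [ -f "$f" ] || continue
        check_signed_by "$f" | sed "s|^|$f: |"
    done
}

# Run the audit only when called with a directory, e.g.: sh audit.sh /etc/apt
if [ "$#" -gt 0 ]; then audit_apt_sources "$1"; fi
```

An entry reported as MISSING is verified against whatever keys apt trusts globally rather than against one keyring tied to that repository.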

Thx Gareth, your solution has worked and I am able to upgrade to 5.8 successfully.


Can you advise how to replace the self-signed cert with a public one? I have created a self-signed cert for a POC. Also, I will be using a DNS name instead of the server hostname to access Passbolt. Hope this is fine.

G’day Sridhar.

Debian auto TLS with LetsEncrypt docs:
https://www.passbolt.com/docs/hosting/configure/https/ce/debian-auto/

I also wrote a little introduction page on TLS:
https://www.passbolt.com/docs/hosting/configure/tls/

And my demo repo handles TLS for HTTPS, SMTP, LDAP, and Database authentication though you won’t find that useful unless you want to use enterprise/self-signed certificates:
https://github.com/gyaresu/gareth-passbolt

Let me know if you have any questions.

Cheers
Gareth

Hi Gyaresu,

I want to replace the self-signed cert with a public cert (DigiCert). What is the process?

Hello @chvgms, if you are using DigiCert I believe that you should have a .key and a .crt file, you can follow this documentation to proceed. If you have any issues don’t hesitate to share the steps taken so we can help 🙂

Thanks, I have key.pem. Can I use this to generate a public cert?

Hey Sridhar.

I would recommend the free Let’s Encrypt certificate that’s generated as part of our automatic TLS configuration ^ links above.

However, your question was about generating a public cert from a key.pem file. You can always extract the public key using the openssl tool but you can’t generate a ‘signed’ certificate from the pem file. A signed certificate is created by DigiCert (or other public Certificate Authorities) when they sign your CSR (Certificate Signing Request). The signed file is what’s required to be installed in your web server.

So any derived public cert will only be useful for a self-signed installation.

If you’re following some documentation, you’re welcome to post the steps you’ve taken and which part you’re stuck on.
i.e. https://knowledge.digicert.com/tutorials/create-pem-file-for-tls-ssl-certificate-installations

Cheers
Gareth
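
The CSR flow described above, as an added example that is not part of the original thread: it builds a CSR from an existing key.pem, then checks that a certificate carries the same public key as the private key it will be installed with, and whether its subject equals its issuer. The function names are assumptions made for this example, and the subject-equals-issuer comparison is a heuristic for "self-signed", not a signature verification.

```shell
#!/bin/sh
# Added example: build a CSR from an existing private key and check which
# key, CSR and certificate files belong together before installing them.

spki_fp() {   # $1 = key|csr|cert, $2 = PEM file; prints SHA-256 of the public key
    case "$1" in key|csr|cert) ;; *) echo "unknown kind: $1" >&2; return 2 ;; esac
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER ;;
        csr)  openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        cert) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    esac | openssl dgst -sha256 | awk '{ print $NF }'
}

make_csr() {  # $1 = existing private key, $2 = DNS name, $3 = CSR output file
    # No -x509 here: the output is a request for the CA to sign, not a certificate.
    openssl req -new -key "$1" -subj "/CN=$2" \
        -addext "subjectAltName = DNS:$2" -out "$3"
}

cert_matches_key() {  # $1 = certificate, $2 = private key
    [ "$(spki_fp cert "$1")" = "$(spki_fp key "$2")" ]
}

is_self_signed() {    # $1 = certificate; true when subject equals issuer
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}
```

A certificate returned by a CA only works with the private key whose CSR was signed, so `cert_matches_key` is worth running on any certificate and key pair before the web server is pointed at them.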

I used the below for the self-signed cert, and changed parameters as per my requirement. This has generated key.pem and cert.pem, which I used for HTTPS. Can I use the same command for the CSR also for the public cert, or can I use the already generated cert.pem? Also, my team says we got a public cert with a *.company.com wildcard. How do I use this for HTTPS?

openssl req -x509 \
-newkey rsa:4096 \
-days 120 \
-subj "/C=LU/ST=Luxembourg/L=Esch-Sur-Alzette/O=Passbolt SA/OU=Passbolt IT Team/CN=passbolt.domain.tld/" \
-nodes \
-addext "subjectAltName = DNS:passbolt.domain.tld" \
-keyout key.pem \
-out cert.pem

Happy new year Sridhar.

Your questions show that you’re not familiar with how the certificate signing requests work. If you have specific technical questions I will try and help but you will need to do some reading and research as your questions are a little broad right now which leads to an answer of “it depends”.

As long as you are using a *.company.com domain to host passbolt then that certificate should work. You can use the link Anto shared for reconfiguring Nginx and point to your new self-signed cert.

Or maybe you don’t want to use your company domain wildcard cert and want to create your own?
https://knowledge.digicert.com/tutorials/how-to-create-a-csr-using-openssl-and-install-your-ssl-certificate-on-a-nginx-server

Or maybe you want to use a completely different public domain, then I’d suggest Let’s Encrypt.

So yeah, “it depends”.

Chat soon
Gareth