Passbolt SSL configuration problem

Hello,

I want to use self-signed SSL certificates and followed the SSL configuration tutorial on this page: https://help.passbolt.com/configure/https/ce/debian/manual.html

For some reason it doesn’t work properly and gives me 3 errors, which you can see in the health check below.

I already changed my full base URL in /etc/passbolt/passbolt.php and tried to configure nginx manually by adding the following lines to /etc/nginx/sites-available/nginx-passbolt.conf:

server {
  listen 8080 ssl;
  ssl_certificate /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;
}

Furthermore I updated my openssl to the latest version.

I’d be very grateful if you could help me because I don’t know anymore how to fix the issue.

Regards
Justin

Health check log

 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.31-1~deb10u1.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://192.168.10.34:8080
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in config/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1408F10B:SSL routines:ssl3_get_record:wrong version number
fopen(): Failed to enable crypto
fopen(https://192.168.10.34:8080/healthcheck/status.json): failed to open stream: operation failed

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (3.4.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 3 error(s) found. Hang in there!

My system
System: Raspberry Pi 4
OS: Raspbian 10
Web Server: Nginx 1.14.2
PHP v.: 7.3.31-1~deb10u1
Passbolt v.: 3.4.0

Hi @justinbernard :wave:

I assume you are using passbolt debian package. If yes, in /etc/nginx/sites-enabled/nginx-passbolt.conf, you will find this line:

(...)
  # Managed by Passbolt
  include /etc/nginx/snippets/passbolt-ssl.conf;
(...)

The /etc/nginx/snippets/passbolt-ssl.conf configuration file handles the passbolt SSL configuration. So maybe you have some duplicate config?

Cheers,


Hello @AnatomicJC,

that was exactly the problem. I changed the port and pointed to my .crt and .key files in the included config and now it works perfectly. Also I changed one line in /etc/nginx/sites-enabled/nginx-passbolt.conf to listen [port] ssl;.

Thank you very much!

Regards
Justin

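The mismatch resolved in this thread, as an added example (not code from the thread or from passbolt): `wrong version number` is what OpenSSL reports when the port answers with something other than TLS, such as plain HTTP. This Python check reads an `nginx -T` dump and tests whether the port in App.fullBaseUrl is served with `ssl`; the sample dump is constructed, and the contents of the included snippet are an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the format printed by `nginx -T`; not the poster's real files.
# Assumption: the site file still has a plain listener on the port used in App.fullBaseUrl.
SAMPLE_DUMP = """\
# configuration file /etc/nginx/sites-enabled/nginx-passbolt.conf:
server {
  listen 8080;
  include /etc/nginx/snippets/passbolt-ssl.conf;
}
# configuration file /etc/nginx/snippets/passbolt-ssl.conf:
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
"""

FILE_RE = re.compile(r"# configuration file (\S+):\s*$")
LISTEN_RE = re.compile(r"\s*listen\s+([^;#]+);")

def listen_directives(dump):
    """Return (file, port, has_ssl) for each active TCP listen directive."""
    found, current = [], "<unknown>"
    for line in dump.splitlines():
        header = FILE_RE.match(line)
        if header:
            current = header.group(1)
        listen = LISTEN_RE.match(line)       # commented-out lines do not match
        if not listen or listen.group(1).startswith("unix:"):
            continue
        args = listen.group(1).split()
        tail = args[0].rsplit(":", 1)[-1]    # "8080", "[::]:8080", "10.0.0.1:8080"
        port = int(tail) if tail.isdigit() else 80   # address only: nginx uses port 80
        found.append((current, port, "ssl" in args[1:]))
    return found

def audit(dump, full_base_url):
    """Compare the scheme in App.fullBaseUrl with how nginx serves that port."""
    url = urlsplit(full_base_url)
    wants_tls = url.scheme == "https"
    port = url.port or (443 if wants_tls else 80)
    hits = [d for d in listen_directives(dump) if d[1] == port]
    files = sorted({name for name, _, _ in hits})
    modes = {has_ssl for _, _, has_ssl in hits}
    if not hits:
        return ("missing", files)            # nothing listens on that port
    if len(modes) == 2:
        return ("mixed", files)              # same port declared with and without ssl
    return ("ok" if modes == {wants_tls} else "mismatch", files)

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP, "https://192.168.10.34:8080"))
```

On a live host, pass the output of `nginx -T` in place of the sample dump.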