Problems with SSL certificate (newbie question?)

Hi everybody,

first a short heads-up - I am somewhat of a newbie and can't really wrap my head around how to solve the problem I am receiving. So googling stuff with ssl is like a rabbit hole, I don't know what's important and what's not. It all went smooth for 2 months and then suddenly I could not login anymore. I thought maybe the ssl cert needed to be renewed, but that was not the case. The ssl cert was auto set-up with Let's Encrypt and it said there is no need to renew yet. After that I tried to update my instance and when I want to restart nginx it throws some errors. Also the health-check is throwing errors now. I got the feeling this is kind of an easy problem, but as I said, I am a newbie on the terminal… :frowning:

nginx error log:

022/07/04 08:18:51 [emerg] 693#693: cannot load certificate "/etc/nginx/_NGINX_CERT_FILE_": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/_NGINX_CERT_FILE_','r') error:2006D080:BIO routines:BIO_new_file:no such file)

health-check log:

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell        
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.30.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://mypassbolt.site
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in config/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] cURL Error (7) Failed connect to mypassbolt.site:443; Connection refused

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.6.0).
 [FAIL] Passbolt is not configured to force SSL use.
 [HELP] Set passbolt.ssl.force to true in config/passbolt.php.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 4 error(s) found. Hang in there!

I am running a small VLinux with CentOS 7 64bit, 1 vCPU and 2 GB of RAM.

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
[?] I describe the steps on how to reproduce the issue

Hi @SgtFuturess :wave:,

Did you install passbolt on your CentOS 7 with our RPM package or with installation scripts ?

If you are using our RPM package, you should be able to reconfigure the nginx part with /usr/local/bin/passbolt-configure script, as described here: Passbolt Help | How to configure HTTPS with RPM package

Reply no to mariadb questions, as there is no need to create the DB as it already exists, but you can reconfigure the nginx part.

Let me know if you have further questions.

Best regards,

Hey @_jc

thanks for replying :slight_smile:
I installed passbolt as described here: Passbolt Help | Install Passbolt CE on CentOS 7

Setting up again leads to the following output:

===================
Setting up nginx...
===================
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.

when I run systemctl status… it gives me the following:

● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mo 2022-07-04 13:13:23 UTC; 2min 8s ago
  Process: 9106 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=1/FAILURE)
  Process: 9104 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)

Jul 04 13:13:23 h2974653.stratoserver.net systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jul 04 13:13:23 h2974653.stratoserver.net nginx[9106]: nginx: [emerg] cannot load certificate "/etc/nginx/_NGINX_CERT_FILE_": BIO_new_file() failed ...ch file)
Jul 04 13:13:23 h2974653.stratoserver.net nginx[9106]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jul 04 13:13:23 h2974653.stratoserver.net systemd[1]: nginx.service: control process exited, code=exited status=1
Jul 04 13:13:23 h2974653.stratoserver.net systemd[1]: Failed to start The nginx HTTP and reverse proxy server.
Jul 04 13:13:23 h2974653.stratoserver.net systemd[1]: Unit nginx.service entered failed state.
Jul 04 13:13:23 h2974653.stratoserver.net systemd[1]: nginx.service failed.

and when I run journal:

Jul 04 13:16:24 h2974653.stratoserver.net sshd[9211]: pam_unix(sshd:auth): check pass; user unknown
Jul 04 13:16:24 h2974653.stratoserver.net sshd[9211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.128.253.135
Jul 04 13:16:26 h2974653.stratoserver.net sshd[9211]: Failed password for invalid user abhishek from 43.128.253.135 port 59602 ssh2
Jul 04 13:16:26 h2974653.stratoserver.net sshd[9213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.154.231.198  user=root
Jul 04 13:16:26 h2974653.stratoserver.net sshd[9211]: Received disconnect from 43.128.253.135 port 59602:11: Bye Bye [preauth]
Jul 04 13:16:26 h2974653.stratoserver.net sshd[9211]: Disconnected from 43.128.253.135 port 59602 [preauth]
Jul 04 13:16:28 h2974653.stratoserver.net sshd[9213]: Failed password for root from 43.154.231.198 port 33522 ssh2
Jul 04 13:16:28 h2974653.stratoserver.net sshd[9213]: Received disconnect from 43.154.231.198 port 33522:11: Bye Bye [preauth]
Jul 04 13:16:28 h2974653.stratoserver.net sshd[9213]: Disconnected from 43.154.231.198 port 33522 [preauth]
Jul 04 13:16:47 h2974653.stratoserver.net sshd[9215]: Invalid user siva from 131.0.247.10 port 60852
Jul 04 13:16:47 h2974653.stratoserver.net sshd[9215]: input_userauth_request: invalid user siva [preauth]
Jul 04 13:16:47 h2974653.stratoserver.net sshd[9215]: pam_unix(sshd:auth): check pass; user unknown
Jul 04 13:16:47 h2974653.stratoserver.net sshd[9215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=131.0.247.10.core3.com.br
Jul 04 13:16:49 h2974653.stratoserver.net sshd[9215]: Failed password for invalid user siva from 131.0.247.10 port 60852 ssh2
Jul 04 13:16:49 h2974653.stratoserver.net sshd[9215]: Received disconnect from 131.0.247.10 port 60852:11: Bye Bye [preauth]
Jul 04 13:16:49 h2974653.stratoserver.net sshd[9215]: Disconnected from 131.0.247.10 port 60852 [preauth]
Jul 04 13:17:01 h2974653.stratoserver.net systemd[1]: Started Session 1050528 of user root.
-- Subject: Unit session-1050528.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit session-1050528.scope has finished starting up.
-- 
-- The start-up result is done.
Jul 04 13:17:01 h2974653.stratoserver.net CROND[9218]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron)
Jul 04 13:17:01 h2974653.stratoserver.net su[9218]: (to nginx) root on none
Jul 04 13:17:01 h2974653.stratoserver.net su[9218]: pam_unix(su:session): session opened for user nginx by (uid=0)
Jul 04 13:17:01 h2974653.stratoserver.net su[9218]: pam_unix(su:session): session closed for user nginx
Jul 04 13:17:08 h2974653.stratoserver.net sshd[9238]: reverse mapping checking getaddrinfo for 131-17-17-134-cloud.mts.by [134.17.17.131] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 04 13:17:08 h2974653.stratoserver.net sshd[9238]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=134.17.17.131  user=root

Seems there is something wrong with the config file? But I don't know what to change there, to make it work…

Hi,

Your error is here:

You first have to fix your nginx configuration, otherwise the passbolt-configure script won’t work. You can try first to delete /etc/nginx/conf.d/passbolt-ssl.conf then restart nginx.
Nginx should run without error, you will then be able to run the passbolt-configure script again and retry to configure the SSL part with Let’s Encrypt.

On my side, I will spin a CentOS 7 VM and do the same, to check if there is any error.

I will keep you posted.

Best,

Deleted the passbolt-ssl.conf file and tried to restart nginx. Still giving me the errors mentioned above :frowning:

I just created a CentOS VM and configured passbolt with Let’s encrypt.

Can you give me the output of these commands ?

sudo nginx -t
sudo ls -alh /etc/nginx/conf.d
sudo grep -rn _NGINX_CERT_FILE_ /etc/nginx/
sudo ls -alh /etc/ssl/certs/passbolt_*

Thanks,

sudo nginx -t gives

nginx: [emerg] cannot load certificate "/etc/pki/nginx/server.crt": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/pki/nginx/server.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

sudo ls -alh /etc/nginx/conf.d gives

insgesamt 24K
drwxr-xr-x 2 root root 4,0K  4. Jul 13:33 .
drwxr-xr-x 4 root root 4,0K  4. Jul 08:11 ..
-rw-r--r-- 1 root root 4,2K  4. Jul 13:33 install.log
-rw-r--r-- 1 root root  893  4. Jul 13:33 passbolt.conf
-rw-r--r-- 1 root root  136 26. Mai 20:06 php-fpm.conf

sudo grep -rn _NGINX_CERT_FILE_ /etc/nginx/

gives nothing

and sudo ls -alh /etc/ssl/certs/passbolt_* gives

lrwxrwxrwx 1 root root 46 29. Mai 14:02 /etc/ssl/certs/passbolt_certificate.crt -> /etc/letsencrypt/live/mypassbolt.site/cert.pem
lrwxrwxrwx 1 root root 49 29. Mai 14:02 /etc/ssl/certs/passbolt_private.key -> /etc/letsencrypt/live/mypassbolt.site/privkey.pem

Hi,

the error message has changed:

nginx searches for this certificate: /etc/pki/nginx/server.crt so you should now search where it is defined: sudo grep -rn "/etc/pki/nginx/server.crt" /etc/nginx/

Cheers,

I found some swap files with the same name and deleted these ones.

sudo grep -rn "/etc/pki/nginx/server.crt" /etc/nginx/

gives me then

/etc/nginx/nginx.conf:64:        ssl_certificate "/etc/pki/nginx/server.crt";

so I would assume this command gives me the path where the file is? But when I tried to cd to there, there is no nginx in pki. Nginx is right after /etc for me. But here is no server.crt. Sry, but now I am confused :frowning:

Hi,

This command searches for the /etc/pki/nginx/server.crt pattern in the /etc/nginx folder.

You got this output:

It seems you (or any other admin on this machine) defined an ssl_certificate directive in the /etc/nginx/nginx.conf file on line 64.

Maybe it is an old config of a not-used-anymore service ? You can try to comment this line (you may have a ssl_certificate_key directive too) and re-run the sudo nginx -t command to check if there is no more error.

If no error, you can restart nginx.

Let us know how it goes.

Best,

Solved the ssl error with nginx. Thank you :smiley:
But now it seems I am off to where I started after restarting nginx and doing the configuration step. The healthcheck shell outputs as follows:

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell        
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.30.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://mypassbolt.site
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in config/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] cURL Error (7) Failed connect to mypassbolt.site:443; Connection refused

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.6.0).
 [FAIL] Passbolt is not configured to force SSL use.
 [HELP] Set passbolt.ssl.force to true in config/passbolt.php.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 4 error(s) found. Hang in there!

and status nginx.service outputs:

nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) (Result: exit-code) since Mo 2022-07-04 15:12:49 UTC; 10min ago
  Process: 14512 ExecReload=/usr/sbin/nginx -s reload (code=exited, status=1/FAILURE)
  Process: 14054 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 14053 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 14051 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 14056 (nginx)
   CGroup: /system.slice/nginx.service
           ├─14056 nginx: master process /usr/sbin/nginx
           └─14059 nginx: worker process

Jul 04 15:12:46 h2974653.stratoserver.net systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jul 04 15:12:49 h2974653.stratoserver.net nginx[14053]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jul 04 15:12:49 h2974653.stratoserver.net nginx[14053]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jul 04 15:12:49 h2974653.stratoserver.net systemd[1]: Started The nginx HTTP and reverse proxy server.
Jul 04 15:23:05 h2974653.stratoserver.net systemd[1]: Reloading The nginx HTTP and reverse proxy server.
Jul 04 15:23:08 h2974653.stratoserver.net systemd[1]: nginx.service: control process exited, code=exited status=1
Jul 04 15:23:11 h2974653.stratoserver.net nginx[14512]: nginx: [emerg] cannot load certificate "/etc/nginx/_NGINX_CERT_FILE_": BIO_new_file() ...h file)
Jul 04 15:23:08 h2974653.stratoserver.net systemd[1]: Reload failed for The nginx HTTP and reverse proxy server.

At least it is running now. But it still can't load the certificate?

Did you run the passbolt-configure script to reconfigure the nginx part with let’s encrypt ?

Cheers,

yes I did and after running

sudo systemctl reload nginx

it outputs

Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.

and when running systemctl status nginx.service it outputs the error messages mentioned in my last post :frowning:

Hi,

The same error message ? You still have this output:

Or this one ?

Cheers,

Hi again,

I was able to reproduce your issue:

$ sudo nginx -t
nginx: [emerg] cannot load certificate "/etc/nginx/_NGINX_CERT_FILE_": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/_NGINX_CERT_FILE_','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

I will investigate and let you know.

Best,

Hi,

My virtual machine was not reachable from the internet, which is mandatory to get a Let’s Encrypt certificate, that’s why the /etc/nginx/conf.d/passbolt_ssl.conf got /etc/nginx/_NGINX_CERT_FILE_.

After some tests, I deleted these files:

  • /etc/nginx/conf.d/passbolt_ssl.conf as it is recreated by passbolt-configure script
  • /etc/letsencrypt folder as it is recreated during the Let’s Encrypt process
  • /etc/ssl/certs/passbolt_certificate.crt as it is a symbolic link to Let’s Encrypt certificate and will be regenerated during the Let’s Encrypt process
  • /etc/ssl/certs/passbolt_private.key as it is a symbolic link to Let’s Encrypt key and will be regenerated during the Let’s Encrypt process

After the file deletion and a restart of nginx, I was able to successfully regenerate Let’s Encrypt certificates with passbolt-configure script.

The passbolt-configure script creates an install.log file in the path where you are running it. If you still have errors, can you post this file here ?

Best,
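
The checks walked through in this thread (find every ssl_certificate directive, see whether the file it names exists, spot a leftover _NGINX_CERT_FILE_ token or a symlink whose Let's Encrypt target is gone) can be run in one pass. This is an added example, not part of the original posts and not passbolt's own tooling; the function names and the sample config tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the certificate paths an nginx config tree points at.
LC_ALL=C; export LC_ALL

# audit_nginx_certs CONF_DIR   (CONF_DIR would be /etc/nginx on the server)
# One line per active ssl_certificate / ssl_certificate_key directive:
#   STATUS<TAB>file:line<TAB>directive<TAB>resolved-path
# STATUS is OK, MISSING, DANGLING (symlink whose target is gone) or
# PLACEHOLDER (unsubstituted template token such as _NGINX_CERT_FILE_).
# Assumes one directive per line. Returns 0 only if every directive is OK.
audit_nginx_certs() {
    conf_dir=$1; rc=0
    hits=$(grep -rnE '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$conf_dir" 2>/dev/null) || true
    while IFS= read -r hit; do
        [ -n "$hit" ] || continue
        file=${hit%%:*}; rest=${hit#*:}
        lineno=${rest%%:*}; text=${rest#*:}
        directive=$(printf '%s\n' "$text" | awk '{print $1}')
        path=$(printf '%s\n' "$text" | awk '{print $2}' | tr -d "\"';")
        case $path in
            /*) full=$path ;;
            *)  full=$conf_dir/$path ;;  # relative paths resolve under the config dir
        esac
        base=${full##*/}
        case $base in
            *[!A-Z0-9_]*) status= ;;
            _?*_)         status=PLACEHOLDER ;;
            *)            status= ;;
        esac
        if [ -z "$status" ]; then
            if [ -L "$full" ] && [ ! -e "$full" ]; then status=DANGLING
            elif [ ! -f "$full" ]; then status=MISSING
            else status=OK
            fi
        fi
        [ "$status" = OK ] || rc=1
        printf '%s\t%s:%s\t%s\t%s\n' "$status" "$file" "$lineno" "$directive" "$full"
    done <<EOF
$hits
EOF
    return $rc
}

# Constructed sample tree reproducing the three failure states from the thread
# plus one healthy entry. Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d" "$d/certs"
    : > "$d/certs/good.crt"
    ln -s "$d/letsencrypt/live/example.test/privkey.pem" "$d/certs/passbolt_private.key"
    cat > "$d/nginx.conf" <<EOF
http {
    server {
        ssl_certificate "$d/pki/nginx/server.crt";
        # ssl_certificate_key "$d/pki/nginx/server.key";
    }
}
EOF
    cat > "$d/conf.d/passbolt_ssl.conf" <<EOF
server {
    ssl_certificate     _NGINX_CERT_FILE_;
    ssl_certificate_key $d/certs/passbolt_private.key;
}
EOF
    printf 'ssl_certificate %s;\n' "$d/certs/good.crt" > "$d/conf.d/ok.conf"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
audit_nginx_certs "$tree" || echo "=> fix the entries above, then re-run: nginx -t"
rm -rf "$tree"
```

Commented-out directives are skipped, so a line disabled with # in nginx.conf no longer shows up in the report.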

Hey @_jc

Wow, it worked thank you so much :smiley:
Never thought deleting everything and redoing would be the answer. But to be honest without you I would not even know what I needed to delete. So really thank you again.


You’re welcome :hugs:

Don’t hesitate to come back if you have other questions or to give feedback :slight_smile:

Best,
