I have read intro post.
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue
OS: Ubuntu Server 22.04.3 LTS
Web & Database Server: Docker Compose V1.29.2
Passbolt Version: 4.3.0
Traefik Version: 2.10.5
This post is an information post for those struggling with setting up Passbolt with SSL using Traefik at a different HTTPS port.
I had the exact same issue and spent many hours tinkering around with different port and port forward configurations and feel having a post like this can save a newbie a heck of a lot of time. I too may learn something from any other contributors!
As a general setup guide, I followed along with NetworkChuck’s YouTube tutorial “stop giving your passwords to hackers”. He covers what is written in the Docker Passbolt Installation guide as well as setting up Let’s Encrypt with Traefik.
Things You Need to Know
- SSL with Let’s Encrypt requires HTTP port 80 for certificate issuance and renewals (the HTTP-01 challenge). You have to leave this open and make sure it is port forwarded on your router. You cannot change the HTTP port to anything other than port 80 in your ‘docker-compose.yaml’ or ‘traefik.yaml’ files. Without port 80 the HTTP-01 challenge will not work; if you cannot expose port 80, look into the Let’s Encrypt ‘DNS-01’ challenge instead.
> How to Change Your Passbolt Port
Please ensure you have both your docker-compose and Traefik files set up already, so that we can make the tweaks below.
STEP ONE: Your Docker Compose File
- Open your docker-compose file to edit
- Under ‘environment’, your APP_FULL_BASE_URL must begin with ‘https://’, followed by the domain/sub-domain that you wish to use, then the port separator ‘:’ followed by your desired HTTPS port, e.g. 4343. This should look something like this:
- Ensure your default Passbolt ports are commented out or removed, as Traefik will now handle these.

```yaml
services:
  ...
  passbolt:
    ...
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    #ports:
    #  - 80:80
    #  - 443:443
```
- To reassure you: where you list your labels, you do not need to specify the port in the Host rules, e.g.:

```yaml
labels:
  traefik.enable: "true"
  traefik.http.routers.passbolt-http.entrypoints: "web"
  traefik.http.routers.passbolt-http.rule: "Host(`passbolt.example.com`)" # keep domain the same without port.
  traefik.http.routers.passbolt-http.middlewares: "SslHeader@file"
  traefik.http.routers.passbolt-https.middlewares: "SslHeader@file"
  traefik.http.routers.passbolt-https.entrypoints: "websecure"
  traefik.http.routers.passbolt-https.rule: "Host(`passbolt.example.com`)" # keep domain the same without port.
  traefik.http.routers.passbolt-https.tls: "true"
  traefik.http.routers.passbolt-https.tls.certresolver: "letsencrypt"
```
- Under ‘traefik’ set your ports (please read the ‘#’ comments):

```yaml
traefik:
  image: traefik:2.10.5
  restart: always
  ports:
    - 80:80     # Your HTTP port has to stay as port 80, otherwise this will not work with Let's Encrypt.
    - 4343:4343 # This is your HTTPS port. You can change this to your desired port, ensuring it is the same as the port specified in your APP_FULL_BASE_URL.
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - ./traefik.yaml:/traefik.yaml:ro
    - ./conf/:/etc/traefik/conf
    - ./shared/:/shared
```
- Save and exit your docker-compose file: CTRL + X, Y, ENTER.
STEP TWO: Your Traefik File
- Open your Traefik file
- Looking under ‘entryPoints’ you’ll see the ports that Traefik uses with Let’s Encrypt for performing the handshake. By default, this will be `address: ':80'` under web and `address: ':443'` under websecure.
- Keeping the HTTP port as port 80, you can change the websecure port to your desired port, looking something like this (because the redirect targets the websecure entryPoint by name rather than a hard-coded port, HTTP requests will be redirected to your new HTTPS port automatically):

```yaml
entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ':4343' # Only change this.
```
- Save and exit your Traefik file: CTRL + X, Y, ENTER.
Finally, ensure that you recreate your containers so the new configuration is picked up (the original command was missing the `up` subcommand):

```
docker-compose -f docker-compose.yaml up -d
```
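The mistake that costs the most time with this setup is the HTTPS port disagreeing between the three places it appears: APP_FULL_BASE_URL, the traefik service's port mapping, and the websecure entryPoint. The script below is an added pre-flight check, not part of the original post nor of Passbolt or Traefik, that pulls the port out of each file and refuses to say OK unless they agree and port 80 is still published for the HTTP-01 challenge. It assumes the map-style `environment:` used in this post (`KEY: value`; `- KEY=value` is also accepted), port mappings written as `- HOST:CONTAINER` without an IP prefix, and the file names `docker-compose.yaml` and `traefik.yaml`; the two sample files it creates at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight consistency check for running Passbolt behind Traefik on a
# non-standard HTTPS port. The port must agree in three places, and port 80
# must still be published for the Let's Encrypt HTTP-01 challenge:
#   1. the port in APP_FULL_BASE_URL             (docker-compose.yaml)
#   2. the host side of the traefik port mapping  (docker-compose.yaml)
#   3. the websecure entryPoint address           (traefik.yaml)
# Assumptions: map-style "environment:" as in the post (or "- KEY=value"),
# mappings written as "- HOST:CONTAINER" with no IP prefix.
set -eu

# Port in APP_FULL_BASE_URL, e.g. https://passbolt.example.com:4343 -> 4343.
# No explicit port means 443. Fails if the URL is missing or not https://.
base_url_port() {
  url=$(sed -n 's|^[[:space:]]*-\{0,1\}[[:space:]]*APP_FULL_BASE_URL[:=][[:space:]]*"\{0,1\}\(https://[^"[:space:]]*\).*|\1|p' "$1" | head -n 1)
  [ -n "$url" ] || { echo "ERROR: no https:// APP_FULL_BASE_URL found in $1" >&2; return 1; }
  hostport=${url#https://}
  hostport=${hostport%%/*}
  case "$hostport" in
    *:*) echo "${hostport##*:}" ;;
    *)   echo 443 ;;
  esac
}

# Host ports published in the compose file: every uncommented "- HOST:CONTAINER" line.
# The commented-out passbolt ports ("#  - 80:80") are ignored because they no longer start with "-".
published_host_ports() {
  sed -n 's|^[[:space:]]*-[[:space:]]*"\{0,1\}\([0-9]\{1,5\}\):[0-9]\{1,5\}"\{0,1\}.*|\1|p' "$1"
}

# Port in the websecure entryPoint address, e.g. address: ':4343' -> 4343.
websecure_port() {
  awk '
    /^[[:space:]]*websecure:/ { in_ws = 1; next }
    in_ws && /address:/ { gsub(/[^0-9]/, "", $2); print $2; exit }
  ' "$1"
}

# Returns 0 when the HTTPS port is consistent and port 80 is published, 1 otherwise.
check_ports() {
  local compose="$1" traefik="$2" url_port ws_port published ok=0
  url_port=$(base_url_port "$compose") || return 1
  ws_port=$(websecure_port "$traefik")
  published=$(published_host_ports "$compose")
  if [ "$url_port" != "$ws_port" ]; then
    echo "MISMATCH: APP_FULL_BASE_URL uses port $url_port but websecure entryPoint is ':$ws_port'" >&2; ok=1
  fi
  if ! printf '%s\n' "$published" | grep -qx "$url_port"; then
    echo "MISSING: no '- $url_port:...' mapping under traefik in $compose" >&2; ok=1
  fi
  if ! printf '%s\n' "$published" | grep -qx 80; then
    echo "MISSING: port 80 is not published; HTTP-01 renewals will fail" >&2; ok=1
  fi
  [ "$ok" -eq 0 ] && echo "OK: HTTPS port $url_port agrees in compose and traefik, port 80 published"
  return "$ok"
}

# --- Constructed sample files for the demonstration (not real deployment files) ---
WORKDIR=$(mktemp -d)
cat >"$WORKDIR/docker-compose.yaml" <<'EOF'
services:
  passbolt:
    environment:
      APP_FULL_BASE_URL: "https://passbolt.example.com:4343"
    #ports:
    #  - 80:80
    #  - 443:443
  traefik:
    image: traefik:2.10.5
    ports:
      - 80:80
      - 4343:4343
EOF
cat >"$WORKDIR/traefik.yaml" <<'EOF'
entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ':4343'
EOF
# A deliberately inconsistent copy: the base URL says 4443 while Traefik still listens on 4343.
sed 's|example.com:4343|example.com:4443|' "$WORKDIR/docker-compose.yaml" >"$WORKDIR/docker-compose-bad.yaml"
COMPOSE_GOOD=$WORKDIR/docker-compose.yaml
COMPOSE_BAD=$WORKDIR/docker-compose-bad.yaml
TRAEFIK=$WORKDIR/traefik.yaml

check_ports "$COMPOSE_GOOD" "$TRAEFIK" || true   # prints OK
check_ports "$COMPOSE_BAD" "$TRAEFIK" || true    # prints MISMATCH and MISSING
```

Against a real deployment, run `check_ports docker-compose.yaml traefik.yaml` from the directory holding both files before `docker-compose ... up -d`; a non-zero exit means one of the three ports, or the port 80 mapping, needs fixing first.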
Port forwarding Reminder
Don’t forget to forward port 80 and your chosen HTTPS port on your router to your server’s internal IP.
While I am not 100% sure, as long as an application is not constantly using port 80, you can have other web apps infrequently using the port to perform other HTTP certificate renewals. For example, an app on HTTPS port 4343 and another on 4443 can both share port 80 provided they don’t use it at the same time.
Still Have Issues?
- Check your Docker Compose logs for Traefik with:

```
docker-compose -f docker-compose.yaml logs -f traefik
```
- One other thing I also tried, but cannot confirm if it really did help, is I set up Certbot. You’ll want to use the drop-downs at the top of the page to select your system information for the correct guide; I chose ‘My HTTP website is running other on Ubuntu 20’. The setup within the CLI went well for me. Just bear in mind that if you do actually choose to use this method, Certbot creates two standalone files, the certificate and the key, and it will give you the location of these for you to manually transfer to your Passbolt configuration/folder. Find out more by Googling: ‘passbolt manual https’
I apologise for the lack of URLs, I’m a new user and only get 2!
Happy passbolting and best of luck!