Checklist
- I have read the intro post.
- I have read the tutorials and help, and searched for similar issues.
- I provide relevant information about my server (component names and versions, etc.).
- I describe the steps I have taken to troubleshoot the problem.
- I describe the steps on how to reproduce the issue.
System Information
OS: Ubuntu Server 22.04.3 LTS
Web & Database Server: Docker Compose V1.29.2
Passbolt Version: 4.3.0
Traefik Version: 2.10.5
Introduction
This post is an information post for those struggling with setting up Passbolt with SSL using Traefik at a different HTTPS port.
I had the exact same issue and spent many hours tinkering around with different port and port forward configurations, and feel that having a post like this can save a newbie a heck of a lot of time. I too may learn something from any other contributors!
Guide Prerequisites
As a general setup guide, I followed along with NetworkChuck's YouTube tutorial "stop giving your passwords to hackers". He covers what is written in the Docker Passbolt Installation guide as well as setting up Let's Encrypt with Traefik.
Things You Need to Know
- SSL with Let's Encrypt requires HTTP port 80 to perform certificate renewals. You have to leave this open (ensure it is port forwarded on your router). You cannot change the HTTP port to anything other than port 80 in your `docker-compose.yaml` or `traefik.yaml` files. Without port 80, this certificate challenge method (HTTP-01) will not work; look instead at Let's Encrypt's DNS-01 challenge.
How to Change Your Passbolt Port
Please ensure you have both your docker-compose and traefik files set up so that we can make the tweaks below.
STEP ONE: Your Docker Compose File
- Open your docker-compose file to edit:
```shell
nano docker-compose.yaml
```
- Under `environment`, your `APP_FULL_BASE_URL` must begin with `https://`, followed by the domain/sub-domain you wish to use, then the port separator `:` followed by your desired HTTPS port, e.g. 4343. It should look something like this:
```yaml
APP_FULL_BASE_URL: https://passbolt.example.com:4343
```
- Ensure your default Passbolt ports are commented out or removed, as Traefik will now handle these:
```yaml
services:
  ...
  passbolt:
    ...
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    #ports:
    #  - 80:80
    #  - 443:443
```
- Just to reassure you: where you list your labels, you do not need to specify the port on the domains, e.g.:
```yaml
    labels:
      traefik.enable: "true"
      traefik.http.routers.passbolt-http.entrypoints: "web"
      traefik.http.routers.passbolt-http.rule: "Host(`passbolt.example.com`)" # keep the domain the same, without a port.
      traefik.http.routers.passbolt-http.middlewares: "SslHeader@file"
      traefik.http.routers.passbolt-https.middlewares: "SslHeader@file"
      traefik.http.routers.passbolt-https.entrypoints: "websecure"
      traefik.http.routers.passbolt-https.rule: "Host(`passbolt.example.com`)" # keep the domain the same, without a port.
      traefik.http.routers.passbolt-https.tls: "true"
      traefik.http.routers.passbolt-https.tls.certresolver: "letsencrypt"
```
- Under `traefik`, set your ports (please read the `#` comments):
```yaml
  traefik:
    image: traefik:2.10.5
    restart: always
    ports:
      - 80:80 # Your HTTP port has to stay as port 80, otherwise this will not work with Let's Encrypt.
      - 4343:4343 # This is your HTTPS port; you can change this to your desired port, ensuring it is the same as the port specified in your APP_FULL_BASE_URL.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yaml:/traefik.yaml:ro
      - ./conf/:/etc/traefik/conf
      - ./shared/:/shared
```
- Save and exit your docker-compose file: CTRL + X, Y, ENTER.
STEP TWO: Your Traefik File
- Open your Traefik file:
```shell
nano traefik.yaml
```
- Under `entryPoints` you'll see the ports that Traefik uses with Let's Encrypt for performing the handshake. By default, this will be `address: ':80'` under `web` and `address: ':443'` under `websecure`.
- Keeping the HTTP port as port 80, change the `websecure` port to your desired port, so that it looks something like this:
```yaml
entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ':4343' # Only change this.
```
- Save and exit your Traefik file: CTRL + X, Y, ENTER.
Finally, ensure that you restart your Docker containers using: `docker-compose -f docker-compose.yaml up -d`
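The port change above only works when three things agree: the port in `APP_FULL_BASE_URL`, the `websecure` entrypoint address in `traefik.yaml`, and the host port published by the `traefik` service in `docker-compose.yaml`, while `web` stays on 80 and the `passbolt` service publishes nothing. The following script is an added example (not code from the original post, nor from Passbolt or Traefik) that reads both files as text and reports any disagreement before you restart the stack. It uses only the standard library and simple pattern matching on the file layout shown in this guide (two-space indentation, one service per block); the two sample files embedded in it are constructed for the example, and the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample files that mirror the snippets in the guide above.
SAMPLE_COMPOSE = """\
services:
  passbolt:
    environment:
      APP_FULL_BASE_URL: https://passbolt.example.com:4343
    #ports:
    #  - 80:80
    #  - 443:443
    labels:
      traefik.http.routers.passbolt-https.rule: "Host(`passbolt.example.com`)" # no port here
  traefik:
    image: traefik:2.10.5
    ports:
      - 80:80
      - 4343:4343
"""

SAMPLE_TRAEFIK = """\
entryPoints:
  web:
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':4343' # must match APP_FULL_BASE_URL
"""


def strip_comments(text):
    """Blank out '#' comments so a commented-out 'ports:' block is not counted."""
    return "\n".join(re.sub(r"#.*$", "", line) for line in text.splitlines())


def base_url_port(compose):
    """Return (scheme, hostname, port) parsed from APP_FULL_BASE_URL."""
    m = re.search(r"APP_FULL_BASE_URL:\s*['\"]?([^'\"\s]+)", strip_comments(compose))
    if not m:
        raise ValueError("APP_FULL_BASE_URL is not set")
    u = urlsplit(m.group(1))
    return u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80)


def published_ports(compose, service):
    """Host ports from the service's live (uncommented) 'ports:' list."""
    text = strip_comments(compose)
    # The service block runs from "  <name>:" to the next two-space-indented key.
    block = re.search(rf"^  {re.escape(service)}:\n(.*?)(?=^  \S|\Z)", text, re.M | re.S)
    if not block:
        return []
    ports = re.search(r"^\s+ports:\n((?:[ \t]+- .*\n?)+)", block.group(1), re.M)
    if not ports:
        return []
    return [int(p) for p in re.findall(r"-\s*['\"]?(\d+):\d+", ports.group(1))]


def traefik_entrypoint_ports(traefik):
    """Map each entryPoints name to the port in its 'address:' line."""
    ports, current, in_section = {}, None, False
    for line in strip_comments(traefik).splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_section, current = line.strip() == "entryPoints:", None
        elif in_section and indent == 2 and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
        elif in_section and current and line.strip().startswith("address:"):
            m = re.search(r":(\d+)", line.split("address:", 1)[1])
            if m:
                ports[current] = int(m.group(1))
    return ports


def router_hosts(compose):
    """Hostnames used in the Traefik Host(`...`) router rules."""
    return set(re.findall(r"Host\(`([^`]+)`\)", compose))


def check_port_change(compose, traefik):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    scheme, host, port = base_url_port(compose)
    if scheme != "https":
        problems.append("APP_FULL_BASE_URL must start with https://")
    entry = traefik_entrypoint_ports(traefik)
    if entry.get("web") != 80:
        problems.append("traefik 'web' entrypoint must stay on :80 for the HTTP-01 challenge")
    if entry.get("websecure") != port:
        problems.append(f"traefik 'websecure' is :{entry.get('websecure')} but APP_FULL_BASE_URL uses :{port}")
    published = published_ports(compose, "traefik")
    for needed in (80, port):
        if needed not in published:
            problems.append(f"traefik service does not publish host port {needed}")
    if published_ports(compose, "passbolt"):
        problems.append("passbolt service still publishes ports; comment them out, Traefik handles them")
    for rule_host in router_hosts(compose):
        if rule_host != host:
            problems.append(f"router rule Host(`{rule_host}`) does not match base URL host {host}")
    return problems


if __name__ == "__main__":
    for problem in check_port_change(SAMPLE_COMPOSE, SAMPLE_TRAEFIK) or ["OK: ports agree"]:
        print(problem)
```

To use it on a real deployment, replace the two sample strings with `open("docker-compose.yaml").read()` and `open("traefik.yaml").read()`; any line it prints is one of the mismatches that typically produces a redirect loop or a certificate that never issues.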
Port forwarding Reminder
Don't forget to open port 80 and your chosen HTTPS port, directed to your internal IP.
While I am not 100% sure, as long as an application is not constantly using port 80, you can have other web apps infrequently using the port to perform other HTTP certificate renewals. For example, an app on HTTPS port 4343 and another on 4443 can both share port 80 provided they don't use it at the same time.
Still Have Issues?
- Check your Docker Compose logs for Traefik with:
```shell
docker-compose -f docker-compose.yaml logs -f traefik
```
- One other thing I also tried, but cannot confirm if it really did help, is I set up Certbot. You'll want to use the drop-downs at the top of the page to select your system information for the correct guide; I chose "My HTTP website is running Other on Ubuntu 20". The setup within the CLI went well for me. Just bear in mind that if you do actually choose to use this method, Certbot creates two standalone files, the certificate and the key, and it will give you the location of these for you to manually transfer to your Passbolt configuration/folder. Find out more by Googling "passbolt manual https".
I apologise for the lack of URLs, I'm a new user and only get 2!
Happy passbolting and best of luck!