Site not loading post 1.6.10 to 2.0.5 upgrade

This is an in-place upgrade, following the instructions on the site. The old version did run, and was online. Post upgrade, the requested URLs are no longer found. The SSL cert is working with Apache; you can see it on the 404 page that is loaded.

The site configuration in Apache does have the DocumentRoot as /var/www/passbolt. None of that changed from 1.6.10.

Any ideas?


Healthcheck shell

Environment

[PASS] PHP version 7.0.30-1+ubuntu14.04.1+deb.sury.org+1.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://************
[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in config/passbolt.php
[HELP] Check the network settings

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate

Database

[PASS] The application is able to connect to the database
[PASS] 19 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The server gpg key is not the default one
[PASS] The environment variable GNUPGHOME is set to /var/www/.gnupg.
[PASS] The directory /var/www/.gnupg containing the keyring is writable by the webserver user.
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The public key can be used to sign a message.
[PASS] The public key can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Application configuration

[FAIL] This installation is not up to date. Currently using 2.0.5 and it should be v2.0.7.
[HELP] See. https://www.passbolt.com/help/tech/update
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

What do you see on the screen? Do you have any errors in the logs?

In /var/www/passbolt/logs there is a cli-error.log that doesn’t have any errors listed that are current. I believe they may have been from during the install/upgrade. This line is the only one in it, and it’s from over 40 minutes ago.

2018-05-09 17:42:55 Warning: Warning (512): SplFileInfo::openFile(/var/www/passbolt/tmp/cache/persistent/myapp_cake_core_translations_cake_console_en__u_s): failed to open stream: Permission denied in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 397]

In Apache, there are no relevant error logs. It only has line items for which version of OpenSSL is running, and the restarts of the service.

I have placed a test.html file into /var/www/passbolt and it loads when I go directly to it.

On screen is just the following:

Not Found
The requested URL /auth/login was not found on this server.

Apache/2.4.7 (Ubuntu) Server at passbolt.securitases.com Port 443

FYI, the address is internal access only; it’s not actually on the internet.

Loading a phpinfo file into the root also does run.

And if you go to yourdomain/healthcheck/status you get a 404?

Correct, 404 for the mydomain/healthcheck/status

Can you clean the content of the folders:

  • /var/www/passbolt/tmp/cache/persistent
  • /var/www/passbolt/tmp/cache/model

Can you show us your Apache config?

Cleared the tmp folders mentioned, same results, 404.

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost
		ServerName passbolt.securitases.com:443
		DocumentRoot /var/www/passbolt

		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
		# error, crit, alert, emerg.
		# It is also possible to configure the loglevel for particular
		# modules, e.g.
		#LogLevel info ssl:warn

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		# For most configuration files from conf-available/, which are
		# enabled or disabled at a global level, it is possible to
		# include a line for only one particular virtual host. For example the
		# following line enables the CGI configuration for this host only
		# after it has been globally disabled with "a2disconf".
		#Include conf-available/serve-cgi-bin.conf

		#   SSL Engine Switch:
		#   Enable/Disable SSL for this virtual host.
		SSLEngine on

		SSLProtocol all -SSLv2 -SSLv3
		SSLHonorCipherOrder on
		SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

		#   A self-signed (snakeoil) certificate can be created by installing
		#   the ssl-cert package. See
		#   /usr/share/doc/apache2/README.Debian.gz for more info.
		#   If both key and certificate are stored in the same file, only the
		#   SSLCertificateFile directive is needed.
		SSLCertificateFile	/etc/apache2/ssl/passbolt.crt
		SSLCertificateKeyFile /etc/apache2/ssl/passbolt-decrypted.key

		#   Server Certificate Chain:
		#   Point SSLCertificateChainFile at a file containing the
		#   concatenation of PEM encoded CA certificates which form the
		#   certificate chain for the server certificate. Alternatively
		#   the referenced file can be the same as SSLCertificateFile
		#   when the CA certificates are directly appended to the server
		#   certificate for convenience.
		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

		#   Certificate Authority (CA):
		#   Set the CA certificate verification path where to find CA
		#   certificates for client authentication or alternatively one
		#   huge file containing all of them (file must be PEM encoded)
		#   Note: Inside SSLCACertificatePath you need hash symlinks
		#		 to point to the certificate files. Use the provided
		#		 Makefile to update the hash symlinks after changes.
		#SSLCACertificatePath /etc/ssl/certs/
		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
		SSLCACertificateFile /etc/apache2/ssl/passbolt-apache-ca.crt



		#   Certificate Revocation Lists (CRL):
		#   Set the CA revocation path where to find CA CRLs for client
		#   authentication or alternatively one huge file containing all
		#   of them (file must be PEM encoded)
		#   Note: Inside SSLCARevocationPath you need hash symlinks
		#		 to point to the certificate files. Use the provided
		#		 Makefile to update the hash symlinks after changes.
		#SSLCARevocationPath /etc/apache2/ssl.crl/
		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

		#   Client Authentication (Type):
		#   Client certificate verification type and depth.  Types are
		#   none, optional, require and optional_no_ca.  Depth is a
		#   number which specifies how deeply to verify the certificate
		#   issuer chain before deciding the certificate is not valid.
		#SSLVerifyClient require
		#SSLVerifyDepth  10

		#   SSL Engine Options:
		#   Set various options for the SSL engine.
		#   o FakeBasicAuth:
		#	 Translate the client X.509 into a Basic Authorisation.  This means that
		#	 the standard Auth/DBMAuth methods can be used for access control.  The
		#	 user name is the `one line' version of the client's X.509 certificate.
		#	 Note that no password is obtained from the user. Every entry in the user
		#	 file needs this password: `xxj31ZMTZzkVA'.
		#   o ExportCertData:
		#	 This exports two additional environment variables: SSL_CLIENT_CERT and
		#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
		#	 server (always existing) and the client (only existing when client
		#	 authentication is used). This can be used to import the certificates
		#	 into CGI scripts.
		#   o StdEnvVars:
		#	 This exports the standard SSL/TLS related `SSL_*' environment variables.
		#	 Per default this exportation is switched off for performance reasons,
		#	 because the extraction step is an expensive operation and is usually
		#	 useless for serving static content. So one usually enables the
		#	 exportation for CGI and SSI requests only.
		#   o OptRenegotiate:
		#	 This enables optimized SSL connection renegotiation handling when SSL
		#	 directives are used in per-directory context.
		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
		<FilesMatch "\.(php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		

        	<Directory /var/www/passbolt>
            		Options FollowSymLinks
            		AllowOverride All
            		Require all granted
       		</Directory>

		#   SSL Protocol Adjustments:
		#   The safe and default but still SSL/TLS standard compliant shutdown
		#   approach is that mod_ssl sends the close notify alert but doesn't wait for
		#   the close notify alert from client. When you need a different shutdown
		#   approach you can use one of the following variables:
		#   o ssl-unclean-shutdown:
		#	 This forces an unclean shutdown when the connection is closed, i.e. no
		#	 SSL close notify alert is send or allowed to received.  This violates
		#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use
		#	 this when you receive I/O errors because of the standard approach where
		#	 mod_ssl sends the close notify alert.
		#   o ssl-accurate-shutdown:
		#	 This forces an accurate shutdown when the connection is closed, i.e. a
		#	 SSL close notify alert is send and mod_ssl waits for the close notify
		#	 alert of the client. This is 100% SSL/TLS standard compliant, but in
		#	 practice often causes hanging connections with brain-dead browsers. Use
		#	 this only for browsers where you know that their SSL implementation
		#	 works correctly.
		#   Notice: Most problems of broken clients are also related to the HTTP
		#   keep-alive facility, so you usually additionally want to disable
		#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
		#   "force-response-1.0" for this.
		BrowserMatch "MSIE [2-6]" \
				nokeepalive ssl-unclean-shutdown \
				downgrade-1.0 force-response-1.0
		# MSIE 7 and newer should be able to use keepalive
		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

	</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Can you check if you have mod rewrite enabled and the permissions of the php files on the filesystem.

mod_rewrite is enabled:

From phpinfo():

Configuration

apache2handler

Apache Version Apache/2.4.7 (Ubuntu)

Apache API Version 20120211

Server Administrator webmaster@localhost

Hostname:Port passbolt.securitases.com:443

User/Group www-data(33)/33

Max Requests Per Child: 0 - Keep Alive: on - Max Per Connection: 100

Timeouts Connection: 300 - Keep-Alive: 5

Virtual Server Yes

Server Root /etc/apache2
Loaded Modules core mod_so mod_watchdog http_core mod_log_config mod_logio mod_version mod_unixd mod_access_compat mod_alias mod_auth_basic mod_authn_core mod_authn_file mod_authz_core mod_authz_host mod_authz_user mod_autoindex mod_deflate mod_dir mod_env mod_filter mod_headers mod_mime prefork mod_negotiation mod_php7 mod_rewrite mod_setenvif mod_socache_shmcb mod_ssl mod_status

Which PHP files? It’s all over the place when installed with apt-get on Ubuntu.

Some other general information from phpinfo(). This is being run from /var/www/passbolt.

PHP Version 7.0.30-1+ubuntu14.04.1+deb.sury.org+1

System Linux lgmulart300 4.4.0-124-generic #148~14.04.1-Ubuntu SMP Thu May 3 07:26:53 UTC 2018 x86_64

Build Date May 2 2018 12:52:13

Server API Apache 2.0 Handler

Virtual Directory Support disabled

Configuration File (php.ini) Path /etc/php/7.0/apache2

Loaded Configuration File /etc/php/7.0/apache2/php.ini

Scan this dir for additional .ini files /etc/php/7.0/apache2/conf.d

Additional .ini files parsed
/etc/php/7.0/apache2/conf.d/10-mysqlnd.ini, /etc/php/7.0/apache2/conf.d/10-opcache.ini, /etc/php/7.0/apache2/conf.d/10-pdo.ini, /etc/php/7.0/apache2/conf.d/15-xml.ini, /etc/php/7.0/apache2/conf.d/20-calendar.ini, /etc/php/7.0/apache2/conf.d/20-ctype.ini, /etc/php/7.0/apache2/conf.d/20-curl.ini, /etc/php/7.0/apache2/conf.d/20-dom.ini, /etc/php/7.0/apache2/conf.d/20-exif.ini, /etc/php/7.0/apache2/conf.d/20-fileinfo.ini, /etc/php/7.0/apache2/conf.d/20-ftp.ini, /etc/php/7.0/apache2/conf.d/20-gd.ini, /etc/php/7.0/apache2/conf.d/20-gettext.ini, /etc/php/7.0/apache2/conf.d/20-gnupg.ini, /etc/php/7.0/apache2/conf.d/20-iconv.ini, /etc/php/7.0/apache2/conf.d/20-igbinary.ini, /etc/php/7.0/apache2/conf.d/20-intl.ini, /etc/php/7.0/apache2/conf.d/20-json.ini, /etc/php/7.0/apache2/conf.d/20-mbstring.ini, /etc/php/7.0/apache2/conf.d/20-mcrypt.ini, /etc/php/7.0/apache2/conf.d/20-msgpack.ini, /etc/php/7.0/apache2/conf.d/20-mysqli.ini, /etc/php/7.0/apache2/conf.d/20-pdo_mysql.ini, /etc/php/7.0/apache2/conf.d/20-phar.ini, /etc/php/7.0/apache2/conf.d/20-posix.ini, /etc/php/7.0/apache2/conf.d/20-readline.ini, /etc/php/7.0/apache2/conf.d/20-shmop.ini, /etc/php/7.0/apache2/conf.d/20-simplexml.ini, /etc/php/7.0/apache2/conf.d/20-sockets.ini, /etc/php/7.0/apache2/conf.d/20-sysvmsg.ini, /etc/php/7.0/apache2/conf.d/20-sysvsem.ini, /etc/php/7.0/apache2/conf.d/20-sysvshm.ini, /etc/php/7.0/apache2/conf.d/20-tokenizer.ini, /etc/php/7.0/apache2/conf.d/20-wddx.ini, /etc/php/7.0/apache2/conf.d/20-xmlreader.ini, /etc/php/7.0/apache2/conf.d/20-xmlwriter.ini, /etc/php/7.0/apache2/conf.d/20-xsl.ini, /etc/php/7.0/apache2/conf.d/25-memcached.ini

PHP API 20151012

PHP Extension 20151012

Zend Extension 320151012

Zend Extension Build API320151012,NTS

PHP Extension Build API20151012,NTS

Debug Build no

Thread Safety disabled

Zend Signal Handling disabled

Zend Memory Manager enabled

Zend Multibyte Support provided by mbstring

IPv6 Support enabled

DTrace Support available, disabled

Registered PHP Streams https, ftps, compress.zlib, php, file, glob, data, http, ftp, phar

Registered Stream Socket Transports tcp, udp, unix, udg, ssl, sslv2, tls, tlsv1.0, tlsv1.1, tlsv1.2

Registered Stream Filters zlib., string.rot13, string.toupper, string.tolower, string.strip_tags, convert., consumed, dechunk, convert.iconv., mcrypt., mdecrypt.*

Have to run for the day, will be checking back in on this in the AM ET.

Hi!

I have been able to set up an apache2 install with the latest passbolt using the following configuration file based on yours. It’s essentially the same; I just tuned the paths and removed the CA cert as it wasn’t necessary for my test setup:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName passbolt.dev
        DocumentRoot /var/www/passbolt
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
        SSLCertificateFile      /etc/apache2/ssl/passbolt.crt
        SSLCertificateKeyFile /etc/apache2/ssl/passbolt.key
        <Directory /var/www/passbolt>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
    
        <FilesMatch "\.(php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        BrowserMatch "MSIE [2-6]" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

apache2 modules (apache2ctl -M):

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)

I think it could come from an incorrect or non-present /var/www/passbolt/.htaccess file. I can reproduce your issue if I comment out the whole .htaccess file or remove it.

Keep in mind that this file (.htaccess) has changed from passbolt v1 to passbolt v2.
From this on v1:

To this on passbolt v2:

Hope this helps.

That did it. I did not extract it directly to the /var/www/passbolt dir. I moved it, and in doing so, missed the root level hidden files. All the sub dirs have their .htaccess files, just the root didn’t.

The site now loads, and I can login, but the healthcheck/status page states:

home
login
Page not found.
The requested address was not found on this server. Please double check the url. Maybe the page was deleted or moved.

Terms
Credits
Versions

Any ideas on why just healthcheck is not working?
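The cause confirmed above (root-level hidden files left behind when the tree was moved, since a shell `*` glob does not match dotfiles) can be checked mechanically before switching a site over. This is an added example, not part of the original thread or of passbolt's tooling; the function names and the idea of keeping the extracted release directory around for comparison are assumptions.

```shell
#!/bin/sh
# Added example: compare hidden files in an extracted release tree with the
# deployed DocumentRoot, and confirm the root .htaccess actually turns the
# rewrite engine on. Function names are illustrative.

# missing_dotfiles RELEASE_DIR DEPLOY_DIR
# Prints the relative path of every dotfile or dot-directory that exists in
# RELEASE_DIR but not in DEPLOY_DIR. Returns 0 if none are missing, 1 if some
# are, 2 if either directory cannot be entered.
missing_dotfiles() {
    # Resolve DEPLOY_DIR to an absolute path because we cd into RELEASE_DIR.
    _deploy=$(cd "$2" && pwd) || return 2
    _missing=$(cd "$1" && find . ! -name . -name '.*' | sort |
        while IFS= read -r _rel; do
            _rel=${_rel#./}
            [ -e "$_deploy/$_rel" ] || printf '%s\n' "$_rel"
        done) || return 2
    if [ -n "$_missing" ]; then
        printf '%s\n' "$_missing"
        return 1
    fi
    return 0
}

# htaccess_enables_rewrite FILE
# Succeeds only if FILE exists and has an uncommented "RewriteEngine on"
# line. A file that is present but fully commented out fails, which matches
# the reproduction described in the reply above.
htaccess_enables_rewrite() {
    [ -f "$1" ] || return 1
    grep -Eiq '^[[:space:]]*RewriteEngine[[:space:]]+on' "$1"
}

# Usage: sh check_dotfiles.sh /path/to/extracted/release /var/www/passbolt
if [ "$#" -eq 2 ]; then
    if missing_dotfiles "$1" "$2"; then
        echo "no hidden files missing from $2"
    else
        echo "hidden files listed above are missing from $2" >&2
    fi
    htaccess_enables_rewrite "$2/.htaccess" ||
        echo "$2/.htaccess is absent or does not enable mod_rewrite" >&2
fi
```

Moving or copying the directory itself (or using `cp -a release/. /var/www/passbolt/`) instead of `release/*` carries the dotfiles along.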

Possibly related question moved: V2 Update issues. Server Key not loading. Healthcheck says keys are fine, but other things broken

Sorry the URLs I provided previously were incorrect:

@cinderblock you have a different issue, can you remove your comment and paste it in a new issue so that we can keep an overview of the resolution status for each? Thanks.

Both .json work, but neither the healthcheck without /status nor with /status does. Same page as stated before with page not found.