[SOLVED] Problem Enabling SSL via Digital Ocean Droplet

Checklist
[X] I have read intro post: About the Installation Issues category
[X] I have read the tutorials, help and searched for similar issues
[X] I provide relevant information about my server (component names and versions, etc.)
[X] I provide a copy of my logs and healthcheck
[X] I describe the steps I have taken to troubleshoot the problem
[X] I describe the steps on how to reproduce the issue

– Server operating system name and version: Ubuntu 20.04.4 LTS
– Web server name and version: nginx 1.18.0
– Database server name and version: MariaDB v15.1 Distrib 10.3.34
– Php version: 7.4.3
– Passbolt version: 3.5.0

Provide a copy of your healthcheck running as the web server user

 Environment

 [PASS] PHP version 7.4.3.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to http://pw.sspl.org
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.5.0).
 [FAIL] Passbolt is not configured to force SSL use.
 [HELP] Set passbolt.ssl.force to true in config/passbolt.php.
 [FAIL] App.fullBaseUrl is not set to HTTPS.
 [HELP] Check App.fullBaseUrl url scheme in config/passbolt.php.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 2 error(s) found. Hang in there!

I had to enable allow_url_fopen in the php.ini for the web-version of the healthcheck to not throw errors, though :///healthcheck/status reports a 404.

The Digital Ocean setup steps are fairly straightforward, but the SSL skips a bit in clarity. I had installed the Digital Ocean Passbolt Droplet from the Marketplace, but before accessing the web interface installer/configuration page, I created a DNS entry for a subdomain A record, waited for DNS to propagate until I could ping the subdomain, and then SSH’d into my instance in order to run the dpkg-reconfigure passbolt-ce-server command. Unfortunately, at the end of the command the certificates existed, but the dreaded message appeared (“Unable to install the certificate”):

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/pw.sspl.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/pw.sspl.org/privkey.pem
   Your cert will expire on 2022-06-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
root@1gb-nyc1-01:/etc/php/7.4/cli# cd /usr/share/php/passbolt/
root@1gb-nyc1-01:/usr/share/php/passbolt# sudo su -s /bin/bash -c "./bin/cake passbolt healthcheck" www-data

Although I looked at the nginx conf files, they’re commented that Passbolt manages them, so I wasn’t sure if I am even supposed to edit them. The only one(s) created are passbolt specific, even though I did provide my domain (pw.sspl.org) in the dpkg-reconfigure setup. Since the conf files said it was configured by Passbolt and I hadn’t yet run the Passbolt web configuration, I figured I’d go ahead and do that, and then backtrack even though the installation steps said to get SSL working first.

After configuring it and creating the first user (and getting SMTP to work), I could not get SSL to work. I tried editing the /etc/nginx/sites-available/nginx-passbolt.conf file to at least change the listen directive to 443 from the default of 80. I restarted nginx with no luck, then rebooted the droplet, also with no luck. I set the listen directive back to 80 just in case Passbolt is supposed to manage/change that on its own, and came here with some hope for guidance.

Hi @BrendonKoz ,

We have a similar issue on another template image. Can you open /etc/nginx/sites-enabled/nginx-passbolt.conf? You should see this line:

server_name _;

Can you replace the underscore with your passbolt domain name:

server_name passbolt.example.com;

Then reload nginx:

sudo systemctl reload nginx.service

Once done, certbot should be able to edit your nginx configuration file, and you can re-run sudo dpkg-reconfigure passbolt-ce-server.

Let me know if it fixes your issue.

Best,
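A pre-flight check for the two things this thread turns on, written as an added example (not part of the reply above or of Passbolt's tooling): a vhost whose server_name is the catch-all `_`, which certbot's nginx installer cannot match to the domain, and a passbolt.php whose App.fullBaseUrl is still http:// with passbolt.ssl.force not set. The sample nginx and passbolt.php files are constructed inline; the grep patterns assume the default PHP-array layout of passbolt.php.

```shell
#!/bin/sh
# Two checks that mirror the [PASS]/[FAIL] style of the passbolt healthcheck.
# Sample files are constructed below; the domain and paths come from the thread.

# 0 if CONF has a server_name directive listing DOMAIN, 1 otherwise ("_" alone fails).
nginx_has_server_name() {
    conf="$1"; domain="$2"
    names=$(grep -E '^[[:space:]]*server_name[[:space:]]' "$conf" \
            | sed -E 's/^[[:space:]]*server_name[[:space:]]+//; s/;[[:space:]]*$//' || true)
    for n in $names; do
        [ "$n" = "$domain" ] && return 0
    done
    return 1
}

# 0 if passbolt.php has an https:// fullBaseUrl AND 'force' => true (assumed key layout).
passbolt_forces_https() {
    grep -Eq "'fullBaseUrl'[[:space:]]*=>[[:space:]]*'https://" "$1" &&
    grep -Eq "'force'[[:space:]]*=>[[:space:]]*true" "$1"
}

# Runs both checks and reports; returns 0 only if both pass.
preflight() {
    conf="$1"; php="$2"; domain="$3"; rc=0
    if nginx_has_server_name "$conf" "$domain"; then echo "[PASS] nginx server_name lists $domain"
    else echo "[FAIL] nginx server_name does not list $domain (catch-all _ ?)"; rc=1; fi
    if passbolt_forces_https "$php"; then echo "[PASS] fullBaseUrl is https and ssl.force is true"
    else echo "[FAIL] fullBaseUrl is not https or passbolt.ssl.force is not true"; rc=1; fi
    return $rc
}

# Constructed samples: the droplet as installed (thread's state) and after the fix.
TMP=$(mktemp -d)
BROKEN_CONF="$TMP/broken.conf"; FIXED_CONF="$TMP/fixed.conf"
BROKEN_PHP="$TMP/broken.php";   FIXED_PHP="$TMP/fixed.php"
printf 'server {\n    listen 80;\n    server_name _;\n}\n' > "$BROKEN_CONF"
printf 'server {\n    listen 80;\n    server_name pw.sspl.org;\n}\n' > "$FIXED_CONF"
printf "<?php\nreturn [\n  'App' => [ 'fullBaseUrl' => 'http://pw.sspl.org' ],\n  'passbolt' => [ 'ssl' => [ 'force' => false ] ],\n];\n" > "$BROKEN_PHP"
printf "<?php\nreturn [\n  'App' => [ 'fullBaseUrl' => 'https://pw.sspl.org' ],\n  'passbolt' => [ 'ssl' => [ 'force' => true ] ],\n];\n" > "$FIXED_PHP"

echo "--- as installed ---";  preflight "$BROKEN_CONF" "$BROKEN_PHP" pw.sspl.org
echo "--- after the fix ---"; preflight "$FIXED_CONF" "$FIXED_PHP" pw.sspl.org
```

Run it against the real /etc/nginx/sites-enabled/nginx-passbolt.conf and /etc/passbolt/passbolt.php before starting dpkg-reconfigure to see both failures the healthcheck reports, and again afterwards to confirm they are gone.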

Hi @_jc! That definitely worked! I had some issues getting the app to render/load properly after getting the certificate to successfully install (updated passbolt.php and restarted nginx), so decided to simply start fresh with a new droplet, making sure to edit /etc/nginx/sites-enabled/nginx-passbolt.conf as appropriate prior to accessing the Passbolt web interface and running through the configuration this time. Worked like a charm. Thank you!

Great, I’m glad to read you were finally able to fix this issue :+1:

Don’t hesitate if you have further questions :slight_smile: