Hello,
I'm new to Passbolt and I have the following problem.
I use a Passbolt Docker on my QNAP NAS and have already set up a certificate on my NAS.
With Passbolt, however, the www.passbolt.local certificate is still displayed, although I have made a Manual HTTPS configuration on Docker.
My config
version: '3.9'
services:
  db:
    image: mariadb:10.3
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - database_volume:/var/lib/mysql
  passbolt:
    image: passbolt/passbolt:latest-ce
    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: "https://weinkeller.site:4433"
      PASSBOLT_SSL_FORCE: true
      APP_DEFAULT_LOCALE: "de_DE"
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
      PASSBOLT_META_DESCRIPTION: "Passwort Manager"
      PASSBOLT_AUTH_LOGIN_TOKEN_EXPIRY: "15 minutes"
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
      - /etc/passbolt/certs/certificate.key
      - /etc/passbolt/certs/certificate.crt
    command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
    ports:
      - 8080:80
      - 4433:443
volumes:
  database_volume:
  gpg_volume:
  jwt_volume:
Thanks and have a good day!
Martin
Hi @martin.24
and welcome to passbolt community forum 
In your volume definition, you missed the path to your local certificates:
    volumes:
      ...
      - ./path/to/cert.pem:/etc/ssl/certs/certificate.crt:ro
      - ./path/to/key.pem:/etc/ssl/certs/certificate.key:ro
As explained on Passbolt Help | Manual HTTPS configuration on Docker
Let us know if it fixes your issue.
Cheers,
Thank you for your prompt reply,
now comes this error code and then the container stops.
Generating a RSA private key
...............................................................................................................++++
.......................................................................................................++++
writing new private key to '/etc/ssl/certs/certificate.key'
req: Can't open "/etc/ssl/certs/certificate.key" for writing, Is a directory
wait-for.sh: waiting for db:3306 without a timeout
wait-for.sh: db:3306 is available after 6 seconds
gpg: key 1D09B73CC8603C96: "Passbolt default user <passbolt@yourdomain.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: key 1D09B73CC8603C96: "Passbolt default user <passbolt@yourdomain.com>" not changed
gpg: key 1D09B73CC8603C96: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1
Certificate and private key are stored here

Thanks a lot
Hi,
cert.pem and key.pem are currently directories on your QNAP NAS, directories created because of the bad docker-compose file configuration.
Can you delete these directories and retry ?
Cheers,
Now I have deleted the folders.
Do I now have to put the certificate.key and certificate.crt files in the folder or the key.pem and cert.pem files?
Hi,
I wrote this:
    volumes:
      ...
      - ./path/to/cert.pem:/etc/ssl/certs/certificate.crt:ro
      - ./path/to/key.pem:/etc/ssl/certs/certificate.key:ro
Assuming you created a certs folder alongside your docker-compose.yml file and put your certificates in this folder:
.
├── certs
│   ├── cert.pem
│   └── key.pem
└── docker-compose.yml
Your volumes definition will be:
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
      - ./certs/cert.pem:/etc/ssl/certs/certificate.crt:ro
      - ./certs/key.pem:/etc/ssl/certs/certificate.key:ro
Best,
Thanks,
now the QNAP error log gives me this error and the docker container is stopped.
Background task error for application_custom passbolt:
ERROR: for passbolt_passbolt_1 Cannot start service passbolt: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/share/CACHEDEV1_DATA/Container/container-station-data/application/passbolt/certs/key.pem" to rootfs at "/etc/ssl/certs/certificate.key": mount /share/CACHEDEV1_DATA/Container/container-station-data/application/passbolt/certs/key.pem:/etc/ssl/certs/certificate.key (via /proc/self/fd/6), flags: 0x5001: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
ERROR: for passbolt Cannot start service passbolt: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/share/CACHEDEV1_DATA/Container/container-station-data/application/passbolt/certs/key.pem" to rootfs at "/etc/ssl/certs/certificate.key": mount /share/CACHEDEV1_DATA/Container/container-station-data/application/passbolt/certs/key.pem:/etc/ssl/certs/certificate.key (via /proc/self/fd/6), flags: 0x5001: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
Encountered errors while bringing up the project.
Cheers
Hum,
I guess the docker engine provided by QNAP is not able to mount files, but only directories. 
Can you keep your certs folder and rename cert.pem to certificate.crt and key.pem to certificate.key ?
If you mount your certs folder inside /etc/ssl/certs/ folder of the container, you will have problems as this path contains other mandatory certificates.
Can you next edit your docker-compose.yml file:
Use the non-root image instead of the root one: passbolt/passbolt:latest-ce => passbolt/passbolt:latest-ce-non-root
Update the volumes definition:
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
      - ./certs:/etc/passbolt/certs
Finally update the ports:
    ports:
      - 8080:8080
      - 4433:4433
Let me know if it fixes your issue.
Best regards,
That was the solution.
Thank you very much, you were really a great help.
Perfect, thank you for the feedback, I guess it can help other QNAP users 
Enjoy your passbolt instance and don't hesitate to post here if you have further questions.
Best,
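
A pre-flight check for the layout the thread ends with (an added example, not part of the original posts or of Passbolt's tooling): it catches the directory-instead-of-file state behind both errors above, and swapped files, before the container starts. The function names are hypothetical; the file names are the ones used in the thread.

```shell
#!/bin/sh
# Added example: pre-flight check of the host directory bind-mounted at
# /etc/passbolt/certs. check_passbolt_certs and cert_matches_key are
# hypothetical names; the file names are the ones used in the thread.

check_passbolt_certs() {
    dir=${1:-./certs}
    rc=0
    for name in certificate.crt certificate.key; do
        path="$dir/$name"
        if [ -d "$path" ]; then
            # Docker creates an empty directory when a bind-mount source is missing.
            echo "FAIL: $path is a directory, replace it with the real file" >&2
            rc=1
        elif [ ! -s "$path" ]; then
            echo "FAIL: $path is missing or empty" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # Catch swapped or mis-renamed files by looking at the PEM headers.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/certificate.crt" || {
        echo "FAIL: certificate.crt holds no PEM certificate" >&2; rc=1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$dir/certificate.key" || {
        echo "FAIL: certificate.key holds no PEM private key" >&2; rc=1; }

    # A private key should not be readable by every account on the NAS.
    if [ -n "$(find "$dir/certificate.key" -prune -perm -004)" ]; then
        echo "WARN: certificate.key is world-readable on the host" >&2
    fi
    return "$rc"
}

# Optional, needs openssl on the host: the certificate and the key belong
# together when both yield the same public key.
cert_matches_key() {
    dir=${1:-./certs}
    crt_pub=$(openssl x509 -in "$dir/certificate.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/certificate.key" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ]
}
```

Source the file and run `check_passbolt_certs ./certs` from the folder that holds docker-compose.yml before bringing the project up.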