SSL certificate from QNAP NAS

Hello,

I’m new to Passbolt and I have the following problem.
I use a Passbolt Docker on my QNAP NAS and have already set up a certificate on my NAS.
With Passbolt, however, the www.passbolt.local certificate is still displayed, although I have made a Manual HTTPS configuration on Docker.

My config

    version: '3.9'
    services:
      db:
        image: mariadb:10.3
        restart: unless-stopped
        environment:
          MYSQL_RANDOM_ROOT_PASSWORD: "true"
          MYSQL_DATABASE: "passbolt"
          MYSQL_USER: "passbolt"
          MYSQL_PASSWORD: "P4ssb0lt"
        volumes:
          - database_volume:/var/lib/mysql

      passbolt:
        image: passbolt/passbolt:latest-ce
        #Alternatively you can use rootless:
        #image: passbolt/passbolt:latest-ce-non-root
        restart: unless-stopped
        depends_on:
          - db
        environment:
          APP_FULL_BASE_URL: "https://weinkeller.site:4433"
          PASSBOLT_SSL_FORCE: true
          APP_DEFAULT_LOCALE: "de_DE"
          DATASOURCES_DEFAULT_HOST: "db"
          DATASOURCES_DEFAULT_USERNAME: "passbolt"
          DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
          DATASOURCES_DEFAULT_DATABASE: "passbolt"
          PASSBOLT_META_DESCRIPTION: "Passwort Manager"
          PASSBOLT_AUTH_LOGIN_TOKEN_EXPIRY: "15 minutes"
        volumes:
          - gpg_volume:/etc/passbolt/gpg
          - jwt_volume:/etc/passbolt/jwt
          - /etc/passbolt/certs/certificate.key
          - /etc/passbolt/certs/certificate.crt
        command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
        ports:
          - 8080:80
          - 4433:443
    volumes:
      database_volume:
      gpg_volume:
      jwt_volume:

Thanks and have a good day!
Martin

Hi @martin.24 :wave: and welcome to the passbolt community forum :handshake:

In your volume definition, you missed the path to your local certificates:

    volumes:
      ...
      - ./path/to/cert.pem:/etc/ssl/certs/certificate.crt:ro
      - ./path/to/key.pem:/etc/ssl/certs/certificate.key:ro

As explained on Passbolt Help | Manual HTTPS configuration on Docker.

Let us know if it fixes your issue.

Cheers,

Thank you for your prompt reply,

Now this error comes and then the container stops.

    Generating a RSA private key
    ...............................................................................................................++++
    .......................................................................................................++++
    writing new private key to '/etc/ssl/certs/certificate.key'
    req: Can't open "/etc/ssl/certs/certificate.key" for writing, Is a directory
    wait-for.sh: waiting for db:3306 without a timeout
    wait-for.sh: db:3306 is available after 6 seconds
    gpg: key 1D09B73CC8603C96: "Passbolt default user <passbolt@yourdomain.com>" not changed
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg: key 1D09B73CC8603C96: "Passbolt default user <passbolt@yourdomain.com>" not changed
    gpg: key 1D09B73CC8603C96: secret key imported
    gpg: Total number processed: 1
    gpg:              unchanged: 1
    gpg:       secret keys read: 1
    gpg:  secret keys unchanged: 1

Certificate and private key are stored here (screenshot).

Thanks a lot

Hi,

cert.pem and key.pem are currently directories on your QNAP NAS, directories created because of the bad docker-compose file configuration.

Can you delete these directories and retry?

Cheers,

Now I have deleted the folders.

Do I now have to put the certificate.key and certificate.crt files in the folder or the key.pem and cert.pem files?

Hi,

I wrote this:

    volumes:
      ...
      - ./path/to/cert.pem:/etc/ssl/certs/certificate.crt:ro
      - ./path/to/key.pem:/etc/ssl/certs/certificate.key:ro

Assuming you created a certs folder next to your docker-compose.yml file and put your certificates in this folder:

    .
    ├── certs
    │   ├── cert.pem
    │   └── key.pem
    └── docker-compose.yml

Your volumes definition will be:

    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
      - ./certs/cert.pem:/etc/ssl/certs/certificate.crt:ro
      - ./certs/key.pem:/etc/ssl/certs/certificate.key:ro

Best,

Thanks,

Now the QNAP error log gives me this error and the Docker container is stopped.

    Background task error for application_custom passbolt:
    ERROR: for passbolt_passbolt_1 Cannot start service passbolt: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting “/share/CACHEDEV1_DATA/Container/container-station-data/application/passbolt/certs/key.pem” to rootfs at “/etc/ssl/certs/certificate.key”: mount /share/CACHEDEV1_DATA/Container/container-station-data/application/passbolt/certs/key.pem:/etc/ssl/certs/certificate.key (via /proc/self/fd/6), flags: 0x5001: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
    ERROR: for passbolt Cannot start service passbolt: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting “/share/CACHEDEV1_DATA/Container/container-station-data/application/passbolt/certs/key.pem” to rootfs at “/etc/ssl/certs/certificate.key”: mount /share/CACHEDEV1_DATA/Container/container-station-data/application/passbolt/certs/key.pem:/etc/ssl/certs/certificate.key (via /proc/self/fd/6), flags: 0x5001: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
    Encountered errors while bringing up the project.

Cheers

Hum,

I guess the docker engine provided by QNAP is not able to mount files, but only directories. :confused:

Can you keep your certs folder and rename cert.pem to certificate.crt and key.pem to certificate.key?

If you mount your certs folder inside /etc/ssl/certs/ folder of the container, you will have problems as this path contains other mandatory certificates.

Can you next edit your docker-compose.yml file:

Use the non-root image instead of the root one: passbolt/passbolt:latest-ce => passbolt/passbolt:latest-ce-non-root

Update the volumes definition:

    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
      - ./certs:/etc/passbolt/certs

Finally update the ports:

    ports:
      - 8080:8080
      - 4433:4433

Let me know if it fixes your issue.

Best regards,
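As an added check (not from this thread or the Passbolt project), a small POSIX shell preflight for the ./certs layout from the answer above: it verifies that certificate.crt and certificate.key are regular files rather than directories left behind by a bad bind mount, and flags compose volume lines that name a container cert path with no host source, as in the first config. The fixture built in demo() is constructed and contains no real certificate material.

```shell
#!/bin/sh
# Preflight for a ./certs folder that is bind-mounted as one directory onto
# /etc/passbolt/certs. Return codes of check_certs_dir:
#   0 ok, 1 no certs dir, 2 an entry is a directory, 3 file missing, 4 file empty.
check_certs_dir() {
  dir="$1"
  [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
  for name in certificate.crt certificate.key; do
    p="$dir/$name"
    if [ -d "$p" ]; then
      # This is what a source-less volume entry leaves behind on the host.
      echo "FAIL: $p is a directory (left behind by a bad bind mount); remove it"
      return 2
    fi
    [ -e "$p" ] || { echo "FAIL: $p is missing"; return 3; }
    [ -s "$p" ] || { echo "FAIL: $p is empty"; return 4; }
  done
  # A world-readable private key is a common mistake on shared NAS folders.
  if [ -n "$(find "$dir/certificate.key" -perm -o=r 2>/dev/null)" ]; then
    echo "WARN: $dir/certificate.key is world-readable; consider chmod 600"
  fi
  echo "OK: $dir holds certificate.crt and certificate.key as regular files"
}

# Flag "- /etc/.../certs/..." volume lines with no "host:container" colon;
# Docker creates an anonymous volume there instead of mounting your files.
check_compose_volumes() {
  n=$(grep -cE '^[[:space:]]*-[[:space:]]*/etc/(ssl|passbolt)/certs(/[^:]*)?$' "$1" || true)
  [ "$n" -eq 0 ] && return 0
  echo "FAIL: $n source-less cert volume line(s) in $1"
  return 1
}

# Demo on a constructed fixture: first the broken layout from the "Is a
# directory" error post, then the layout from the accepted answer.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/bad/certificate.key"; printf 'x' > "$tmp/bad/certificate.crt"
  mkdir -p "$tmp/good"
  printf 'x' > "$tmp/good/certificate.crt"; printf 'y' > "$tmp/good/certificate.key"
  check_certs_dir "$tmp/bad" || true
  check_certs_dir "$tmp/good" || true
  printf 'volumes:\n  - /etc/passbolt/certs/certificate.key\n' > "$tmp/bad.yml"
  check_compose_volumes "$tmp/bad.yml" || true
  rm -rf "$tmp"
}
demo
```

Run it from the folder that contains docker-compose.yml as `check_certs_dir ./certs && check_compose_volumes docker-compose.yml` before `docker-compose up`.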

That was the solution.

Thank you very much, you were really a great help.


Perfect, thank you for the feedback, I guess it can help other QNAP users :slight_smile:

Enjoy your passbolt instance and don’t hesitate to post here if you have further questions.

Best,