Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[x] I describe the steps on how to reproduce the issue
Hello,
I’m searching for help.
My Passbolt works nicely but I have a problem. I made a manual installation of SSL certificates by following the tutorial and I’m still in HTTP and not HTTPS.
But when it’s done my nginx works but I’m still in HTTP.
I saw on Google that they take the right key.pem and cert.pem when I make the installation, but it tells me that they are not trusted certificates.
And for information, I tried to make the automatic install with Let’s Encrypt too, with my port 80 open, and it still gives me an error.
The problem might come from different things actually.
According to your latest screenshot, Nginx can’t reload because there seem to be multiple listen 443 (or equivalent) directives in the configuration file.
Is it possible for you to investigate that, or to share your configuration so we can have a look here?
Also, from what I know Let’s Encrypt requires a domain name to sign the certificate. So using the IP address instead won’t help you in any way. For this, the message states that your server is not reachable somehow. It uses port 80 to reach your server IIRC, and this port is already open according to what you said.
In that regard, I suspect the solution lies in the network configuration. Given the IP chosen in your screenshot, I suspect the server is located in your local network (like at home or at an office). Can you confirm that is the case?
If so, you might try to check whether you can reach your server from a network outside of your local network (for instance with a smartphone that is not connected to the local wifi). If you cannot reach it via the domain name, then you have your answer as to why Let’s Encrypt couldn’t reach your server. Fixing that depends on your configuration, and without knowing more it will be hard to help.
Is your domain name (supposedly www.kerpass.com) reserved and configured to point to the right IP address?
Do you have a firewall?
Is your server located on a local network? If yes, do you have a redirection from the outside to your server inside configured on your router (usually called NAT/PAT in the UI, from what I know)?
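The duplicate listen 443 check mentioned above, as an added example that is not part of the thread or of Passbolt’s own tooling: a small shell/awk script that flags the same address:port listed twice inside one server block, or marked default_server in more than one server block, across a set of nginx config files. The function names, file names and hostnames in the sample configs are constructed for the demo; nginx -t remains the authoritative check.

```shell
#!/bin/sh
# Added example (not from the thread or the Passbolt project): report the two
# listen conflicts that make "nginx -t", and therefore a reload, fail.
# Real use: nginx_listen_conflicts /etc/nginx/conf.d/*.conf /etc/nginx/sites-enabled/*

# Print one line per conflict found in the given files; prints nothing when clean.
nginx_listen_conflicts() {
  awk '
    # A new server block starts: forget the addresses seen in the previous one.
    index($0, "{") && $1 == "server" { split("", seen) }
    $1 == "listen" {
      sub(/;.*/, "")              # drop ";" and any trailing comment, re-splits $0
      addr = $2                   # e.g. 443, [::]:443, 0.0.0.0:80
      if (addr in seen)
        print "duplicate listen " addr " in one server block (" FILENAME ")"
      seen[addr] = 1
      for (i = 3; i <= NF; i++)   # remaining words are listen options
        if ($i == "default_server") {
          if (addr in def)
            print "duplicate default_server for " addr " (" def[addr] " and " FILENAME ")"
          def[addr] = FILENAME
        }
    }' "$@"
}

# Constructed sample configs that reproduce both conflicts (hostnames are made up).
make_sample_conf() {
  cat > "$1/default.conf" <<'EOF'
server {
    listen 443 ssl default_server;
    server_name _;
}
EOF
  cat > "$1/passbolt.conf" <<'EOF'
server {
    listen 443 ssl default_server;   # second default_server for :443
    listen 443 ssl;                  # same port twice in one block
    server_name passbolt.example.test;
}
EOF
}

# Stand-alone demo on the constructed files; on a real server, pass the nginx config paths.
sample_dir=$(mktemp -d)
make_sample_conf "$sample_dir"
nginx_listen_conflicts "$sample_dir"/*.conf
rm -r "$sample_dir"
```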
I thought about something like that, yes. I suppose Passbolt is meant to be used on your local network or via a VPN.
To make a certificate trusted there are different options:
The certificate is signed by a known Certificate Authority (CA); this is where Let’s Encrypt comes in.
You self-sign it and mark the CA certificate you used to sign as “trusted”. This needs to be done on each machine that should consider this CA as ‘trusted’ (every computer, server, laptop, mobile phone, etc.). It’s doable technically.
There could be a way to make Let’s Encrypt sign your certificate without using port 80 on the server. However, if your network is totally closed to the outside, it will be hard I think. There is that: GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
And in it, you can find a way to resolve the Let’s Encrypt challenge via DNS (auto or manual). I think though that the DNS record has to be accessible from Let’s Encrypt servers (so from outside your local network). As I don’t know your network configuration I can’t guarantee it will be a solution for you.