SSL Installation issues

Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[x] I describe the steps on how to reproduce the issue

Hello,

I'm looking for help.
My Passbolt works nicely but I have a problem. I made a manual installation of SSL certificates by following the tutorial and I'm still on HTTP and not HTTPS.

I created my key.pem and cert.pem as it says in the tutorial Passbolt Help | Manual HTTPS configuration on Debian and Ubuntu with user provided certificates

But when it's done my nginx works but I'm still on HTTP.
I saw on Google that they take the right key.pem and cert.pem when I do the installation, but it tells me that they are not trusted certificates.

And for information, I tried the automatic install with Let's Encrypt too, with my port 80 open, and it still gives me an error.

Here are some pictures:

In auto install:

Or if I put a domain name:

In manual install:

My key and cert are taken by the setup

but when I do an nginx reload, this happens:

So for now I have Passbolt working without HTTPS and I can't reload nginx :cold_sweat:

And for information, I set force_ssl = false to use it for now.

Can someone help me? If you need more information I can give it to you.

Hello @UnsterKylink!

The problem might actually come from different things.
According to your latest screenshot, nginx can't reload because there seem to be multiple `listen 443` directives (or equivalent) in the configuration file.

Is it possible for you to investigate that, or to share your configuration so we can have a look here?

Also, from what I know, Let's Encrypt requires a domain name to sign the certificate, so using the IP address instead won't help you in any way. For this, the message states that your server is not reachable somehow. It uses port 80 to reach your server IIRC, and this port is already open according to what you said.
In that regard, I suspect the solution lies in the network configuration. With the IP chosen in your screenshot, I suspect the server is located on your local network (like at home or at an office). Do you confirm that's the case?

If it is the case, you might try to check whether you can reach your server from a network outside of your local network (with a smartphone that is not connected to the local wifi, for instance). If you cannot reach it via the domain name, then you have your answer as to why Let's Encrypt couldn't reach your server. Fixing that depends on your configuration, and without knowing more it will be hard to help.

  • Is your domain name (supposedly www.kerpass.com) reserved and configured to point to the right IP address?
  • Do you have a firewall?
  • Is your server located on a local network? If yes, do you have a redirection from the outside to your server inside configured on your router (usually called NAT/PAT in the UI, from what I know)?
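The reply above suspects more than one `listen 443` in the nginx configuration. The following is an added example, not code from the thread or from Passbolt: a small POSIX shell script that lists every uncommented `listen` directive binding port 443 under a config directory and reports sockets declared more than once. It assumes the Debian/Ubuntu layout under `/etc/nginx` (pass another directory as the first argument); the sample config it builds when run with no argument is constructed here to reproduce the symptom.

```shell
#!/bin/sh
# Added example (not from the thread): find every nginx `listen` directive
# that binds port 443 and report sockets declared more than once, which is
# the kind of conflict that makes `nginx -t` / `nginx -s reload` fail.
# Assumes the Debian/Ubuntu layout /etc/nginx; pass another directory as $1.

# Print "file:line:<directive>" for each uncommented listen directive on 443.
# Lines starting with '#' never match because the pattern is anchored at
# optional whitespace followed directly by the word "listen".
list_443_listens() {
    grep -rnE '^[[:space:]]*listen[[:space:]]+[^;]*443([^0-9]|$)' "$1"
}

# Reduce each directive to its socket ("443", "0.0.0.0:443", "[::]:443") and
# print the sockets that occur more than once as "<socket> x<count>".
# Caveat: nginx treats "443" and "0.0.0.0:443" as the same socket; this
# textual check does not, so compare spellings by hand if it reports nothing.
duplicate_443_sockets() {
    list_443_listens "$1" \
      | sed -E 's/^[^:]*:[0-9]+:[[:space:]]*listen[[:space:]]+//; s/;.*$//' \
      | awk '{ print $1 }' \
      | sort | uniq -c \
      | awk '$1 > 1 { print $2 " x" $1 }'
}

# Constructed sample config tree reproducing the symptom: two server blocks
# both binding 443 (for instance an installer-written file plus a
# hand-written one). Prints the temporary directory it created.
make_sample_config() {
    d=$(mktemp -d)
    mkdir -p "$d/sites-enabled"
    cat > "$d/sites-enabled/passbolt.conf" <<'EOF'
server {
    listen 80;
    server_name passbolt.example.test;
    return 301 https://$host$request_uri;
}
server {
    # listen 443 ssl;   <- commented out, must not be counted
    listen 443 ssl;
    server_name passbolt.example.test;
    ssl_certificate     /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;
}
EOF
    cat > "$d/sites-enabled/nginx-passbolt.conf" <<'EOF'
server {
    # leftover from an earlier run of the installer
    listen 443 ssl;
    server_name passbolt.example.test;
    ssl_certificate     /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;
}
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: use the directory given as $1, else the constructed sample.
CONF_DIR="${1:-}"
CLEANUP=no
if [ -z "$CONF_DIR" ]; then
    CONF_DIR=$(make_sample_config)
    CLEANUP=yes
fi
echo "listen directives on port 443 under $CONF_DIR:"
list_443_listens "$CONF_DIR" || echo "  (none)"
echo "sockets declared more than once:"
duplicate_443_sockets "$CONF_DIR"
if [ "$CLEANUP" = yes ]; then
    rm -rf "$CONF_DIR"
fi
```

On the sample tree the script reports `443 x2` and prints the two `file:line` locations, which is exactly what is needed to decide which server block to remove or merge before running `nginx -t` again. Against a real install, run it as `sh check-listen.sh /etc/nginx`.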

Thank you for your response,

So for nginx, I'm going to investigate why it listens on 443 multiple times.

For Let's Encrypt, I checked with my admin and I don't want to make a redirection from the outside because the server is on a local network.

So I'm going to do the manual install. But as I said in the topic, it's very strange: the install seems to complete correctly, but when I go to my IP address I see that my certificate is not trusted, even though I followed the whole tutorial to get good certificates (Passbolt Help | Manual HTTPS configuration on Debian and Ubuntu with user provided certificates).

How can my key.pem and cert.pem become trusted?

I thought about something like that, yes. I suppose Passbolt is meant to be used on your local network or via a VPN.

To make a certificate trusted there are different options:

  • The certificate is signed by a known Certificate Authority, called a CA (this is where Let's Encrypt comes in)
  • You self-sign it and mark the CA certificate you used to sign as "trusted". This needs to be done on each machine that should consider this CA as 'trusted' (every computer, server, laptop, mobile phone, etc.). It's doable technically.

There could be a way to make Let's Encrypt sign your certificate without using port 80 on the server. However, if your network is totally closed to the outside, it will be hard I think. There is GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
and in it you can find a way to resolve the Let's Encrypt challenge via DNS (auto or manual). I think though that the DNS record has to be accessible from Let's Encrypt's servers (so from outside your local network). As I don't know your network configuration I can't guarantee it will be a solution for you.
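The second option above (a private CA whose certificate is imported as trusted on each client) is the one that works on a closed network. The following is an added example, not code from the thread or from Passbolt's documentation: a POSIX shell script that creates a private CA with openssl, issues a `key.pem`/`cert.pem` pair for the Passbolt host signed by that CA, and then checks that the certificate chains to the CA, carries the hostname in its subjectAltName, and matches the private key. It assumes `openssl` is installed; the hostname `passbolt.example.test` and the output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or Passbolt's docs): build a private CA,
# issue a server certificate for the Passbolt host signed by it, and verify
# the result with openssl. Assumes openssl is installed; the hostname and the
# output directory are constructed placeholders.

# Write a minimal openssl config for the CA and create ca.key / ca.pem in $1.
# basicConstraints CA:TRUE and keyCertSign are what make clients accept
# certificates signed by it once ca.pem is imported as trusted.
make_private_ca() {
    out="$1"
    mkdir -p "$out"
    cat > "$out/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Internal CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$out/ca.cnf" -keyout "$out/ca.key" -out "$out/ca.pem" 2>/dev/null
}

# Issue key.pem / cert.pem for host $2, signed by the CA in $1. Browsers
# check the subjectAltName, so the hostname goes there, not only in the CN.
issue_server_cert() {
    out="$1"; host="$2"
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' \
        "$host" > "$out/server.cnf"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$host" > "$out/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$out/server.cnf" \
        -keyout "$out/key.pem" -out "$out/server.csr" 2>/dev/null
    openssl x509 -req -in "$out/server.csr" -CA "$out/ca.pem" -CAkey "$out/ca.key" \
        -CAcreateserial -days 825 -extfile "$out/server.ext" \
        -out "$out/cert.pem" 2>/dev/null
}

# Succeed only if cert.pem chains to ca.pem and names host $2 in its SAN.
verify_server_cert() {
    openssl verify -CAfile "$1/ca.pem" "$1/cert.pem" >/dev/null 2>&1 \
      && openssl x509 -in "$1/cert.pem" -noout -text | grep -q "DNS:$2"
}

# Succeed only if key.pem is the private key for cert.pem (a mismatched pair
# is one reason nginx refuses to load an ssl server block).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/key.pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run with constructed placeholder values.
DIR=$(mktemp -d)
HOST="passbolt.example.test"
make_private_ca "$DIR"
issue_server_cert "$DIR" "$HOST"
if verify_server_cert "$DIR" "$HOST" && key_matches_cert "$DIR"; then
    echo "cert.pem chains to ca.pem, names $HOST and matches key.pem"
else
    echo "verification failed; inspect the files in $DIR" >&2
fi
echo "output in $DIR: ca.pem (import as trusted on each client), key.pem and cert.pem (for nginx)"
```

`cert.pem` and `key.pem` are what `ssl_certificate` and `ssl_certificate_key` in the nginx server block point at; the CA private key `ca.key` stays off the web server. Only `ca.pem` is distributed: on Debian/Ubuntu clients it is copied to `/usr/local/share/ca-certificates/` with a `.crt` extension followed by `update-ca-certificates`; browsers such as Firefox keep their own trust store and need the CA imported separately, and the same goes for each phone.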