Checklist
[ ] I have read intro post: About the Installation Issues category
[ ] I have read the tutorials, help and searched for similar issues
[ ] I provide relevant information about my server (component names and versions, etc.)
[ ] I provide a copy of my logs and healthcheck
[ ] I describe the steps I have taken to trouble shoot the problem
[ ] I describe the steps on how to reproduce the issue
Hi community,
I have recently joined the Passbolt Club and setup a Docker installation of the CE version on an Ubuntu VM.
Passbolt Version: CE
Host: Docker
Host System: Ubuntu 24
Image: passbolt/passbolt:4.8.0-1-ce
And everything worked on the first try.
- Admin account added
- Set up Two Factor Authentication
- Added a test user
- Passwords created and Shared
So a fully functional installation.
And after veryfing that I proceeded to follow the Guide to get a Let’s Encrypt Certificate setup via Traefik.
(Docker automatic HTTPS configuration | Passbolt documentation.)
But after doing that I now get a NS_ERROR_REDIRECT_LOOP error when navigating to the subdomain.
I have replaced sensitive info in the following files with "<< something >> "
I have veryfied that i have a valid Certificate by looking at the /shared/acme.json file:
Excerpt from acme.json
"Registration": {
"body": {
"status": "valid",
"contact": [
"mailto:<<my-email>>"
]
},
I have also veryfied that the passbolt container recieves the routed request from Traefik by looking at the passbolt logs:
docker-compose -f docker-compose-ce.yaml logs -f passbolt
And observing activity there when eighter my plugin or my website request tries to access the URL.
Docker Compose File
version: "3.9"
services:
db:
image: mariadb:10.11
restart: unless-stopped
environment:
MYSQL_RANDOM_ROOT_PASSWORD: "true"
MYSQL_DATABASE: "passbolt"
MYSQL_USER: "passbolt"
MYSQL_PASSWORD: "<<db-password>>"
volumes:
- database_volume:/var/lib/mysql
passbolt:
image: passbolt/passbolt:4.8.0-1-ce
#Alternatively you can use rootless:
#image: passbolt/passbolt:latest-ce-non-root
restart: unless-stopped
depends_on:
- db
environment:
APP_FULL_BASE_URL: https://passbolt.<<my-domain>>
DATASOURCES_DEFAULT_HOST: "db"
DATASOURCES_DEFAULT_USERNAME: "passbolt"
DATASOURCES_DEFAULT_PASSWORD: "<<db-password>>"
DATASOURCES_DEFAULT_DATABASE: "passbolt"
EMAIL_DEFAULT_FROM_NAME: "Passbolt"
EMAIL_DEFAULT_FROM: "<<my email>>"
EMAIL_TRANSPORT_DEFAULT_HOST: "smtp.<<my-smtp-server>>"
EMAIL_TRANSPORT_DEFAULT_PORT: "587"
EMAIL_TRANSPORT_DEFAULT_USERNAME: "<<my email>>"
EMAIL_TRANSPORT_DEFAULT_PASSWORD: "<<smtp-password>>"
EMAIL_TRANSPORT_DEFAULT_TLS: "true"
PASSBOLT_SSL_FORCE: "true"
volumes:
- gpg_volume:/etc/passbolt/gpg
- jwt_volume:/etc/passbolt/jwt
command:
[
"/usr/bin/wait-for.sh",
"-t",
"0",
"db:3306",
"--",
"/docker-entrypoint.sh",
]
labels:
traefik.enable: "true"
traefik.http.routers.passbolt-http.entrypoints: "web"
traefik.http.routers.passbolt-http.rule: "Host(`passbolt.<<my-domain>>`)"
traefik.http.routers.passbolt-http.middlewares: "SslHeader@file"
traefik.http.routers.passbolt-https.middlewares: "SslHeader@file"
traefik.http.routers.passbolt-https.entrypoints: "websecure"
traefik.http.routers.passbolt-https.rule: "Host(`passbolt.<<my-domain>>`)"
traefik.http.routers.passbolt-https.tls: "true"
traefik.http.routers.passbolt-https.tls.certresolver: "letsencrypt"
#ports:
# - 80:80
# - 443:443
#Alternatively for non-root images:
# - 80:8080
# - 443:4433
traefik:
image: traefik:2.10.5
restart: always
ports:
- 80:80
- 443:443
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik.yaml:/traefik.yaml:ro
- ./conf/:/etc/traefik/conf
- ./shared/:/shared
volumes:
database_volume:
gpg_volume:
jwt_volume:
traefik.yaml
global:
sendAnonymousUsage: false
log:
level: INFO
format: common
providers:
docker:
endpoint: 'unix:///var/run/docker.sock'
watch: true
exposedByDefault: true
swarmMode: false
file:
directory: /etc/traefik/conf/
watch: true
api:
dashboard: false
debug: false
insecure: false
entryPoints:
web:
address: ':80'
http:
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
websecure:
address: ':443'
certificatesResolvers:
letsencrypt:
acme:
email: <<my-email>>
storage: /shared/acme.json
caServer: 'https://acme-v02.api.letsencrypt.org/directory'
keyType: EC256
httpChallenge:
entryPoint: web
tlsChallenge: {}
conf/tls.yaml
tls:
options:
default:
minVersion: VersionTLS12
sniStrict: true
curvePreferences:
- CurveP521
- CurveP384
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
conf/headers.yaml
http:
middlewares:
SslHeader:
headers:
FrameDeny: true
AccessControlAllowMethods: 'GET,OPTIONS,PUT'
AccessControlAllowOriginList:
- origin-list-or-null
AccessControlMaxAge: 100
AddVaryHeader: true
BrowserXssFilter: true
ContentTypeNosniff: true
ForceSTSHeader: true
STSIncludeSubdomains: true
STSPreload: true
ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
CustomFrameOptionsValue: SAMEORIGIN
ReferrerPolicy: same-origin
PermissionsPolicy: vibrate 'self'
STSSeconds: 315360000
To get the healcheck data i opened a shell inside the passbolt container and executed:
su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data
And I got:
Healthcheck Output
warning: 512 :: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_core_translations.cake_console.en_UK): Failed to open stream: Permission denied on line 393 of /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php
warning: 512 :: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_core_translations.cake_console.en_UK): Failed to open stream: Permission denied on line 393 of /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php
____ __ ____
/ __ \____ _____ ____/ /_ ____ / / /_
/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
/_/ \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
-------------------------------------------------------------------------------
Healthcheck shell.....
-------------------------------------------------------------------------------
Environment
[PASS] PHP version 8.2.18.
[PASS] PHP version is 8.1 or above.
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[FAIL] The temporary directory and its content are not writable, or are executable.
[HELP] Ensure the temporary directory and its content are writable by the webserver user.
[HELP] you can try:
[HELP] sudo chown -R www-data:www-data /var/lib/passbolt/tmp/
[HELP] sudo chmod -R 775 $(find /var/lib/passbolt/tmp/ -type d)
[HELP] sudo chmod -R 664 $(find /var/lib/passbolt/tmp/ -type f)
[PASS] The logs directory and its content are writable.
Config files
[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables
Core config
[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to <<my-domain>>
[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in /etc/passbolt/passbolt.php
[HELP] Check the network settings
SSL Certificate
[WARN] SSL peer certificate does not validate.
[WARN] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate.
[HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
SMTP settings
[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[WARN] The SMTP Settings source is: env variables.
[HELP] It is recommended to set the SMTP Settings in the database through the administration section.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.
JWT Authentication
[PASS] The JWT Authentication plugin is enabled.
[FAIL] The /etc/passbolt/jwt/ directory should not be writable.
[HELP] You can try:
[HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
[HELP] sudo chmod 750 /etc/passbolt/jwt/
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
[PASS] A valid JWT key pair was found.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[FAIL] The server OpenPGP key is not set.
[HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[FAIL] The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
[FAIL] The server key does not have a valid email id.
[HELP] Edit or generate another key with a valid email id.
[FAIL] The private key cannot be used to decrypt a message
[FAIL] The private key cannot be used to decrypt and verify a message
[FAIL] The public key cannot be used to verify a signature.
Application configuration
[PASS] Using latest passbolt version (4.8.0).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema up to date.
Database
[PASS] The application is able to connect to the database
[PASS] 31 tables found.
[PASS] Some default content is present.
[FAIL] 10 error(s) found. Hang in there!
And that looks alot like what I got from the healthcheck section on the Website before adding Treafik. But not entirely the same.
Could anyone explain to me how I can debug this behavior? Or did I miss something in the Guides?
Any help would be amazing, thank you for reading all this!