Trying to configure Passbolt server for SSL

I am logged into my PassBolt Server trying to add an SSL cert. When trying to execute -
sudo dpkg-reconfigure passbolt-pro-server
I receive dpkg-query: package ‘passbolt-pro-server’ is not installed and no information is available. I’m unsure how this could be possible as I have previously installed passbolt and am currently using passbolt.

Hi @twest :wave: and welcome to passbolt community forum :handshake:

I guess you have passbolt installed from sources and not from the package. To verify this, you can check for passbolt installed package:

$ dpkg -l | grep passbolt

Must return:

ii  passbolt-ce-server             3.4.0-2                        all          Passbolt, open source password manager for teams

If passbolt is installed from source, you will find source files in /var/www/passbolt.

To configure HTTPS, you have to edit the nginx configuration file manually. You can have a look at the documentation for a working example: Passbolt Help | Install passbolt API from source

Best,

Thank you for clarifying that for me @_jc :smile: I am also wondering, once I edit the nginx config file manually, will I then be able to configure https for ssl? Would it be a similar process to Passbolt Help | Auto configure HTTPS with Let’s Encrypt on Debian and Ubuntu?

Hi,

Unfortunately you can’t use dpkg-reconfigure method as you didn’t install passbolt from package.

You will find a passbolt nginx configuration example on this page : Passbolt Help | Install passbolt API from source

You can, on the other hand, migrate to the Ubuntu package: Passbolt Help | Migrate passbolt CE from install scripts to Ubuntu package

Best,

Thank you for your quick responses @_jc :smile: What I’m wondering is, for the nginx config example, if my URL for PB is currently an IP, would that be used where the placeholder is server name? Also, I don’t currently have an SSL cert; that’s what I was trying to accomplish through the auto config option, as I was under the impression it would add it for me through Let’s Encrypt. I understand that I can’t do this option now due to PB being installed via source and not package. I just need some assistance on how to get an SSL cert added to my PB install. Thank you again for your assistance!

The SSL certificate part is handled by nginx.

Is your server reachable over the internet? If the answer is yes, and if you want to get SSL certificates with Let’s Encrypt, the easiest way to achieve it is to follow this guide: Passbolt Help | Migrate passbolt CE from install scripts to Ubuntu package

Once migrated to the package, you will be able to run the dpkg-reconfigure passbolt-ce-server command following this other guide: Passbolt Help | Auto configure HTTPS with Let's Encrypt on Debian and Ubuntu

You can’t get an SSL certificate from Let’s Encrypt with an IP address. If your server is not reachable from the internet to get Let’s Encrypt certificates, if you don’t have any domain name, and if you just have an IP address, you can generate a self-signed SSL certificate valid for an IP with this command (replace the X.X.X.X with your IP address):

openssl req -x509 \
    -newkey rsa:4096 \
    -days 120 \
    -subj "/C=LU/ST=Luxembourg/L=Esch-Sur-Alzette/O=Passbolt SA/OU=Passbolt IT Team/CN=X.X.X.X/" \
    -nodes \
    -addext "subjectAltName = IP:X.X.X.X" \
    -keyout key.pem \
    -out cert.pem

This command will generate a cert.pem and a key.pem that you will be able to use in the nginx configuration file example.

:warning: Warning: :warning: If you are changing your domain from HTTP to HTTPS, you will unlink the browser extension of all the users. Before changing the domain, you must ensure that all the users have a copy of their private key to recover their account.

Let me know what you want to do, and don’t hesitate to ask if some parts are unclear.

Best,

Hello @_jc just to confirm, if the users do not have a copy of their private key is there anything I can do to ensure they will still have access to their account? Also, if I would like to change from an ip to domain would that be possible once I have the ssl cert?

Hi,

Unfortunately no. You must ensure users have a backup of their private key to be sure they will be able to recover their account.
It is easy for them to download it if they don’t have a backup. They can go to http://your.passbolt.url/app/settings/keys then download it:

Yes, you will just have to generate another certificate.

I just would like to make sure I have the steps down. I first need to generate a self-signed SSL cert because I have an IP address. Which process then would I need to change from an IP address to a domain name?

@_jc Just checking in on my question.

@twest To reconfigure settings so a domain is used instead of an ip address, you will need to change the fullBaseUrl value in your config/passbolt.php file. You may also need to add the domain to your /etc/hosts file so the server is able to resolve the domain.

Hi @twest ,

I’m sorry I forgot you :sweat_smile:

You can generate a valid self-signed certificate by following this doc: Passbolt Help | Manual HTTPS configuration on Debian and Ubuntu with user provided certificates

As written in the pro-tip: You can use an IP address instead of a domain name for your self-signed certificate. If you do that, replace DNS with IP in subjectAltName.

It is important to set your passbolt FQDN in both CN and subjectAltName. In this way, you will be able to import the generated certificate in your operating system keychain and make your self-signed domain trusted in your browser.

Cheers,
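The certificate advice in this thread (the openssl command for an IP address earlier, and the CN plus subjectAltName point in the post above), as an added shell example that is not part of the original posts or of passbolt's documentation: it generates the self-signed pair for either an IP or a domain name and checks it before the files are referenced from nginx. The function names, the shortened -subj, the optional key-size argument and the sample addresses are assumptions; IP detection covers IPv4 only and -addext needs OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example. 192.0.2.10 and passbolt.example.test are constructed sample values.

# SAN type for a host: IP for an IPv4 literal, DNS for anything else.
san_type() {
    case "$1" in
        ""|*[!0-9.]*) echo DNS ;;
        *.*.*.*)      echo IP ;;
        *)            echo DNS ;;
    esac
}

# make_cert HOST DIR [BITS]: write DIR/key.pem and DIR/cert.pem, host in CN and SAN.
make_cert() {
    local host="$1" dir="$2" bits="${3:-4096}"
    ( umask 077   # keep the unencrypted (-nodes) private key owner-only
      openssl req -x509 -newkey "rsa:${bits}" -days 120 -nodes \
          -subj "/CN=${host}" \
          -addext "subjectAltName = $(san_type "$host"):${host}" \
          -keyout "${dir}/key.pem" -out "${dir}/cert.pem" )
}

# check_cert HOST DIR: succeed only if the pair is fit to reference from nginx.
check_cert() {
    local host="$1" dir="$2" flag=-checkhost
    if [ "$(san_type "$host")" = IP ]; then flag=-checkip; fi
    # 1. The certificate must cover the exact name or IP users will browse to.
    openssl x509 -in "${dir}/cert.pem" -noout "$flag" "$host" \
        | grep -q "does match" || return 1
    # 2. It must not be expired already.
    openssl x509 -in "${dir}/cert.pem" -noout -checkend 0 >/dev/null || return 1
    # 3. The private key must belong to this certificate.
    [ "$(openssl x509 -in "${dir}/cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "${dir}/key.pem" -pubout)" ] || return 1
    # 4. The key file must not be world-readable.
    [ -z "$(find "${dir}/key.pem" -perm -004)" ] || return 1
}

# Stand-alone use: ./selfsigned.sh HOST  (writes into the current directory)
if [ "$#" -gt 0 ]; then
    make_cert "$1" . && check_cert "$1" . && echo "certificate OK for $1"
fi
```

Running check_cert with the new domain name against a certificate issued for the old IP fails at step 1, which is the signal to generate another certificate when moving from the IP to a domain.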

Hi @_jc is there any way to talk to someone over the phone regarding this or to have a remote session with someone at all?

@twest If you are a Passbolt Pro user you can get help via support@passbolt.com and link to this thread in the email you send. I mention this because in your first post you mention the pro package. You can ask about phone support as well.