Upgrading from 2.10 to 4.8 / 502 nginx error

Checklist
[✓] I have read intro post: About the Installation Issues category
[✓] I have read the tutorials, help and searched for similar issues
[✓] I provide relevant information about my server (component names and versions, etc.)
[✓] I provide a copy of my logs and healthcheck
[✓] I describe the steps I have taken to troubleshoot the problem
[✓] I describe the steps on how to reproduce the issue

Hi everyone,

I haven’t updated my Docker install of Passbolt in a long time (currently on tag 2.10.0-debian) and want to update to 4.8.0-1-ce.

After I updated the docker-compose.yml and restarted the container, I get an nginx error page (502). I already saw similar posts about an older version here ("502 error after upgrade to v3.3.0") and here ("502 Bad Gateway Docker ipv4"), but the issue seems to be somewhere else, since the nginx and PHP config files were already configured correctly according to those threads. I also tried restarting the entire machine and both the SQL server container (MariaDB 10.4) and the Passbolt container.

I tried looking into the nginx logs (passbolt-error.log and passbolt-access.log), but when trying to open them with nano I get an empty file with the warning that the file cannot be opened because it is a device file.

If you need anything to help diagnose the issue let me know!

This is the healthcheck before the update:

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.2.18.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /var/www/passbolt/config/
  [HELP] Copy /var/www/passbolt/config/passbolt.php.default to /var/www/passbolt/config/passbolt.php
  [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://192.168.1.99
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
  [HELP] cURL Error (60) SSL certificate problem: self signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
 [PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server gpg key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [FAIL] This installation is not up to date. Currently using 2.10.0 and it should be v4.8.0.
  [HELP] See. https://www.passbolt.com/help/tech/update
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [WARN] Registration is open to everyone.
  [HELP] Make sure this instance is not publicly available on the internet.
  [HELP] Or set passbolt.registration.public to false in config/passbolt.php.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

  3 error(s) found. Hang in there!

This is the healthcheck after the update:

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 8.2.18.
 [PASS] PHP version is 8.1 or above.
 [PASS] PCRE compiled with unicode support.
 [PASS] Mbstring extension is installed.
 [PASS] Intl extension is installed.
 [PASS] GD or Imagick extension is installed.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Cache is working.
 [PASS] Debug mode is off.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://192.168.1.99
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in /etc/passbolt/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [WARN] SSL peer certificate does not validate.
 [WARN] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate.
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl

 SMTP settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [WARN] The SMTP Settings source is: env variables.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
 [PASS] No custom SSL configuration for SMTP server.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled.
 [FAIL] The /etc/passbolt/jwt/ directory should not be writable.
 [HELP] You can try:
 [HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
 [HELP] sudo chmod 750 /etc/passbolt/jwt/
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
 [PASS] A valid JWT key pair was found.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one.
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (4.8.0).
 [FAIL] Passbolt is not configured to force SSL use.
 [HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.
 [PASS] The database schema up to date.

 Database

 [PASS] The application is able to connect to the database
 [PASS] 31 tables found.
 [PASS] Some default content is present.

 [FAIL] 3 error(s) found. Hang in there!

Hello @mhrm and welcome to the forum!
Have you tried updating your PHP version? If I’m not mistaken, this version of PHP is no longer supported.

Hi and thanks for the warm welcome! :slight_smile:

Upgrade PHP on the current version? How would I go about doing that? Does a new version of PHP even work with the outdated Passbolt version?

On the new version, i.e. when I update the docker container, it automatically downloads a current version of PHP (8.2.18).

Can you share your docker compose file without any passwords? There are some adjustments required with that jump from v2 to v4.

Sure!

version: '3.4'
services:
  db:
    image: mariadb:10.4
    env_file:
      - env/mysql.env
    volumes:
      - database_volume:/var/lib/mysql
    ports:
      - "127.0.0.1:3306:3306"

  passbolt:
    image: passbolt/passbolt:2.10.0-debian
    tty: false
    depends_on:
      - db
    env_file:
      - env/passbolt.env
    volumes:
      - gpg_volume:/var/www/passbolt/config/gpg
      - images_volume:/var/www/passbolt/webroot/img/public
    tmpfs:
      - /run
    command: ["/usr/bin/wait-for.sh", "db:3306", "--", "/docker-entrypoint.sh"]
    ports:
      - 80:80
      - 443:443

volumes:
  database_volume:
  gpg_volume:
  images_volume:

Since they’re part of the docker-compose file, here are the two .env files (without passwords and sensitive data).

mysql.env:

MYSQL_ROOT_PASSWORD=[PasswordRoot]
MYSQL_DATABASE=passbolt
MYSQL_USER=passbolt
MYSQL_PASSWORD=[PasswordDBUser]

and passbolt.env:

# URL
APP_FULL_BASE_URL=https://192.168.178.1

# Database settings
DATASOURCES_DEFAULT_HOST=db
DATASOURCES_DEFAULT_USERNAME=passbolt
DATASOURCES_DEFAULT_PASSWORD=[PasswordDBUser]
DATASOURCES_DEFAULT_DATABASE=passbolt
DATASOURCES_DEFAULT_PORT=3306

# Registration
PASSBOLT_REGISTRATION_PUBLIC=true

# Email settings
EMAIL_TRANSPORT_DEFAULT_CLASS_NAME=Smtp
EMAIL_DEFAULT_FROM=[From@Domain.com]
EMAIL_DEFAULT_TRANSPORT=default
EMAIL_TRANSPORT_DEFAULT_HOST=[Server.com]
EMAIL_TRANSPORT_DEFAULT_PORT=25
EMAIL_TRANSPORT_DEFAULT_TIMEOUT=30

I wouldn’t be surprised if something needs changing here. It’s ancient and I barely remember how I set it up. :sweat_smile:

Are you also blocking the update of the browser extension?
Because I am even surprised that this still works :sweat_smile:

version: '3.9'
services:
  db:
    image: mariadb:10.4
    restart: unless-stopped
    env_file:
      - env/mysql.env
    volumes:
      - database_volume:/var/lib/mysql
    ports:
      - 3306:3306 # Not necessary here

  passbolt:
    image: passbolt/passbolt:latest-ce
    restart: unless-stopped
    depends_on:
      - db
    env_file:
      - env/passbolt.env
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command: ["/usr/bin/wait-for.sh", "db:3306", "--", "/docker-entrypoint.sh"]
    ports:
      - 80:80
      - 443:443

volumes:
  database_volume:
  gpg_volume:
  images_volume:

Take a backup of the database

docker compose pull
docker compose down
docker compose up -d 
pray

Let us know!

I changed the compose-file as provided, however I get this error:

service "passbolt" refers to undefined volume jwt_volume: invalid compose project

I’m assuming I have to change the “images_volume” at the bottom to “jwt_volume” as well? Just making sure.

Oh and yeah I basically had to use an outdated browser besides my main browser in order for anything to work at all. I finally decided to update now though. :sweat_smile:

I’m sorry, I checked the old healthcheck twice instead of old and new, so as I saw an older version of PHP I suggested updating.
You are right, docker instance has everything you need including a newer version of PHP.

Yes, you have to change images_volume to jwt_volume (or add it in case you are using images_volume). With that docker-compose you should be running a Passbolt instance without problems

Okay - I briefly tested it and it looks good so far (I get to the login screen). I have yet to test if my other PC is still logged in or if I need my recovery kit (which I don't have :sweat_smile:).

On the old install I couldn’t download the recovery kit because of the old version (nothing happened when I clicked the button). So here is hoping it works. I can test it on Monday and will get back to you if it worked. Do you have any idea if a version jump like this would prompt another login/restore with the recovery kit? Or should I be fine with just the password?

Hi!

Thanks - your solution worked perfectly :smiley:

Had to change the last line from

  images_volume:

to

  jwt_volume:

But other than that worked like a charm.
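
Added example (not part of any post in this thread, and not Passbolt or Docker code): a pre-deployment check for the two compose-file issues visible above, the `jwt_volume` mount with no matching top-level declaration, and the MariaDB port changing from `127.0.0.1:3306:3306` to `3306:3306`, which publishes it on every host interface. The names `lint_compose` and `SAMPLE` are hypothetical, and the scanner only handles block-style YAML with short volume and port syntax.

```python
# Constructed sample: the compose file suggested in the thread, abridged.
SAMPLE = """\
services:
  db:
    image: mariadb:10.4
    volumes:
      - database_volume:/var/lib/mysql
    ports:
      - 3306:3306 # Not necessary here
  passbolt:
    image: passbolt/passbolt:latest-ce
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
volumes:
  database_volume:
  gpg_volume:
  images_volume:
"""

def lint_compose(text):
    """Line scanner (not a YAML parser) for block-style, short-syntax compose files."""
    declared, used, findings = set(), [], []
    top = service = key = None
    for raw in text.splitlines():
        body = raw.split(" #")[0].strip()          # drop trailing comments
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                            # top-level section
            top, service, key = body.rstrip(":"), None, None
        elif top == "volumes" and indent == 2:     # named volume declaration
            declared.add(body.rstrip(":"))
        elif top == "services" and indent == 2:    # service name
            service, key = body.rstrip(":"), None
        elif top == "services" and body.startswith("- "):
            item = body[2:].strip("\"'")
            if key == "volumes" and not item.startswith(("/", ".", "~")):
                used.append((service, item.split(":")[0]))   # skip bind mounts
            elif key == "ports" and item.endswith(":3306") and item.count(":") == 1:
                findings.append(f"{service}: 3306 published on all interfaces")
        elif top == "services" and indent == 4:    # service-level key
            key = body.split(":")[0]
    findings += [f"{s}: volume {v} is not declared" for s, v in used if v not in declared]
    unused = sorted(declared - {v for _, v in used})
    return findings + [f"volume {v} is declared but unused" for v in unused]

if __name__ == "__main__":
    print("\n".join(lint_compose(SAMPLE)))
```

On a real project, `docker compose config -q` reports the undefined-volume error before any container is restarted; it does not flag the port binding.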