Use my own provided certificate via Passbolt-Docker

Hello,
I want to use the latest Passbolt via Docker. The installation works fine, but if I open the website, the browser shows a self-signed certificate.
I read the Docker documentation by Passbolt and it says

NOTE: If you don't provide any GnuPG serverkey or SSL certificate passbolt container will create a self signed SSL certificate and a GnuPG server key pair.

https://help.passbolt.com/hosting/install/ce/docker.html
But how do I provide this to Passbolt? I have persisted the SSL certificate files in /etc/ssl/certs/, but I can’t find an environment variable or something similar to provide Passbolt with my certificate.
I only find the DATASOURCES_DEFAULT_SSL_CERT variable, but this is for the database, not for the server.
In another forum post, a user says:

Indeed the passbolt docker container doesn’t provide any let’s encrypt capabilities.

https://community.passbolt.com/t/lets-encrypt-docker-installation/2159
But is that valid for my own certificates, too? If not, how can I set my certificate?
Thank you very much!

Hi @Sebastian_SWP

Passbolt expects certificates to be located in /etc/ssl/certs/certificate.crt and /etc/ssl/certs/certificate.key, as you mentioned. In the very same doc you linked we also mention that you can leverage bind mounts to mount these files in your container. There are no env variables for the nginx SSL certificates at the moment:

Persisting data in passbolt container

There are several locations that might be interesting for the users to persist data between container restarts:

  • Images directory: /var/www/passbolt/webroot/img
  • Gnupg serverkeys directory: /var/www/passbolt/config/gpg
  • SSL certificate files: /etc/ssl/certs/certificate.crt /etc/ssl/certs/certificate.key

These files and directories can be persisted in the docker volume using docker volumes or using bind mounts.

You can mount your SSL certificates on that location, the container will start, detect those files and won’t generate any SSL certificate.

We provide links on the docs to the docker official bind mounts and docker volumes for you to set them up. You could also set this up easily with docker compose, something like this (snippet of docker-compose.yml file):

volumes:
      - gpg_volume:/var/www/passbolt/config/gpg
      - images_volume:/var/www/passbolt/webroot/img/public
      - PATH_TO_YOUR_SSL_KEY_CERT:/etc/ssl/certs/certificate.key
      - PATH_TO_YOUR_SSL_CERT:/etc/ssl/certs/certificate.crt

We also provide examples on how to do bind mounts directly with docker, however you are right, none of those refer to the SSL certificates but to the images and gpg data directory. You could however take these examples and adapt them to mount your SSL certs using docker without docker-compose involved.

$ docker run --name passbolt --net passbolt_network \
             --mount type=bind,source=<host_path_to_gnupg_keys_dir>,target=/var/www/passbolt/config/gpg \
             -p 443:443 \
             -p 80:80 \
             -e DATASOURCES_DEFAULT_HOST=mariadb \
             -e DATASOURCES_DEFAULT_PASSWORD=<mariadb_password> \
             -e DATASOURCES_DEFAULT_USERNAME=<mariadb_user> \
             -e DATASOURCES_DEFAULT_DATABASE=<mariadb_database> \
             -e APP_FULL_BASE_URL=https://mydomain.com \
             passbolt/passbolt:latest

Hope this helps.

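Added example, not part of the reply above or of the Passbolt documentation: a pre-flight check for the certificate and key on the host that prints the two bind-mount flags for the container paths named in the reply. The function names are made up for this sketch, the `openssl` CLI is assumed to be installed, and `readonly` assumes the container only reads these files.

```sh
#!/bin/sh
# Added example; host paths are the caller's, container targets are the
# two certificate paths named in the reply above.

# Reject anything that is not an absolute path to a readable regular file.
# --mount needs an absolute bind source, and with -v or the compose short
# syntax Docker creates a missing host path as a directory, which the
# container would then find in place of the certificate.
require_file() {
    case $1 in
        /*) ;;
        *) echo "not an absolute path: $1" >&2; return 1 ;;
    esac
    if [ ! -f "$1" ] || [ ! -r "$1" ]; then
        echo "not a readable regular file: $1" >&2
        return 1
    fi
}

# Succeed only when the certificate and the private key share a public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Print one --mount flag per file for `docker run`.
# readonly is an assumption: the container is expected only to read them.
passbolt_tls_mounts() {
    cert=$1
    key=$2
    require_file "$cert" || return 1
    require_file "$key" || return 1
    if ! cert_matches_key "$cert" "$key"; then
        echo "certificate and key do not match" >&2
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired" >&2
        return 1
    fi
    crt_target=/etc/ssl/certs/certificate.crt
    key_target=/etc/ssl/certs/certificate.key
    printf -- '--mount type=bind,source=%s,target=%s,readonly\n' "$cert" "$crt_target"
    printf -- '--mount type=bind,source=%s,target=%s,readonly\n' "$key" "$key_target"
}
```

After sourcing the file, the printed flags go into the `docker run` line in place of, or next to, the gpg mount; host paths containing spaces need the flags passed as separate quoted arguments instead of an unquoted command substitution.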

Yes, that’s it! Thank you very much for your detailed answer! :blush:
