Using HTTPS my instance on docker is not reachable

Installation Issues
1

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

Hi all ,

I am running passbolt on my server in a docker container. I followed the documentation, everything is working fine using http.

Now I want to use https in order to connect to my instance using a self signed certificate (generated using openssl req -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650).

My docker compose file is so composed:

environment:
      - APP_FULL_BASE_URL=https://localhost:8081
      ...
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
      - ./ssl/cert.pem:/etc/ssl/certs/certificate.crt:ro
      - ./ssl/key.pem:/etc/ssl/certs/certificate.key:ro

like indicated in the documentation (Passbolt Help | Manual HTTPS configuration on Docker). But still the instance is accessible only via http. Using https give me this:

immagine
immagine692×430 18.1 KB

What am I doing wrong? I can attach the log during the start-up of the contaienr when needed.

2

Hello @seamoce, welcome to our community :slight_smile:

I have tried to reproduce the issue, I saw that you were mapping the 8081 port for 443.

Can you confirm that the ports section is looking as below:

    ports:
      - 8081:443

Indeed, you need to map the 443 → 8081 and not the contrary.

Best regards

3

Hi Thanks for the answer,

the ports are so configured:

    ports:
      - 8081:80
      - 4433:443

I do not use the usual one because are already occupied by another container. Might be this the problem?

4

I think that the issues is that you have set the APP_FULL_BASE_URL to https://localhost:8081 but you’ve mapped that port to use HTTP.

Can you try to:

  • Shutdown the container
    • docker compose -f docker-compose-ce.yaml down
  • Update the docker-compose file
  • Start the container
    • docker compose -f docker-compose-ce.yaml up -d
5

Hi,

I followed your suggestion. Now the website is reachable but I get a blank page, looks like there is some problem with the certificate itself. I ran the heathcheck here the output:


     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
Passbolt CE 4.4.2
Cakephp 4.4.17
Linux ad63a53dca8a 5.4.0-163-generic
PHP 8.2.7 (cli) (built: Jun  9 2023 19:37:27) (NTS)
 ERROR: /usr/share/php/passbolt/bin/utils.sh: line 64: mysql: command not found
gpg: WARNING: unsafe ownership on homedir '/var/lib/passbolt/.gnupg'
gpg (GnuPG) 2.2.40
 ERROR: /usr/share/php/passbolt/bin/utils.sh: line 64: composer: command not found

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell         
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 8.2.7.
 [PASS] PHP version is 8.1 or above.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://localhost:4433
 [FAIL] App.fullBaseUrl does not validate. https://localhost:4433.
 [HELP] Edit App.fullBaseUrl in /etc/passbolt/passbolt.php
 [HELP] Select a valid domain name as defined by section 2.3.1 of http://www.ietf.org/rfc/rfc1035.txt
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in /etc/passbolt/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [WARN] SSL peer certificate does not validate
 [WARN] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] cURL Error (7) Failed to connect to localhost port 4433 after 0 ms: Couldn't connect to server

 Database

 [PASS] The application is able to connect to the database
 [PASS] 31 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [FAIL] The server OpenPGP key is not set
 [HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [FAIL] The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
 [HELP] Double check the key fingerprint, example: 
 [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
 [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
 [HELP] Import the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
 [FAIL] The server key does not have a valid email id.
 [HELP] Edit or generate another key with a valid email id.

 Application configuration

 [PASS] Using latest passbolt version (4.4.2).
 [FAIL] Passbolt is not configured to force SSL use.
 [HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [FAIL] SMTP Setting errors: App\Utility\OpenPGP\Backends\Gnupg::setDecryptKeyFromFingerprint(): Argument #1 ($fingerprint) must be of type string, null given, called in /usr/share/php/passbolt/plugins/PassboltCe/SmtpSettings/src/Service/SmtpSettingsGetSettingsInDbService.php on line 109
 [WARN] The SMTP Settings source is: undefined.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [FAIL] 8 error(s) found. Hang in there!


     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Cleanup shell (dry-run)
-------------------------------------------------------------------------------
No issue found, data looks squeaky clean!

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
Data check shell
[PASS] Data integrity for AuthenticationTokens.
  [PASS] Can validate: 41/41
[PASS] Data integrity for Comments.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Favorites.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Gpgkeys.
  [PASS] Can encrypt: 4/4
  [PASS] Pass validation service checks: 4/4
  [PASS] Entity data and armored key data matches: 4/4
  [PASS] Is not expired: 4/4
  [PASS] Is armored key format valid: 4/4
[PASS] Data integrity for Groups.
  [PASS] Can validate: 1/1
[PASS] Data integrity for Profiles.
  [PASS] Can validate: 4/4
[PASS] Data integrity for Resources.
  [PASS] Can validate: 45/45
[PASS] Data integrity for Secrets.
  [PASS] Can validate: 83/83
[PASS] Data integrity for Users.
  [PASS] Can validate: 4/4

so the question is now: I am generating the self signed certificate correcly?

6

Just to confirm, are you navigating to the url and mentioning the port as well? e.g. https://localhost:4433 ? Blank page are usually related to the fullBaseUrl not matching the url you are trying to reach.

7

Hi,

yes exactly I try to reach the instance also declaring the port accordingly to the docker compose statement. Infact within the docker when print out the content of the variable seems correct:

root@5860ed96ed77:/usr/share/php/passbolt# echo $APP_FULL_BASE_URL  
https://localhost:4433
root@5860ed96ed77:/usr/share/php/passbolt#

And this is what I get when I type the URL in the browser

immagine
immagine696×634 9.01 KB

8

I see you are trying to reach 192.168.134.163:4433 but you’ve mapped localhost:4433 inside the docker compose file, you’ll need to do:

APP_FULL_BASE_URL = https://192.168.134.163:4433

The fullBaseUrl should match the IP you are trying to reach

9

Oh man! What a noob mistake :nerd_face:

Thank you so much for your help!

EDIT: Is there a way to redicrect the http connection to https directly?

10

No worries, can happen to anybody! Enjoy passbolt :smiley:

1 Like