Red Hat/RPM based manual HTTPS configuration
Changing your domain from HTTP to HTTPS changes the URL the browser extension is bound to, so it will unlink every user's browser extension. Before making this change, you must ensure that all users have a copy of their private key so that they can recover their account.
Pro tip: users can download their recovery kit by following this dedicated guide.
TLS (SSL) configuration
The passbolt RPM packages currently support configuring nginx. They ship with a default configuration that:
- serves passbolt on port 80 (HTTP)
- serves passbolt on port 443 (HTTPS)
In this context, 'manually' means that you provide the TLS (SSL) certificate and key yourself. This is the main difference from the 'auto' method, where Let's Encrypt issues the TLS (SSL) certificate for you.
The manual method is typically used on private networks with a private CA: the system administrator issues a certificate from that CA and uploads it, with its private key, to the passbolt server. It is also commonly used with self-signed TLS (SSL) certificates in test environments.
In this example, we assume a self-signed certificate generated on the passbolt server itself.
Generate the TLS (SSL) certificates
While connected to your passbolt server, you can generate a self-signed TLS (SSL) certificate and private key manually:
openssl req -x509 \
-newkey rsa:4096 \
-days 120 \
-subj "/C=LU/ST=Luxembourg/L=Esch-Sur-Alzette/O=Passbolt SA/OU=Passbolt IT Team/CN=passbolt.domain.tld/" \
-nodes \
-addext "subjectAltName = DNS:passbolt.domain.tld" \
-keyout key.pem \
-out cert.pem
This command outputs two files: key.pem (the private key) and cert.pem (the certificate). Note the absolute path where these files are located, as you will need it in the next steps. openssl creates key.pem readable by its owner only; keep it that way.
Of course, replace the -subj values with your own. It is important to set your passbolt FQDN in both CN and subjectAltName: browsers check the hostname against subjectAltName, not CN, so a certificate without the SAN entry is rejected even when CN is correct. With both set, you can import the generated certificate into your operating system keychain and make your self-signed domain trusted in your browser.
You can use an IP address instead of a domain name for your self-signed certificate. If you do that, use IP: instead of DNS: in subjectAltName (for example -addext "subjectAltName = IP:192.0.2.10") and put the same address in CN.
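The generation step above, extended into a small script. This is an added example and not part of passbolt or the original page: it picks DNS: or IP: for subjectAltName from the name you pass, restricts key.pem to its owner, checks that the key belongs to the certificate and that the SAN carries the expected name, and then prints the absolute paths you will give to passbolt-configure. The output directory and the -subj organisation fields are placeholders to adapt.

```shell
#!/bin/sh
# Added example: generate and sanity-check a self-signed certificate for passbolt.
# Not passbolt's own tooling. Output file names (cert.pem, key.pem) follow the
# page; OUTDIR and the -subj organisation fields are placeholders to adapt.
set -u

# Print the subjectAltName of a PEM certificate as openssl renders it,
# e.g. "DNS:passbolt.domain.tld" or "IP Address:192.0.2.10".
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Return 0 if KEY ($2) is the private key belonging to CERT ($1): same public key.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# gen_selfsigned_cert OUTDIR NAME [DAYS]
# NAME is the FQDN users will type into the browser, or an IPv4 address;
# the SAN type (DNS: or IP:) is chosen from it and the same value goes into CN.
gen_selfsigned_cert() {
    outdir=$1; name=$2; days=${3:-120}
    if printf '%s' "$name" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
        san="IP:$name";  expected="IP Address:$name"
    else
        san="DNS:$name"; expected="DNS:$name"
    fi
    mkdir -p "$outdir" || return 1
    # -nodes: no passphrase, nginx must be able to read the key unattended.
    openssl req -x509 -newkey rsa:4096 -days "$days" -nodes \
        -subj "/C=LU/ST=Luxembourg/L=Esch-Sur-Alzette/O=Passbolt SA/OU=Passbolt IT Team/CN=$name/" \
        -addext "subjectAltName = $san" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null || return 1
    chmod 600 "$outdir/key.pem"    # private key: owner only
    chmod 644 "$outdir/cert.pem"   # certificate: public
    # Verify before handing the files to passbolt-configure.
    cert_matches_key "$outdir/cert.pem" "$outdir/key.pem" || { echo "key/cert mismatch" >&2; return 1; }
    [ "$(cert_san "$outdir/cert.pem")" = "$expected" ] || { echo "unexpected SAN" >&2; return 1; }
    # Print the absolute paths the configure tool asks for.
    absdir=$(cd "$outdir" && pwd)
    echo "certificate: $absdir/cert.pem"
    echo "private key: $absdir/key.pem"
}

# Usage: sh gen-passbolt-cert.sh /etc/pki/tls/passbolt passbolt.domain.tld [days]
if [ $# -ge 2 ]; then
    gen_selfsigned_cert "$@"
fi
```

Run it as root, for example `sh gen-passbolt-cert.sh /etc/pki/tls/passbolt passbolt.domain.tld`. Root ownership with mode 0600 on key.pem is enough: nginx reads the key as root when it starts, and on Red Hat systems storing the files under /etc/pki/tls keeps the SELinux context (cert_t) that nginx is allowed to read. The cert_san and cert_matches_key checks are just as useful on a certificate issued by a private CA before you point the configure tool at it.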
Install or reconfigure passbolt
If you are reconfiguring passbolt, you most likely want to answer 'no' to the mariadb and haveged setup questions and go straight to the nginx setup.
The passbolt PRO RPM package includes a configuration helper tool to set up MariaDB, nginx and the TLS (SSL) settings.
You must prepare your TLS (SSL) certificate and its corresponding private key before launching the tool. Write down the full path to the certificate and to the key, as the nginx configuration step will ask for them.
For security reasons, we strongly recommend serving passbolt over TLS (SSL).
Launch the passbolt-configure tool and answer the questions:
sudo /usr/local/bin/passbolt-configure
==============================================================
Do you want to install a local mariadb server on this machine?
==============================================================
1) yes
2) no
#?
Please enter the domain name under which passbolt will run.
This hostname is used as the nginx server_name and, if you do not provide your own TLS (SSL) certificate, as the domain name for which a Let's Encrypt certificate is requested.
=========
Hostname: passbolt.domain.tld
=========
You will then be able to choose the manual setup.
==================
Setting up TLS (SSL)...
==================
1) manual
2) auto
3) none
#?
If you choose 1, you will be prompted for the full path to your certificate and to its private key:
The private key must not be passphrase-protected, otherwise nginx cannot read it when it starts.
Enter the path to the TLS (SSL) public certificate: /path/to/certs/cert.pem
Enter the path to the TLS (SSL) private key: /path/to/certs/key.pem
nginx and MariaDB are now being configured. At the end of the process you will be told to connect to the passbolt web interface to finish the configuration.
===============================================================
Installation is almost complete. Please point your browser to
https://passbolt.domain.tld to complete the process
===============================================================
Reload nginx once reconfiguration is complete to apply the TLS (SSL) configuration.
sudo systemctl reload nginx
Finally, ensure that the fullBaseUrl value in /etc/passbolt/passbolt.php starts with https://.
And that's it: you should be able to reach your server on the domain you specified.
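A post-configuration check for the last two steps. This is an added example, not passbolt's own tooling: it reads fullBaseUrl from passbolt.php and verifies that it is an https:// URL for your hostname, then compares the SHA-256 fingerprint of the certificate you handed to passbolt-configure with the one nginx actually serves on port 443, which catches a configuration that was never reloaded or points at the wrong file. The config path /etc/passbolt/passbolt.php is the RPM default; the hostname and certificate path are arguments.

```shell
#!/bin/sh
# Added example: post-configuration checks for the manual TLS setup.
# Not passbolt's own tooling. Assumes the RPM default config path
# /etc/passbolt/passbolt.php and that nginx already listens on 443.
set -u

# Print the fullBaseUrl value from a passbolt.php (empty if not set).
passbolt_fullbaseurl() {
    sed -n "s/^[[:space:]]*'fullBaseUrl'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Return 0 if fullBaseUrl uses https:// and names HOST ($2), with an optional port or trailing slash.
fullbaseurl_ok() {
    url=$(passbolt_fullbaseurl "$1")
    case $url in
        "https://$2"|"https://$2/"|"https://$2:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# SHA-256 fingerprint of a PEM certificate file, colon-separated hex only.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate nginx actually serves for HOST (via SNI) on PORT.
served_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# check_passbolt_tls HOST [CERT] [CONFIG]
check_passbolt_tls() {
    host=$1; cert=${2:-}; conf=${3:-/etc/passbolt/passbolt.php}; rc=0
    if fullbaseurl_ok "$conf" "$host"; then
        echo "ok: fullBaseUrl is https://$host"
    else
        echo "FAIL: fullBaseUrl in $conf is '$(passbolt_fullbaseurl "$conf")', expected https://$host"
        rc=1
    fi
    if [ -n "$cert" ]; then
        local_fp=$(cert_fingerprint "$cert")
        served_fp=$(served_fingerprint "$host")
        if [ -n "$served_fp" ] && [ "$local_fp" = "$served_fp" ]; then
            echo "ok: nginx serves $cert ($local_fp)"
        else
            echo "FAIL: served certificate '${served_fp:-none}' does not match $cert ($local_fp)"
            echo "      check the nginx config, then: sudo nginx -t && sudo systemctl reload nginx"
            rc=1
        fi
    fi
    return $rc
}

# Usage: sh check-passbolt-tls.sh passbolt.domain.tld /path/to/certs/cert.pem
if [ $# -ge 1 ]; then
    check_passbolt_tls "$@"
fi
```

Run it from the passbolt server itself (or any host that resolves the FQDN to it) after the reload. A fingerprint mismatch with a non-empty served value usually means nginx is still serving the certificate from the previous configuration, so run sudo nginx -t and reload again; an empty served value means nothing answered TLS on 443 at all.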