Programster's Blog

Tutorials focusing on Linux, programming, and open-source

Debian 9 - Deploy Passbolt

Passbolt is an open source password manager for teams. It allows you to share/manage passwords with different groups of people. This is especially useful for organizations, rather than individuals.

Installation Steps

Set up database

sudo apt-get install mariadb-server -y
sudo systemctl start mariadb

By default the database is not set up with a root password. Lets fix thiBY creating a random password for the root user.

ROOT_PASSWORD=`openssl rand -base64 14`
sudo mysql --user="root" --execute="GRANT ALL ON *.* to 'root'@'localhost' identified by '$ROOT_PASSWORD';"
echo "Your database's root password is: $ROOT_PASSWORD"

Feel free to run this additional step to perform some security operations such as delete the test database etc.

sudo mysql_secure_installation

Then execute the following snippet that will create a passbolt database for a passbolt user and give you the password.

PASSBOLT_PASSWORD=`openssl rand -base64 14`
mysql --user="root" --password="$ROOT_PASSWORD" --execute="CREATE DATABASE passbolt;"
mysql --user="root" --password="$ROOT_PASSWORD" --execute="GRANT ALL ON *.* TO 'passbolt'@'localhost' IDENTIFIED BY '$PASSBOLT_PASSWORD'"
echo "Your passbolt user's password is $PASSBOLT_PASSWORD"

Make a note of the passbolt user's password, you will need this later.

Install Packages

sudo apt update && sudo apt-get install -y \
  apache2 make git-core composer unzip g++ linux-headers-amd64 \
  php7.0 php7.0-cli php7.0-common libapache2-mod-php7.0 \
  php7.0-json php7.0-readline php7.0-mysqlnd libonig4 \
  libqdbm14 php7.0-gd php7.0-intl php7.0-simplexml php7.0-curl \
  php7.0-dom php7.0-mbstring libgpgme11-dev php7.0-gnupg composer

Configure Apache

Copy and paste the following into /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName passbolt.dev

    DocumentRoot /var/www/passbolt

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/passbolt>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Enable url rewriting in apache and restart it.

sudo a2enmod rewrite && sudo systemctl restart apache2

Download Passbolt

sudo chown -R $USER:www-data /var/www
cd /var/www
sudo git clone https://github.com/passbolt/passbolt_api.git ./passbolt
sudo chown $USER:www-data -R /var/www/passbolt
cd /var/www/passbolt
git checkout v2.4

For the next section, we need to set ownership of /var/www to www-data.

sudo chown www-data:www-data -R /var/www

Initialize the Webserver GPG Keyring

In order for passbolt authentication to work your server key needs to be in the keyring used by the web server.

In Debian 9, the home directory of the web server user www-data is /var/www and we need to give ownership of this folder to www-data, since it is not owned by default.

Unfortunately, generating GPG keys as the www-data is not as straightforward as you may hope. We need to make it so that we can SSH into the server as the www-data user.

SEARCH="www-data:/var/www:/usr/sbin/nologin"
REPLACE="www-data:/var/www:/bin/bash"
FILEPATH="/etc/passwd"
sudo sed -i "s;$SEARCH;$REPLACE;" $FILEPATH

Then we need to set a password for the www-data user:

sudo passwd www-data

After doing all that, logout of the server and then SSH in again with the www-data user.

ssh www-data@passbolt.mydomain.com

Generate your GPG key. Make sure not to set a passphrase.

gpg --full-gen-key

For the sake of the rest of the commands, put in the email you specified for the key in the previous step.

EMAIL="my.name@gmail.com"

Output the fingerprint of the key. We will need this later during the installation steps so make a note of it.

gpg --list-keys --fingerprint

It should be something like:

54C6 4738 18D7 DB06 A133  E453 6531 F684 FED9 15E3

However, when you copy it into the config later, you need to take out the spaces so it would look like:

54C6473818D7DB06A133E4536531F684FED915E3

Execute the following commands in order to have the keys put where passbolt is expecting them.

gpg --armor --export-secret-keys $EMAIL > /var/www/passbolt/config/gpg/serverkey_private.asc
gpg --armor --export $EMAIL > /var/www/passbolt/config/gpg/serverkey.asc
chmod 640 /var/www/passbolt/config/gpg/serverkey*

Composer Install

Install dependencies through composer.

cd /var/www/passbolt && composer install --no-dev

Now we need to configure passbolt...

cp config/passbolt.default.php config/passbolt.php
editor config/passbolt.php

Set the following:

  • Application full base url (using http:// instead of https:// for now)
  • Database configuration
  • Server OpenPGP key fingerprint (you noted it down before)

Until you set up SSL, disable the forcing of ssl by adding the ssl section shown below just above the demo configuration.

...
    'ssl' => [
        'force' => false,
    ],
/**
* DEMO CONFIGURATION EXAMPLE
*
...

Email

In that configuration file, you will see a section for the email configuration. By default it looks like this:

// Email configuration.
'EmailTransport' => [
    'default' => [
        'host' => 'localhost',
        'port' => 25,
        'username' => 'user',
        'password' => 'secret',
        // Is this a secure connection? true if yes, null if no.
        'tls' => null,
        //'timeout' => 30,
        //'client' => null,
        //'url' => null,
    ],
],
'Email' => [
    'default' => [
        // Defines the default name and email of the sender of the emails.
        'from' => ['passbolt@mydomain.com' => 'Passbolt'],
        //'charset' => 'utf-8',
        //'headerCharset' => 'utf-8',
    ],
],

I recommend that you set up SMTP with either Google or AWS.

For google this would be:

// Email configuration.
'EmailTransport' => [
    'default' => [
        'transport' => 'Smtp',
        'host' => 'smtp.gmail.com',
        'port' => 587,
        'username' => 'username@gmail.com',
        'password' => 'xxxxxxxxx',
        // Is this a secure connection? true if yes, null if no.
        'tls' => true,
        'timeout' => 30,
        //'client' => null,
        //'url' => null,
    ],
],
'Email' => [
    'default' => [
        // Defines the default name and email of the sender of the emails.
        'from' => ['passbolt@mydomain.com' => 'Passbolt'],
        //'charset' => 'utf-8',
        //'headerCharset' => 'utf-8',
    ],
],

For AWS SES (europe) this would be:

// Email configuration.
'EmailTransport' => [
    'default' => [
        'transport' => 'Smtp',
        'host' => 'email-smtp.eu-west-1.amazonaws.com',
        'port' => 587,
        'username' => 'xxxxxxxxxxxxxxxxxxxx',
        'password' => 'xxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
        // Is this a secure connection? true if yes, null if no.
        'tls' => true,
        'timeout' => 30,
        //'client' => null,
        //'url' => null,
    ],
],
'Email' => [
    'default' => [
        // Defines the default name and email of the sender of the emails.
        'from' => ['passbolt@mydomain.com' => 'Passbolt'],
        //'charset' => 'utf-8',
        //'headerCharset' => 'utf-8',
    ],
],

At this point it would be a good idea to test your configuration with:

./bin/cake passbolt send_test_email --recipient=my.email@my.domain.com

Then check your email. If you didn't get an email, re-check your configuration.

Email Cron

Unfortunately, Passbolt does not immediately fire off emails, instead they get queued up and you have to set up a cron to fire them off. As the www-data user run:

crontab -e

Add the following line

 * * * * * /var/www/passbolt/bin/cake EmailQueue.sender >> /var/log/passbolt.log

Migrations

Execute the following command to run migrations etc.

cd /var/www/passbolt
./bin/cake passbolt install

Finally, run a healthcheck to check that everything is fine:

./bin/cake passbolt healthcheck

You should get 1 error for not having set up https, we will sort that out another time.

Now navigate to your web browser to your server's domain.

Click the link to download the plugin.

Once you have installed the plugin, when you go back to your webserver's url, you need to click "recover your existing account".

HTTPS

Copy your certificates over to:

  • /etc/ssl/certs/passbolt.crt
  • /etc/ssl/certs/ca.crt
  • /etc/ssl/certs/passbolt.key

Run the following commands as a non www-data user to set permissions on those certificate files.

sudo chown $USER:www-data /etc/ssl/certs/passbolt.crt
sudo chown $USER:www-data /etc/ssl/certs/ca.crt
sudo chown $USER:www-data /etc/ssl/certs/passbolt.key
chmod 640 /etc/ssl/certs/passbolt.crt
chmod 640 /etc/ssl/certs/ca.crt
chmod 640 /etc/ssl/certs/passbolt.key

Enable SSL in apache

sudo a2enmod ssl
sudo a2enmod headers
sudo a2ensite default-ssl

Now lets edit our apache SSL site configuration.

sudo vim /etc/apache2/sites-enabled/default-ssl.conf

Paste the following into it.

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName passbolt.dev

        DocumentRoot /var/www/passbolt

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/passbolt.crt
        SSLCertificateChainFile /etc/ssl/certs/ca.crt
        SSLCertificateKeyFile /etc/ssl/certs/passbolt.key

        <Directory /var/www/passbolt>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        <FilesMatch “\.(php)$”>
            SSLOptions +StdEnvVars
        </FilesMatch>

        BrowserMatch “MSIE [2–6]” \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
        BrowserMatch “MSIE [17–9]” ssl-unclean-shutdown

    </VirtualHost>
</IfModule>

Restart apache for the changes to take effect:

sudo systemctl reload apache2

Now let's configure passbolt to force https...

sudo vim /var/www/passbolt/config/passbolt.php

Find the ssl section we added and change it from false to true.

'ssl' => [
    'force' => true,
],

Upgrading

  • Please refer here.

References