How to install Passbolt self-hosted password manager on CentOS 8

How to install Passbolt self-hosted password manager on CentOS 8

Passbolt is an open source password manager that allows you to store and share passwords securely. It is designed for small and medium-sized organizations to store and share login credentials among team members. It is self-hosted and available in both the community version and the subscription-based version.

In this tutorial, we will show you how to install Passbolt password manager on Nginx and let us encrypt SSL on CentOS 8.

prerequisites

  • Server running CentOS 8.
  • A valid domain name pointing to the server IP.
  • A root password is configured on your server.

Install LEMP server

First, install Nginx and MariaDB database server using the following commands:

dnf install nginx mariadb-server -y

Next, you will need to install the latest version of PHP and other required PHP extensions on the server. By default, the latest version of PHP is not available in the CentOS default repository. Therefore, you will need to add EPEL and REMI repos to the system.

You can add two repositories using the following command:

dnf install epel-release -ydnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm -y

Next, disable the default PHP library and enable the REMI library using the following command:

dnf module reset phpdnf module enable php:remi-7.4

Next, install PHP with other required dependencies by running the following command:

dnf install php php-fpm php-intl php-gd php-mysqli php-json php-pear php-devel php-mbstring php-fpm git make unzip -y

After installing all the packages, you will need to edit the PHP-FPM configuration file and change the user and group to Nginx.

nano /etc/php-fpm.d/www.conf

Change the following line:

user = nginx
group = nginx

Save and close the file, then change the ownership of the session directory:

chgrp nginx /var/lib/php/session

Next, start the Nginx, MariaDB and PHP-FPM services and use the following command to make them start when the system restarts:

systemctl start mariadb nginx php-fpmsystemctl enable mariadb nginx php-fpm

Next, you need to install the GNUPG extension to your system. You can install it by running the following command:

dnf config-manager --set-enabled powertoolsdnf install gpgme-develpecl install gnupgecho "extension=gnupg.so" > /etc/php.d/gnupg.ini

Next, restart the PHP-FPM service to apply the changes:

systemctl restart php-fpm

Install composer

Composer is a dependency manager for PHP. You will need to install it in the system.

First, use the following command to download the Composer settings file:

php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"

Next, install Composer using the following command:

php composer-setup.php --install-dir=/usr/local/bin --filename=composer

You should get the following output:

All settings correct for using Composer
Downloading...

Composer (version 2.0.11) successfully installed to: /usr/local/bin/composer
Use it: php /usr/local/bin/composer

Next, use the following command to verify the Composer version:

composer -V

You should get the following output:

Composer version 2.0.11 2021-02-24 14:57:23

Create a database

Next, you will need to create a database and users for Passbolt.

First, connect to MariaDB using the following command:

mysql

After connecting, use the following commands to create the database and user:

MariaDB [(none)]> CREATE DATABASE passbolt DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;MariaDB [(none)]> GRANT ALL ON passbolt.* TO 'passbolt'@'localhost' IDENTIFIED BY 'password';

Next, refresh the privileges and exit from MariaDB using the following command:

MariaDB [(none)]> FLUSH PRIVILEGES;MariaDB [(none)]> EXIT;

Once completed, you can proceed to the next step.

Installation and configuration password

First, change the directory to the Nginx Web root directory and download the latest version of Passbolt using the following command:

cd /var/wwwgit clone https://github.com/passbolt/passbolt_api.git passbolt

After the download is complete, change the directory to passbolt and install all required dependencies using the following command:

cd passboltcomposer install --no-dev

Next, you will need to install Haveged to generate a GPG key. First, install Haveged using the following command:

dnf install haveged

Next, use the following command to start the Haveged service: systemctl start hadged

Next, use the following command to generate the GPG key:

gpg --full-generate-key

Answer all questions carefully. When asked to set a password, please leave the password field blank:

gpg (GnuPG) 2.2.9; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Hitesh
Email address: [email protected]
Comment: Welcome
You selected this USER-ID:
    "Hitesh (Welcome) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 1A0448FECA43E1F9 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/40733A5076D11E86EF2FE5B51A0448FECA43E1F9.rev'
public and secret key created and signed.

pub   rsa2048 2021-03-12 [SC]
      40733A5076D11E86EF2FE5B51A0448FECA43E1F9
uid                      Hitesh (Welcome) <[email protected]>
sub   rsa2048 2021-03-12 [E]

notes: Please remember the key generated above.

Next, use the following command to export the key to the serverkey_private.asc and serverkey.asc files:

gpg --armor --export-secret-keys [email protected] > /var/www/passbolt/config/gpg/serverkey_private.ascgpg --armor --export [email protected] > /var/www/passbolt/config/gpg/serverkey.asc

Next, set the correct ownership to the passbolt directory:

chown -R nginx:nginx /var/www/passbolt

Next, use the following command to initialize the Nginx keyring:

sudo su -s /bin/bash -c "gpg --list-keys" nginx

Output:

gpg: directory '/var/lib/nginx/.gnupg' created
gpg: keybox '/var/lib/nginx/.gnupg/pubring.kbx' created
gpg: /var/lib/nginx/.gnupg/trustdb.gpg: trustdb created

Next, rename the Passbolt default configuration file:

cp config/passbolt.default.php config/passbolt.php

Next, edit the passbolt.php file and define the database settings and base URL:

nano config/passbolt.php

Change the following line:

                                'fullBaseUrl'=>'https://passbolt.linuxbuz.com', //database configuration.  'Data source' => [
        'default' => [
            'host' => 'localhost',
            //'port' => 'non_standard_port_number',
            'username' => 'passbolt',
            'password' => 'password',
            'database' => 'passbolt',
            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => '40733A5076D11E86EF2FE5B51A0448FECA43E1F9',
                'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
                'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',

Save and close the file then install the Passbolt with the following command:

cd /var/www/passboltsudo su -s /bin/bash -c "./bin/cake passbolt install --no-admin" nginx

You should get the following output:

All Done. Took 0.9595s

Import the server private key in the keyring
---------------------------------------------------------------
Importing /var/www/passbolt/config/gpg/serverkey_private.asc
Keyring init OK

Passbolt installation success! Enjoy! ?

Configure Nginx for Passbolt

Next, you will need to create an Nginx configuration file for Passbolt. You can create it with the following command:

nano /etc/nginx/conf.d/passbolt.conf

Add the following lines:

server {
  listen 80;
  server_name passbolt.linuxbuz.com;
  root /var/www/passbolt;
  
  location / {
    try_files $uri $uri/ /index.php?$args;
    index index.php;
  }
  
  location ~ .php$ {
    fastcgi_index           index.php;
    fastcgi_pass            unix:/var/run/php-fpm/www.sock;
    fastcgi_split_path_info ^(.+.php)(.+)$;
    include                 fastcgi_params;
    fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param           SERVER_NAME $http_host;
  }
       
  location ~* .(jpe?g|woff|woff2|ttf|gif|png|bmp|ico|css|js|json|pdf|zip|htm|html|docx?|xlsx?|pptx?|txt|wav|swf|svg|avi|mpd)$ {
    access_log off;
    log_not_found off;
    try_files $uri /webroot/$uri /index.php?$args;
  }
}

Save and close the file then verify the Nginx for any syntax error:

nginx -t

Output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Next, restart the Nginx to apply the changes:

systemctl restart nginx

Secure Passbolt with Let’s Encrypt SSL

Next, you will need to install the Certbot client to install the Let’s Encrypt SSL for Passbolt. You can install it with the following command:

dnf install letsencrypt python3-certbot-nginx

Next, obtain and install an SSL certificate for your lets domain with the following command:

certbot --nginx -d passbolt.linuxbuz.com

You will be asked to provide your email address and accept the term of service:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected]

--------------------------------------Please read https://letsencrypt.org/documents/ LE-SA-v1.2-November-15-2017.pdf. You must agree to register on the ACME server. Do you agree?  -------------------------------------(Y)es /(N)o: Y-- --------------------------------- It was successfully issued in order to cooperate with the Electronic Frontier Foundation, the founding of Let's Encrypt project Do partners and non-profit organizations that develop Certbot share your email address? We would like to send you emails about our encryption of network encryption, EFF news, events, and ways to support digital freedom.  -------------------------------------(Y)es /(N)o: Y account has been registered. Apply for a certificate for passbolt.linuxbuz.com to perform the following challenges: http-01 passbolt.linuxbuz.com challenge waiting for verification...Clean up the challenge and deploy the certificate to VirtualHost /etc/nginx/conf.d/passbolt.conf redirection/etc All traffic from port 80 to ssl in /nginx/conf.d/passbolt.conf------------------------------- ---------- Congratulations! You have successfully enabled https://passbolt.linuxbuz.com------------------------------------- ------------------------------------- ---Subscribe to the EFF mailing list (email: [email protected]). Important note:-Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/passbolt.linuxbuz.com/fullchain.pem. The key file has been saved in: /etc/letsencrypt/live/passbolt.linuxbuz.com/privkey.pem The certificate will expire on 2021-06-09. To get a new or adjusted version of this certificate in the future, just run certbot again with the "certonly" option. To renew all* certificates in a non-interactive way, run "certbot renewal"-if you like Certbot, please consider supporting our work by: Donate to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donate to EFF: https://eff.org/donate-le

Registered user password

Next, you need to register a user for Passbolt. You can use the following commands to do so:

cd /var/www/passboltsudo su -s /bin/bash -c "./bin/cake passbolt register_user -u [email protected] -f howtoforge -l Demo -r admin" nginx

You should get the following output:

     ____                  __          ____  
    / __ ____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ / __ / / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    __,_/____/____/_.___/____/_/__/   

 Open source password manager for teams
---------------------------------------------------------------
User saved successfully.
To start registration follow the link provided in your mailbox or here: 
https://passbolt.linuxbuz.com/setup/install/f81227bc-b0b6-44b5-99a7-6b490a4ba262/5a112de0-6ca4-4e1b-97c8-26453ef3828b

You can access Paabolt using the link above.

Configure firewall

Next, you will need to allow ports 80 and 443 to pass through the firewall. You can use the following commands to do so:

firewall-cmd --permanent --add-port=80/tcpfirewall-cmd --permanent --add-port=443/tcp

Now, reload firewalld to apply the changes:

firewall-cmd --reload

Visit Passbolt Web UI

Now, open your web browser and enter the URL https://passbolt.linuxbuz.com/setup/install/f81227bc-b0b6-44b5-99a7-6b490a4ba262/5a112de0-6ca4-4e1b-97c8-26453ef3828b. You will be redirected to the following page:

Here, you will need to download the Passbolt browser extension and refresh the page after installation. You should see the following page:

set password

Specify a secure password and click Next Button. You should see the following page:

Choose a color

Choose a color, enter the security token, and click Next Button. You will be redirected to the Passbolt dashboard on the following page:

Password Password Manager

in conclusion

Congratulations! You have successfully installed Passbolt password manager on Nginx and let us encrypt SSL on CentOS 8. Now you can implement Passbolt in your organization and start storing and sharing login credentials securely among team members.

Related Posts