Passbolt on CentOS7 with PHP7, apache and mariaDB

Posted on Sun 18 February 2018 in CentOS

How to install Passbolt on CentOS 7 using apache, mariadb, php7 FPM

This tutorial is a combination of the tutorial for CentOS7 with nginx & mariadb with php-fpm and the one for Debian 8 with apache & mariadb.

We're going to see in this tutorial how to install Passbolt on a CentOS 7 machine with apache, php7-fpm and mariadb.

We assume that the CentOS machine is already installed, and we will install everything else that is necessary for this to work properly.

All the commands in this tutorial require root access, so you can either prefix each of them with "sudo", or switch to the root user with the command:

$ sudo -i

First of all, we install apache and mariadb and enable the SCL and EPEL repositories (see here and here for more details).

# yum -y install centos-release-scl httpd mariadb-server wget mod_ssl epel-release git

To confirm that the new repos are enabled, type:

# yum repolist
Loaded plugins: fastestmirror
centos-sclo-rh                          | 2.9 kB  00:00:00
centos-sclo-sclo                        | 2.9 kB  00:00:00
epel/x86_64/metalink                    |  25 kB  00:00:00
epel                                    | 4.7 kB  00:00:00
(1/5): centos-sclo-sclo/x86_64/primary_db               | 196 kB  00:00:00
(2/5): epel/x86_64/group_gz                             | 266 kB  00:00:00
(3/5): epel/x86_64/updateinfo                           | 882 kB  00:00:00
(4/5): epel/x86_64/primary_db                           | 6.2 MB  00:00:01
(5/5): centos-sclo-rh/x86_64/primary_db                 | 3.0 MB  00:00:01

Loading mirror speeds from cached hostfile
 * base: distrib-coffee.ipsl.jussieu.fr
 * epel: fr.mirror.babylon.network
 * extras: distrib-coffee.ipsl.jussieu.fr
 * updates: distrib-coffee.ipsl.jussieu.fr
repo id                     repo name                                               status
base/7/x86_64               CentOS-7 - Base                                         9,591
centos-sclo-rh/x86_64       CentOS-7 - SCLo rh                                      6,640
centos-sclo-sclo/x86_64     CentOS-7 - SCLo sclo                                    500
epel/x86_64                 Extra Packages for Enterprise Linux 7 - x86_64          12,289
extras/7/x86_64             CentOS-7 - Extras                                       388
updates/7/x86_64            CentOS-7 - Updates                                      1,929
repolist: 31,337

We need to install and configure the following elements:

  1. PHP-FPM
  2. MariaDB
  3. Passbolt requirements setup
  4. Deploy passbolt
  5. Apache

1. PHP-FPM

Now we can install and configure php7-fpm, which is part of the SCL repository, as described in another article:

# yum -y install rh-php71.x86_64 rh-php71-php-cli.x86_64 rh-php71-php-common.x86_64 rh-php71-php-fpm.x86_64 rh-php71-php-mysqlnd.x86_64 rh-php71-php-pdo.x86_64 rh-php71-php-gd.x86_64 rh-php71-php-xml.x86_64 rh-php71-php-xmlrpc.x86_64 rh-php71-php-mbstring.x86_64 rh-php71-php-json.x86_64 rh-php71-php-ldap.x86_64 rh-php71-php-pear.noarch gcc rh-php71-php-devel.x86_64 gpgme-devel

Before starting php71-fpm, we install the gnupg PECL extension, which passbolt needs to work properly. To do that, open a bash shell with the SCL php enabled:

# scl enable rh-php71 bash
# pecl install gnupg

At the end, you will see the line: You should add "extension=gnupg.so" to php.ini. So let's do that and add the line to the php.ini file, which is located at:

/etc/opt/rh/rh-php71/php.ini

Once you've done it, we can enable and start our php-fpm service:

# systemctl enable rh-php71-php-fpm.service
Created symlink from /etc/systemd/system/multi-user.target.wants/rh-php71-php-fpm.service to /usr/lib/systemd/system/rh-php71-php-fpm.service.
# systemctl start rh-php71-php-fpm.service
# systemctl status rh-php71-php-fpm.service
● rh-php71-php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/rh-php71-php-fpm.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-01-10 20:01:02 CET; 3s ago
 Main PID: 4343 (php-fpm)
   Status: "Ready to handle connections"
   CGroup: /system.slice/rh-php71-php-fpm.service
           ├─4343 php-fpm: master process (/etc/opt/rh/rh-php71/php-fpm.conf)
           ├─4344 php-fpm: pool www
           ├─4345 php-fpm: pool www
           ├─4346 php-fpm: pool www
           ├─4347 php-fpm: pool www
           └─4348 php-fpm: pool www

Jan 10 20:01:02 centos-kvm systemd[1]: Starting The PHP FastCGI Process Manager...
Jan 10 20:01:02 centos-kvm systemd[1]: Started The PHP FastCGI Process Manager.

Now that our php is ready to run, we'll go along with the rest of the steps.

2. MariaDB

Now we need the database to be ready to run. Let's enable and start mariadb. If you do not already have a secured MariaDB installation, I strongly suggest running the mysql_secure_installation command after starting the mariadb service for the first time, as described here:

# systemctl enable mariadb.service
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
# systemctl start mariadb.service
# mysql_secure_installation
...

Now that our service is running properly, let's create the database and a dedicated user. Even though the passbolt installer offers to do this, I think it is better to use a database and user that you set up yourself:

# mysql -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database passbolt_db;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on passbolt_db.* to 'mypassboltdbuser'@'localhost' identified by 'mysupercomplicatedpassword';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit

Of course, if your database server and passbolt server are not hosted on the same machine, replace "localhost" with the hostname of the machine that hosts the passbolt server.
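The statements above use a hand-typed password and a grant pinned to one host. As an added example, not part of the original tutorial, the following script generates the database password from the kernel CSPRNG, validates the names and the grant host (rejecting MySQL's '%' and '_' host wildcards), and prints the same SQL so it can be piped into mysql. The database and user names are the ones used above; the functions and the alphanumeric-only password policy are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: provision the passbolt
# database with a generated password instead of a hand-typed one, and
# refuse a grant that is wider than the tutorial intends.  The SQL is
# printed so it can be piped into "mysql -u root -p"; nothing here
# connects to a database by itself.

# gen_db_password [LENGTH]: LENGTH random characters from [A-Za-z0-9],
# read from the kernel CSPRNG.  Alphanumerics only, so the value can be
# embedded in the SQL below and in database.php without any escaping.
gen_db_password() {
    len=${1:-32}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# grant_host_ok HOST: the web server connects from exactly one host
# (localhost in the tutorial, otherwise the passbolt machine's hostname).
# '%' and '_' are MySQL pattern wildcards in the host part of an account,
# so a stray one would widen the grant to "from anywhere".
grant_host_ok() {
    case "$1" in
        ''|*%*|*_*) return 1 ;;
        *)          return 0 ;;
    esac
}

# passbolt_db_sql DB USER PASSWORD HOST: print the statements to run as the
# MariaDB root user.  Inputs are validated against quoting hazards rather
# than escaped, which keeps the generated SQL unambiguous.
passbolt_db_sql() {
    db=$1; user=$2; pass=$3; host=$4
    for ident in "$db" "$user"; do
        case "$ident" in
            ''|*[!A-Za-z0-9_]*)
                echo "database and user names may only contain [A-Za-z0-9_]" >&2; return 1 ;;
        esac
    done
    case "$pass" in
        ''|*\'*|*\\*)
            echo "password must be non-empty and contain no quote or backslash" >&2; return 1 ;;
    esac
    grant_host_ok "$host" || { echo "refusing wildcard grant host '$host'" >&2; return 1; }
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'$host' IDENTIFIED BY '$pass';
FLUSH PRIVILEGES;
EOF
}

# Demo with the names from the tutorial and a freshly generated password.
# Real use:  passbolt_db_sql passbolt_db mypassboltdbuser "$DB_PASS" localhost | mysql -u root -p
DB_PASS=$(gen_db_password 32)
passbolt_db_sql passbolt_db mypassboltdbuser "$DB_PASS" localhost
```

Keep the generated value somewhere only root can read until it has been copied into database.php; the script deliberately prints it once and does not store it.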

3. Passbolt requirements

Before we can start passbolt and apache, we need to set up a few things for passbolt to run properly.

GPG Key pair

If your machine is a VM, you might not have enough entropy to run gpg commands and generate a key.

To fix that, you first need to add an RNG device to your VM (this requires a shutdown and restart).

Once this is done, you should have enough entropy to generate keys. To confirm, type the following command:

# cat /proc/sys/kernel/random/entropy_avail
1125

Above 1000 should be OK for us (max value is 4096). Now let's generate a gpg key using the following command:

# gpg --gen-key

You should fill in all the info in there, but DO NOT ENTER A PASSPHRASE (passbolt can't handle it yet).

# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Thibaut
Email address: myemail@company.com
Comment: Passbolt key
You selected this USER-ID:
    "Thibaut (Passbolt key) <myemail@company.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

[...]
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/3BBEEE74 2018-02-18
      Key fingerprint = 2600 644A F1AC 07F8 A609  BC05 5EB9 1877 3BBE EE74
uid                  Thibaut (Passbolt key) <myemail@company.com>
sub   2048R/01DEAE4A 2018-02-18

4. Download and set up passbolt

Let's install passbolt in the /var/www/html/passbolt folder:

# git clone https://github.com/passbolt/passbolt_api.git /var/www/html/passbolt

Now we have to export the GPG keys to our passbolt directory:

# gpg --armor --export-secret-keys myemail@company.com > /var/www/html/passbolt/app/Config/gpg/server_private_key.key
# gpg --armor --export myemail@company.com > /var/www/html/passbolt/app/Config/gpg/server_public_key.key

Then, let's change the permissions for httpd to run passbolt properly.

# chown -R apache:apache /var/www/html/passbolt/
# chmod +w -R /var/www/html/passbolt/app/tmp/
# chmod +w /var/www/html/passbolt/app/webroot/img/public/
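The private key exported above is the server's identity, so once the tree belongs to apache it should be readable by that user alone, and the two directories passbolt writes to must actually be writable by it. The following audit script is an added example, not from the tutorial or the passbolt project: it checks exactly those properties on a checkout and is demonstrated on a constructed tree under mktemp. It assumes GNU stat (the -c option), which CentOS 7 ships; the path layout is the one used above, and the expected owner is passed as a numeric uid so the demo can run as any user.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: after exporting the
# server key pair and chown-ing the tree to apache, confirm that the
# private key is readable only by its owner, that the owner is the
# expected user, and that the writable directories really are writable.
# Assumes GNU stat (-c), as shipped on CentOS 7.

# key_is_private FILE: succeed only if FILE has no group/other permission
# bits at all (octal mode ending in 00), so only the owner and root can
# read it.
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# dir_writable_by_owner DIR: succeed if the owner write bit is set on DIR.
# The owner digit is taken relative to the end of the mode string, so a
# leading setgid/sticky digit does not confuse it.
dir_writable_by_owner() {
    mode=$(stat -c '%a' "$1") || return 1
    owner_digit=$(printf '%s' "$mode" | tail -c 3 | head -c 1)
    [ $((owner_digit & 2)) -ne 0 ]
}

# audit_passbolt_tree ROOT OWNER_UID: run the checks against a passbolt
# checkout at ROOT, print one FAIL line per finding, return 1 if any.
audit_passbolt_tree() {
    root=$1
    owner_uid=$2
    rc=0
    key="$root/app/Config/gpg/server_private_key.key"
    if [ ! -f "$key" ]; then
        echo "FAIL: $key is missing"; rc=1
    else
        key_is_private "$key" ||
            { echo "FAIL: $key mode $(stat -c '%a' "$key") is readable by group/other"; rc=1; }
        [ "$(stat -c '%u' "$key")" = "$owner_uid" ] ||
            { echo "FAIL: $key is not owned by uid $owner_uid"; rc=1; }
    fi
    for d in "$root/app/tmp" "$root/app/webroot/img/public"; do
        [ -d "$d" ] && dir_writable_by_owner "$d" ||
            { echo "FAIL: $d is missing or not writable by its owner"; rc=1; }
    done
    return $rc
}

# Demo on a constructed tree; the key file content is a placeholder, not a
# real key.  On the real server you would run:
#   audit_passbolt_tree /var/www/html/passbolt "$(id -u apache)"
demo=$(mktemp -d)
mkdir -p "$demo/app/Config/gpg" "$demo/app/tmp" "$demo/app/webroot/img/public"
printf 'constructed placeholder, not a key\n' > "$demo/app/Config/gpg/server_private_key.key"
chmod 644 "$demo/app/Config/gpg/server_private_key.key"   # as left by "gpg ... > file" under a 022 umask
echo "== before tightening the key mode"
audit_passbolt_tree "$demo" "$(id -u)" || echo "(findings above are expected here)"
chmod 600 "$demo/app/Config/gpg/server_private_key.key"
echo "== after chmod 600"
audit_passbolt_tree "$demo" "$(id -u)" && echo "OK: no findings"
rm -rf "$demo"
```

The first run shows the realistic failure: a shell redirection creates the exported key with the umask's default mode (typically 644), and the chown above does not change that, so a chmod 600 on server_private_key.key belongs next to it.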

Changing configuration files

To change the configuration, we're going to copy the default passbolt files and modify them (with a small for loop):

# cd /var/www/html/passbolt/app/Config
# for file in core database app email ; do cp ${file}.php.default ${file}.php ; done

First, in the "core.php" file, let's change the Security.salt and Security.cipherSeed lines to different values (you can simply change characters at random in the strings):

Configure::write('Security.salt', '_randomize_a_salt_');
Configure::write('Security.cipherSeed', '_randomize_a_seed');

We also need to uncomment and set the App.fullBaseUrl entry. If you have a hostname prepared for your host in DNS, use it here.

Configure::write('App.fullBaseUrl', 'http://passbolt.home');

Now in the "database.php" file, let's modify the entry with the database and user / password we defined earlier. The resulting lines will look like this:

       'host' => 'localhost',
       'login' => 'mypassboltdbuser',
       'password' => 'mysupercomplicatedpassword',
       'database' => 'passbolt_db',

Then we're going to modify app.php. Before doing that, let's grab the fingerprint of the gpg key we generated earlier using the following command (the awk removes everything before the = sign and all the spaces):

# gpg --fingerprint myemail@company.com | awk '/fingerprint/ { gsub(/.*= | /,"")  ; print}'
2600644AF1AC07F8A609BC055EB918773BBEEE74
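The awk one-liner above works for the gpg 2.0 output shown, but it silently produces something unusable if the key is not found or if the output layout differs. As an added example, not part of the original tutorial, here is a small shell helper that extracts the bare fingerprint from gpg --fingerprint output and validates it as exactly 40 hex digits before it goes into app.php. It goes slightly beyond the case above: it also accepts the GnuPG 2.1+ layout, where the fingerprint is printed on its own line without the "Key fingerprint =" prefix (the second sample is constructed in that layout; both samples carry the fingerprint shown above).

```shell
#!/bin/sh
# Added example, not part of the original tutorial: turn the output of
# "gpg --fingerprint <uid>" into the bare 40-hex-digit fingerprint that
# app.php expects, and refuse anything that does not look like one.
# Handles the GnuPG 2.0 layout ("Key fingerprint = 2600 644A ...") and the
# GnuPG 2.1+ layout (fingerprint on a line of its own, no prefix).

# Constructed sample: the gpg 2.0.22 output shown in the tutorial.
SAMPLE_GPG20='pub   2048R/3BBEEE74 2018-02-18
      Key fingerprint = 2600 644A F1AC 07F8 A609  BC05 5EB9 1877 3BBE EE74
uid                  Thibaut (Passbolt key) <myemail@company.com>
sub   2048R/01DEAE4A 2018-02-18'

# Constructed sample in the newer layout (same key, hypothetical output).
SAMPLE_GPG21='pub   rsa2048 2018-02-18 [SC]
      2600644AF1AC07F8A609BC055EB918773BBEEE74
uid           [ultimate] Thibaut (Passbolt key) <myemail@company.com>
sub   rsa2048 2018-02-18 [E]'

# normalize_fingerprint: read gpg --fingerprint output on stdin and print
# the first 40-hex-digit fingerprint found, prefix and spaces removed.
# Prints nothing and returns 1 when there is none (unknown uid, wrong
# keyring, truncated output).
normalize_fingerprint() {
    fp=$(sed -e 's/^.*[Ff]ingerprint *= *//' -e 's/[[:space:]]//g' |
         tr 'a-f' 'A-F' |
         grep -E '^[0-9A-F]{40}$' |
         head -n 1)
    [ -n "$fp" ] || return 1
    printf '%s\n' "$fp"
}

# is_valid_fingerprint FP: exactly 40 upper-case hex digits, nothing else.
is_valid_fingerprint() {
    case "$1" in
        *[!0-9A-F]*) return 1 ;;          # any non-hex character
        *)           [ "${#1}" -eq 40 ] ;;
    esac
}

# Real use:  gpg --fingerprint myemail@company.com | normalize_fingerprint
# The demo below runs on the constructed samples instead.
for sample in "$SAMPLE_GPG20" "$SAMPLE_GPG21"; do
    if fp=$(printf '%s\n' "$sample" | normalize_fingerprint) && is_valid_fingerprint "$fp"; then
        echo "fingerprint: $fp"
    else
        echo "no usable fingerprint found" >&2
    fi
done
```

Because the function fails loudly on empty or malformed input, it is safe to use in a script that writes the value into app.php, unlike the bare awk, which would happily write an empty string.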

Now to the app.php file. We're going to modify the fingerprint, public and private entries in the serverKey section. The resulting values should look like this:

    // Main server key
    'serverKey' => [
        // Server private key location and fingerprint
        'fingerprint' => '2600644AF1AC07F8A609BC055EB918773BBEEE74',
        'public' => APP . 'Config' . DS . 'gpg' . DS . 'server_public_key.key',
        'private' => APP . 'Config' . DS . 'gpg' . DS . 'server_private_key.key',

        // PHP Gnupg module currently does not support passphrase, please leave blank
        'passphrase' => ''
    ]

In the same file, we also change the value of the home entry in the GPG section. Set it to /usr/share/httpd/.gnupg:

'home' => '/usr/share/httpd/.gnupg',

Setup GPG for apache

We need to set up apache to use the GPG keys we generated. To do that, we create a .gnupg directory in apache's home directory.

# grep apache /etc/passwd
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin

So apache's home is /usr/share/httpd. This folder is owned by root, so let's create the .gnupg folder manually and allow apache to use it.

# mkdir /usr/share/httpd/.gnupg
# chown apache:apache /usr/share/httpd/.gnupg/
# su -c "gpg --list-keys" -s /bin/bash apache
gpg: keyring `/usr/share/httpd/.gnupg/pubring.gpg' created
gpg: /usr/share/httpd/.gnupg/trustdb.gpg: trustdb created

Installing passbolt

Now we can run the passbolt setup from the command line. Once this is done, we will configure httpd so that the application can be reached. To run the installation, type:

# su -s /bin/bash -c "/var/www/html/passbolt/app/Console/cake install --no-admin" apache

If you see an error message like "exec: php: not found", or about a wrong PHP version, you need to re-enter the SCL-enabled bash using:

# scl enable rh-php71 bash

Finally, we need to set up our apache installation to serve passbolt, preferably over https.

5. Apache

In this section, we will write the configuration file for our passbolt installation using the default httpd certificate. Setting up a signed certificate is outside the scope of this article, and there are plenty of guides for that on the internet :)

To set up apache, we create the following file:

/etc/httpd/conf.d/passbolt.conf

with the following content:

<VirtualHost *:80>
        ServerName passbolt.home
        DocumentRoot /var/www/html/passbolt/
        DirectoryIndex  index.php
        <FilesMatch \.php$>
                SetHandler "proxy:fcgi://127.0.0.1:9000"
        </FilesMatch>
        <Directory /var/www/html/passbolt/>
                Options FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>
        LogLevel info
        CustomLog /var/log/httpd/passbolt.log combined

</VirtualHost>
<VirtualHost *:443>
        ServerName passbolt.home
        DocumentRoot /var/www/html/passbolt/
        DirectoryIndex index.php
        <FilesMatch \.php$>
                SSLOptions +StdEnvVars
                SetHandler "proxy:fcgi://127.0.0.1:9000"
        </FilesMatch>
        <Directory /var/www/html/passbolt/>
                Options FollowSymLinks
                AllowOverride All
                Require all granted
        </Directory>
        LogLevel debug
        CustomLog /var/log/httpd/passbolt_ssl.log combined
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
        SSLCertificateFile /etc/pki/tls/certs/localhost.crt
        SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

</VirtualHost>
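Before starting httpd, it is worth checking the vhost file for three things a reviewer would raise about the configuration above: SSLProtocol all -SSLv2 still leaves SSLv3, TLS 1.0 and TLS 1.1 enabled; LogLevel debug is very noisy for a production vhost; and the port-80 vhost serves the application in clear text instead of redirecting to https. The script below is an added example, not from the tutorial or the passbolt project: it lints a vhost file for exactly those three points. It runs on two constructed inputs, a condensed copy of the file above and a hardened variant (hostname passbolt.home assumed, as above); the function names and the check thresholds are my own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a small lint for an
# httpd vhost file, run before "systemctl start httpd".  It flags:
#   1. SSLProtocol missing, or leaving SSLv3 / TLS 1.0 / TLS 1.1 enabled,
#   2. LogLevel debug or trace in any vhost,
#   3. a *:80 VirtualHost that does not redirect to https.
# All input is the constructed text below; no real httpd is touched.

# Condensed copy of the tutorial's passbolt.conf (constructed sample).
SAMPLE_CONF='<VirtualHost *:80>
        ServerName passbolt.home
        DocumentRoot /var/www/html/passbolt/
        <FilesMatch \.php$>
                SetHandler "proxy:fcgi://127.0.0.1:9000"
        </FilesMatch>
        LogLevel info
</VirtualHost>
<VirtualHost *:443>
        ServerName passbolt.home
        LogLevel debug
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
</VirtualHost>'

# Hardened variant (constructed): plain http only redirects, old protocol
# versions are off, and logging is back to the httpd default level.
HARDENED_CONF='<VirtualHost *:80>
        ServerName passbolt.home
        Redirect permanent / https://passbolt.home/
</VirtualHost>
<VirtualHost *:443>
        ServerName passbolt.home
        LogLevel warn
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>'

# directive CONF NAME: print the first line of CONF that sets NAME.
directive() {
    printf '%s\n' "$1" | grep -i "^[[:space:]]*$2[[:space:]]" | head -n 1
}

# ssl_protocol_ok LINE: succeed if the SSLProtocol line disables SSLv3,
# TLSv1 and TLSv1.1 (the "all -xxx" form) or is an allow-list that names
# none of the weak versions.  An empty LINE (directive absent) fails.
ssl_protocol_ok() {
    set -- $1                      # split into words; $1 is the directive name
    [ $# -gt 1 ] || return 1
    shift
    all=0; ssl3_off=0; tls10_off=0; tls11_off=0; weak=0
    for tok in "$@"; do
        case "$tok" in
            all|+all)  all=1 ;;
            -SSLv3)    ssl3_off=1 ;;
            -TLSv1)    tls10_off=1 ;;
            -TLSv1.1)  tls11_off=1 ;;
            SSLv2|+SSLv2|SSLv3|+SSLv3|TLSv1|+TLSv1|TLSv1.1|+TLSv1.1) weak=1 ;;
        esac
    done
    [ "$weak" -eq 0 ] || return 1
    if [ "$all" -eq 1 ]; then
        [ "$ssl3_off" -eq 1 ] && [ "$tls10_off" -eq 1 ] && [ "$tls11_off" -eq 1 ]
    else
        return 0                   # allow-list such as "TLSv1.2" or "-all +TLSv1.2"
    fi
}

# loglevel_ok CONF: fail if any LogLevel directive in CONF is debug/trace*.
loglevel_ok() {
    printf '%s\n' "$1" | grep -i '^[[:space:]]*LogLevel[[:space:]]' |
    while read -r name level rest; do
        case "$level" in debug|trace*) exit 1 ;; esac
    done
}

# vhost80_redirects CONF: fail if some *:80 VirtualHost block has no
# Redirect or RewriteRule pointing at https://.
vhost80_redirects() {
    printf '%s\n' "$1" | awk '
        /<VirtualHost[[:space:]]+[^>]*:80>/ { in80 = 1; found = 0 }
        in80 && /^[[:space:]]*(Redirect|RewriteRule)[[:space:]].*https:\/\// { found = 1 }
        /<\/VirtualHost>/ { if (in80 && !found) bad = 1; in80 = 0 }
        END { exit bad ? 1 : 0 }'
}

# lint_vhost CONF: print one FAIL line per finding; return 1 if any.
lint_vhost() {
    conf=$1
    rc=0
    ssl_protocol_ok "$(directive "$conf" SSLProtocol)" ||
        { echo "FAIL: SSLProtocol missing or leaves SSLv3/TLS1.0/TLS1.1 enabled"; rc=1; }
    loglevel_ok "$conf" ||
        { echo "FAIL: LogLevel debug/trace set in a vhost"; rc=1; }
    vhost80_redirects "$conf" ||
        { echo "FAIL: a port-80 vhost serves content instead of redirecting to https"; rc=1; }
    return $rc
}

# Real use:  lint_vhost "$(cat /etc/httpd/conf.d/passbolt.conf)"
echo "== tutorial vhost";  lint_vhost "$SAMPLE_CONF"   || echo "(findings above)"
echo "== hardened vhost";  lint_vhost "$HARDENED_CONF" && echo "OK: no findings"
```

If you adopt the redirect, App.fullBaseUrl in core.php should use https:// as well, since that is the URL users will reach and the one passbolt puts into the links it sends out.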

Now, we will enable and start apache using the following commands:

# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
# systemctl start httpd
# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-02-18 22:41:37 CET; 3s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 2071 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─2071 /usr/sbin/httpd -DFOREGROUND
           ├─2072 /usr/sbin/httpd -DFOREGROUND
           ├─2073 /usr/sbin/httpd -DFOREGROUND
           ├─2074 /usr/sbin/httpd -DFOREGROUND
           ├─2075 /usr/sbin/httpd -DFOREGROUND
           └─2076 /usr/sbin/httpd -DFOREGROUND

Feb 18 22:41:37 centos-kvm systemd[1]: Starting The Apache HTTP Server...
Feb 18 22:41:37 centos-kvm systemd[1]: Started The Apache HTTP Server.

And with such, you should be able to head to your browser and connect to https://passbolt.home (or whichever hostname you configured), and go forward with your setup.

[Screenshot: Passbolt Home]

Thanks for following this tutorial, and head towards the support forums if you face any trouble or need any help using the product.