There is a new version of this tutorial available for CentOS 8.

How to Install Passbolt Self-Hosted Password Manager on CentOS 7

Passbolt is a free and open source password manager for teams. It allows team members to store and share credentials/password securely. Passbolt is created with PHP and can be run under the LEMP stack or run as docker container.

In this tutorial, we will show you step-by-step install and configure open source password manager 'Passbolt' on CentOS 7 server. Passbolt is a web application developed with PHP, and we will run it under the LEMP (Linux, Nginx, MySQL/MariaDB, and PHP-FPM).

Prerequisites

  • CentOS 7
  • Root privileges

What we will do?

  1. Install Dependencies
  2. Install and Configure MariaDB Database
  3. Install Nginx and PHP-FPM
  4. Generate SSL Letsencrypt
  5. Configure Nginx and PHP-FPM
  6. Download Passbolt and Generate OpenPGP Key
  7. Install Passbolt
  8. Passbolt Post-Installation
  9. Additional Security Server Setup

Step 1 - Install Dependencies

The first thing that we will do for this guide is to install all package dependencies needed for the Passbolt installation, including installing EPEL and Remi PHP repositories, php composer, gcc etc.

Add the EPEL repository.

sudo yum -y install yum-utils epel-release

Add and enable the Remi PHP repository.

sudo yum -y install 'http://rpms.remirepo.net/enterprise/remi-release-7.rpm'
sudo yum-config-manager --enable 'remi-php72'

Now install packages dependencies composer, git gcc etc using the yum command below.

sudo yum -y install unzip wget composer policycoreutils-python git gcc

Wait for all packages installation.

Step 2 - Install and Configure MySQL/MariaDB

In this step, we will install the MariaDB database and then create a new database and user for Passbolt installation.

Install MariaDB server using the yum command below.

sudo yum -y install mariadb-server

After the installation is complete, start the MariaDB service and enable it to launch everytime at system boot time.

sudo systemctl start mariadb
sudo systemctl enable mariadb

Now we need to configure the 'root' password for MariaDB. Run the 'mysql_secure_installation' command below.

mysql_secure_installation

Type your new root password.

Install and Configure MySQL/MariaDB

And the MariaDB root password has been configured.

Next, login to the MySQL shell using the 'root' user.

mysql -u root -p

Create a new database and user named 'passbolt' with password 'hakase-labs', run MySQL queries below.

create database passbolt;
grant all on passbolt.* to 'passbolt'@'localhost' identified by 'hakase-labs';
flush privileges;
quit;

Create database for passbolt

The MariaDB server has been installed on CentOS 7 server, and the database for 'Passbolt' installation has been created.

Step 3 - Install Nginx and PHP-FPM

After installing the MariaDB server, we will install Nginx from the EPEL repository, and PHP-FPM packages using the Remi repository.

Install Nginx web server.

sudo yum -y install nginx

After the installation is complete, start the Nginx service and enable it to launch everytime at system boot.

sudo systemctl start nginx
sudo systemctl enable nginx

Install Nginx and PHP-FPM

Now install PHP-FPM with all extensions needed using the yum command below.

sudo yum -y install php-fpm php-intl php-gd php-mysql php-mcrypt php-pear php-devel php-mbstring php-fpm gpgme-devel

And if the installation is complete, start the PHP-FPM service and enable it launch everytime at system boot.

sudo systemctl start php-fpm
sudo systemctl enable php-fpm

Start php FPM daemon

The Nginx web server and PHP-FPM has been installed.

Step 4 - Generate SSL Letsencrypt

Install the certbot tool on the system.

sudo yum -y install certbot

Now stop the nginx service.

sudo systemctl stop nginx

And generate SSL Letsencrypt for the passbolt domain name 'passbolt.hakase.io'.

Run the certbot command below.

sudo certbot certonly --standalone --agree-tos --no-eff-email --email [email protected] -d passbolt.hakase.io

The certbot tool will run a temporary web server for the verification.

And when it's complete, you will get your certificate on the '/etc/letsencrypt/live/' directory.

Step 5 - Configure Nginx and PHP-FPM

In this step, we will configure the Nginx web server by creating a new virtual host configuration for the Passbolt, and configure the PHP-FPM and install the PHP GnuPG support.

Configure PHP-FPM

Go to the '/etc/php-fpm.d' directory and edit the default pool configuration 'www.conf' using vim editor.

cd /etc/php-fpm.d/
sudo vim www.conf

Change the default user and group to the 'nginx' user.

user = nginx
group = nginx

Change the port listen for PHP-FPM to the sock file as below.

listen = /var/run/php-fpm/php-fpm.sock

Uncomment those lines below and change listen.owner and listen.group for the sock file to 'nginx'.

listen.owner = nginx
listen.group = nginx
listen.mode = 0660

Save and exit.

Now we need to change the owner of the PHP session directory and install the PHP GnuPG extension support.

Change the permission of php session directory.

sudo chgrp nginx /var/lib/php/session

Install the PHP GnuPG extension using the pecl command and activate it.

sudo pecl install gnupg
echo "extension=gnupg.so" > /etc/php.d/gnupg.ini

Configure Nginx and PHP-FPM

The PHP GnuPG extension has been installed.

Configure Nginx Virtual Host

Go to the '/etc/nginx/conf.d' directory and create a new virtual host file 'passbolt.conf'.

cd /etc/nginx/conf.d/
sudo vim passbolt.conf

Paste configurations below.

server {
  listen 443;
  server_name passbolt.hakase.io;
  ssl on;
  ssl_certificate     /etc/letsencrypt/live/passbolt.hakase.io/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/passbolt.hakase.io/privkey.pem;
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
  ssl_session_tickets off;
  root /var/www/passbolt;
  
  location / {
    try_files $uri $uri/ /index.php?$args;
    index index.php;
  }
  
  location ~ \.php$ {
    fastcgi_index           index.php;
    fastcgi_pass            unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_split_path_info ^(.+\.php)(.+)$;
    include                 fastcgi_params;
    fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param           SERVER_NAME $http_host;
  }
       
  location ~* \.(jpe?g|woff|woff2|ttf|gif|png|bmp|ico|css|js|json|pdf|zip|htm|html|docx?|xlsx?|pptx?|txt|wav|swf|svg|avi|mp\d)$ {
    access_log off;
    log_not_found off;
    try_files $uri /webroot/$uri /index.php?$args;
  }
}

Save and exit.

Test the nginx configuration and make sure there is no error.

sudo nginx -t

Now restart both Nginx and PHP-FPM services.

sudo systemctl restart nginx
sudo systemctl restart php-fpm

Configure Nginx Virtual Host

Configurations of Nginx web server and PHP-FPM has been completed successfully.

Step 6 - Download Passbolt and Generate OpenPGP Key

In this step, we will download the passbolt web application and generate a new OpenPGP key that will be used for the Passbolt API.

Go to the '/var/www' directory and clone the passbolt web application.

cd /var/www/
git clone https://github.com/passbolt/passbolt_api.git passbolt/

Download Passbolt and Generate OpenPGP Key

Now install the 'haveged' package and start the service.

sudo yum -y install haveged
sudo systemctl start haveged

Generate a new OpenPGP key using the gpg command below.

gpg --gen-key

Type your details such as email, the expiration days etc.

Generate GPG key

Note:

  • The PHP GnuPG extensions don't support the OpenPGP Key passphrase, so let the passphrase stay blank.

After it's complete, check all key available and write down the 'fingerprint' of your key.

gpg --list-keys --fingerprint

List gpg key

Now export the public and private key to the '/var/www/passbolt' directory.

gpg --armor --export-secret-keys [email protected] > /var/www/passbolt/config/gpg/serverkey_private.asc
gpg --armor --export [email protected] > /var/www/passbolt/config/gpg/serverkey.asc

And change all those keys permission and owner of the '/var/www/passbolt' directory.

sudo chmod 640 /var/www/passbolt/config/gpg/serverkey*
sudo chown -R  nginx:nginx /var/www/passbolt

Chown gpg key

The Passbolt web application has been downloaded, and the OpenPGP key has been created.

Step 7 - Install Passbolt

Before installing all dependencies for 'Passbolt', we need to initialize keyring of gpg key for nginx user.

Run the command below.

sudo su -s /bin/bash -c "gpg --list-keys" nginx

Now login to the 'nginx' user and go to the '/var/www/passbolt' directory.

su -s /bin/bash nginx
cd /var/www/passbolt/

Install Passbolt

Install all passbolt dependencies using the composer command below.

composer install --no-dev

Composer install

When it's complete, copy the default config file of the app and edit it with vim.

cp config/passbolt.default.php config/passbolt.php
vim config/passbolt.php

In the 'App' section, change the domain name with your own domain name.

    'App' => [
        // A base URL to use for absolute links.
        // The url where the passbolt instance will be reachable to your end users.
        // This information is need to render images in emails for example
        'fullBaseUrl' => 'https://passbolt.hakase.io',
    ],

In the 'Datasources' configuration, type your details database info.

    // Database configuration.
    'Datasources' => [
        'default' => [
            'host' => 'localhost',
            //'port' => 'non_standard_port_number',
            'username' => 'passbolt',
            'password' => 'hakase-labs',
            'database' => 'passbolt',
        ],
    ],

Under the database configuration, add a new 'ssl' configuration to force all connection to secure https.

    'ssl' => [
        'force' => true,
    ],

For the SMTP mail configuration, change everything with your details.

    // Email configuration.
    'EmailTransport' => [
        'default' => [
            'host' => 'localhost',
            'port' => 25,
            'username' => 'user',
            'password' => 'secret',
            // Is this a secure connection? true if yes, null if no.
            'tls' => null,
            //'timeout' => 30,
            //'client' => null,
            //'url' => null,
        ],
    ],
    'Email' => [
        'default' => [
            // Defines the default name and email of the sender of the emails.
            'from' => ['passbolt@your_organization.com' => 'Passbolt'],
            //'charset' => 'utf-8',
            //'headerCharset' => 'utf-8',
        ],
    ],

And lastly, paste the 'fingerprint' of your OpenPGP key and uncomment those public and private configuraiton lines.

            'serverKey' => [
                // Server private key fingerprint.
                'fingerprint' => '63BA4EBB65126A6BE334075DD210E985E2ED02E5',
                'public' => CONFIG . 'gpg' . DS . 'serverkey.asc',
                'private' => CONFIG . 'gpg' . DS . 'serverkey_private.asc',
            ],

Save and exit.

Passbolt config file

Now install 'Passbolt' using the command below.

./bin/cake passbolt install

You will be asked to create a new admin user and password - type your details.

cake passbolt install

And in the end, you will be given the 'registration' link, write it down on your note.

Step 8 - Passbolt Post-Installation

Open your web browser and install the 'Passbolt' extensions of your web browser.

Following is the link of passbolt extension for Chrome browser. Install the extension.

https://chrome.google.com/webstore/detail/passbolt-extension

Now open a new tab and paste the 'registration' link given to the address bar. Mine was:

https://passbolt.hakase.io/setup/install/b830cc87-1aa5-4f6f-95f4-9be21accdefa/103001a4-39a1-4bb9-866c-822ac0f7c76f

And you will a page similar to the one shown below.

Passbolt plugin check

Check the box on the bottom and click the 'Next' button. Now you will be asked for creating a new key for the user.

Create a new key

Click 'Next' button.

Setup the 'Passphrase', type your strong passphrase.

Set a password

Click 'Next' button. Backup your key by pressing the 'Download' button and click 'Next' again.

Download backup key

For the security token, leave it default and click 'Next'.

Set security token

And you will be redirected to the Passbolt login page.

Passbolt login page

Type your 'Passphrase' and click 'Login'. And you will see the Passbolt user Dashboard as below.

Welcome to Passbolt

Passbolt open source password manager installation on CentOS 7 has been completed successfully.

Step 9 - Additional Security Server Setup

- Setup the Firewalld

Open new HTTP, HTTPS, and SMTP ports on the server.

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --add-service=smtp --permanent

Now reload the firewalld configuration.

sudo firewall-cmd --reload

- Setup Selinux Permission

Permission for the 'Passbolt' webroot directory.

sudo semanage fcontext -a -t httpd_sys_content_t '/var/www(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/passbolt/tmp(/.*)?'
sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/passbolt/logs(/.*)?'
sudo restorecon -Rv /var/www

Permission for the Nginx gnupg keyring directory.

sudo semanage fcontext -a -t httpd_sys_rw_content_t '/var/lib/nginx/.gnupg(/.*)?'
sudo restorecon -Rv /var/lib/nginx/.gnupg

Reference

Share this page:

1 Comment(s)