@jesussuarz
Last active September 9, 2024 15:04

Guide to Migrating Passbolt Server to a New Server

This guide covers two important aspects:

  1. Migrating a Passbolt server from an old server to a new one, even if the new server runs a newer operating system.
  2. Converting a Passbolt Pro installation to a Community (CE) version.

The process described is applicable both for a new installation and for an update on the existing server. In my case, I migrated from CentOS 7 to AlmaLinux 9.4.

Old Server

First, create a backup of the files and database of your old Passbolt server. To do this, execute:

mysqldump -u [username] -p[password] [database_name] > backup_passbolt.sql

Alternatively, you can use the Passbolt backup script:

sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt mysql_export" nginx

Then, create a backup of all your files using tar to compress them:

tar -czvf passbolt_backup.tar.gz /var/www/passbolt /etc/passbolt /var/lib/passbolt

Transfer these files to the new server and decompress them with the following command:

tar -xzvf passbolt_backup.tar.gz -C /

Converting Passbolt Pro to Community Edition (CE)

If you are migrating from a Passbolt Pro installation to CE, uninstall the passbolt-pro-server package with the following commands:

sudo yum remove passbolt-pro-server
sudo yum autoremove
sudo yum clean all

Remove the old repository:

sudo rm -rf /etc/yum.repos.d/passbolt-pro.repo
sudo yum update

Add the Passbolt CE repository:

echo "[passbolt-ce]
name=Passbolt CE Repository
baseurl=https://download.passbolt.com/ce/yum/el7
enabled=1
gpgcheck=1
gpgkey=https://download.passbolt.com/ce/yum/RPM-GPG-KEY-passbolt" | sudo tee /etc/yum.repos.d/passbolt-ce.repo

New Installation on the New Server

If it is a new server, follow the steps for a new installation. Execute:

curl -LO https://download.passbolt.com/ce/installer/passbolt-repo-setup.ce.sh
curl -LO https://github.com/passbolt/passbolt-dep-scripts/releases/latest/download/passbolt-ce-SHA512SUM.txt
sha512sum -c passbolt-ce-SHA512SUM.txt && sudo bash ./passbolt-repo-setup.ce.sh || echo "Bad checksum. Aborting" && rm -f passbolt-repo-setup.ce.sh

Install the package:

sudo dnf install passbolt-ce-server

If it is a new server, ensure your domain points to the new IP address. If it is an update on the same server, skip this step.

Nginx Configuration on AlmaLinux 9.4

Save the following configuration files in /etc/nginx/conf.d.

passbolt.conf

server {
  listen [::]:80;
  listen 80;
  server_name your.sub.domain.com;
  client_body_buffer_size 100K;
  client_header_buffer_size 1K;
  client_max_body_size 5M;

  client_body_timeout 10;
  client_header_timeout 10;
  keepalive_timeout 5 5;
  send_timeout 10;

  root /usr/share/php/passbolt/webroot;
  index index.php;

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_pass php-fpm;
    fastcgi_index index.php;
    fastcgi_intercept_errors on;
    fastcgi_split_path_info ^(.+\.php)(.+)$;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param SERVER_NAME $http_host;
    fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M";
  }
}

passbolt_ssl.conf

server {
  listen [::]:443 ssl http2;
  listen 443 ssl http2;
  server_name your.sub.domain.com;
  client_body_buffer_size 100K;
  client_header_buffer_size 1k;
  client_max_body_size 5M;

  client_body_timeout 10;
  client_header_timeout 10;
  keepalive_timeout 5 5;
  send_timeout 10;

  ssl_certificate /etc/ssl/certs/passbolt_certificate.crt;
  ssl_certificate_key /etc/ssl/certs/passbolt_private.key;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;
  ssl_session_tickets off;

  root /usr/share/php/passbolt/webroot;
  index index.php;

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_pass php-fpm;
    fastcgi_index index.php;
    fastcgi_intercept_errors on;
    fastcgi_split_path_info ^(.+\.php)(.+)$;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param SERVER_NAME $http_host;
    fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M";
  }
}

Importing the Database

Import your database into the new server (skip this step if it is the same previous installation):

mysql -u [username] -p[password] [database_name] < backup_passbolt.sql

Additional Configuration

Run the following script to configure MariaDB and Nginx and to generate your SSL certificate with Let's Encrypt:

sudo /usr/local/bin/passbolt-configure

If the SSL certificate generation fails, you can rerun:

certbot --nginx

Enable and Start Services

Enable the services to start automatically on system boot:

systemctl enable php-fpm
systemctl enable nginx
systemctl enable mariadb

Start the services:

systemctl start php-fpm
systemctl start nginx
systemctl start mariadb

Create and Configure the Database

If MariaDB is not installed, install it:

sudo yum install -y mariadb-server mariadb

Create your new database:

mysql -u root -p
CREATE DATABASE passbolt;
CREATE USER 'passbolt'@'localhost' IDENTIFIED BY 'your_secure_password_here';
GRANT ALL PRIVILEGES ON passbolt.* TO 'passbolt'@'localhost';
FLUSH PRIVILEGES;
EXIT;

Import your database into the new server:

mysql -u [username] -p[password] [database_name] < backup_passbolt.sql

Import the Server Key

If you are migrating servers, create the directory manually and set the correct permissions:

sudo mkdir -p /var/lib/nginx/.gnupg
sudo chown -R nginx:nginx /var/lib/nginx/.gnupg
sudo chmod 700 /var/lib/nginx/.gnupg

Import your key:

sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" nginx

Set permissions on the configuration files:

chown -Rf root:nginx /etc/passbolt/jwt/
chmod 750 /etc/passbolt/jwt/
chmod 640 /etc/passbolt/jwt/jwt.key
chmod 640 /etc/passbolt/jwt/jwt.pem

sudo chown nginx:nginx /etc/passbolt/gpg/serverkey_private.asc 
sudo chown nginx:nginx /etc/passbolt/gpg/serverkey.asc
sudo chmod 440 /etc/passbolt/gpg/serverkey.asc 
sudo chmod 440 /etc/passbolt/gpg/serverkey_private.asc
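
Added example, not part of the original gist: a check that the server key, the JWT keys and the GnuPG directory ended up with the modes and owners set by the commands above. The function name `audit_passbolt_perms` and its optional `PREFIX` and `CHECK_OWNER` parameters are assumptions made for this example; it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: audit the permissions this guide sets on Passbolt key material.
# Uses GNU stat (coreutils), as shipped on AlmaLinux.

# path  mode  owner:group  -- copied from the chown/chmod commands in this guide
PASSBOLT_EXPECTED='/var/lib/nginx/.gnupg 700 nginx:nginx
/etc/passbolt/jwt 750 root:nginx
/etc/passbolt/jwt/jwt.key 640 root:nginx
/etc/passbolt/jwt/jwt.pem 640 root:nginx
/etc/passbolt/gpg/serverkey.asc 440 nginx:nginx
/etc/passbolt/gpg/serverkey_private.asc 440 nginx:nginx'

# audit_passbolt_perms [PREFIX] [CHECK_OWNER]
#   PREFIX       optional staging root (hypothetical parameter, e.g. a test tree)
#   CHECK_OWNER  "yes" (default) also compares owner:group
# Prints one line per problem and returns the number of problems found.
audit_passbolt_perms() {
  prefix=${1:-}
  check_owner=${2:-yes}
  problems=0
  while read -r path want_mode want_owner; do
    target="$prefix$path"
    if [ ! -e "$target" ]; then
      echo "MISSING $path"
      problems=$((problems + 1))
      continue
    fi
    got_mode=$(stat -c '%a' "$target")
    got_owner=$(stat -c '%U:%G' "$target")
    if [ "$got_mode" != "$want_mode" ]; then
      echo "MODE $path is $got_mode, expected $want_mode"
      problems=$((problems + 1))
    fi
    if [ "$check_owner" = yes ] && [ "$got_owner" != "$want_owner" ]; then
      echo "OWNER $path is $got_owner, expected $want_owner"
      problems=$((problems + 1))
    fi
  done <<EOF
$PASSBOLT_EXPECTED
EOF
  return "$problems"
}
```

Run `audit_passbolt_perms` as root on the new server after the migration; no output and exit status 0 mean every listed path matches.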

Finalizing the Migration

Run the command to migrate Passbolt to the latest version:

sudo -H -u nginx /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt migrate"

Perform a health check to ensure everything is working correctly:

sudo -H -u nginx /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"

If you encounter issues, rerun:

sudo /usr/local/bin/passbolt-configure

Use the same details you used previously to create your database.

To avoid potential issues, you may need to disable SELinux. Follow these steps to disable SELinux on your server:

Check the Current SELinux Status

First, check the current status of SELinux:

sestatus

This command will display the current state of SELinux (enabled or disabled) and its mode (enforcing, permissive, or disabled).

To permanently disable SELinux, you need to edit the SELinux configuration file. Open the configuration file using a text editor, such as nano or vi:

nano /etc/selinux/config

Find the line that says SELINUX=enforcing or SELINUX=permissive and change it to SELINUX=disabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled

# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Save the file and exit the text editor.

Reboot the System

Finally, reboot your system to apply the changes:

sudo reboot
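
Added example, not part of the original gist: the function below summarises which SELinux denials the web stack is generating (nginx and php-fpm run in the `httpd_t` domain under the targeted policy), so the issues mentioned above can be traced to specific files and labels. The audit lines are constructed sample data, and `summarize_avc` and `sample_audit_log` are names chosen for this example.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials raised by the httpd_t domain.

# summarize_avc: reads audit log lines on stdin and prints
#   COUNT COMM PERMS TCLASS NAME TCONTEXT
# for each distinct denial, most frequent first.
summarize_avc() {
  awk '
    # Return the value of key=value on the current record, quotes stripped.
    function field(key,   i, v) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) {
          v = substr($i, length(key) + 2)
          gsub(/"/, "", v)
          return v
        }
      return "-"
    }
    /avc:/ && /denied/ && /scontext=[^ ]*:httpd_t:/ {
      perms = $0                       # keep only the text between { and }
      sub(/.*[{] /, "", perms); sub(/ [}].*/, "", perms)
      gsub(/ /, ",", perms)
      seen[field("comm") " " perms " " field("tclass") " " field("name") " " field("tcontext")]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k1,1nr -k2
}

# Constructed sample lines (not taken from a real host).
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1725894000.101:410): avc:  denied  { read } for  pid=2101 comm="php-fpm" name="serverkey_private.asc" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1725894000.101:410): arch=c000003e syscall=257 success=no exit=-13 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1725894002.550:415): avc:  denied  { read } for  pid=2102 comm="php-fpm" name="serverkey_private.asc" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1725894003.310:418): avc:  denied  { write add_name } for  pid=2101 comm="php-fpm" name=".gnupg" dev="dm-0" ino=2207 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1725894005.020:421): avc:  denied  { read } for  pid=900 comm="sshd" name="authorized_keys" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
EOF
}
```

On a live host, pipe `ausearch -m AVC -ts recent --raw` or `/var/log/audit/audit.log` into `summarize_avc`; denials caused by labels lost during the tar restore are usually cleared by running `restorecon -Rv` on the restored paths.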

Information Sources

These guides were invaluable for completing this task:

I hope this guide helps you migrate your Passbolt server to a new server or switch from Passbolt Pro to CE.

If you have any comments, please let me know here, and I will respond as soon as possible.
