Migrate passbolt CE from install scripts to Debian package

A Debian package has been created to increase the ease of installing and upgrading passbolt.

Pre-requisites

For this tutorial, you will need:

• A minimal Debian 11 server.
• Passbolt installed with the Debian install script.

1. Take down your site

It is generally a good idea to stop running the site prior to the upgrade. This is to avoid having side effects such as active users corrupting the data in the middle of an upgrade.

sudo systemctl stop nginx

2. Backup your instance

First things first, as this is a sensitive operation a backup of the instance must be performed to prevent any data loss. You can follow our backup process.

3. Upgrade your system

Passbolt requires PHP 7.3 and supports PHP 7.4.

A full system upgrade to Debian 11 is necessary before installing the passbolt Debian package.

Here is the official Debian guide to upgrade your system with a step by step tutorial.

4. Install the package

Package repository setup

For easier installation and update tasks Passbolt provides a package repository that you need to setup before you download Passbolt CE and install it.

Step 1. Download our dependencies installation script:

wget https://raw.githubusercontent.com/passbolt/passbolt-dep-scripts/main/passbolt-repo-setup.ce.sh

Step 2. Ensure that the script is valid and execute it:

[ "$(sha256sum passbolt-repo-setup.ce.sh | awk '{print $1}')" = "ce96ab921e2fa448d48da018e3be0e9646791629dffb13707bbc49b55c739490" ] && sudo bash ./passbolt-repo-setup.ce.sh || echo "Bad checksum. Aborting" && rm -f passbolt-repo-setup.ce.sh

Install passbolt official linux package

sudo apt install passbolt-ce-server

It is recommended at this point to select:

• No for mariadb configuration as it is already configured
• No to nginx configuration as we will do it at the end

5. Copy existing configuration to the new location

5.1. Copy the server keys

Copy the GPG server keys as following:

sudo cp -a /var/www/passbolt/config/gpg/serverkey.asc /etc/passbolt/gpg/
sudo cp -a /var/www/passbolt/config/gpg/serverkey_private.asc /etc/passbolt/gpg/
sudo chown -R root:www-data /etc/passbolt/gpg
sudo chmod g-w /etc/passbolt/gpg

5.2. Copy the passbolt configuration

Copy passbolt configuration as following:

sudo cp /var/www/passbolt/config/passbolt.php /etc/passbolt/passbolt.php
sudo chown root:www-data /etc/passbolt/passbolt.php
sudo chmod g-w /etc/passbolt/passbolt.php

If you are running mysql 8, please change the quoteIdentifiers setting of the passbolt.php as follow:

'quoteIdentifiers' => true

5.3. Copy the avatars

If coming from Passbolt version prior to 3.2, copy passbolt avatars as following:

sudo cp -R /var/www/passbolt/webroot/img/public/avatar /usr/share/php/passbolt/webroot/img/public/

6. PHP-FPM

Edit /etc/php/7.4/fpm/pool.d/www.conf and look for the line that looks like this:

listen = 127.0.0.1:9000

Change it to look like this:

listen = /run/php/php7.4-fpm.sock

Due to a bug on the install scripts some installations might need to do an additional substitution on /etc/php/7.4/fpm/pool.d/www.conf:

Look for the line containing:

listen.group = _WWW_GROUP_

And change it to look like:

listen.group = www-data

7. Nginx

Now you can remove all the old nginx configuration files from /etc/nginx/conf.d/

sudo rm /etc/nginx/conf.d/passbolt.conf
sudo rm /etc/nginx/conf.d/passbolt_ssl.conf

Then you can reconfigure the Debian package using:

sudo dpkg-reconfigure passbolt-ce-server

Answer the following way:

• No to mariadb configuration
• Yes to nginx configuration

You can then select the SSL method that suits best your needs.

8. Run the database migrations

Now it is time to run the migrations to upgrade the database schemas:

sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt migrate"

9. Cleanup

After you have checked you can access your new setup with the Debian package make a backup of /var/www/passbolt and then you can delete it:

sudo rm -rf /var/www/passbolt

You may also want to check for the old CRON job that may need to be removed:

sudo crontab -u www-data -e

10. Take your site back up

Finally take passbolt back up:

sudo systemctl start nginx
sudo systemctl restart php7.4-fpm