In this tutorial, you will learn how to upgrade Passbolt installed from source on Ubuntu System. There are different ways in which one can install Passbolt password manager on their systems. The method of installation will determine how one can upgrade Passbolt to the latest version as per the releases.
How to Upgrade Passbolt Installed from Source on Ubuntu
As already mentioned, the method to use to upgrade or to update Passbolt is determined by how you installed it initially.
In my environment, Passbolt was installed from source code and thus, this guide will focus mainly on how you can easily upgrade Passbolt installed from sources on Ubuntu systems.
Check Current Version of Passbolt
Before we proceed, let’s confirm the current version of Passbolt we are running by running the command below;
sudo cat /var/www/passbolt/config/version.php
Sample Output confirming the current Passbolt version I am running, which v2.12.2.
<?php return [ 'passbolt' => [ 'version' => '2.12.0', 'name' => 'Call me' ] ];
As of this writing, Passbolt v3.5.0 is the current release version as per the releases page.
Thus, it is time to upgrade Passbolt installed from source.
System Requirements
Among the system requirements for the installation/running of Passbolt, you should at least have the following;
- PHP >= 7.3.0
- MariaDB/Mysql >= 5.5.59
- Composer >= 2
How to Upgrade Passbolt Installed from Source on Ubuntu
The Major system components that enables Passbolt to run is the LAMP/LEMP stack components. We used LAMP Stack in our current setup.
Thus, you need to upgrade these components to match the versions required by the current version of Passbolt.
Stop HTTP Server
To begin with, stop the web server service. As mentioned above, we are using LAMP stack in our setup. hence, Apache is our HTTP server.
sudo systemctl stop apache2
Upgrade PHP and Required Modules
You need to have PHP >= 7.3.0 and required Modules. Current versions of Passbolt requires PHP >= 7.3.0.
The installed version of PHP in my passbolt server is PHP 7.2;
php -v
PHP 7.2.24-0ubuntu0.18.04.10 (cli) (built: Oct 25 2021 17:47:59) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.24-0ubuntu0.18.04.10, Copyright (c) 1999-2018, by Zend Technologies
I am going to install PHP 7.4 and required Passbolt PHP modules;
sudo apt install php7.4 php7.4-gnupg php7.4-intl php7.4-mbstring php7.4-fpm php7.4-mysql php7.4-xml php7.4-curl php7.4-json php7.4-gd php7.4-ldap php7.4-imagick libapache2-mod-php7.4 -y
If your current Ubuntu system default repositories do not have PHP 7.4/7.3, you can install Onderj/PHP PPA repository;
sudo add-apt-repository ppa:ondrej/php --yes
sudo apt update
Then install PHP 7.3 or PHP 7.4 as shown above.
Disable Old Apache PHP Modules and Enable Current Apache PHP Modules
Next, disable old Apache PHP modules. For example, in current setup, we are running PHP 7.2 as shown above. Thus;
sudo a2dismod php7.2
And since I am running PHP 7.4, let’s enable its Apache modules;
sudo a2enmod php7.4
Set the Default PHP Version to use
If at this point you have multiple versions of PHP running, you need to configure, at least PHP 7.4 as the default PHP version to use with Passbolt.
sudo update-alternatives --config php
I will set PHP 7.4 to default, hence option 2 in the prompt below;
There are 3 choices for the alternative php (providing /usr/bin/php). Selection Path Priority Status ------------------------------------------------------------ * 0 /usr/bin/php8.1 81 auto mode 1 /usr/bin/php7.2 72 manual mode 2 /usr/bin/php7.4 74 manual mode 3 /usr/bin/php8.1 81 manual mode Press to keep the current choice[*], or type selection number: 2 update-alternatives: using /usr/bin/php7.4 to provide /usr/bin/php (php) in manual mode
Confirm your default PHP version;
php -v
PHP 7.4.27 (cli) (built: Dec 20 2021 21:27:56) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Zend OPcache v7.4.27, Copyright (c), by Zend Technologies
Upgrade MySQL/MariaDB Database
I am currently running MariaDB 10.3;
mysql -V
mysql Ver 15.1 Distrib 10.3.31-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
To upgrade MariaDB to 10.6;
Backup the current databases;
mysqldump -u root -p --all-databases > /home/itnixpro/backup/all-dbs.bak.sql
To backup specific database;
mysqldump -u user -p passbolt-db > /home/itnixpro/backup/passbolt-db.sql
Next, Install MariaDB 10.6 APT repos from MariaDB repositories site for your specific system;
sudo apt install software-properties-common dirmngr apt-transport-https
sudo apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
echo 'deb [arch=amd64,arm64,ppc64el] https://mirrors.xtom.jp/mariadb/repo/10.6/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/mariadb.list
sudo apt update
Stop MariaDB;
sudo systemctl stop mariadb
Upgrade MariaDB;
sudo apt install --only-upgrade mariadb-server mariadb-client
Once the installation is done, Start MariaDB;
sudo systemctl daemon-reload
sudo systemctl start mariadb
Next, check tables for MariaDB upgrade;
mysql_upgrade -u root -p
Ensure there is no error;
Phase 1/7: Checking and upgrading mysql database Processing databases mysql mysql.column_stats OK mysql.columns_priv OK mysql.db OK mysql.event OK mysql.func OK mysql.gtid_slave_pos OK mysql.help_category OK mysql.help_keyword OK mysql.help_relation OK mysql.help_topic OK mysql.host OK mysql.index_stats OK mysql.innodb_index_stats OK mysql.innodb_table_stats OK mysql.plugin OK mysql.proc OK mysql.procs_priv OK mysql.proxies_priv OK mysql.roles_mapping OK mysql.servers OK mysql.table_stats OK mysql.tables_priv OK mysql.time_zone OK mysql.time_zone_leap_second OK mysql.time_zone_name OK mysql.time_zone_transition OK mysql.time_zone_transition_type OK mysql.user OK Phase 2/7: Installing used storage engines... Skipped Phase 3/7: Fixing views Phase 4/7: Running 'mysql_fix_privilege_tables' Phase 5/7: Fixing table and database names Phase 6/7: Checking and upgrading tables Processing databases information_schema pass pass.action_logs OK pass.actions OK pass.authentication_tokens OK pass.comments OK pass.email_queue OK pass.entities_history OK pass.favorites OK pass.file_storage OK pass.gpgkeys OK pass.groups OK pass.groups_users OK pass.organization_settings OK pass.permissions OK pass.permissions_history OK pass.phinxlog OK pass.profiles OK pass.resources OK pass.roles OK pass.secret_accesses OK pass.secrets OK pass.secrets_history OK pass.user_agents OK pass.users OK performance_schema sys sys.sys_config OK Phase 7/7: Running 'FLUSH PRIVILEGES' OK
Upgrade PHP Composer
Check the current version of Composer.
composer.phar --version
Composer version 1.10.0 2020-03-10 14:08:05
Passbolt requires composer.phar >= 2. Upgrade it then;
sudo php /usr/bin/composer.phar self-update
Recheck the version again.
composer.phar --version
Composer version 2.2.6 2022-02-04 17:00:38
Update the Passbolt Code
Navigate to Passbolt web root directory and update the files in the working tree to match the current version;
cd /var/www/passbolt
sudo git checkout HEAD .
Download the latest Passbolt code;
sudo git pull origin master
Update the required Passbolt dependencies.
sudo php -d allow_url_fopen=on /usr/bin/composer.phar install --no-dev -n -o
... Package operations: 25 installs, 18 updates, 14 removals - Downloading cakephp/plugin-installer (1.3.1) - Downloading psr/log (1.1.4) - Downloading psr/http-server-handler (1.0.1) - Downloading psr/http-server-middleware (1.0.1) - Downloading psr/http-client (1.0.1) - Downloading psr/container (1.1.1) - Downloading league/container (3.4.1) - Downloading psr/http-factory (1.0.1) - Downloading laminas/laminas-diactoros (2.8.0) - Downloading laminas/laminas-zendframework-bridge (1.4.0) - Downloading laminas/laminas-httphandlerrunner (1.5.0) - Downloading composer/ca-bundle (1.3.1) - Downloading cakephp/chronos (2.3.0) - Downloading cakephp/cakephp (4.2.9) - Downloading bcrowe/cakephp-api-pagination (2.1.1) - Downloading cakephp/authentication (2.7.0) - Downloading symfony/polyfill-php80 (v1.23.1) - Downloading symfony/polyfill-mbstring (v1.23.1) - Downloading symfony/polyfill-intl-normalizer (v1.23.0) - Downloading symfony/polyfill-intl-grapheme (v1.23.1) - Downloading symfony/polyfill-ctype (v1.23.0) - Downloading symfony/string (v5.3.10) - Downloading symfony/service-contracts (v2.4.0) - Downloading symfony/polyfill-php73 (v1.23.0) - Downloading symfony/deprecation-contracts (v2.4.0) - Downloading symfony/console (v5.3.10) - Downloading symfony/polyfill-php81 (v1.23.0) - Downloading symfony/filesystem (v5.3.4) - Downloading symfony/config (v5.3.10) - Downloading robmorgan/phinx (0.12.9) - Downloading cakephp/migrations (3.1.0) - Downloading donatj/phpuseragentparser (v1.5.0) - Downloading firebase/php-jwt (v5.5.1) - Downloading imagine/imagine (1.2.4) - Downloading league/mime-type-detection (1.8.0) - Downloading league/flysystem (2.3.1) - Downloading lorenzo/cakephp-email-queue (4.0.0) - Downloading mobiledetect/mobiledetectlib (2.8.37) - Downloading ramsey/collection (1.2.2) - Downloading brick/math (0.9.3) - Downloading ramsey/uuid (4.2.3) - Downloading phpseclib/phpseclib (2.0.34) - Downloading singpolyma/openpgp-php (0.5.0) - Removing zendframework/zend-diactoros (1.8.7) - Removing thadafinser/user-agent-parser (v2.0.0) - Removing thadafinser/package-info (v1.0.0) - Removing symfony/yaml (v3.4.36) - Removing symfony/debug (v3.4.36) - Removing ralouphie/getallheaders (3.0.3) - Removing paragonie/random_compat (v9.99.99) - Removing knplabs/gaufrette (v0.7.0) - Removing guzzlehttp/psr7 (1.6.1) - Removing guzzlehttp/promises (v1.3.1) - Removing guzzlehttp/guzzle (6.4.1) - Removing burzum/cakephp-imagine-plugin (3.x-dev 3ef5969) - Removing burzum/cakephp-file-storage (2.1) - Removing aura/intl (3.0.0) - Removing cakephp/plugin-installer (1.1.1) - Installing cakephp/plugin-installer (1.3.1): Extracting archive - Upgrading psr/log (1.1.2 => 1.1.4): Extracting archive - Installing psr/http-server-handler (1.0.1): Extracting archive - Installing psr/http-server-middleware (1.0.1): Extracting archive - Installing psr/http-client (1.0.1): Extracting archive - Installing psr/container (1.1.1): Extracting archive - Installing league/container (3.4.1): Extracting archive - Installing psr/http-factory (1.0.1): Extracting archive - Installing laminas/laminas-diactoros (2.8.0): Extracting archive - Installing laminas/laminas-zendframework-bridge (1.4.0): Extracting archive - Installing laminas/laminas-httphandlerrunner (1.5.0): Extracting archive - Installing composer/ca-bundle (1.3.1): Extracting archive - Upgrading cakephp/chronos (1.3.0 => 2.3.0): Extracting archive - Upgrading cakephp/cakephp (3.8.6 => 4.2.9): Extracting archive - Installing bcrowe/cakephp-api-pagination (2.1.1): Extracting archive - Installing cakephp/authentication (2.7.0): Extracting archive - Installing symfony/polyfill-php80 (v1.23.1): Extracting archive - Upgrading symfony/polyfill-mbstring (v1.13.1 => v1.23.1): Extracting archive - Installing symfony/polyfill-intl-normalizer (v1.23.0): Extracting archive - Installing symfony/polyfill-intl-grapheme (v1.23.1): Extracting archive - Upgrading symfony/polyfill-ctype (v1.13.1 => v1.23.0): Extracting archive - Installing symfony/string (v5.3.10): Extracting archive - Installing symfony/service-contracts (v2.4.0): Extracting archive - Installing symfony/polyfill-php73 (v1.23.0): Extracting archive - Installing symfony/deprecation-contracts (v2.4.0): Extracting archive - Upgrading symfony/console (v3.4.36 => v5.3.10): Extracting archive - Installing symfony/polyfill-php81 (v1.23.0): Extracting archive - Upgrading symfony/filesystem (v3.4.36 => v5.3.4): Extracting archive - Upgrading symfony/config (v3.4.36 => v5.3.10): Extracting archive - Upgrading robmorgan/phinx (0.11.1 => 0.12.9): Extracting archive - Upgrading cakephp/migrations (2.4.0 => 3.1.0): Extracting archive - Upgrading donatj/phpuseragentparser (v0.7.0 => v1.5.0): Extracting archive - Installing firebase/php-jwt (v5.5.1): Extracting archive - Upgrading imagine/imagine (v0.6.3 => 1.2.4): Extracting archive - Installing league/mime-type-detection (1.8.0): Extracting archive - Installing league/flysystem (2.3.1): Extracting archive - Upgrading lorenzo/cakephp-email-queue (3.3.1 => 4.0.0): Extracting archive - Upgrading mobiledetect/mobiledetectlib (2.8.34 => 2.8.37): Extracting archive - Installing ramsey/collection (1.2.2): Extracting archive - Installing brick/math (0.9.3): Extracting archive - Upgrading ramsey/uuid (3.9.1 => 4.2.3): Extracting archive - Upgrading phpseclib/phpseclib (2.0.4 => 2.0.34): Extracting archive - Upgrading singpolyma/openpgp-php (0.3.0 => 0.5.0): Extracting archive Package webmozart/path-util is abandoned, you should avoid using it. Use symfony/filesystem instead. Generating optimized autoload files 27 packages you are using are looking for funding. Use the `composer fund` command to find out more! > App\Console\Installer::postInstall Permissions set on /var/www/passbolt/tmp/avatars Permissions set on /var/www/passbolt/tmp/cache Permissions set on /var/www/passbolt/tmp/cache/database Permissions set on /var/www/passbolt/tmp/cache/models Permissions set on /var/www/passbolt/tmp/cache/persistent Permissions set on /var/www/passbolt/tmp/cache/views Permissions set on /var/www/passbolt/tmp/selenium Permissions set on /var/www/passbolt/tmp/sessions Permissions set on /var/www/passbolt/tmp/tests Permissions set on /var/www/passbolt/tmp No Security.salt placeholder to replace.
Run the migration script
Next, run the Passbolt migration script.
sudo -H -u www-data bash -c "./bin/cake passbolt migrate --backup"
The command will create a backup of the current database and place it under /var/www/passbolt/tmp/cache/database/backup_xxxxxxxxxx.sql
. This is so you can easily revert in case things don’t go well.
The migration process may take sometime.
When all is done, you should get such an output;
... All Done. Took 1973.3069s Clearing default Cleared default cache Clearing _cake_core_ Cleared _cake_core_ cache Clearing _cake_model_ Cleared _cake_model_ cache
Passbolt should now be upgraded.
Verify;
cat /var/www/passbolt/config/version.php
<?php return [ 'passbolt' => [ 'version' => '3.5.0', 'name' => 'Wide Open' ] ];
Clear Passbolt App Cache
After the upgrade, clear the application cache;
sudo -H -u www-data bash -c "/var/www/passbolt/bin/cake cache clear_all"
Create Passbolt JWT Key Pairs
To begin with, create set the ownership of the JWT keys directory to Apache’s Web server user;
sudo chown -R www-data: /var/www/passbolt/config/jwt
Next, generate the JWT keys;
sudo -H -u www-data bash -c "/var/www/passbolt/bin/cake passbolt create_jwt_keys"
Sample command output;
____ __ ____ / __ \____ _____ ____/ /_ ____ / / /_ / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ / ____/ /_/ (__ |__ ) /_/ / /_/ / / / /_/ \__,_/____/____/_.___/\____/_/\__/ Open source password manager for teams ------------------------------------------------------------------------------- A JWT key pair was successfully created. Public key path: /var/www/passbolt/config/jwt/jwt.pem Secret key path: /var/www/passbolt/config/jwt/jwt.key
Start Apache Web Server;
You can now start your web server
sudo systemctl start apache2
Run Passbolt Health Check
Execute the command below to run Passbolt health checks;
sudo -H -u www-data bash -c "/var/www/passbolt/bin/cake passbolt healthcheck"
Ensure there is no error from the health check;
____ __ ____ / __ \____ _____ ____/ /_ ____ / / /_ / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ / ____/ /_/ (__ |__ ) /_/ / /_/ / / / /_/ \__,_/____/____/_.___/\____/_/\__/ Open source password manager for teams ------------------------------------------------------------------------------- Healthcheck shell ------------------------------------------------------------------------------- Environment [PASS] PHP version 7.4.27. [PASS] PCRE compiled with unicode support. [PASS] The temporary directory and its content are writable and not executable. [PASS] The logs directory and its content are writable. [PASS] GD or Imagick extension is installed. [PASS] Intl extension is installed. [PASS] Mbstring extension is installed. Config files [PASS] The application config file is present [PASS] The passbolt config file is present Core config [PASS] Debug mode is off. [PASS] Cache is working. [PASS] Unique value set for security.salt [PASS] Full base url is set to https://passman.itnixpro.com [PASS] App.fullBaseUrl validation OK. [PASS] /healthcheck/status is reachable. SSL Certificate [PASS] SSL peer certificate validates [PASS] Hostname is matching in SSL certificate. [PASS] Not using a self-signed certificate Database [PASS] The application is able to connect to the database [PASS] 26 tables found [PASS] Some default content is present [PASS] The database schema up to date. GPG Configuration [PASS] PHP GPG Module is installed and loaded. [PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg. [PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user. [PASS] The server OpenPGP key is not the default one [PASS] The public key file is defined in config/passbolt.php and readable. [PASS] The private key file is defined in config/passbolt.php and readable. [PASS] The server key fingerprint matches the one defined in config/passbolt.php. [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring. [PASS] There is a valid email id defined for the server key. [PASS] The public key can be used to encrypt a message. [PASS] The private key can be used to sign a message. [PASS] The public and private keys can be used to encrypt and sign a message. [PASS] The private key can be used to decrypt a message. [PASS] The private key can be used to decrypt and verify a message. [PASS] The public key can be used to verify a signature. [PASS] The server public key format is Gopengpg compatible. [PASS] The server private key format is Gopengpg compatible. Application configuration [PASS] Using latest passbolt version (3.5.0). [PASS] Passbolt is configured to force SSL use. [PASS] App.fullBaseUrl is set to HTTPS. [PASS] Selenium API endpoints are disabled. [PASS] Search engine robots are told not to index content. [WARN] Registration is open to everyone. [HELP] Make sure this instance is not publicly available on the internet. [HELP] Or set passbolt.registration.public to false in config/passbolt.php. [PASS] Serving the compiled version of the javascript app [PASS] All email notifications will be sent. JWT Authentication [PASS] The JWT Authentication plugin is enabled [PASS] The /var/www/passbolt/config/jwt/ directory is not writable. [PASS] A valid JWT key pair was found [PASS] No error found. Nice one sparky!
Login to Upgraded Passbolt and Verify your Passwords are Intact
You can now login to Passbolt and confirm if all your passwords are in place.
And there you go. All my passwords are in place.
That marks the end of our tutorial on how to upgrade Passbolt installed from source on Ubuntu System.