Authentication failed

I’ve installed passbolt on my server, but I cannot log in. I got the error below in the application’s log:

Error: [Cake\Http\Exception\ForbiddenException] You need to login to access this location. 
Request URL: /auth/is-authenticated.json

But my password is correct :confused:

My healthchecker report

Healthcheck shell


[PASS] PHP version 7.3.26.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://passbolt
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate


[PASS] The application is able to connect to the database
[PASS] 23 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to …/.gnupg.
[PASS] The directory …/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server gpg key is not the default one
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Application configuration

[PASS] Using latest passbolt version (2.13.5).
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

No error found. Nice one sparky!

PHP 7.3, CentOS 7, MariaDB 10.5
queue works fine
no errors in my apache logs
cookies are created correctly

Hi @marcus Welcome to the forum! And thank you for the details, this is very useful.

You are saying you cannot login - this implies you already registered your admin user? Please clarify from a user standpoint the process/stage where you are experiencing this, thanks.

Hi @garrett!

Yes, I created an admin user (Organization administrator) correctly. My account is active.

I try to log in using a form

When I click “login”, a page is refreshed and the error occurs in the log.

@marcus Normally there is an error message in the login form that says the passphrase is incorrect. But to confirm, you are saying the page refreshes and there is no error message. Correct?

Almost like it is logging you out right after submitting your passphrase? Maybe something like this:


After I enter a wrong password, I receive an error message. It means that I’ve been entering the correct password.

The case which you shared with me does not look like my issue. I’ve full access to use cookies with chrome.


Next step could be to turn on debug in config/passbolt.php file by adding:

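return [
    // boolean true enables debug output; remove or comment out when done
    'debug' => true,

    'App' => [
        // ... existing App settings ...
    ],
    // ... remaining settings ...
];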

Website will say “Unsafe Mode” in footer on login page if debug is successfully enabled. You can comment it out when done using.

You’ll also want to make sure there is a “debug.log” file in the logs folder, writable by webserver user (on my Centos7 install it’s nginx).

I’ve just noticed the issue below in the Chrome extension

Access to fetch at ‘’ from origin ‘chrome-extension://didegimhafipceonhjepacocaffmoppf’ has been blocked by CORS policy:
Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

Debug mode hasn’t logged any error.

@marcus I have not seen this before. Are you proxying to a backend with a different domain? You could try reinstalling the extension and recover your user.

I’ve done as you wrote and now it’s working fine :crazy_face:
Prolly it’s something with the connection between the Chrome extension and the website :thinking:
thx for the tip :clap:
