Cannot add new entries after patch from 2.1.0 to 2.2.0

After upgrade from 2.1.0 to 2.2.0 it is no longer possible to create new entries to passbolt. The error.log of passbolt shows entries like:

2018-08-15 17:09:23 Error: [Cake\Network\Exception\InvalidCsrfTokenException] CSRF token mismatch.
Request URL: /resources.json?api-version=v2
Referer URL: http://passbolt1./

When go back to 2.1.0 the error is no longer existent. So it seems that the passbolt patch is the reason for this behavior (and not the parallel done OS patch).

It is not relevant to add a “server_name” (some forums discussed this) directive to /etc/nginx/conf.d/default.conf or to comment out “add_header X-XSS-Protection” or set it to “0”. In my opinion the error messages are not generated from nginx but from the passbolt application so that it seems logical that the nginx configuration changes are not working.


  • centos 7.5 latest patch incl. all components shown below

Health check:

 ____                  __          ____
/ __ \____  _____ ____/ /_  ____  / / /_

/ // / __ `/ / / __ / __ / / _/
/ / // ( |
) /
/ / /
/ / / /
/ _

Open source password manager for teams

Healthcheck shell


[PASS] PHP version 7.0.31.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable.
[PASS] The public image directory and its content are writable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to http://passbolt1.
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate


[PASS] The application is able to connect to the database
[PASS] 19 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The server gpg key is not the default one
[PASS] The environment variable GNUPGHOME is set to /var/cache/nginx/.gnupg.
[PASS] The directory /var/cache/nginx/.gnupg containing the keyring is writable by the webserver user.
[PASS] The public key file is defined in config/passbolt.php and readable.
[PASS] The private key file is defined in config/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in config/passbolt.php.
[PASS] The server public key defined in the config/passbolt.php is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.

Application configuration

[FAIL] This installation is not up to date. Currently using 2.1.0 and it should be v2.2.0.

=> status with 2.1.0 is the same as with 2.2.0

[HELP] See.
[PASS] Passbolt is configured to force SSL use.
[FAIL] App.fullBaseUrl is not set to HTTPS.
[HELP] Check App.fullBaseUrl url scheme in config/passbolt.php.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

2 error(s) found. Hang in there!

Hello @mebersbach,
Can you clean your browser cache and tell me if the error is still occurring with v2.2.0.

Hello @cedric

Bingo - this has solved the problem!

Funny - in a second browser I had re-registered because of the problems, but then got the error there too. I would not have expected that.

But - it works - thank you very much!

Thank you for the report
I added a task to our current sprint to investigate this cache issue.