Can't register users "Something went wrong"

I am trying to bring a new installation of PassBolt CE via Docker online within a LAN so that we can test/evaluate the product before considering the business version.

I am able to build/run the container, and it appears to be accessible. When I follow the new user registration link, it looks like it works: I am allowed to enter my e-mail address and create a passphrase. However, after that is done, I’m redirected to a page that says “Something went wrong” “Authentication is required to continue”. At that point, it’s impossible for me to log in or access the registration page, and the system does not recognize the password that I just created.

I am using the 5.4.1-1-ce image, if that matters.

I don’t believe it’s a Docker issue. Using the Passbolt Healthcheck routine tells me the following:

su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data

2025-08-26 21:54:43 warning: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_translations_translations.cake_console.en_UK): Failed to open stream: Permission denied in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php on line 384

warning: 512 :: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_translations_translations.cake_console.en_UK): Failed to open stream: Permission denied on line 384 of /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php

2025-08-26 21:54:43 warning: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_translations_translations.cake_console.en_UK): Failed to open stream: Permission denied in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php on line 384

warning: 512 :: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_translations_translations.cake_console.en_UK): Failed to open stream: Permission denied on line 384 of /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php

Open source password manager for teams

-------------------------------------------------------------------------------

Healthcheck shell

If you want to have more information about the different checks, please take a look at the documentation: 2025-08-26 21:54:44 error: Record not found in table `organization_settings`.

-------------------------------------------------------------------------------

Environment

[INFO] Linux 1fbcf02bee04 5.15.0-134-generic #145-Ubuntu SMP Wed Feb 12 20:08:39 UTC 2025 x86_64 GNU/Linux

[PASS] PHP version 8.2.29.

[PASS] PHP version is 8.2 or above.

[PASS] 64-bit architecture system detected.

[INFO] gpg (GnuPG) 2.2.40 / libgcrypt 1.10.1

[PASS] PCRE compiled with unicode support.

[PASS] Mbstring extension is installed.

[PASS] Intl extension is installed.

[PASS] GD or Imagick extension is installed.

[FAIL] The temporary directory and its content are not writable, or are executable.

[HELP] Ensure the temporary directory and its content are writable by the webserver user.

[HELP] you can try:

[HELP] sudo chown -R www-data:www-data /var/lib/passbolt/tmp/

[HELP] sudo chmod -R 775 $(find /var/lib/passbolt/tmp/ -type d)

[HELP] sudo chmod -R 664 $(find /var/lib/passbolt/tmp/ -type f)

[PASS] The logs directory /var/log/passbolt/ and its content are writable.

[WARN] System clock and NTP service information cannot be found.

[HELP] See `timedatectl | grep -i -A 1 clock`. More information: https://www.passbolt.com/docs/hosting/configure/ntp/

Config files

[PASS] The application config file is present

[WARN] The passbolt config file is missing in /etc/passbolt/

[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php

[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config

[PASS] Cache is working.

[PASS] Debug mode is off.

[PASS] Unique value set for security.salt

[PASS] Full base url is set to http://172.16.10.3:3380

[PASS] App.fullBaseUrl validation OK.

[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates.

[PASS] Hostname is matching in SSL certificate.

[PASS] Not using a self-signed certificate.

SMTP settings

[PASS] The SMTP Settings plugin is enabled.

[PASS] SMTP Settings coherent. You may send a test email to validate them.

[WARN] The SMTP Settings source is: env variables.

[HELP] It is recommended to set the SMTP Settings in the database through the administration section.

[WARN] The SMTP Settings plugin endpoints are enabled.

[HELP] It is recommended to disable the plugin endpoints.

[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.

[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

[PASS] No custom SSL configuration for SMTP server.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled.

[PASS] The /etc/passbolt/jwt/ directory is not writable.

[FAIL] A valid JWT key pair is missing.

[HELP] Run the create JWT keys script to create a valid JWT secret and public key pair:

[HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt create_jwt_keys" www-data

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.

[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.

[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.

[FAIL] The server OpenPGP key is not set.

[HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php

[HELP] See.

[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.

[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.

[FAIL] The server key fingerprint doesn’t match the one defined in /etc/passbolt/passbolt.php.

[HELP] Double check the key fingerprint, example:

[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'

[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.

[HELP] See. install#toc_gpg

[FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring

[HELP] Import the private server key in the keyring of the webserver user.

[HELP] you can try:

[HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data

[FAIL] The server key does not have a valid email id.

[HELP] Edit or generate another key with a valid email id.

[FAIL] The private key cannot be used to decrypt a message

[FAIL] The private key cannot be used to decrypt and verify a message

[FAIL] The public key cannot be used to verify a signature.

Application configuration

[PASS] Using latest passbolt version (5.4.1).

[FAIL] Passbolt is not configured to force SSL use.

[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.

[FAIL] App.fullBaseUrl is not set to HTTPS.

[HELP] Check App.fullBaseUrl url scheme in /etc/passbolt/passbolt.php.

[PASS] Selenium API endpoints are disabled.

[PASS] Search engine robots are told not to index content.

[INFO] The Self Registration plugin is enabled.

[INFO] Registration is closed, only administrators can add users.

[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.

[WARN] Host availability checking is disabled.

[HELP] Make sure this instance is not publicly available on the internet.

[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.

[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.

[PASS] Serving the compiled version of the javascript app.

[WARN] Some email notifications are disabled by the administrator.

[PASS] The database schema is up to date.

Database

[PASS] The application is able to connect to the database

[PASS] 34 tables found.

[PASS] Some default content is present.

Metadata

[PASS] The server is able to decrypt the metadata private key.

[PASS] Active metadata key found or not required.

[PASS] The server has access to the metadata keys or does not require access to it.

[PASS] The server metadata private key is valid.

[FAIL] 11 error(s) found. Hang in there!

So, there appear to be a lot of issues with permissions in the Docker image itself, which can be corrected, although unfortunately they’ll then return the next time the container is restarted.

I haven’t gotten to the stage of even trying to mess with implementing HTTPS yet, since this is still a test installation, so I’m not really concerned about them. We’ll worry about SSL/TLS after the platform is working.

[WARN] System clock and NTP service information cannot be found.

I don’t know why the image reports this; nothing in the installation documentation references setting up NTP in the Docker yaml file.

[WARN] The passbolt config file is missing in /etc/passbolt/

There again, it’s a Docker image; nothing in the install documentation refers to setting a config file. Maybe there are additional instructions required for running Passbolt in Docker?

The warnings about SMTP don’t seem to be serious, and the running container is capable of sending e-mails, so that’s probably not a critical issue.

I suspect that these messages about keys/keypairs are the root cause of the site being non-functional:

[FAIL] A valid JWT key pair is missing.

[FAIL] The server OpenPGP key is not set.

[FAIL] The server key fingerprint doesn’t match the one defined in /etc/passbolt/passbolt.php.

[FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring

[FAIL] The server key does not have a valid email id.

[FAIL] The private key cannot be used to decrypt a message

[FAIL] The private key cannot be used to decrypt and verify a message

[FAIL] The public key cannot be used to verify a signature.

I had been following the instructions at this link for how to install and run Passbolt-

https://www.passbolt.com/docs/hosting/install/ce/docker/

I am now realizing that these instructions cover maybe 10% at best of the actual required steps to install Passbolt. Is there any more complete documentation available?

Alternatively, is the Docker implementation of Passbolt considered to be viable for production use, or should I stop trying to run it in a container and do a full local install in a virtual machine?

Checklist
I have read intro post: https://community.passbolt.com/t/about-the-installation-issues-category/12
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

Hello @Penguin8R and welcome to the forum!

Could you provide your Docker Compose or run command and environment variables?
Also, if you haven’t read this guide and the health check was performed without environment variables, you should run source /etc/environment before the healthcheck command to see all the printouts correctly.

https://www.passbolt.com/docs/hosting/troubleshooting/docker/

This is the current content of the docker-compose-ce.yaml file:

```yaml
services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - database_volume:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:5.4.1-1-ce
    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: http://172.16.10.3:3380
      EMAIL_DEFAULT_FROM_NAME: "Test PassBolt"
      EMAIL_DEFAULT_FROM: "XXXXXXXXXX@gmail.com"
      EMAIL_TRANSPORT_DEFAULT_HOST: "smtp.gmail.com"
      EMAIL_TRANSPORT_DEFAULT_PORT: "587"
      EMAIL_TRANSPORT_DEFAULT_USERNAME: "XXXXXXXXXX@gmail.com"
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: "xxxxxxxxxxxxxxxxxxxx"
      EMAIL_TRANSPORT_DEFAULT_TLS: "true"
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: "XXXXXXXX"
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
      - 3380:80
      - 33443:443

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:
```

I am simply using the Docker command provided in the documentation to start the containers:

docker compose -f docker-compose-ce.yaml up -d

When I run the status-report, it gives me more permissions errors, and complains about a missing log file.

Open source password manager for teams

-------------------------------------------------------------------------------

Cleanup shell (dry-run)

-------------------------------------------------------------------------------

No issue found, data looks squeaky clean!

2025-08-27 14:49:32 warning: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_translations_translations.cake_console.en_UK): Failed to open stream: Permission denied in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php on line 384

warning: 512 :: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_translations_translations.cake_console.en_UK): Failed to open stream: Permission denied on line 384 of /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php

2025-08-27 14:49:32 warning: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_translations_translations.cake_console.en_UK): Failed to open stream: Permission denied in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php on line 384

warning: 512 :: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_translations_translations.cake_console.en_UK): Failed to open stream: Permission denied on line 384 of /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php

Open source password manager for teams

-------------------------------------------------------------------------------

Data check shell

[PASS] Data integrity for AuthenticationTokens.

[PASS] Can validate: 4/4

[PASS] Data integrity for Comments.

[PASS] Can validate: 0/0

[PASS] Data integrity for Favorites.

[PASS] Can validate: 0/0

[PASS] Data integrity for Gpgkeys.

[PASS] Can encrypt: 1/1

[PASS] Pass validation service checks: 1/1

[PASS] Entity data and armored key data matches: 1/1

[PASS] Is not expired: 1/1

[PASS] Is armored key format valid: 1/1

[PASS] Data integrity for Groups.

[PASS] Can validate: 0/0

[PASS] Data integrity for Profiles.

[PASS] Can validate: 2/2

[PASS] Data integrity for Resources.

[PASS] Can validate: 0/0

[PASS] Data integrity for Secrets.

[PASS] Can validate: 0/0

[PASS] Data integrity for Users.

[PASS] Can validate: 2/2

tail: cannot open ‘/var/log/passbolt/error.log’ for reading: No such file or directory

Thank you for the troubleshooting link, I had not seen that and it provides a little more information than the installation documentation that I was trying to follow.

What that seems to be saying is that the Docker image has a lot of permissions errors and missing content, which the Installation guide doesn’t cover.

After doing ‘source /etc/environment’ and running the healthcheck again, I still get permission errors:

www-data@1fbcf02bee04:/usr/share/php/passbolt$ ./bin/cake passbolt healthcheck

2025-08-27 15:06:51 warning: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_translations_translations.cake_console.en_UK): Failed to open stream: Permission denied in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php on line 384

warning: 512 :: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_translations_translations.cake_console.en_UK): Failed to open stream: Permission denied on line 384 of /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php

2025-08-27 15:06:51 warning: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_translations_translations.cake_console.en_UK): Failed to open stream: Permission denied in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php on line 384

warning: 512 :: SplFileInfo::openFile(/var/lib/passbolt/tmp/cache/persistent/myapp_cake_translations_translations.cake_console.en_UK): Failed to open stream: Permission denied on line 384 of /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php

Open source password manager for teams

-------------------------------------------------------------------------------

Healthcheck shell

If you want to have more information about the different checks, please take a look at the documentation: …2025-08-27 15:06:52 error: Record not found in table `organization_settings`.

-------------------------------------------------------------------------------

Environment

[INFO] Linux 1fbcf02bee04 5.15.0-134-generic #145-Ubuntu SMP Wed Feb 12 20:08:39 UTC 2025 x86_64 GNU/Linux

[PASS] PHP version 8.2.29.

[PASS] PHP version is 8.2 or above.

[PASS] 64-bit architecture system detected.

[INFO] gpg (GnuPG) 2.2.40 / libgcrypt 1.10.1

[PASS] PCRE compiled with unicode support.

[PASS] Mbstring extension is installed.

[PASS] Intl extension is installed.

[PASS] GD or Imagick extension is installed.

[FAIL] The temporary directory and its content are not writable, or are executable.

[HELP] Ensure the temporary directory and its content are writable by the webserver user.

[HELP] you can try:

[HELP] sudo chown -R www-data:www-data /var/lib/passbolt/tmp/

[HELP] sudo chmod -R 775 $(find /var/lib/passbolt/tmp/ -type d)

[HELP] sudo chmod -R 664 $(find /var/lib/passbolt/tmp/ -type f)

[PASS] The logs directory /var/log/passbolt/ and its content are writable.

[WARN] System clock and NTP service information cannot be found.

[HELP] See `timedatectl | grep -i -A 1 clock`. More information: https://www.passbolt.com/docs/hosting/configure/ntp/

Config files

[PASS] The application config file is present

[WARN] The passbolt config file is missing in /etc/passbolt/

[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php

[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config

[PASS] Cache is working.

[PASS] Debug mode is off.

[PASS] Unique value set for security.salt

[PASS] Full base url is set to http://172.16.10.3:3380

[PASS] App.fullBaseUrl validation OK.

[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates.

[PASS] Hostname is matching in SSL certificate.

[PASS] Not using a self-signed certificate.

SMTP settings

[PASS] The SMTP Settings plugin is enabled.

[PASS] SMTP Settings coherent. You may send a test email to validate them.

[WARN] The SMTP Settings source is: env variables.

[HELP] It is recommended to set the SMTP Settings in the database through the administration section.

[WARN] The SMTP Settings plugin endpoints are enabled.

[HELP] It is recommended to disable the plugin endpoints.

[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.

[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

[PASS] No custom SSL configuration for SMTP server.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled.

[PASS] The /etc/passbolt/jwt/ directory is not writable.

[FAIL] A valid JWT key pair is missing.

[HELP] Run the create JWT keys script to create a valid JWT secret and public key pair:

[HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt create_jwt_keys" www-data

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.

[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.

[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.

[PASS] The server OpenPGP key is not the default one.

[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.

[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.

[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.

[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.

[PASS] There is a valid email id defined for the server key.

[PASS] The public key can be used to encrypt a message.

[PASS] The private key can be used to sign a message.

[PASS] The public and private keys can be used to encrypt and sign a message.

[PASS] The private key can be used to decrypt a message.

[PASS] The private key can be used to decrypt and verify a message.

[PASS] The public key can be used to verify a signature.

[PASS] The server public key format is Gopengpg compatible.

[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (5.4.1).

[FAIL] Passbolt is not configured to force SSL use.

[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.

[FAIL] App.fullBaseUrl is not set to HTTPS.

[HELP] Check App.fullBaseUrl url scheme in /etc/passbolt/passbolt.php.

[PASS] Selenium API endpoints are disabled.

[PASS] Search engine robots are told not to index content.

[INFO] The Self Registration plugin is enabled.

[INFO] Registration is closed, only administrators can add users.

[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.

[WARN] Host availability checking is disabled.

[HELP] Make sure this instance is not publicly available on the internet.

[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.

[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.

[PASS] Serving the compiled version of the javascript app.

[WARN] Some email notifications are disabled by the administrator.

[PASS] The database schema is up to date.

Database

[PASS] The application is able to connect to the database

[PASS] 34 tables found.

[PASS] Some default content is present.

Metadata

[PASS] The server is able to decrypt the metadata private key.

[PASS] Active metadata key found or not required.

[PASS] The server has access to the metadata keys or does not require access to it.

[PASS] The server metadata private key is valid.

[FAIL] 4 error(s) found. Hang in there!

Am I correct to assume that the Docker implementation is likely going to be problematic, and I’d be better off setting up the software in a dedicated virtual machine rather than chasing errors in the Docker image?
Or maybe it’s just the latest version 5.4.1, should I try reverting to using 5.4.0?

It seems like the worst issues with this installation are related to the missing pieces in Docker relating to the GPG & JWT keys, and needing to perform quite a few more installation steps before attempting to register the first admin user. It also looks like it’ll be easier to resolve those by working with a normal installation environment instead of trying to troubleshoot and rebuild containers over and over again. Every time PassBolt fails to initialize the first admin user as the instructions say to do, that forces you to delete all the Docker images and volumes and start from scratch, which is extremely time consuming. It seems like filling in the missing pieces of the installation process and re-running various setup steps would be much easier without the extra layers and overhead of Docker in the way?

I feel like setting this up shouldn’t be nearly this difficult, if I could just find a document that covered all the required elements. It looks like there’s about 50 things that need to be done in between Step 4 & Step 5 of the Docker install instructions, and if I could find out what all those are then I could make it work. The output from the health check gives some ideas where to start, but I’m sure there’s more to it?

I started trying to troubleshoot the installation using the output from the health check.

The health check recommends running

sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt create_jwt_keys" www-data

Unfortunately “sudo” is not a part of the Passbolt 5.4.1 Docker image, so that command fails.

Running it without “sudo” also fails:

# su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt create_jwt_keys" www-data

Open source password manager for teams

-------------------------------------------------------------------------------

The JWT private key could not be written.

The warnings about system clock and NTP issues don’t seem to have any resolution either, since there’s no NTP client or chrony option in the Docker image. This is rather interesting, since the Install documentation states clearly that NTP is required.

The permissions issue with the temporary directory cannot be resolved, even after applying the fixes suggested by the health check output.

This seems to reinforce the theory that the 5.4.1 Docker image is not viable for use?

Would I be better off to revert to 5.4.0, or to just abandon the Docker implementation and deploy Passbolt on a dedicated VM?

I’m using Passbolt with Docker and haven’t seen these errors.

I prefer it to a VM because it’s easier to deploy. Perhaps you have a bad or corrupted image?

I would hope not, as I’ve ended up deleting and downloading a fresh copy of the image a couple of times now in the course of troubleshooting. I had thought the same, easier & quicker to deploy, easier to make it fault tolerant, keep backups, etc if running in Docker. Maybe it’s a 5.4.1 problem? I will revert it to use the 5.4.0 release and see if it works any better.

G’day Penguin8R.

The healthcheck on docker does complain about some irrelevant things. For example if you’re behind Traefik proxy that handles TLS it will tell you you’re insecure etc. The NTP error is similar.

For a proper healthcheck you do need to source the environment file first:

source /etc/environment

https://www.passbolt.com/docs/hosting/troubleshooting/docker/

The Docker image does run without any issues with our default scripts so I’m happy to help review any changes to your docker-compose.yaml and if you could tell me anything more about the errors you’re seeing when trying to access the first run page.

Cheers

Gareth
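The difference between the two healthcheck runs posted in this thread can be made explicit with a small parser. This is an added example, not Passbolt's code and not any poster's: it splits the first run's FAIL lines into those that cleared once the environment was sourced and those that still fail. The embedded samples are abridged from the output quoted above, and the function names and the section list are this example's own assumptions.

```python
import re

# Section headings as they appear in the healthcheck output quoted in this thread.
SECTIONS = {"Environment", "Config files", "Core config", "SSL Certificate",
            "SMTP settings", "JWT Authentication", "GPG Configuration",
            "Application configuration", "Database", "Metadata"}
CHECK_RE = re.compile(r"^\[(PASS|FAIL|WARN|INFO|HELP)\]\s+(.+)$")
SUMMARY_RE = re.compile(r"^(\d+) error\(s\) found")

# Abridged from the first run in the thread (environment not sourced); every FAIL line kept.
RUN_WITHOUT_ENV = """\
2025-08-26 21:54:44 error: Record not found in table `organization_settings`.
Environment
[FAIL] The temporary directory and its content are not writable, or are executable.
[HELP] Ensure the temporary directory and its content are writable by the webserver user.
JWT Authentication
[FAIL] A valid JWT key pair is missing.
GPG Configuration
[FAIL] The server OpenPGP key is not set.
[FAIL] The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
[FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
[FAIL] The server key does not have a valid email id.
[FAIL] The private key cannot be used to decrypt a message
[FAIL] The private key cannot be used to decrypt and verify a message
[FAIL] The public key cannot be used to verify a signature.
Application configuration
[FAIL] Passbolt is not configured to force SSL use.
[FAIL] App.fullBaseUrl is not set to HTTPS.
[FAIL] 11 error(s) found. Hang in there!
"""

# Abridged from the second run (after `source /etc/environment`); every FAIL line kept.
RUN_WITH_ENV = """\
Environment
[FAIL] The temporary directory and its content are not writable, or are executable.
JWT Authentication
[FAIL] A valid JWT key pair is missing.
GPG Configuration
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The private key can be used to decrypt a message.
Application configuration
[FAIL] Passbolt is not configured to force SSL use.
[FAIL] App.fullBaseUrl is not set to HTTPS.
[FAIL] 4 error(s) found. Hang in there!
"""

def parse_healthcheck(text):
    """Return {section: [FAIL messages]}; raise if the summary count disagrees."""
    failures, reported, section = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:
            section = line
            continue
        m = CHECK_RE.match(line)
        if not m or m.group(1) != "FAIL":
            continue  # log noise, blank lines, PASS/WARN/INFO/HELP lines
        summary = SUMMARY_RE.match(m.group(2))
        if summary:
            reported = int(summary.group(1))
        else:
            failures.setdefault(section, []).append(m.group(2))
    parsed = sum(len(msgs) for msgs in failures.values())
    if reported is not None and reported != parsed:
        raise ValueError(f"parsed {parsed} FAIL lines, summary reports {reported}")
    return failures

def compare_runs(before, after):
    """Split the first run's FAILs into (cleared, persisting) relative to the second."""
    fails_before, fails_after = parse_healthcheck(before), parse_healthcheck(after)
    cleared, persisting = {}, {}
    for section, msgs in fails_before.items():
        still = set(fails_after.get(section, []))
        for msg in msgs:
            bucket = persisting if msg in still else cleared
            bucket.setdefault(section, []).append(msg)
    return cleared, persisting

if __name__ == "__main__":
    cleared, persisting = compare_runs(RUN_WITHOUT_ENV, RUN_WITH_ENV)
    for label, group in (("cleared after sourcing env", cleared), ("still failing", persisting)):
        for section, msgs in group.items():
            print(f"{label}: [{section}] " + "; ".join(msgs))
```

On the thread's data, all seven GPG failures fall in the cleared group, while the temporary directory, JWT key pair and the two HTTPS checks remain.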

hello @gyaresu
there might be something worth checking, see my comment here