Error configuring MFA [fixed in 3.11.1]

Hello, good morning, I have a problem, I wanted to know if you can help me, I installed the new version of Passbolt CE in order to use double authentication,
Entranando some errors are occurring, that I am not able to understand what is happening.
Just to explain where we are right now.
I did an installation from scratch, enabled both the “Time-based One Time Password” and “Duo” authentication, but the following errors occur:

|error_description|Invalid redirect URI ‘’.|

I don’t know what it could be, I already released all the rules on the firewall for the server’s IP, I validated that both the server and the client have the same date and time.


If you username on duo is not the same email that you have set on passbolt you will have an issue. A fix is done and will be shipped on monday.

Also just to confirm did you setup HTTPS? HTTPS is mandatory for MFA as written on the help site.


Good afternoon, thanks for the reply,
Yes the emails are different D: , I’ll wait for that fix if it’s already coming.
Regarding SSL, yes it is enabled.

Passbolt API Status


PHP version 8.1.2-1ubuntu2.11.

PCRE compiled with unicode support.

The temporary directory and its content are writable and not executable.

The logs directory and its content are writable.

GD or Imagick extension is installed.

Intl extension is installed.

Mbstring extension is installed.

SSL access is enabled.

Config files

The application config file is present

The passbolt config file is present

Core config

Debug mode is off.

Cache is working.

Unique value set for security.salt

Full base url is set to

App.fullBaseUrl validation OK.

/healthcheck/status is reachable.


The application is able to connect to the database

26 tables found

Some default content is present

The database schema up to date.

GPG Configuration

PHP GPG Module is installed and loaded.

The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.

The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.

The server OpenPGP key is not the default one

The public key file is defined in /etc/passbolt/passbolt.php and readable.

The private key file is defined in /etc/passbolt/passbolt.php and readable.

The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.

The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.

There is a valid email id defined for the server key.

The public key can be used to encrypt a message.

The private key can be used to sign a message.

The public and private keys can be used to encrypt and sign a message.

The private key can be used to decrypt a message.

The private key can be used to decrypt and verify a message.

The public key can be used to verify a signature.

The server public key format is Gopengpg compatible.

The server private key format is Gopengpg compatible.

Application configuration

Using latest passbolt version (3.11.0).

Passbolt is configured to force SSL use.

App.fullBaseUrl is set to HTTPS.

Selenium API endpoints are disabled.

Search engine robots are told not to index content.

The Self Registration plugin is enabled.

Registration is closed, only administrators can add users.

The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.

Host availability checking is disabled.

Serving the compiled version of the javascript app.

Some email notifications are disabled by the administrator.