Failed to activate Passbolt CE with AlmaLinux

I installed Passbolt on AlmaLinux, following the steps in the installation guide.
After the installation finished, I opened the web page and it asked me to enter an email to activate my account. I entered the same email that I used during installation, but I can’t receive any email.
Any suggestions for troubleshooting this issue?

Hello @amr.salem, welcome to our community 🙂

after the installation finished i open the webpage

I’d like to know which page you are referencing here. Have you been redirected after the installation to proceed to the account configuration? Or have you manually navigated to your fullBaseUrl after the install was complete?
To summarize, have you already configured the account and are you able to log in, or not?

After finishing the database configuration, it took a long time to generate the GPG key, so I reloaded the page. It opened a web page asking for my email. I entered it and it showed that an email was sent to activate my account, but I can’t receive any email, not even in junk, nothing.
I manually installed the extension, but it shows connecting and does not connect.

Alright, it looks like a recent similar issue. Could you take a look at this post? You should be able to set up your administrator account following this.

I saw this post, but how will I run this command on AlmaLinux?
SELECT email, subject, template_vars FROM email_queue ORDER BY id ASC LIMIT 3;

So, through the passbolt-ce-server package installer, you created mysql credentials.

We need these credentials to connect to the database, from the server, you’ll have to run:


You will be prompted to enter your password, then run the query.

I got this result

Empty set (0.000 sec)

Can you confirm that you’ve navigated to the fullBaseUrl as shown in the screenshot from the other post, entered your email and received a message confirming that the server sent something?
If yes and you still have empty rows, please share the output of these queries:

SELECT * FROM users;
SELECT * FROM email_queue;

I’m using the IP address of the server to access it, and it opens the email page as shown in the screenshot.
MariaDB [wfs]> SELECT * FROM users;
| id | role_id | username | active | deleted | created | modified |
| 41cedebc-7d64-4063-8975-eb3bf3365999 | b9888223-5771-40b5-b9c8-b47bdc55dede | | 0 | 0 | 2023-07-27 06:37:04 | 2023-07-27 06:37:04 |

MariaDB [wfs]> SELECT * FROM email_queue;
Empty set (0.000 sec)

I ran this query as it is, without changing the email or other syntax:

SELECT email, subject, template_vars FROM email_queue ORDER BY id ASC LIMIT 3;

This is the full URL I’m using
I didn’t install any SSL cert during installation; I selected none.

While following the installation guide, have you installed Haveged to speed up the entropy generation?

Since you are using AlmaLinux, it could also be a SELinux issue. Please run these commands:

setsebool -P httpd_use_gpg=on
setsebool -P gpg_web_anon_write=on
semanage permissive -a gpg_web_t

In the meantime, you could create a user with the CLI, meaning you’ll get a generated setup link for a new user.

sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt register_user -i" nginx

Hi Antony,
Thank you so much for your support. The system is now up and running and I can log in.
But I have one more issue, related to the SSL cert: during installation I chose no SSL.
Is there any way to install a certificate after finishing the installation without affecting the system?
I’m using a local FQDN for the server.


You can re-execute the passbolt-configure script. Say no to database and reply to nginx and ssl questions.


I followed the document, but when I chose to add SSL manually and entered the path from the document, it asked me to add a valid path.

I tried with auto, but it also failed, as it requires a public domain name.

I ran the health check and the output is below:

[PASS] PHP version 8.1.21.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to http://srv-passbolt.wasata.local
[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in /etc/passbolt/passbolt.php
[HELP] Check the network settings

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check Passbolt Help | Troubleshoot SSL
[HELP] cURL Error (6) Could not resolve host: srv-passbolt.wasata.local


[PASS] The application is able to connect to the database
[PASS] 32 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (4.1.2).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[FAIL] App.fullBaseUrl is not set to HTTPS.
[HELP] Check App.fullBaseUrl url scheme in /etc/passbolt/passbolt.php.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

SMTP Settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Or set to true in /etc/passbolt/passbolt.php.

[FAIL] 5 error(s) found. Hang in there!

It is written in the document:

you will be prompted for the full path of your certificates

As you are using srv-passbolt.wasata.local as domain name, you have to generate your own certificates for this domain and upload them on your server.

In the documentation, /path/to/certs/cert.pem is an example and must be replaced with the real path of the certificates.


It’s clear, but as I’m not an expert in Linux, can you give me more explanation?
How do I generate a self-signed certificate, and how do I know the full path of the generated certificate?

Sure, on your server, you can execute this command:

openssl req -x509 \
    -newkey rsa:4096 \
    -days 3650 \
    -subj "/C=LU/ST=Luxembourg/L=Esch-Sur-Alzette/O=Passbolt SA/OU=Passbolt IT Team/CN=srv-passbolt.wasata.local/" \
    -nodes \
    -addext "subjectAltName = DNS:srv-passbolt.wasata.local" \
    -keyout /tmp/key.pem \
    -out /tmp/cert.pem

It will generate a key and a cert:

  • /tmp/key.pem
  • /tmp/cert.pem

You can use these paths.


I really appreciate your valuable support.
I did the same as mentioned and generated the certificate. I can now access via https.
But the health check is still showing this error:

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.

and I get a warning when I access the website.
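
Added example, not part of the thread or of Passbolt's tooling: a pre-flight script for the certificate and key generated above, checking the conditions the health check output points at (name resolution on the server, hostname coverage, key/cert pairing, trust against a CA bundle). The function names and the default bundle path `/etc/pki/tls/certs/ca-bundle.crt` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a certificate/key pair before giving
# their paths to passbolt-configure. Function names are illustrative.

# Does the server itself resolve the name? (the health check reported cURL error 6)
host_resolves() {            # host_resolves <hostname>
    getent hosts "$1" >/dev/null 2>&1
}

# Does the certificate (SAN, or CN when no SAN is present) cover the hostname?
cert_matches_host() {        # cert_matches_host <cert.pem> <hostname>
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Do the certificate and the private key carry the same public key?
key_matches_cert() {         # key_matches_cert <cert.pem> <key.pem>
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Does the certificate chain to a trust anchor in the given CA bundle?
cert_trusted_by() {          # cert_trusted_by <cert.pem> <ca-bundle.pem>
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print one PASS/FAIL line per check; the return code is the number of failures.
report() {                   # report <cert.pem> <key.pem> <hostname> [ca-bundle]
    local cert=$1 key=$2 host=$3 fails=0
    # Assumption: RHEL-family default bundle path; pass a 4th argument to override.
    local bundle=${4:-/etc/pki/tls/certs/ca-bundle.crt}
    check() { if "$@"; then echo "[PASS] $*"; else echo "[FAIL] $*"; fails=$((fails + 1)); fi; }
    check host_resolves "$host"
    check cert_matches_host "$cert" "$host"
    check key_matches_cert "$cert" "$key"
    check cert_trusted_by "$cert" "$bundle"
    return "$fails"
}

# Example: ./check-cert.sh /tmp/cert.pem /tmp/key.pem srv-passbolt.wasata.local
if [ "$#" -ge 3 ]; then
    report "$@"
fi
```

A freshly generated self-signed certificate is expected to fail the last check against the system bundle, since nothing on the server trusts it yet.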