Firefox extension inexplicably unable to connect. JWT authentication error

Checklist
I have read intro post: https://community.passbolt.com/t/about-the-installation-issues-category/12
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

Running passbolt 5.11.0-1-ce-non-root with mariadb 12.2.2 with docker on Truenas Scale 25.04.

I access the server remotely using a private Tailscale mesh. The Tailscale node on the server is on another Docker container configured to mount the host network directly.

Following installation steps provided in the app install section for Truenas, I generated a certificate for passbolt and set it up via the browser extension for Firefox. Afterwards, I had a little trouble getting the phone app to connect but I eventually figured out that I needed to establish trust on my phone and laptop for the CA that Truenas had used to sign the SSL certs it had generated. The transition from my previous password manager went smoothly without any further issues and Passbolt has been working well for several weeks. Just yesterday, I attempted to use the Firefox extension to fill a password. I entered my passphrase, only for it to error with the message “The route /auth/login is not permitted with JWT authentication.” The phone app still works without any issues.

Provided below is the healthcheck output.

I have performed several Google searches and searched on this forum and found very little directly relating to this problem. I’m not sure what could have occurred to cause this and any insights or suggestions would be greatly appreciated.

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
 If you want to have more information about the different checks, please take a look at the documentation: https://www.passbolt.com/docs/admin/server-maintenance/passbolt-api-status/......
-------------------------------------------------------------------------------

 Environment

 [INFO] Linux e16d89bd6ba2 6.12.15-production+truenas #1 SMP PREEMPT_DYNAMIC Wed Oct 29 14:40:06 UTC 2025 x86_64 GNU/Linux
 [PASS] PHP version 8.4.16.
 [PASS] PHP version is 8.2 or above.
 [PASS] 64-bit architecture system detected.
 [INFO] gpg (GnuPG) 2.4.7 / libgcrypt 1.11.0
 [PASS] PCRE compiled with unicode support.
 [PASS] Mbstring extension is installed.
 [PASS] Intl extension is installed.
 [PASS] GD or Imagick extension is installed.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory /var/log/passbolt/ and its content are writable.
 [WARN] System clock and NTP service information cannot be found.
 [HELP] See `timedatectl | grep -i -A 1 clock`. More information: https://www.passbolt.com/docs/hosting/configure/ntp/

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Cache is working.
 [PASS] Debug mode is off.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://crisp-drain:30097
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [WARN] SSL peer certificate does not validate.
 [HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate
 [WARN] Hostname does not match when validating certificates.
 [HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate
 [WARN] Using a self-signed certificate.
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate

 SMTP settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [WARN] The SMTP Settings source is: env variables.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
 [PASS] No custom SSL configuration for SMTP server.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled.
 [FAIL] The /etc/passbolt/jwt/ directory should not be writable.
 [HELP] You can try: 
 [HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
 [HELP] sudo chmod 750 /etc/passbolt/jwt/
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
 [PASS] A valid JWT key pair was found.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [FAIL] The server OpenPGP key is not set.
 [HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [FAIL] The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
 [HELP] Double check the key fingerprint, example: 
 [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
 [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
 [HELP] Import the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
 [FAIL] The server key does not have a valid email id.
 [HELP] Edit or generate another key with a valid email id.
 [FAIL] The private key cannot be used to decrypt a message
 [FAIL] The private key cannot be used to decrypt and verify a message
 [FAIL] The public key cannot be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (5.11.0).
 [FAIL] Passbolt is not configured to force SSL use.
 [HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.
 [PASS] The database schema is up to date.

 Database

 [PASS] The application is able to connect to the database
 [PASS] 35 tables found.
 [PASS] Some default content is present.
 [PASS] The database version is supported.

 Metadata

 [FAIL] Unable to decrypt the metadata private key data. The config for the server private key fingerprint is not available or incomplete.
 [PASS] Active metadata key found or not required.
 [PASS] The server has access to the metadata keys or does not require access to it.
 [FAIL] The server metadata private key is not valid. Unable to decrypt the metadata private key (id: 64e15f3f-f187-433a-a728-a07937957cd8) data. The config for the server private key fingerprint is not available or incomplete.

 [FAIL] 11 error(s) found. Hang in there!

G’day Garrick,

The nine GPG and metadata failures all cascade from one thing: PASSBOLT_GPG_SERVER_KEY_FINGERPRINT is not set on your container. When it’s null, passbolt skips the GPG checks and they all fall back to failed.

Your phone app still works because mobile uses the JWT keypair (jwt.key / jwt.pem), which is independent of the GPG key, and the JWT pair is fine in your healthcheck. The browser extension uses GPG auth, so it’s directly affected.

Step 1: Find your server key fingerprint

Read the fingerprint from the key file inside the container. The entrypoint imports this file into the keyring on every start, so it’s the source of truth:

docker exec -it <container-name> gpg --show-keys /etc/passbolt/gpg/serverkey.asc

The fingerprint is the 40-character hex string in the output (spaces removed), e.g. 43F978AFF88B53F5ABBD12C87D5E40A4C43926ED.

Step 2: Set the fingerprint env var via the TrueNAS app config

I don’t run TrueNAS myself so I can’t click through this for you, but reading the catalog metadata at https://apps.truenas.com/catalog/passbolt/ the standard form doesn’t have a labelled field for this variable. It does have an “Additional Environment Variables” list under “Passbolt Configuration” that takes arbitrary name/value pairs. Going off the schema, the path should be roughly:

  1. Apps > Installed > passbolt > Edit
  2. Expand the “Passbolt Configuration” section
  3. Find “Additional Environment Variables”, click Add
  4. Name: PASSBOLT_GPG_SERVER_KEY_FINGERPRINT
  5. Value: the 40-character fingerprint from Step 1
  6. Save (TrueNAS will recreate the container)

If the labels look slightly different in your TrueNAS version, that’s the section to look for.

The entrypoint does try to auto-detect the fingerprint when this variable is unset, but only by looking up a key with the email passbolt@yourdomain.com (or PASSBOLT_KEY_EMAIL if you set it). Setting the value explicitly avoids relying on that match.

After restarting, run a status-report from inside the container to confirm:

docker exec <container-name> ./bin/status-report

Most of the GPG and metadata failures should clear up.

Step 3: Clear the stale browser cookie

That error fires when a request to /auth/login arrives carrying something that flags it as JWT, usually a stale refresh_token cookie. The extension itself doesn’t set one, but Firefox attaches any cookies it has for that origin to the extension’s requests, so a leftover cookie from an earlier interaction is the most likely cause. Clearing it should clear the error.

In Firefox, open developer tools on your passbolt tab (F12), Storage tab, expand Cookies, find refresh_token, delete it. Or clear all cookies for crisp-drain via Settings > Privacy and Security > Manage Data.

After both steps, try logging in from the extension again.

If clearing cookies doesn’t help, the trigger may be an Authorization header coming from your Tailscale or another proxy. Open dev tools, Network tab, attempt the login again, then look at the failed /auth/login request and check what’s in its Cookie and Authorization headers. Let me know what you find.

Related thread on a similar GPG fingerprint issue on TrueNAS: https://community.passbolt.com/t/could-not-verify-the-server-key-the-authentication-failed-after-attempting-to-login-on-mobile-browser/14171

Let us know how you go.

Cheers
Gareth
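A small helper for Steps 1 and 2 of the reply above, added here as an example and not part of Gareth's reply or of passbolt's own tooling: it pulls the 40-character fingerprint out of `gpg --show-keys` output and checks it against whatever is configured in PASSBOLT_GPG_SERVER_KEY_FINGERPRINT, tolerating spaces and lower-case hex. The key listing below is constructed; only the fingerprint value is the one quoted in the reply, and `<container-name>` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original thread). Extracts the primary key
# fingerprint from `gpg --show-keys` output and compares it with the value
# passbolt is configured with, the way the healthcheck's
# "server key fingerprint doesn't match" check does.

# Constructed sample of `gpg --show-keys /etc/passbolt/gpg/serverkey.asc`.
# On a real host capture it instead, e.g.:
#   SAMPLE_SHOW_KEYS=$(docker exec <container-name> gpg --show-keys /etc/passbolt/gpg/serverkey.asc)
SAMPLE_SHOW_KEYS='pub   rsa3072 2025-01-01 [SC]
      43F9 78AF F88B 53F5 ABBD  12C8 7D5E 40A4 C439 26ED
uid                      Passbolt Server Key <passbolt@example.test>
sub   rsa3072 2025-01-01 [E]'

# Print the first line that, once spaces are removed, is exactly 40 hex
# characters: that is the primary key fingerprint. Prints nothing if absent.
fingerprint_from_show_keys() {
    printf '%s\n' "$1" | awk '
        { gsub(/ /, "") }
        length($0) == 40 && $0 ~ /^[0-9A-Fa-f]+$/ { print toupper($0); exit }'
}

# Compare a configured value (as typed into the env var) with the key file
# fingerprint. Prints "unset", "match" or "mismatch" and returns 1, 0 or 2.
check_fingerprint() {
    _configured=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    _expected=$2
    if [ -z "$_configured" ]; then
        echo "unset"        # PASSBOLT_GPG_SERVER_KEY_FINGERPRINT not provided
        return 1
    elif [ -n "$_expected" ] && [ "$_configured" = "$_expected" ]; then
        echo "match"
        return 0
    fi
    echo "mismatch"         # env var points at a different (or missing) key
    return 2
}

# Demo: compare the sample key file with the current environment.
KEYFILE_FPR=$(fingerprint_from_show_keys "$SAMPLE_SHOW_KEYS")
echo "key file fingerprint: $KEYFILE_FPR"
check_fingerprint "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT:-}" "$KEYFILE_FPR" || :
```

Run it inside the container after setting the variable; "match" means the fingerprint the entrypoint imports and the one passbolt is told to use are the same key.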