Hi all, I have some issues…
If I try to log in in an anonymous tab:
server. x-gpgauth-authenticated should be set to false during the verify stage
And I can't log in.
If I try to log in on another browser, passbolt tells me to check my email; I receive an account recovery email and the page asks me for the recovery kit.
Is that normal?
I see this in the log when the passbolt container starts:
wait-for.sh: waiting for db:3306 without a timeout
wait-for.sh: db:3306 is available after 4 seconds
gpg: keybox '/var/lib/passbolt/.gnupg/pubring.kbx' created
gpg: /var/lib/passbolt/.gnupg/trustdb.gpg: trustdb created
gpg: key 8809715682DC6738: public key "Passbolt default user <passbolt@yourdomain.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: key 8809715682DC6738: "Passbolt default user <passbolt@yourdomain.com>" not changed
gpg: key 8809715682DC6738: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
healthcheck
Environment
[INFO] Linux dded31a902ae 6.6.87.2-microsoft-standard-WSL2 #1 SMP PREEMPT_DYNAMIC Thu Jun 5 18:30:46 UTC 2025 x86_64 GNU/Linux
[PASS] PHP version 8.4.16.
[PASS] PHP version is 8.2 or above.
[PASS] 64-bit architecture system detected.
[INFO] gpg (GnuPG) 2.4.7 / libgcrypt 1.11.0
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[FAIL] The temporary directory and its content are not writable, or are executable.
[HELP] Ensure the temporary directory and its content are writable by the webserver user.
[HELP] you can try:
[HELP] sudo chown -R www-data:www-data /var/lib/passbolt/tmp/
[HELP] sudo chmod -R 775 $(find /var/lib/passbolt/tmp/ -type d)
[HELP] sudo chmod -R 664 $(find /var/lib/passbolt/tmp/ -type f)
[PASS] The logs directory /var/log/passbolt/ and its content are writable.
[WARN] System clock and NTP service information cannot be found.
[HELP] See timedatectl | grep -i -A 1 clock. More information: https://www.passbolt.com/docs/hosting/configure/ntp/
Config files
[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables
Core config
[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://pwbolt.huginn.ovh
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.
SSL Certificate
[PASS] SSL peer certificate validates.
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate.
SMTP settings
[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[WARN] The SMTP Settings source is: env variables.
[HELP] It is recommended to set the SMTP Settings in the database through the administration section.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.
JWT Authentication
[PASS] The JWT Authentication plugin is enabled.
[FAIL] The /etc/passbolt/jwt/ directory should not be writable.
[HELP] You can try:
[HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
[HELP] sudo chmod 750 /etc/passbolt/jwt/
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
[PASS] A valid JWT key pair was found.
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[FAIL] The server OpenPGP key is not set.
[HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[FAIL] The server key fingerprint doesn’t match the one defined in /etc/passbolt/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
[FAIL] The server key does not have a valid email id.
[HELP] Edit or generate another key with a valid email id.
[FAIL] The private key cannot be used to decrypt a message
[FAIL] The private key cannot be used to decrypt and verify a message
[FAIL] The public key cannot be used to verify a signature.
Application configuration
[PASS] Using latest passbolt version (5.8.0).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema is up to date.
Database
[PASS] The application is able to connect to the database
[PASS] 35 tables found.
[PASS] Some default content is present.
Metadata
[PASS] The server is able to decrypt the metadata private key.
[PASS] Active metadata key found or not required.
[PASS] The server has access to the metadata keys or does not require access to it.
[PASS] The server metadata private key is valid.
[FAIL] 10 error(s) found. Hang in there!
Compose:
services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "censored"
      MYSQL_USER: "censored"
      MYSQL_PASSWORD: "censored"
    volumes:
      - "D:/Docker/PassBolt/database:/var/lib/mysql"
  passbolt:
    image: passbolt/passbolt:latest-ce
    # Alternatively you can use rootless:
    # image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://censored.ovh
      PASSBOLT_SECURITY_PROXIES_ACTIVE: "true"
      PASSBOLT_SECURITY_PROXIES_HEADER: "X-Forwarded-For"
      PASSBOLT_SECURITY_PROXIES_ALLOW_FROM: "172.17.0.1"
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "censored"
      DATASOURCES_DEFAULT_PASSWORD: "censored"
      DATASOURCES_DEFAULT_DATABASE: "censored"
      EMAIL_DEFAULT_FROM_NAME: "censored Passbolt"
      EMAIL_DEFAULT_FROM: "noreply@censored.ovh"
      EMAIL_TRANSPORT_DEFAULT_HOST: "censored"
      EMAIL_TRANSPORT_DEFAULT_PORT: "587"
      EMAIL_TRANSPORT_DEFAULT_USERNAME: "noreply@censored.ovh"
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: "censored"
      EMAIL_TRANSPORT_DEFAULT_TLS: "true"
    volumes:
      - "D:/Docker/PassBolt/gpg:/etc/passbolt/gpg"
      - "D:/Docker/PassBolt/jwt:/etc/passbolt/jwt"
      - "D:/Docker/PassBolt/tmp:/var/lib/passbolt/tmp"
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
      - "8183:80"
      - "8184:443"
Apache proxypass
<VirtualHost *:443>
    ServerName censored.ovh
    # ================= SSL =================
    SSLEngine on
    SSLCertificateFile "D:/Programmi/Apache24/conf/ssl/censored.ovh-chain.pem"
    SSLCertificateKeyFile "D:/Programmi/Apache24/conf/ssl/censored.ovh-key.pem"
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLCompression off
    SSLSessionTickets off
    Protocols h2 http/1.1
    # ================= Proxy =================
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyEngine On
    # The Passbolt backend is local HTTPS -> a self-signed certificate is fine here
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    ProxyTimeout 300
    ProxyBadHeader Ignore
    # ================= Headers (inform backend) =================
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
    RequestHeader set X-Forwarded-Host "%{HTTP_HOST}s"
    # ================= ProxyPass ROOT -> backend root =================
    ProxyPass "/" "https://127.0.0.1:8184/" connectiontimeout=5 timeout=300 keepalive=On
    ProxyPassReverse "/" "https://127.0.0.1:8184/"
    # ================= WebSocket / Upgrade (root) =================
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) wss://127.0.0.1:8184/$1 [P,L]
    # ================= Security: IP restriction ONLY on /app/ =================
    <Location /app/>
        Require ip censored
        Require ip censored
        Require ip censored
    </Location>
    # ================= Security headers =================
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss:; img-src 'self' data:; style-src 'self' 'unsafe-inline';"
    ServerSignature Off
    Header unset ETag
    # ================= Logs =================
    ErrorLog "D:/Programmi/Apache24/logs/censored-error.log"
    CustomLog "D:/Programmi/Apache24/logs/censored-access.log" combined
</VirtualHost>
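Three of the GPG healthcheck failures in the post above ("server key fingerprint doesn't match", "public key ... is not in the keyring", "server OpenPGP key is not set") all come down to one comparison: the fingerprint passbolt has been told about versus the fingerprint of the secret key that is actually in the webserver user's keyring. The script below is an added example of making that comparison explicit; it is not passbolt's own tooling and was not posted by the author of this thread. It assumes GNUPGHOME is /var/lib/passbolt/.gnupg, that the configured fingerprint is given through the PASSBOLT_GPG_SERVER_KEY_FINGERPRINT environment variable, and that the key to import sits at /etc/passbolt/gpg/serverkey_private.asc (the paths the healthcheck prints); the SAMPLE_COLONS key listing and the script file name are constructed for the example, and only the last 16 hex digits of the sample fingerprint (the key ID from the startup log) are real.

```shell
#!/bin/sh
# Added example, not passbolt's own code: compare the fingerprint passbolt is configured
# with against the secret key that is really in the webserver user's keyring.
#
# Assumptions (hypothetical for this example): GNUPGHOME is /var/lib/passbolt/.gnupg,
# the configured fingerprint is in PASSBOLT_GPG_SERVER_KEY_FINGERPRINT, and the key to
# import lives at /etc/passbolt/gpg/serverkey_private.asc. Run it inside the container
# as the webserver user, e.g.: su -s /bin/sh -c "sh check_server_key.sh run" www-data

# Print the fingerprint of the first primary key in `gpg --with-colons` output read on
# stdin. The "fpr" record directly after a "sec"/"pub" record carries the 40-hex-digit
# fingerprint in field 10; later "fpr" records belong to subkeys, so stop at the first.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare two fingerprints ignoring spaces and case (the configured value is often
# pasted with the spaces gpg prints). An empty configured value never matches.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample of colon output for the image's default key seen in the startup
# log. Only the last 16 hex digits (long key ID 8809715682DC6738) are taken from the
# log; the leading 24 digits and the uid hash are made up for the example.
SAMPLE_COLONS='sec:-:4096:1:8809715682DC6738:1500000000:::-:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF012345678809715682DC6738:
uid:-::::1500000000::0000000000000000000000000000000000000000::Passbolt default user <passbolt@yourdomain.com>::::::::::0:'

# Live check against the real keyring. Returns 0 on match, 1 on mismatch, 2 when the
# keyring holds no secret key at all (the "not in the keyring" healthcheck case).
check_server_key() {
    home=${GNUPGHOME:-/var/lib/passbolt/.gnupg}
    configured=${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT:-}
    actual=$(gpg --homedir "$home" --batch --with-colons --list-secret-keys 2>/dev/null | fpr_from_colons)
    if [ -z "$actual" ]; then
        echo "no secret key in $home; import it first, e.g.:" >&2
        echo "  gpg --homedir $home --import /etc/passbolt/gpg/serverkey_private.asc" >&2
        return 2
    fi
    if fingerprints_match "$configured" "$actual"; then
        echo "OK: configured fingerprint matches keyring key $actual"
        return 0
    fi
    echo "MISMATCH: configured='$configured' keyring='$actual'" >&2
    echo "set PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$actual (or import the key you meant)" >&2
    return 1
}

# Only touch the real keyring when explicitly asked ("run"), so the helpers above can
# also be exercised offline against SAMPLE_COLONS.
case "${1:-}" in
    run) check_server_key ;;
esac
```

Run it as the same user the webserver runs as (www-data in the healthcheck output), because gpg reads the keyring of the calling user's GNUPGHOME; running it as root against your own keyring will tell you nothing about what PHP sees. A short key ID such as the 8809715682DC6738 printed at import time is deliberately not accepted as a match: passbolt compares the full 40-hex-digit fingerprint.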