JWT secrets are not created #243

@Node815

Description

With a fresh docker install, I can't log my phone in, which returns the following error in the logs:

Request URL: /auth/jwt/rsa.json
Client IP: 192.168.1.161
192.168.1.161 - - [27/Jul/2025:23:04:33 +0000] "GET /auth/jwt/rsa.json HTTP/1.1" 500 273 "-" "okhttp/4.12.0"
192.168.1.161 - - [27/Jul/2025:23:05:21 +0000] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
192.168.1.161 - - [27/Jul/2025:23:06:21 +0000] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
192.168.1.161 - - [27/Jul/2025:23:07:21 +0000] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
192.168.1.161 - - [27/Jul/2025:23:08:21 +0000] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
192.168.1.161 - - [27/Jul/2025:23:09:04 +0000] "GET / HTTP/1.1" 302 5 "-" "-"
2025-07-27 23:09:04,454 INFO reaped unknown pid 582 (exit status 0)
2025-07-27 23:09:04,454 INFO reaped unknown pid 584 (exit status 0)
192.168.1.161 - - [27/Jul/2025:23:09:21 +0000] "GET /auth/is-authenticated.json?api-version=v2 HTTP/1.1" 200 277 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36"
192.168.1.161 - - [27/Jul/2025:23:09:42 +0000] "GET /auth/verify.json HTTP/1.1" 200 2843 "-" "okhttp/4.12.0"
2025-07-27 23:09:42,420 INFO reaped unknown pid 587 (exit status 0)
2025-07-27 23:09:42,421 INFO reaped unknown pid 589 (exit status 0)
2025-07-27 23:09:42,524 INFO reaped unknown pid 592 (exit status 0)
2025-07-27 23:09:42,524 INFO reaped unknown pid 594 (exit status 0)
2025-07-27 23:09:42 alert: The key pair for JWT Authentication is not complete.
2025-07-27 23:09:42 error: The following file could not be read: /etc/passbolt/jwt/jwt.pem.
2025-07-27 23:09:42 error: [Passbolt\JwtAuthentication\Error\Exception\AccessToken\InvalidJwtKeyPairException] The key pair for JWT Authentication is not complete. in /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Service/AccessToken/JwtAbstractService.php on line 55
Stack Trace:
- ROOT/plugins/PassboltCe/JwtAuthentication/src/Service/AccessToken/JwksGetService.php:80
- ROOT/plugins/PassboltCe/JwtAuthentication/src/Controller/JwksController.php:47
- CORE/src/Controller/Controller.php:505
- CORE/src/Controller/ControllerFactory.php:166
- CORE/src/Controller/ControllerFactory.php:141
- CORE/src/Http/BaseApplication.php:362
- CORE/src/Http/Runner.php:86
- CORE/src/Http/Middleware/SecurityHeadersMiddleware.php:274
- CORE/src/Http/Runner.php:82
- APP/Middleware/HttpProxyMiddleware.php:50
- CORE/src/Http/Runner.php:82
- CORE/src/Http/Middleware/CsrfProtectionMiddleware.php:159
- APP/Middleware/CsrfProtectionMiddleware.php:40
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtCsrfDetectionMiddleware.php:55
- CORE/src/Http/Runner.php:82
- APP/Middleware/GpgAuthHeadersMiddleware.php:40
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/Locale/src/Middleware/LocaleMiddleware.php:47
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/MultiFactorAuthentication/src/Middleware/InjectMfaFormMiddleware.php:67
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/MultiFactorAuthentication/src/Middleware/MfaRequiredCheckMiddleware.php:82
- CORE/src/Http/Runner.php:82
- ROOT/vendor/cakephp/authentication/src/Middleware/AuthenticationMiddleware.php:107
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtDestroySessionMiddleware.php:43
- CORE/src/Http/Runner.php:82
- APP/Middleware/SessionAuthPreventDeletedOrDisabledUsersMiddleware.php:47
- CORE/src/Http/Runner.php:82
- CORE/src/Http/Middleware/BodyParserMiddleware.php:157
- CORE/src/Http/Runner.php:82
- APP/Middleware/SessionPreventExtensionMiddleware.php:66
- CORE/src/Http/Runner.php:82
- APP/Middleware/ApiVersionMiddleware.php:46
- CORE/src/Http/Runner.php:82
- APP/Middleware/UuidParserMiddleware.php:52
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtRouteFilterMiddleware.php:47
- CORE/src/Http/Runner.php:82
- ROOT/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtAuthDetectionMiddleware.php:58
- CORE/src/Http/Runner.php:82
- CORE/src/Routing/Middleware/RoutingMiddleware.php:117
- CORE/src/Http/Runner.php:82
- CORE/src/Routing/Middleware/AssetMiddleware.php:79
- CORE/src/Http/Runner.php:82
- APP/Middleware/SslForceMiddleware.php:52
- CORE/src/Http/Runner.php:82
- APP/Middleware/AssertFullBaseUrlMiddleware.php:47
- CORE/src/Http/Runner.php:82
- CORE/src/Error/Middleware/ErrorHandlerMiddleware.php:115
- CORE/src/Http/Runner.php:82
- APP/Middleware/ContentSecurityPolicyMiddleware.php:39
- CORE/src/Http/Runner.php:82
- APP/Middleware/ValidCookieNameMiddleware.php:46
- CORE/src/Http/Runner.php:82
- APP/Middleware/ContainerInjectorMiddleware.php:54
- CORE/src/Http/Runner.php:82
- CORE/src/Http/Runner.php:60
- CORE/src/Http/Server.php:104
- ROOT/webroot/index.php:40

So I logged into the container to see if they existed and they do not:

root@2e3bada1b548:/etc/passbolt/jwt# ls -la
total 8
drwxr-x--- 2 root www-data 4096 Jul 17 10:31 .
drwxrwx--- 6 root www-data 4096 Jul 17 10:31 ..
root@2e3bada1b548:/etc/passbolt/jwt#

I've tried following the guide here:
https://www.passbolt.com/docs/hosting/faq/how-to-generate-jwt-key-pair-manually/

First off - sudo is not installed in the container, so I manually installed it so these commands could run.

root@2e3bada1b548:/etc/passbolt# sudo /usr/share/php/passbolt/bin/cake passbolt create_jwt_keys


     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
A JWT key pair was successfully created.
Public key path: /etc/passbolt/jwt/jwt.pem
Secret key path: /etc/passbolt/jwt/jwt.key
root@2e3bada1b548:/etc/passbolt# sudo chown -R root:www-data /etc/passbolt/jwt
sudo chmod 600 /etc/passbolt/jwt/jwt.key
sudo chmod 640 /etc/passbolt/jwt/jwt.pem
root@2e3bada1b548:/etc/passbolt# sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck --jwt" www-data

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
 If you want to have more information about the different checks, please take a look at the documentation: https://www.passbolt.com/docs/admin/server-maintenance/passbolt-api-status/   
-------------------------------------------------------------------------------

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled.
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [FAIL] A valid JWT key pair is missing.
 [HELP] Run the create JWT keys script to create a valid JWT secret and public key pair:
 [HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt create_jwt_keys" www-data

 [FAIL] 1 error(s) found. Hang in there!

root@2e3bada1b548:/etc/passbolt# 

I confirmed the jwt directory is properly set to 750

 ls -la
total 156
drwxrwx--- 6 root www-data  4096 Jul 17 10:31 .
drwxr-xr-x 1 root root      4096 Jul 27 23:12 ..
drwxr-x--- 2 root www-data 12288 Jul 17 10:31 Migrations
-rw-r----- 1 root www-data 20059 Jul 17 09:09 app.default.php
-rw-r----- 1 root www-data 20115 Jul 17 09:09 app.php
-rw-r----- 1 root www-data  2044 Jul 17 09:09 audit_logs.php
-rw-r----- 1 root www-data  8777 Jul 17 09:09 bootstrap.php
-rw-r----- 1 root www-data  1061 Jul 17 09:09 bootstrap_cli.php
-rw-r----- 1 root www-data    65 Jul 17 09:09 bootstrap_plugins.php
-rw-r----- 1 root www-data 23518 Jul 17 09:09 default.php
drwxrwx--- 2 root www-data  4096 Jul 27 22:29 gpg
drwxr-x--- 2 root www-data  4096 Jul 27 23:13 jwt
-rw-r----- 1 root www-data  6773 Jul 17 09:09 passbolt.default.php
-rw-r----- 1 root www-data  2642 Jul 17 09:09 paths.php
-rw-r----- 1 root www-data  1584 Jul 17 09:09 requirements.php
-rw-r----- 1 root www-data 13490 Jul 17 09:09 routes.php
drwxr-x--- 2 root www-data  4096 Jul 17 10:31 schema
-rw-r----- 1 root www-data   201 Jul 17 09:09 version.php

And the files now exist in the directory, but since it's not writable, I changed it, knowing this was a RISK!!!! And ran the test again:

root@2e3bada1b548:/etc/passbolt# chmod 777 jwt
root@2e3bada1b548:/etc/passbolt# sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck --jwt" www-data


     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
 If you want to have more information about the different checks, please take a look at the documentation: https://www.passbolt.com/docs/admin/server-maintenance/passbolt-api-status/   
-------------------------------------------------------------------------------

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled.
 [FAIL] The /etc/passbolt/jwt/ directory should not be writable.
 [HELP] You can try: 
 [HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
 [HELP] sudo chmod 750 /etc/passbolt/jwt/
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
 [FAIL] A valid JWT key pair is missing.
 [HELP] Run the create JWT keys script to create a valid JWT secret and public key pair:
 [HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt create_jwt_keys" www-data

 [FAIL] 2 error(s) found. Hang in there!

root@2e3bada1b548:/etc/passbolt# sudo chown -Rf root:www-data /etc/passbolt/jwt
root@2e3bada1b548:/etc/passbolt# sudo chmod 750 /etc/passbolt/jwt
root@2e3bada1b548:/etc/passbolt# sudo chmod 640 /etc/passbolt/jwt/jwt.key
root@2e3bada1b548:/etc/passbolt# sudo chmod 640 /etc/passbolt/jwt/jwt.pem
root@2e3bada1b548:/etc/passbolt# sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck --jwt" www-data

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
 If you want to have more information about the different checks, please take a look at the documentation: https://www.passbolt.com/docs/admin/server-maintenance/passbolt-api-status/   
-------------------------------------------------------------------------------

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled.
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found.

 [PASS] No error found. Nice one, sparky!

root@2e3bada1b548:/etc/passbolt# 

Since it passed, I am able to move forward, but I think that the Docker image should have created the jwt keys correctly the first time around instead of having to go through this process altogether.
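The three healthcheck conditions the post walks through (directory not writable, key files present, key pair valid) can be verified before pointing a mobile app at a fresh container. The function below is an added example, not passbolt's own code; it assumes GNU `stat` and, for the pair check, that `openssl` is present and that jwt.pem is in the same "BEGIN PUBLIC KEY" PEM form `openssl pkey -pubout` emits.

```sh
#!/bin/sh
# check_jwt_dir DIR [OWNER] [GROUP]
# Mirrors "passbolt healthcheck --jwt" from the issue: DIR must be
# OWNER:GROUP (default root:www-data) with mode 750, jwt.key and jwt.pem
# must exist with mode 640, and jwt.pem must be the public half of jwt.key.
# Added example, not passbolt code. Returns the number of failed checks.
check_jwt_dir() {
    dir="$1"; owner="${2:-root}"; group="${3:-www-data}"; fails=0

    [ -d "$dir" ] || { echo "FAIL: directory $dir does not exist"; return 1; }

    # Directory mode and ownership: the healthcheck refuses a writable dir.
    set -- $(stat -c '%a %U %G' "$dir")   # assumes GNU coreutils stat
    if [ "$1" != "750" ]; then
        echo "FAIL: $dir mode is $1, expected 750"; fails=$((fails + 1))
    fi
    if [ "$2:$3" != "$owner:$group" ]; then
        echo "FAIL: $dir owned by $2:$3, expected $owner:$group"; fails=$((fails + 1))
    fi

    # Both halves of the pair must exist and be readable only by owner/group.
    for f in jwt.key jwt.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "FAIL: $dir/$f is missing (run create_jwt_keys)"; fails=$((fails + 1))
            continue
        fi
        m=$(stat -c '%a' "$dir/$f")
        if [ "$m" != "640" ]; then
            echo "FAIL: $dir/$f mode is $m, expected 640"; fails=$((fails + 1))
        fi
    done

    # Pair consistency: the public key derived from jwt.key must equal jwt.pem.
    # "A valid JWT key pair is missing" also fires when the halves do not match.
    if [ -f "$dir/jwt.key" ] && [ -f "$dir/jwt.pem" ] && command -v openssl >/dev/null 2>&1; then
        derived=$(openssl pkey -in "$dir/jwt.key" -pubout 2>/dev/null)
        if [ -z "$derived" ] || [ "$derived" != "$(cat "$dir/jwt.pem")" ]; then
            echo "FAIL: $dir/jwt.pem is not the public key of $dir/jwt.key"; fails=$((fails + 1))
        fi
    fi

    [ "$fails" -eq 0 ] && echo "PASS: $dir matches the expected JWT key layout"
    return "$fails"
}
```

Run it as `check_jwt_dir /etc/passbolt/jwt` inside the container; a non-zero exit code reports how many of the healthcheck conditions would fail.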
