No login Yunohost

Version: 4.5.45~ynh1
Error log after password reset link replies with “Access denied”

2021/12/22 11:25:18 [error] 29286#29286: *4612 FastCGI sent in stderr: "Access to the script '/var/www/invoiceninja/public/index.php/password/reset/REDACTED' has been denied (see security.limit_extensions)" while reading response header from upstream, client:, server:, request: "GET /invoiceninja/index.php/password/reset/REDACTED HTTP/2.0", upstream: "fastcgi://unix:/var/run/php/php7.3-fpm-invoiceninja.sock:", host: ""

Checked that /etc/php/7.3/fpm/pool.d/invoiceninja.conf, particularly line 385,
is commented out with ; like this:

     ;security.limit_extensions = .php .php3 .php4 .php7.3 .php7

Any help on how to recover data from database or reinstall login to recover is more than welcome! Thank you!


You can set a new password from the command line:

  • Run php artisan tinker in the root folder of the project
  • Run bcrypt('new_password');
  • Update the password field in the users table

Thanks for fast reply!
How do I update the password in the users table?
Is that the ninja MariaDB? Sorry for my lack of knowledge of db management and invoiceninja usage …

I believe you can use this SQL command:

     update users set password = 'new password' where id = ...

I may not have explained this: the user whose password I am trying to reset is the admin of invoiceninja, not just any account user.
The admin reset email was sent but the link just returns ‘Access Denied’

The steps I’ve provided will enable you to reset the admin user’s password.

From the error above it looks like ‘index.php’ is in the URL, that usually means mod_rewrite needs to be enabled.

Thank you and sorry for my slow understanding algorithm!
The admin user is called invoiceninja in the mysql.user table?
Your password change command returned a long string: is that what I enter as the password? When I tried it, it said too long!
Where do I set mod_rewrite to enable?
Apologies for all the questions, but I am not an invoiceninja user, just the admin of the server!

Correct, the output of bcrypt is the new password. Sorry, I’m not sure why it would be too long.

I suggest asking your webhost for advice on how to enable mod_rewrite.

Thank you @hillel.
This is how far I can follow your lead.
It has been solved by entering the string to the admin user password table.
Thank you.
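
Added example, not part of the thread or of Invoice Ninja's code: a Python check that the string about to be stored in the users table's password field is a complete bcrypt hash, since the replies above confirm that the bcrypt output is what gets stored. The sample hash is constructed, and the function names and the handling of quotes copied along with the tinker output are assumptions.

```python
import re

# A bcrypt hash is 60 characters: $<version>$<cost>$ + 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")
PREFIX_RE = re.compile(r"\$2[abxy]?\$\d{2}\$")


def parse_bcrypt(value):
    """Return the hash fields if value is a well-formed bcrypt hash, else None."""
    m = BCRYPT_RE.fullmatch(value)
    if m is None:
        return None
    cost = int(m.group(2))
    if not 4 <= cost <= 31:  # bcrypt only defines cost factors 4..31
        return None
    return {"version": m.group(1), "cost": cost, "salt": m.group(3), "digest": m.group(4)}


def classify(value):
    """Classify a string before it is written to the password field."""
    if parse_bcrypt(value):
        return "ok"
    # Assumption: quotes or whitespace were copied along with the tinker output.
    cleaned = value.strip().strip("\"'")
    if parse_bcrypt(cleaned):
        return "needs-trim"
    if PREFIX_RE.match(cleaned):
        return "malformed"  # looks like bcrypt but is truncated or altered
    return "not-a-hash"  # e.g. a plaintext password, which would never verify


# Constructed sample in bcrypt layout (not the hash of any real password).
SAMPLE = "$2y$10$" + "A" * 22 + "b" * 31

if __name__ == "__main__":
    for candidate in (SAMPLE, '"' + SAMPLE + '"\n', SAMPLE[:40], "new_password"):
        print(repr(candidate[:20]), "->", classify(candidate))
```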