Unsecure and incorrect reset token

Examples and configs:

I am using the Docker variant of v5 and besides new users (not clients) being unable to register, I also get an unsecure page before sending the new password after a reset request. On all the other pages the Let’s Encrypt certificate is working as it should.

The token in the URL also doesn’t match the one in the database.

I followed the setup process over on GitHub /invoiceninja/dockerfiles

I have attached the docker-compose.yml, env and hosts in hopes that someone might spot the mistake or issue that might be causing this.

As for my reverse proxy I use nginx or to be more precise Nginx Proxy Manager with a default conf and a Let’s Encrypt Certificate. Where it routes from the local x.x.x.10:88 to finance.example.com

For my host file and extra hosts I set it to my local IP of the machine that it’s running on. The only variable containing the subdomain is the APP_URL.

The SMTP part works like a charm, sends out the invoices and password resets but with an invalid token.


It’s the first time I’ve heard of this issue.

@david @ben any thoughts?

Does the same error occur when using the provided dockerfile - unmodified - from the repo?

This sounds like a proxy issue.

@david by dockerfile do you mean the docker-compose.yml or the makefile from the repo?
I will also try not using an external MariaDB as database and use the one provided in the compose and see if that helps.

@david @hillel Regarding the docker version.

If my local IP is x.x.x.10 and I want to run it through a reverse proxy I can just fill in x.x.x.10 everywhere where it states the default, also within the compose file, and for my APP_URL I would need to fill out the actual domain as in finance.example.com, correct?


Yes, just replace with your network config. Also if you are running behind a proxy, you’ll need to configure the TRUSTED_PROXIES= environment variable

If I understand correctly I would need to add the TRUSTED_PROXIES in my ENV as


Do I also need to add anything within the compose file or is the env enough?
The in5.test can be kept as is right?

Btw thanks for the quick response

I’ve now set it up like this https://imgur.com/a/90QFWKX I will give it a try and come back if the problem remains

I believe the trusted proxy will be the internal local network IP so for you x.x.x.10/0 etc.

So @david I did a fresh install and after setting the trusted proxy to x.x.x.10/0 the setup page opens properly, but now this occurs: file(/var/www/app/.env): failed to open stream: No such file or directory.

Only thing I changed is the local IP from 192.x.x.x to mine x.x.x.10 and added trusted proxy, kept default database image and default db credentials, but no luck.

This is what my setup page looks like, after adding a first admin user it reverts empty with the error message in the link above.
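
The trusted-proxy behaviour discussed in this thread, as an added example that is not part of any post here and is not Invoice Ninja's or its framework's own code: a general model of how an application behind a reverse proxy decides whether to believe X-Forwarded-Proto, showing why an unset proxy list produces plain-HTTP links and why a /0 prefix trusts every client. The function names and the sample addresses (taken from the documentation ranges) are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample addresses (RFC 5737 documentation ranges), not values from the thread.
PROXY = "192.0.2.10"       # the reverse proxy that terminates TLS
OUTSIDER = "203.0.113.77"  # any other client that reaches the app port directly
FORWARDED = {"X-Forwarded-Proto": "https"}


def is_trusted(remote_addr, trusted_proxies):
    """True if remote_addr falls inside any comma-separated IP/CIDR entry."""
    ip = ipaddress.ip_address(remote_addr)
    entries = [e.strip() for e in trusted_proxies.split(",") if e.strip()]
    # strict=False accepts host bits in the entry, so "192.0.2.10/0" parses as 0.0.0.0/0
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def effective_scheme(remote_addr, conn_scheme, headers, trusted_proxies):
    """Scheme the app uses when generating links such as a password-reset URL."""
    if is_trusted(remote_addr, trusted_proxies):
        proto = headers.get("X-Forwarded-Proto", "").lower()
        if proto in ("http", "https"):
            return proto
    # Untrusted peer: forwarded headers are ignored, only the real connection counts.
    return conn_scheme


def demo():
    """Run the four cases; the proxy-to-app hop is plain HTTP in all of them."""
    return {
        # No proxy list: the header is ignored and links come out as http://
        "unset": effective_scheme(PROXY, "http", FORWARDED, ""),
        # Exact proxy address: the header is honoured for the proxy only
        "exact": effective_scheme(PROXY, "http", FORWARDED, "192.0.2.10"),
        "exact_outsider": effective_scheme(OUTSIDER, "http", FORWARDED, "192.0.2.10"),
        # /0 prefix: every address matches, so any client can set the header
        "slash0_outsider": effective_scheme(OUTSIDER, "http", FORWARDED, "192.0.2.10/0"),
    }


if __name__ == "__main__":
    for case, scheme in demo().items():
        print(f"{case:16} -> {scheme}")
```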