Can't Create New Site. Cryptic Error message

I created a new Ghost installation on Debian 9 and MySQL. After running ghost install, I navigate to my site, attempt to create an account and keep getting

Authorization failed Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication. 
  • What version of Ghost are you using?
  • CLI: 1.11.0
  • Ghost: 2.32.0
  • What configuration?
{
  "url": "https://example.com",
  "server": {
    "port": 2368,
    "host": "127.0.0.1"
  },
  "database": {
    "client": "mysql",
    "connection": {
      "host": "localhost",
      "user": "ghost_user",
      "password": "pass",
      "database": "ghost_db"
    }
  },
  "mail": {
    "transport": "Direct"
  },
  "logging": {
    "transports": [
      "file",
      "stdout"
    ]
  },
  "process": "systemd",
  "paths": {
    "contentPath": "/var/www/example.com/html/content"
  },
  "bootstrap-socket": {
    "port": 8000,
    "host": "localhost"
  }
}
  • What errors or information do you see in the console?

When attempting to create an account I see:

Authorization failed Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication. 

I’m also having this issue which may or may not be related:

Here’s some output from ghost log

[2019-10-07 21:20:06] INFO "GET /ghost/assets/img/favicon.ico" 200 6ms
[2019-10-07 21:20:06] INFO "GET /ghost/api/canary/admin/site/" 200 21ms
[2019-10-07 21:20:06] INFO "GET /ghost/api/canary/admin/authentication/setup/" 200 29ms
[2019-10-07 21:20:06] INFO "GET /ghost/assets/img/install-welcome-ff3912d18bf8949df89c83b1c3b8bb66.png" 200 2ms
[2019-10-07 21:20:07] INFO "GET /ghost/assets/img/user-image-0d67f7ca80917835524605cf4d106aef.png" 200 2ms
[2019-10-07 21:20:13] INFO "POST /ghost/api/canary/admin/authentication/setup/" 201 234ms
[2019-10-07 21:20:14] INFO "POST /ghost/api/canary/admin/session" 201 185ms
[2019-10-07 21:20:14] ERROR "GET /ghost/api/canary/admin/settings/?type=blog%2Ctheme%2Cprivate%2Cmembers" 403 3ms

NAME: NoPermissionError
MESSAGE: Authorization failed

level: normal

"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."
NoPermissionError: Authorization failed
    at new NoPermissionError (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/ghost-ignition/lib/errors/index.js:114:23)
    at authorizeAdminApi (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/authorize.js:76:25)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at authenticate (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/session/middleware.js:103:16)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at authenticate (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/api-key/admin.js:43:16)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:335:12)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:275:10)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/cors/lib/index.js:228:13
    at handleCORS (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/web/shared/middlewares/api/cors.js:73:16)
    at corsMiddleware (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/cors/lib/index.js:204:7)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:317:13)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:335:12)

[2019-10-07 21:20:14] ERROR "GET /ghost/api/canary/admin/config/" 403 6ms

NAME: NoPermissionError
MESSAGE: Authorization failed

level: normal

"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."
NoPermissionError: Authorization failed
    at new NoPermissionError (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/ghost-ignition/lib/errors/index.js:114:23)
    at authorizeAdminApi (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/authorize.js:76:25)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at authenticate (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/session/middleware.js:103:16)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at authenticate (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/api-key/admin.js:43:16)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:335:12)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:275:10)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/cors/lib/index.js:228:13
    at handleCORS (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/web/shared/middlewares/api/cors.js:73:16)
    at corsMiddleware (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/cors/lib/index.js:204:7)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:317:13)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:335:12)

[2019-10-07 21:20:14] ERROR "GET /ghost/api/canary/admin/users/me/?include=roles" 403 8ms

NAME: NoPermissionError
MESSAGE: Authorization failed

level: normal

"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."
NoPermissionError: Authorization failed
    at new NoPermissionError (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/ghost-ignition/lib/errors/index.js:114:23)
    at authorizeAdminApi (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/authorize.js:76:25)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at authenticate (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/session/middleware.js:103:16)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at authenticate (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/api-key/admin.js:43:16)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:281:22
    at param (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:354:14)
    at param (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:365:14)
    at Function.process_params (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:410:3)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:275:10)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/cors/lib/index.js:228:13
    at handleCORS (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/web/shared/middlewares/api/cors.js:73:16)
    at corsMiddleware (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/cors/lib/index.js:204:7)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:317:13)

[2019-10-07 21:25:07] INFO "GET /ghost/" 200 12ms
[2019-10-07 21:25:07] INFO "GET /ghost/assets/ghost.min-06031c34f7208e301e1a039fefa8b02d.css" 200 20ms
[2019-10-07 21:25:08] INFO "GET /ghost/assets/ghost.min-975a8c4cd6329f05e8d6edf138e459dc.js" 200 85ms
[2019-10-07 21:25:08] INFO "GET /ghost/assets/vendor.min-8a9c6f8a3daf9a5470d26dae32d1c192.js" 200 212ms
[2019-10-07 21:25:08] ERROR "GET /ghost/api/canary/admin/users/me/?include=roles" 403 5ms

NAME: NoPermissionError
MESSAGE: Authorization failed

level: normal

"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."

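Those lines show that the setup and login completed OK on the server side: both the POST to /ghost/api/canary/admin/authentication/setup/ and the POST to /ghost/api/canary/admin/session returned 201. Judging from the later error message, it sounds like something is stopping the cookie set on the successful login request from being saved or from being included with later requests.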

Have you tried using Incognito mode in Chrome or a different browser without any browser extensions? Is there anything else you may have in your setup that would block cookies?

@Kevin I’ve tried different browsers with the same result.

As far as I’m aware, nothing should be blocking cookies. The only thing I’ve done that might possibly be a problem was to uninstall and reinstall Ghost with the CLI commands.

Are there any other logs somewhere that might help point to a solution? Could it be an issue with my firewall, maybe?

There may be some logs in your browser’s dev tools. You could also inspect the network requests to make sure that the browser receives the Set-Cookie header in the response to the POST /ghost/api/canary/admin/session request, and double-check that the Cookie header is sent on the GET /ghost/api/canary/admin/settings/?type=blog%2Ctheme%2Cprivate%2Cmembers request.

Could it be an issue with my Firewall maybe?

Possibly, if the firewall is interfering with request headers then it may cause problems.

I’m just now realizing it might be an issue with my Nginx config

# Shared proxy cache zone "STATIC": 75 MB of keys, entries dropped after 24h
# without a hit, at most 512 MB on disk under /var/run/cache.
# NOTE(review): cached upstream responses are written to this directory; keep it
# readable only by the nginx worker user.
proxy_cache_path /var/run/cache levels=1:2 keys_zone=STATIC:75m inactive=24h max_size=512m;

# HTTPS virtual host that fronts the Ghost process on 127.0.0.1:2368.
# As posted, every request that is not served from disk, including the admin
# panel and admin API under /ghost/, ends up in the cached @ghost location below.
server {

    server_name example.com www.example.com;
    # Exposes the cache result (HIT/MISS/...) to clients; handy while debugging.
    add_header X-Cache $upstream_cache_status;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Catch-all: "_" is presumably a file name that never exists, so every
    # request falls through to the @ghost proxy location.
    location / {
        try_files _ @ghost;
    }

    # Serve uploaded images straight from disk, falling back to Ghost.
    # NOTE(review): the alias pins versions/2.31.1 although the post reports
    # Ghost 2.32.0, and it targets .../content rather than .../content/images;
    # confirm both against the actual install.
    # NOTE(review): a prefix location without a trailing slash also matches
    # sibling names such as /content/imagesX; ending both the location and the
    # alias with "/" keeps the mapping confined to the intended directory.
    location /content/images {
      alias /var/www/example.com/html/versions/2.31.1/content;
      access_log off;
      expires max;

      try_files $uri @ghost;
    }

    # Serve the Casper theme's assets straight from disk, falling back to Ghost.
    # NOTE(review): same version-pinned alias and missing trailing slash as above.
    location /assets {
      alias /var/www/example.com/html/versions/2.31.1/content/themes/casper/assets;
      access_log off;
      expires max;

      try_files $uri @ghost;
    }


    # Cached reverse proxy to Ghost.
    location @ghost {
        proxy_cache STATIC;
        # Cache 200 responses for 30 minutes and 404 responses for 1 minute.
        proxy_cache_valid 200 30m;
        proxy_cache_valid 404 1m;
        # Cache even when the upstream says not to: Ghost's own Cache-Control /
        # Expires headers, and the presence of Set-Cookie, are all ignored when
        # deciding whether a response may be stored.
        # SECURITY: nginx's default cache key does not include cookies, so with
        # these overrides a 200 response generated for a logged-in request can be
        # stored and replayed to any other client asking for the same URL.
        proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
        proxy_ignore_headers Set-Cookie;
        # Strips Set-Cookie from every response proxied here. Because /ghost/ is
        # also routed through this location, the session cookie issued by
        # POST /ghost/api/canary/admin/session never reaches the browser, which
        # matches the 403 "Unable to determine the authenticated user" errors
        # in the log above.
        proxy_hide_header Set-Cookie;
        # Do not advertise the upstream framework banner.
        proxy_hide_header X-powered-by;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends the peer address to whatever X-Forwarded-For the client sent;
        # the upstream should only trust the last entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # NOTE(review): $http_host forwards the raw client-supplied Host header;
        # $host is the normalized alternative. Confirm which one Ghost needs.
        proxy_set_header Host $http_host;
        # Tells browsers to keep responses for 10 minutes.
        expires 10m;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://127.0.0.1:2368;
    }
}

# Plain-HTTP virtual host generated by Certbot: redirects the two known host
# names to HTTPS and answers 404 for anything else.
server {

    # $host is reused in the redirect target only after it has been compared
    # with a fixed name, so an arbitrary Host header cannot steer the redirect.
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;

    server_name example.com www.example.com;

    # Reached only when neither host check above matched.
    return 404; # managed by Certbot
}
        proxy_ignore_headers Set-Cookie;
        proxy_hide_header Set-Cookie;

Gonna try removing them tonight. I got the idea for this config from this post:

@ghost_throw that caching setup is quite heavy. You’ll definitely see problems (even after removing the cookie header rules) unless you exclude the /ghost/* paths so that admin API requests are not cached.

@Kevin You’re talking about the location blocks? As far as I can tell, they’re necessary to prevent 404ing for assets and images.

Is there a recommended Nginx config for caching?

Here’s my latest Nginx config. I excluded the Admin panel from being cached:

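# Shared proxy cache zone "STATIC": 75 MB of keys, entries dropped after 24h
# without a hit, at most 512 MB on disk under /var/run/cache.
# NOTE(review): cached upstream responses are written to this directory; keep it
# readable only by the nginx worker user.
proxy_cache_path /var/run/cache levels=1:2 keys_zone=STATIC:75m inactive=24h max_size=512m;

# HTTPS virtual host that fronts the Ghost process on 127.0.0.1:2368.
# Admin traffic (/ghost, /signout) is proxied without caching and keeps its
# cookies; everything else goes through the cached @ghost location.
server {

    server_name example.com www.example.com;
    # Exposes the cache result (HIT/MISS/...) to clients; handy while debugging.
    add_header X-Cache $upstream_cache_status;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Catch-all: "_" is presumably a file name that never exists, so every
    # request not matched below falls through to the @ghost proxy location.
    location / {
        try_files _ @ghost;
    }

    # Serve uploaded images straight from disk, falling back to Ghost.
    # NOTE(review): the alias is pinned to versions/2.33.0 and must be updated
    # on every Ghost upgrade; confirm the path against the actual install.
    location /content/images {
        alias /var/www/example.com/html/versions/2.33.0/content/images;
        access_log off;
        expires max;

        try_files $uri @ghost;
    }

    # Serve the Casper theme's assets straight from disk, falling back to Ghost.
    location /assets {
        alias /var/www/example.com/html/versions/2.33.0/content/themes/casper/assets;
        access_log off;
        expires max;

        try_files $uri @ghost;
    }

    # Admin panel, admin API and sign-out: proxied with no proxy_cache and with
    # Set-Cookie left intact, so the session cookie reaches the browser.
    location ~ ^/(?:ghost|signout) {
        # Tell browsers and intermediaries never to store admin responses.
        # An add_header at this level replaces the server-level X-Cache header
        # for these requests.
        add_header Cache-Control "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0";

        # No "expires" directive here on purpose: "expires 10m" would add its own
        # "Cache-Control: max-age=600" and Expires headers, contradicting the
        # no-store policy set above.
        proxy_hide_header X-powered-by;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends the peer address to whatever X-Forwarded-For the client sent;
        # the upstream should only trust the last entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://127.0.0.1:2368;
    }

    # Cached reverse proxy to Ghost for the public site.
    location @ghost {
        proxy_cache STATIC;
        # Cache 200 responses for 30 minutes and 404 responses for 1 minute.
        proxy_cache_valid 200 30m;
        proxy_cache_valid 404 1m;
        # Cache even when the upstream says not to: Ghost's own Cache-Control /
        # Expires headers, and the presence of Set-Cookie, are ignored when
        # deciding whether a response may be stored.
        # NOTE(review): nginx's default cache key does not include cookies, so
        # any non-admin route whose output depends on a cookie (for example a
        # password-protected or members-only page, if enabled) could be stored
        # once and replayed to other visitors. Confirm that no such route is
        # served through this location.
        proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
        proxy_ignore_headers Set-Cookie;
        # Strips Set-Cookie from every response proxied here, so nothing on the
        # public site can set a cookie.
        proxy_hide_header Set-Cookie;
        proxy_hide_header X-powered-by;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # Tells browsers to keep public responses for 10 minutes.
        expires 10m;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://127.0.0.1:2368;
    }
}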

# Plain-HTTP virtual host generated by Certbot: sends the two known host names
# to their HTTPS equivalent and returns 404 for any other Host value.
server {

    # The redirect target reuses $host, but only inside a branch where it has
    # already been matched against a fixed name.
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;

    server_name example.com www.example.com;

    # Fallback for requests whose Host matched neither check above.
    return 404; # managed by Certbot
}