Password recovery not working

Hello. For the sake of an experiment, I installed Hestia on pure Debian 11. After installation, I set it up in the admin panel and created a test user “test1”. Then I decided to test the password recovery functionality and I have to admit that it does not work correctly:

  1. When using the mailbox format [email protected] the mail is not coming.
  2. Even if I enter a correct login, but an incorrect email, there will be a message that the data for restoring access has been sent. That’s not so.
  3. Let’s say this can be solved by writing a mailbox in the format [email protected] which is essentially the same thing, but the time is not correctly indicated in the title of the letter. Running the check at 18.30, I receive an email with the title “Password recovery 2023-07-02 15:30:07”, although the correct time is indicated in the system (I checked it using “date”). The time zone in the control panel also indicated the correct one, i.e. Europe/Moscow, which should work as UTC+3, but for some reason this does not happen.
  4. And the most important thing. If I enter everything correctly, I will receive an email with a link like:
    And this link doesn’t work. At least because there is a colon missing between the panel address and the port.


The first time I installed hestiaCP I failed to place single quotes (') around the password specified in the command string, and the special character[s], well, oops, you know… Anyway, I then did the password reset thang and it did not work for me, either. But as I vaguely recall the email mentioned/contained 2 methods/links, and the other method did work for me. hth



The second method involves entering the code sent by mail into a special field for password recovery, but the link to the page with this field also does not work. By the way, for the same reason — the colon is missing.

What version are you currently using?

Debian GNU/Linux 11 and Hestia v1.7.8.

I seem to understand the problem. It was in the Russian template. When I changed the panel language to English, a colon appeared between the panel address and the port. Could you please fix this bug in the Russian language template?

In 1.8.0 we will rewrite the whole system anyway…

But there was also a bug there, and it has been fixed there


By the way, I will allow myself one more comment about the logic of password recovery:

In cp Hestia, after requesting password recovery and entering login/mail, we remain on the login/mail page.

In cp MyVesta (another fork of Vesta), we automatically move to the page for entering the secret code that was sent to us by mail.

I think the second option is even more logical in some sense. However, first you need to check the ratio of login and mail, because now we see the message “Data for recovery has been sent” regardless of the correctness of the specified mail.

PS Will you rewrite the entire password recovery system or the entire panel? These phrases are frightening. And when can users expect version 1.8?

Old behaviour allowed hackers to “guess” what username / email address were used and unknowingly share information you wanted.

New text looks like:

Password reset instructions have been sent to the email address associated with this account.

Hello System Administrator,

To reset your Hestia Control Panel password, please follow this link:

Alternatively, you may go to https://xxxx:8083/reset/?action=code&user=admin and enter the following reset code:

If you did not request password reset, please ignore this message and accept our apologies.

Best regards,
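The difference between the old and new replies discussed above, as an added example that is not Hestia's code and not part of the original posts: one handler whose reply reveals which field was wrong, and one that always returns the new generic text and only sends mail on a real match. The account store, the host `panel.example.test`, the function names and the 15-minute code lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

GENERIC_REPLY = ("Password reset instructions have been sent to the "
                 "email address associated with this account.")
CODE_TTL = 15 * 60  # seconds a reset code stays valid (assumed value)

# Constructed sample account store and outbox, for illustration only.
USERS = {"test1": {"email": "test1@example.test", "reset": None}}
OUTBOX = []


def reset_url(host, port, user):
    # Build the link from parts so the ':' before the port cannot be lost.
    return f"https://{host}:{port}/reset/?" + urlencode({"action": "code", "user": user})


def request_reset_leaky(user, email):
    """Old-style behaviour: the reply reveals which field was wrong."""
    account = USERS.get(user)
    if account is None:
        return "Unknown user."
    if account["email"] != email:
        return "Email does not match this user."
    return "Reset code sent."


def request_reset(user, email, host="panel.example.test", port=8083, now=None):
    """Same reply for every input; mail goes out only on a real match."""
    now = time.time() if now is None else now
    account = USERS.get(user)
    stored = account["email"] if account else ""
    # compare_digest avoids an early exit on the first differing byte.
    match = hmac.compare_digest(stored.lower().encode(), email.lower().encode())
    if account is not None and match:
        code = secrets.token_urlsafe(16)
        # Keep only a hash of the code, plus its expiry time.
        account["reset"] = (hashlib.sha256(code.encode()).hexdigest(), now + CODE_TTL)
        OUTBOX.append((stored, reset_url(host, port, user), code))
    return GENERIC_REPLY
```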

The MyVestaCP option seems better to me, but okay, I realized that this is not a bug, but a feature.
PS So what’s up with version 1.8? Will you rewrite the entire panel or did I misunderstand something? And when can I expect it?

  • Debian 12 support
  • SRS support on email
  • 0-RTT support for email
  • Improved TLS support and many more…

I know what SRS is, but I had no luck trying to find what RRT means on the internet at large, the Hestia Github, or this forum. Would you mind clarifying the acronym?

Some extra protection


It appears that 0-RTT is a good search term to learn more. Thanks!

Please do not forget to fix the password recovery bug in the Russian version of the template. And why is the time displayed incorrectly in the title of the letter? Maybe it should be removed from the name altogether?

We have changed all the translations:

By the way, are you sure that these \n will be displayed correctly? Because now it looks like this:

Will be fixed in 1.8.0

In the old version, everything was not correctly encoded in the translations

We will fix it in:

{{name}} will be replaced with the account “user” name
{{user}} username
{{hostname}} or with / without port number if not set

and {{password}} with password

Good. And regarding the time in the title of the letter, was anything decided? If it stays there, then I’d like to understand why it’s 3 hours behind. Most likely the problem is that I have a UTC+3 time zone, but I have already specified it in the panel. What else needs to be done? In Debian itself, the time and time zone are also specified correctly.