Cannot complete initial setup because of not specified error

[lb-saschatrebbin]

This looks great.

I tried to set up a simple docker instance. but I cannot get further than this:

It doesn't seem to matter what I put in the form page 1 or if I deactivate the test module on form page 2.

The problem is, the logs seemingly do not show this configuration error:

2026-03-17T20:37:03.824524182Z                                    Work Management Platform
2026-03-17T20:37:03.824530427Z 
2026-03-17T20:37:03.825761513Z 2026/03/17 20:37:03 INFO connecting to SQLite database path=/data/windshift.db
2026-03-17T20:37:03.832447415Z 2026/03/17 20:37:03 INFO SQLite database initialized max_read_conns=120 max_write_conns=1 mode=WAL
2026-03-17T20:37:04.021156225Z 2026/03/17 20:37:04 INFO checking setup status attempt=1 max_retries=5
2026-03-17T20:37:04.021213570Z 2026/03/17 20:37:04 WARN setup status: NOT COMPLETED - server will run in setup mode
2026-03-17T20:37:04.350836589Z 2026/03/17 20:37:04 INFO WebAuthn configuration initialized rp_id=cdf39a8f26e5 rp_name=Windshift development_mode=false
2026-03-17T20:37:04.350883690Z 2026/03/17 20:37:04 WARN 🔓 Authentication middleware initialized in SETUP mode - authentication disabled for initial configuration
2026-03-17T20:37:04.519244639Z 2026/03/17 20:37:04 INFO notification scheduler started
2026-03-17T20:37:04.519302588Z 2026/03/17 20:37:04 INFO Starting recurrence scheduler (5-minute interval)
2026-03-17T20:37:04.519315010Z 2026/03/17 20:37:04 INFO recurrence scheduler started
2026-03-17T20:37:04.519351275Z 2026/03/17 20:37:04 INFO action service initialized
2026-03-17T20:37:04.574518530Z 2026/03/17 20:37:04 INFO starting email scheduler (IMAP polling)
2026-03-17T20:37:04.574575044Z 2026/03/17 20:37:04 INFO email scheduler started (IMAP polling)
2026-03-17T20:37:04.574588306Z 2026/03/17 20:37:04 INFO event coordinator initialized
2026-03-17T20:37:04.574600269Z 2026/03/17 20:37:04 INFO comment service initialized
2026-03-17T20:37:04.574611414Z 2026/03/17 20:37:04 INFO attachments enabled path=/data/attachments
2026-03-17T20:37:04.578596699Z 2026/03/17 20:37:04 INFO SCM sync scheduler started (5-minute interval)
2026-03-17T20:37:04.619904326Z 2026/03/17 20:37:04 INFO initializing plugin system
2026-03-17T20:37:04.620021621Z 2026/03/17 20:37:04 WARN failed to load plugins from directory dir=plugins error="failed to create plugins directory: mkdir plugins: permission denied"
2026-03-17T20:37:04.620306256Z 2026/03/17 20:37:04 INFO LLM fallback service not configured
2026-03-17T20:37:04.620596662Z 2026/03/17 20:37:04 ERRO Failed to create CORS middleware error="cors: for security reasons, insecure origin patterns like \"http://windshift.apps.hivenet.xyz\" are by default prohibited when credentialed access is enabled"
2026-03-17T20:37:04.620624205Z 2026/03/17 20:37:04 INFO CSRF protection enabled (Sec-Fetch-Site)
2026-03-17T20:37:04.639176568Z 2026/03/17 20:37:04 INFO HTTP server starting port=8080
2026-03-17T20:37:04.639250248Z 2026/03/17 20:37:04 WARN ⚠️  Running without HTTPS - credentials will be transmitted in plaintext. Use --tls-cert and --tls-key for production.

My Setup

I'm simply running the Docker compose file almost as provided by the guide:

services:
  windshift:
    image: ghcr.io/windshiftapp/windshift:latest
    restart: unless-stopped
    expose:
      - "8080"
    tmpfs:
      - /tmp:size=64M
    environment:
      - BASE_URL=https://windshift.***.***.xyz
      - SSO_SECRET=${SSO_SECRET}
      - DB_PATH=/data/windshift.db
      - ATTACHMENT_PATH=/data/attachments
    volumes:
      - windshift-data:/data

volumes:
  windshift-data:

The only diffeence should be the expose directive instead of the ports directive.
But that is by design to not export the app port to the outside.
My reverse proxy can connect, otherwise I couldn't take the screenshot above.
The .env file is also created as mentioned in the guide.

---

A few things I noticed:

2026-03-17T20:37:04.620021621Z 2026/03/17 20:37:04 WARN failed to load plugins from directory dir=plugins error="failed to create plugins directory: mkdir plugins: permission denied"

This might be nothing, but surely a newly created docker volume wil have the correct permissions for the corresponding container, right?
I even tried it with a local subfolder with correct permissions instead of a docker volumen, but that didn't change anything.

2026-03-17T20:37:04.620596662Z 2026/03/17 20:37:04 ERRO Failed to create CORS middleware error="cors: for security reasons, insecure origin patterns like "http://windshift.apps.hivenet.xyz\" are by default prohibited when credentialed access is enabled"
2026-03-17T20:37:04.639250248Z 2026/03/17 20:37:04 WARN ⚠️ Running without HTTPS - credentials will be transmitted in plaintext. Use --tls-cert and --tls-key for production.

My instance is not available by HTTP, my reverse proxy doesn't allow that.
Where does that HTTP come from?
The BASE_URL is set with HTTPS, the DOMAIN in the .env file has no protocol.

How can I help debug this further?

[stefan-ernst]

Hey, thank you for reporting this. I understand you are behind a proxy that does the TLS termination?

In that case, tell Windshift to skip the origin building by using USE_PROXY=true

https://windshift.sh/docs/02-deployment/04-reverse-proxy

Can you see if this helps?

[stefan-ernst]

On another note, I will try to simplify the setup to account for these cases. The flags were added one by one to improve web security but are kind of hard to navigate now

[stefan-ernst]

the newest release will now auto-assume that a reverse proxy is used when https is used without supplying TLS certs. USE_PROXY is still recommended so Windshift assumes the right security posture. But its not strictly needed anymore.

The plugins dir was moved into the mapped data/ directory so the error does not happen anymore when using docker.