Could not verify the server key. The authentication failed. After attempting to log in on a mobile browser

Checklist
I have read intro post:
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue
Double check the tutorials steps and read the troubleshooting advice.
– See https://passbolt.com/help/tech/install

  1. Search the community forum for similar issues and try to follow the resolution steps if applicable.
    – http://community.passbolt.com/search
    The similar post titles don’t seem to have the same problem

  2. Provide your system information:
    – Server operating system name and version: TrueNAS 25.04.2.6, Docker version 27.5.0, build a187fa5
    – Web server name and version: Apache (I can’t find the version)
    – Database server name and version: mariadb from 12.2.2-MariaDB, client 15.2 for debian-linux-gnu (x86_64) using EditLine wrapper
    – Php version: PHP 8.4.16 (cli) (built: Dec 18 2025 21:19:25) (NTS)
    – Passbolt version: App Version: v5.9.0-1-ce-non-root, Version: v1.4.0

  3. Provide a copy of your healthcheck running as the web server user
    – See Step 8 here: https://help.passbolt.com/hosting/install/ce/from-source.html

    Environment

    [INFO] Linux 39b12e6df0d6 6.12.15-production+truenas #1 SMP PREEMPT_DYNAMIC Wed Oct 29 14:40:06 UTC 2025 x86_64 GNU/Linux
    [PASS] PHP version 8.4.16.
    [PASS] PHP version is 8.2 or above.
    [PASS] 64-bit architecture system detected.
    [INFO] gpg (GnuPG) 2.4.7 / libgcrypt 1.11.0
    [PASS] PCRE compiled with unicode support.
    [PASS] Mbstring extension is installed.
    [PASS] Intl extension is installed.
    [PASS] GD or Imagick extension is installed.
    [PASS] The temporary directory and its content are writable and not executable.
    [PASS] The logs directory /var/log/passbolt/ and its content are writable.
    [WARN] System clock and NTP service information cannot be found.
    [HELP] See timedatectl | grep -i -A 1 clock. More information:

    Config files

    [PASS] The application config file is present
    [WARN] The passbolt config file is missing in /etc/passbolt/
    [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
    [HELP] The passbolt config file is not required if passbolt is configured with environment variables

    Core config

    [PASS] Cache is working.
    [PASS] Debug mode is off.
    [PASS] Unique value set for security.salt
    [PASS] Full base url is set to http://192.168.50.50:30097
    [PASS] App.fullBaseUrl validation OK.
    [PASS] /healthcheck/status is reachable.

    SSL Certificate

    [PASS] SSL peer certificate validates.
    [PASS] Hostname is matching in SSL certificate.
    [PASS] Not using a self-signed certificate.

    SMTP settings

    [PASS] The SMTP Settings plugin is enabled.
    [PASS] SMTP Settings coherent. You may send a test email to validate them.
    [WARN] The SMTP Settings source is: env variables.
    [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
    [WARN] The SMTP Settings plugin endpoints are enabled.
    [HELP] It is recommended to disable the plugin endpoints.
    [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
    [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
    [PASS] No custom SSL configuration for SMTP server.

    JWT Authentication

    [PASS] The JWT Authentication plugin is enabled.
    [FAIL] The /etc/passbolt/jwt/ directory should not be writable.
    [HELP] You can try:
    [HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
    [HELP] sudo chmod 750 /etc/passbolt/jwt/
    [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
    [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
    [PASS] A valid JWT key pair was found.

    GPG Configuration

    [PASS] PHP GPG Module is installed and loaded.
    [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
    [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
    [FAIL] The server OpenPGP key is not set.
    [HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
    [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
    [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
    [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
    [FAIL] The server key fingerprint doesn’t match the one defined in /etc/passbolt/passbolt.php.
    [HELP] Double check the key fingerprint, example:
    [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
    [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
    [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
    [FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
    [HELP] Import the private server key in the keyring of the webserver user.
    [HELP] you can try:
    [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
    [FAIL] The server key does not have a valid email id.
    [HELP] Edit or generate another key with a valid email id.
    [FAIL] The private key cannot be used to decrypt a message
    [FAIL] The private key cannot be used to decrypt and verify a message
    [FAIL] The public key cannot be used to verify a signature.

    Application configuration

    [PASS] Using latest passbolt version (5.9.0).
    [FAIL] Passbolt is not configured to force SSL use.
    [HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
    [FAIL] App.fullBaseUrl is not set to HTTPS.
    [HELP] Check App.fullBaseUrl url scheme in /etc/passbolt/passbolt.php.
    [PASS] Selenium API endpoints are disabled.
    [PASS] Search engine robots are told not to index content.
    [INFO] The Self Registration plugin is enabled.
    [INFO] Registration is closed, only administrators can add users.
    [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
    [WARN] Host availability checking is disabled.
    [HELP] Make sure this instance is not publicly available on the internet.
    [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
    [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
    [PASS] Serving the compiled version of the javascript app.
    [WARN] Some email notifications are disabled by the administrator.
    [PASS] The database schema is up to date.

    Database

    [PASS] The application is able to connect to the database
    [PASS] 35 tables found.
    [PASS] Some default content is present.
    [PASS] The database version is supported.

    Metadata

    [FAIL] Unable to decrypt the metadata private key data. The config for the server private key fingerprint is not available or incomplete.
    [PASS] Active metadata key found or not required.
    [PASS] The server has access to the metadata keys or does not require access to it.
    [FAIL] The server metadata private key is not valid. Unable to decrypt the metadata private key (id: 337a1466-09ac-4eaa-95a1-d5b2794be966) data. The config for the server private key fingerprint is not available or incomplete.

    [FAIL] 12 error(s) found. Hang in there!

    Passbolt CE 5.9.0
    Cakephp 5.2.9
    Linux 39b12e6df0d6 6.12.15-production+truenas #1 SMP PREEMPT_DYNAMIC Wed Oct 29 14:40:06 UTC 2025 x86_64 GNU/Linux
    PHP 8.4.16 (cli) (built: Dec 18 2025 21:19:25) (NTS)
    ERROR: /usr/share/php/passbolt/bin/utils.sh: line 64: mysql: command not found
    gpg (GnuPG) 2.4.7
    libgcrypt 1.11.0

    Cleanup shell (dry-run)

    No issue found, data looks squeaky clean!

    Data check shell
    [PASS] Data integrity for AuthenticationTokens.
    [PASS] Can validate: 45/45
    [PASS] Data integrity for Comments.
    [PASS] Can validate: 0/0
    [PASS] Data integrity for Favorites.
    [PASS] Can validate: 0/0
    [PASS] Data integrity for Gpgkeys.
    [PASS] Can encrypt: 1/1
    [PASS] Pass validation service checks: 1/1
    [PASS] Entity data and armored key data matches: 1/1
    [PASS] Is not expired: 1/1
    [PASS] Is armored key format valid: 1/1
    [PASS] Data integrity for Groups.
    [PASS] Can validate: 0/0
    [PASS] Data integrity for Profiles.
    [PASS] Can validate: 1/1
    [PASS] Data integrity for Resources.
    [PASS] Can validate: 27/27
    [PASS] Is metadata key exist and active: 0/0
    [PASS] Data integrity for Secrets.
    [PASS] Can validate: 26/26
    [PASS] Data integrity for Users.
    [PASS] Can validate: 1/1
    [PASS] Data integrity for MetadataKeys.
    [PASS] Check metadata private keys present: 1/1
    tail: cannot open ‘/var/log/passbolt/error.log’ for reading: No such file or directory

  4. Describe the problem thoroughly with as much details as possible so that people can reproduce the issues.
    – What steps did you take?
    In a mobile Firefox browser I went to the URL "http://192.168.50.50:30097" and tried to log in with the admin password that is used in the PC web browser.
    – What happened?
    I was presented with a prompt "Please enter your email to continue" on the mobile browser and input the admin email. Then a prompt that an email would be sent to that email. There are no email server details set up, so I don't expect this email to be delivered to literally the admin email "a@b.com". I then went back to the PC browser to try to log in normally and am now getting the error:
    “Something went wrong!

    The operation failed with the following error:

    Could not verify the server key. The authentication failed.”
    – What did you expect instead?
    I expected to be presented with the admin login, and then be able to log in with the admin username and password on the mobile browser. I didn't expect to end up unable to log in at all.
    I’ve been using this setup for 3 months without a hitch, until I tried to login on a mobile browser.

    cron.log is empty, cron-error.log is empty, cli-debug.log just has:
    info: {"message":"Email digest sender command","sent":0,"failed":0,"pending":0,"locked":0}

I don't think I need to change anything internally in the Docker container, so I'm not sure what happened.
Thank you for your help

Hello Lunar5202, I hope you are doing well.

Could you please answer these questions first:
Which OS are you using on your mobile (Android, iOS)?
Have you downloaded the mobile app?

The browser extension is not enabled on the mobile app. You need to install the app and use the QR code provided by the browser extension to transfer your GPG keys. You can follow the procedure described in this documentation.

I hope this helps. Please feel free to contact me if you have any problems.

Android, Firefox browser.

I'm not using the mobile app. I just tried to go to the admin page in a browser, like I would on a PC.
Now I can't log in from any browser.

G’day Lunar,

The mobile browser login attempt didn’t cause this. Passbolt without the browser extension will always prompt for an email. That’s the account recovery/setup flow, not a standard login.

The real issue is in your healthcheck. Your GPG keyring is out of sync with the key files on disk:

[FAIL] The server key fingerprint doesn't match the one defined in passbolt.php
[FAIL] The server public key defined in passbolt.php is not in the keyring
[FAIL] The private key cannot be used to decrypt a message

The key files exist (serverkey_private.asc is readable), but they haven’t been imported into the GPG keyring at /var/lib/passbolt/.gnupg. This typically happens when a Docker container is recreated. The keyring is ephemeral unless it’s on a persistent volume. Given you’re on TrueNAS, a recent update may have recreated the container.

To re-import the key into the keyring, run this inside the passbolt container:

su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data

Then run the healthcheck again. If you still see failures (particularly "The server key does not have a valid email id"), the server key itself may need to be regenerated. Let us know what the healthcheck shows after the import and we can go from there.

One thing to check: is /var/lib/passbolt/.gnupg mapped to a persistent volume in your Docker Compose config? If not, every container restart will wipe the keyring and you’ll hit this again.

Cheers,
Gareth

Thanks, I don't think it worked. The volume is persistent so it shouldn't be killed during updates.

/bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
gpg: key 165DB69E912A53A0: "Passbolt default user passbolt@yourdomain.com" not changed
gpg: key 165DB69E912A53A0: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1

Healthcheck shell

If you want to have more information about the different checks, please take a look at the documentation: https://www.passbolt.com/docs/admin/server-maintenance/passbolt-api-status/…

Environment

[INFO] Linux 39b12e6df0d6 6.12.15-production+truenas #1 SMP PREEMPT_DYNAMIC Wed Oct 29 14:40:06 UTC 2025 x86_64 GNU/Linux
[PASS] PHP version 8.4.16.
[PASS] PHP version is 8.2 or above.
[PASS] 64-bit architecture system detected.
[INFO] gpg (GnuPG) 2.4.7 / libgcrypt 1.11.0
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory /var/log/passbolt/ and its content are writable.
[WARN] System clock and NTP service information cannot be found.
[HELP] See timedatectl | grep -i -A 1 clock. More information: https://www.passbolt.com/docs/hosting/configure/ntp/

Config files

[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config

[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to http://192.168.50.50:30097
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates.
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate.

SMTP settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[WARN] The SMTP Settings source is: env variables.
[HELP] It is recommended to set the SMTP Settings in the database through the administration section.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled.
[FAIL] The /etc/passbolt/jwt/ directory should not be writable.
[HELP] You can try:
[HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
[HELP] sudo chmod 750 /etc/passbolt/jwt/
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
[PASS] A valid JWT key pair was found.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[FAIL] The server OpenPGP key is not set.
[HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[FAIL] The server key fingerprint doesn’t match the one defined in /etc/passbolt/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
[FAIL] The server key does not have a valid email id.
[HELP] Edit or generate another key with a valid email id.
[FAIL] The private key cannot be used to decrypt a message
[FAIL] The private key cannot be used to decrypt and verify a message
[FAIL] The public key cannot be used to verify a signature.

Application configuration

[PASS] Using latest passbolt version (5.9.0).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[FAIL] App.fullBaseUrl is not set to HTTPS.
[HELP] Check App.fullBaseUrl url scheme in /etc/passbolt/passbolt.php.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema is up to date.

Database

[PASS] The application is able to connect to the database
[PASS] 35 tables found.
[PASS] Some default content is present.
[PASS] The database version is supported.

Metadata

[FAIL] Unable to decrypt the metadata private key data. The config for the server private key fingerprint is not available or incomplete.
[PASS] Active metadata key found or not required.
[PASS] The server has access to the metadata keys or does not require access to it.
[FAIL] The server metadata private key is not valid. Unable to decrypt the metadata private key (id: 337a1466-09ac-4eaa-95a1-d5b2794be966) data. The config for the server private key fingerprint is not available or incomplete.

[FAIL] 12 error(s) found. Hang in there!

G’day Lunar,

The import output is the giveaway here:

gpg: key 165DB69E912A53A0: "Passbolt default user passbolt@yourdomain.com" not changed

That’s an auto-generated key created on first startup using default values (because PASSBOLT_KEY_EMAIL wasn’t set). The key was already in the keyring and it’s the same key that’s been working for 3 months. The problem is that the configured fingerprint doesn’t match it.

You need to compare the two. Run this inside the container:

gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg

Then check what PASSBOLT_GPG_SERVER_KEY_FINGERPRINT is set to in your docker-compose.yml (or however TrueNAS exposes the environment config).

If the fingerprints don’t match, something changed the configured value. Since you’re on TrueNAS, an app update may have reset or overridden that environment variable while the keyring on the persistent volume stayed the same.

Can you share both values so we can confirm?

Also to clarify on the mobile browser behaviour, passbolt requires the browser extension to log in. Without it, any browser will show the email/recovery flow rather than the passphrase prompt. That’s expected, not a sign something broke.

Cheers,
Gareth
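An added diagnostic script, written for this thread and not part of passbolt's own tooling, that does the comparison described above in one go: it lists the primary-key fingerprints in the webserver user's keyring, reads the fingerprint of the private key file on disk, and checks both against PASSBOLT_GPG_SERVER_KEY_FINGERPRINT. The default paths are the ones shown in the healthcheck output; the PASSBOLT_GPG_SERVER_KEY_PRIVATE override is assumed from passbolt's environment reference and does not appear in this thread. The keyring listing inside sample_keyring_colons is a constructed sample with made-up fingerprints, used only to exercise the parser offline; pass the argument run to check the live keyring.

```bash
#!/usr/bin/env bash
# Added diagnostic for a passbolt server-key fingerprint mismatch (not passbolt's own tooling).
# Three things must agree for authentication to work:
#   1. the primary-key fingerprints in the webserver user's keyring (GNUPGHOME),
#   2. the fingerprint of the private key file passbolt is told to load,
#   3. the fingerprint passbolt is configured with (PASSBOLT_GPG_SERVER_KEY_FINGERPRINT).
# Defaults are the paths from the healthcheck; PASSBOLT_GPG_SERVER_KEY_PRIVATE is an assumed override.
set -u

GNUPGHOME_DIR="${GNUPGHOME:-/var/lib/passbolt/.gnupg}"
SERVER_KEY_FILE="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-/etc/passbolt/gpg/serverkey_private.asc}"

# Extract primary-key fingerprints from `gpg --with-colons` output on stdin.
# A "pub"/"sec" record is followed by an "fpr" record whose 10th field is the
# fingerprint; "fpr" records that follow "sub"/"ssb" (subkeys) are skipped.
primary_fingerprints() {
  awk -F: '
    $1 == "pub" || $1 == "sec" { want = 1; next }
    $1 == "sub" || $1 == "ssb" { want = 0; next }
    $1 == "fpr" && want       { print toupper($10); want = 0 }
  '
}

# Normalise a fingerprint as an admin might type it: drop spaces, upper-case.
normalise_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Succeed if fingerprint $1 is one of the newline-separated fingerprints in $2.
fpr_in_list() {
  local needle
  needle="$(normalise_fpr "$1")"
  [ -n "$needle" ] || return 1
  printf '%s\n' "$2" | grep -qx -- "$needle"
}

# Constructed sample of `gpg --list-keys --with-colons` output: two primary keys,
# each with one encryption subkey. Fingerprints are made up for the offline test.
sample_keyring_colons() {
  cat <<'EOF'
tru::1:1700000000:0:3:1:5
pub:u:3072:1:1111111111111111:1700000000::-:::scESC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC33331111111111111111:
uid:u::::1700000000::DEADBEEF::Passbolt default user <passbolt@yourdomain.com>::::::::::0:
sub:u:3072:1:2222222222222222:1700000000::::::e::::::23:
fpr:::::::::EEEE5555FFFF6666000077772222222222222222:
pub:u:3072:1:3333333333333333:1700000000::-:::scESC::::::23::0:
fpr:::::::::9999AAAA8888BBBB7777CCCC3333333333333333:
uid:u::::1700000000::CAFEBABE::a b <a@b.com>::::::::::0:
sub:u:3072:1:4444444444444444:1700000000::::::e::::::23:
fpr:::::::::5555EEEE4444FFFF333300004444444444444444:
EOF
}

# Live check: only meaningful inside the passbolt container, run as the webserver user.
check_server_key() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not found in PATH"; return 2; }
  local keyring_fprs file_fpr configured rc
  keyring_fprs="$(gpg --homedir "$GNUPGHOME_DIR" --list-keys --with-colons 2>/dev/null | primary_fingerprints)"
  file_fpr="$(gpg --show-keys --with-colons "$SERVER_KEY_FILE" 2>/dev/null | primary_fingerprints | head -n 1)"
  configured="$(normalise_fpr "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT:-}")"

  echo "keyring ($GNUPGHOME_DIR):"
  printf '%s\n' "$keyring_fprs" | sed 's/^/  /'
  echo "key file ($SERVER_KEY_FILE): ${file_fpr:-<none>}"
  echo "configured PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: ${configured:-<unset>}"

  rc=0
  if [ -z "$configured" ]; then
    echo "FAIL: PASSBOLT_GPG_SERVER_KEY_FINGERPRINT is not set"; rc=1
  elif ! fpr_in_list "$configured" "$keyring_fprs"; then
    echo "FAIL: configured fingerprint is not in the keyring"; rc=1
  fi
  if [ -z "$file_fpr" ]; then
    echo "FAIL: could not read a key from $SERVER_KEY_FILE"; rc=1
  elif ! fpr_in_list "$file_fpr" "$keyring_fprs"; then
    echo "FAIL: key file is not imported into the keyring (re-import it as the webserver user)"; rc=1
  elif [ -n "$configured" ] && [ "$configured" != "$file_fpr" ]; then
    echo "FAIL: configured fingerprint and key file point at different keys"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: configured fingerprint, key file and keyring agree"
  return "$rc"
}

case "${1:-}" in
  run) check_server_key ;;
esac
```

Run it inside the container as the webserver user, for example `su -s /bin/bash -c "bash check-server-key.sh run" www-data`, so it reads the same GNUPGHOME passbolt uses. "key file is not imported" is the re-import case from earlier in the thread; "configured fingerprint and key file point at different keys" means the environment variable names a different key than the one passbolt was told to load from disk, and one of the two has to change.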

gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg

/var/lib/passbolt/.gnupg/pubring.kbx

pub rsa3072 2025-08-12 [SC]
~ 53A0
uid [ unknown] Passbolt default user passbolt@yourdomain.com
sub rsa3072 2025-08-12 [E]

pub rsa3072 2025-08-12 [SC]
~ E33F
uid [ unknown] a b a@b.com
sub rsa3072 2025-08-12 [E]

There is no option to set PASSBOLT_KEY_EMAIL or PASSBOLT_GPG_SERVER_KEY_FINGERPRINT in the setup form. I don't remember having to enter those environment vars during setup. TrueNAS apps hide the docker-compose.yml.


There are two keys in your keyring:

Passbolt is configured to use one of these fingerprints, but authenticating against the other. That’s the mismatch.

Since TrueNAS hides the docker-compose.yml, you are going to need to work out how to set the environment variable PASSBOLT_GPG_SERVER_KEY_FINGERPRINT:
https://www.passbolt.com/docs/hosting/configure/environment-reference/#gpg-server-key-configuration

I’m not familiar with TrueNAS so you will need to work out how that should be done within their ecosystem.

Cheers,
Gareth

Is there a way to remove the default keyring? Maybe it will revert to the new user? I don’t think the var was set before. Is there another way for it to find the key without setting that variable?

I've set that var with the correct fingerprint for that user in the gpgkeys table.

Healthcheck shell

If you want to have more information about the different checks, please take a look at the documentation: https://www.passbolt.com/docs/admin/server-maintenance/passbolt-api-status/…

Environment

[INFO] Linux ae8206ec297d 6.12.15-production+truenas #1 SMP PREEMPT_DYNAMIC Wed Oct 29 14:40:06 UTC 2025 x86_64 GNU/Linux
[PASS] PHP version 8.4.16.
[PASS] PHP version is 8.2 or above.
[PASS] 64-bit architecture system detected.
[INFO] gpg (GnuPG) 2.4.7 / libgcrypt 1.11.0
[PASS] PCRE compiled with unicode support.
[PASS] Mbstring extension is installed.
[PASS] Intl extension is installed.
[PASS] GD or Imagick extension is installed.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory /var/log/passbolt/ and its content are writable.
[WARN] System clock and NTP service information cannot be found.
[HELP] See timedatectl | grep -i -A 1 clock. More information: https://www.passbolt.com/docs/hosting/configure/ntp/

Config files

[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config

[PASS] Cache is working.
[PASS] Debug mode is off.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to http://192.168.50.50:30097
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates.
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate.

SMTP settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[WARN] The SMTP Settings source is: env variables.
[HELP] It is recommended to set the SMTP Settings in the database through the administration section.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
[PASS] No custom SSL configuration for SMTP server.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled.
[FAIL] The /etc/passbolt/jwt/ directory should not be writable.
[HELP] You can try:
[HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
[HELP] sudo chmod 750 /etc/passbolt/jwt/
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
[HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
[PASS] A valid JWT key pair was found.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one.
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[FAIL] The server key fingerprint doesn’t match the one defined in /etc/passbolt/passbolt.php.
[HELP] Double check the key fingerprint, example:
[HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
[HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
[HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
[FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
[HELP] Import the private server key in the keyring of the webserver user.
[HELP] you can try:
[HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
[PASS] There is a valid email id defined for the server key.
[FAIL] The private key cannot be used to decrypt a message
[FAIL] The private key cannot be used to decrypt and verify a message
[FAIL] The public key cannot be used to verify a signature.

Application configuration

[PASS] Using latest passbolt version (5.9.0).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[FAIL] App.fullBaseUrl is not set to HTTPS.
[HELP] Check App.fullBaseUrl url scheme in /etc/passbolt/passbolt.php.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.
[PASS] The database schema is up to date.

Database

[PASS] The application is able to connect to the database
[PASS] 35 tables found.
[PASS] Some default content is present.
[PASS] The database version is supported.

Metadata

[FAIL] Unable to decrypt the metadata private key data. The OpenPGP server key defined in the config cannot be used to decrypt. There is an issue with the OpenPGP server key. The fingerprint does not match the one associated with the key on file.
[PASS] Active metadata key found or not required.
[PASS] The server has access to the metadata keys or does not require access to it.
[FAIL] The server metadata private key is not valid. Unable to decrypt the metadata private key (id: 337a1466-09ac-4eaa-95a1-d5b2794be966) data. The OpenPGP server key defined in the config cannot be used to decrypt. There is an issue with the OpenPGP server key. The fingerprint does not match the one associated with the key on file.

[FAIL] 10 error(s) found. Hang in there!

I don’t have /etc/passbolt/passbolt.php. Do you know where it might be in the docker file?

Hey Lunar.

The gpgkeys table stores user public keys, not the server key.
PASSBOLT_GPG_SERVER_KEY_FINGERPRINT needs to match the key in the server key file.

There is no use of passbolt.php in the docker image. PHP config is handled by environment variables in the docker image.

The documentation has the information you need.
https://www.passbolt.com/docs/hosting/configure/environment-reference/#configuration-methods-passboltphp-vs-environment-variables

Cheers,
Gareth
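The check Gareth describes (the configured fingerprint has to be the fingerprint of the primary key inside the server key file, and that key has to be present in the webserver user's keyring) can be scripted so it does not depend on reading the human-readable gpg listing by eye. The script below is an added example, not passbolt's own code and not from this thread. It parses gpg's machine-readable --with-colons records. The function names are mine; the default paths and the PASSBOLT_GPG_SERVER_KEY_FINGERPRINT, PASSBOLT_GPG_SERVER_KEY_PRIVATE and GNUPGHOME variables are the ones visible in the healthcheck and entrypoint above; the embedded sample records and their fingerprints are constructed placeholders, not real keys.

```shell
#!/usr/bin/env bash
# Added diagnostic helper, not part of passbolt or its docker image. It checks the
# two things the healthcheck fails on: whether the configured
# PASSBOLT_GPG_SERVER_KEY_FINGERPRINT matches the primary key in the server key
# file, and whether that key is present in the webserver user's keyring.
# Parsing uses gpg's --with-colons records, which are stable across gpg versions.

# Print the primary key fingerprint from "--with-colons" output read on stdin.
# The first "fpr" record after a "sec"/"pub" record is the primary key; "fpr"
# records after "ssb"/"sub" belong to subkeys and are skipped.
primary_fingerprint() {
  awk -F: '
    $1 == "sec" || $1 == "pub" { want = 1; next }
    $1 == "ssb" || $1 == "sub" { want = 0; next }
    want && $1 == "fpr"         { print $10; exit }
  '
}

# Print every fingerprint (primary and subkey) from "--with-colons" output on stdin.
all_fingerprints() {
  awk -F: '$1 == "fpr" { print $10 }'
}

# Normalise a fingerprint as an operator may have typed it: strip spaces, upper-case.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when $1 (configured fingerprint) equals the primary fingerprint found
# in $2 (the "--with-colons" listing of the key file).
fingerprint_matches_keyfile() {
  local want actual
  want=$(normalize_fpr "$1")
  actual=$(printf '%s\n' "$2" | primary_fingerprint)
  [ -n "$actual" ] && [ "$want" = "$actual" ]
}

# Return 0 when $1 (configured fingerprint) appears anywhere in $2 (the
# "--with-colons" listing of the keyring).
keyring_has_fingerprint() {
  local want
  want=$(normalize_fpr "$1")
  printf '%s\n' "$2" | all_fingerprints | grep -qx "$want"
}

# Constructed sample records (placeholder fingerprints, not real keys) in the
# shape gpg emits; real listings come from the commands in run_live_check.
SAMPLE_KEYFILE='sec:u:3072:1:0123456789ABCDEF:1755000000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE53A0:
uid:u::::1755000000::0000000000000000000000000000000000000000::Passbolt default user <passbolt@yourdomain.com>::::::::::0:
ssb:u:3072:1:FEDCBA9876543210:1755000000::::::e:::+:::23:
fpr:::::::::9999888877776666555544443333222211110000:'

SAMPLE_KEYRING='pub:u:3072:1:0123456789ABCDEF:1755000000:::u:::scESC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE53A0:
uid:u::::1755000000::0000000000000000000000000000000000000000::Passbolt default user <passbolt@yourdomain.com>::::::::::0:
sub:u:3072:1:FEDCBA9876543210:1755000000::::::e::::::23:
fpr:::::::::9999888877776666555544443333222211110000:'

# Live check inside a running container. Paths default to the docker image
# locations shown in the healthcheck and are overridable via the same variables.
run_live_check() {
  local keyfile="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-/etc/passbolt/gpg/serverkey_private.asc}"
  local home="${GNUPGHOME:-/var/lib/passbolt/.gnupg}"
  local configured="${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT:-}"
  local keyfile_listing keyring_listing
  keyfile_listing=$(gpg --batch --with-colons --show-keys "$keyfile") || return 2
  keyring_listing=$(gpg --batch --with-colons --homedir "$home" --list-keys) || return 2
  if ! fingerprint_matches_keyfile "$configured" "$keyfile_listing"; then
    echo "configured fingerprint does not match $keyfile (primary key there: $(printf '%s\n' "$keyfile_listing" | primary_fingerprint))"
    return 1
  fi
  if ! keyring_has_fingerprint "$configured" "$keyring_listing"; then
    echo "key $configured is not in keyring $home; import the key file into it"
    return 1
  fi
  echo "fingerprint matches the key file and the key is present in the keyring"
}

# Only talk to gpg when explicitly asked (./check.sh --live, run as www-data).
if [ "${1:-}" = "--live" ]; then
  run_live_check
fi
```

Run it as the webserver user (so GNUPGHOME resolves to the same keyring the application uses) with `--live`; a non-zero exit and the printed primary fingerprint tell you which of the two healthcheck failures you are looking at and the exact value PASSBOLT_GPG_SERVER_KEY_FINGERPRINT should carry.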

After setting that variable, it has been removed from the list. Is this expected?
gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg
/var/lib/passbolt/.gnupg/pubring.kbx

pub rsa3072 2025-08-12 [SC]
~ 53A0
uid [ unknown] Passbolt default user passbolt@yourdomain.com
sub rsa3072 2025-08-12 [E]

Sorry mate, I don’t have enough information to respond to your question.

Can you give greater detail? I’m having trouble understanding what changes you are making.

Cheers
Gareth

I set PASSBOLT_GPG_SERVER_KEY_FINGERPRINT to the a@b.com user’s fingerprint.
Now it is removed from the list of fingerprints.

If /var/lib/passbolt/.gnupg is a persistent volume and you restart the docker image it should still be there with any keys that were there before.

Either the path isn’t persistent or you removed the key?

Cheers
Gareth

It is persistent. It never got removed in other restarts I did today.

Should I just do:

https://www.passbolt.com/docs/hosting/faq/how-to-rotate-server-gpg-keys/#docker-installation

I’ve hit a maximum posts for the day sorry.
Is there a way to add the key back?

Or is there a way to make a new user? I’ve got a lot of passwords saved.

Possibly the entrypoint.sh is doing it:

#!/usr/bin/env bash

set -eo pipefail

passbolt_config="/etc/passbolt"
gpg_private_key="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-$passbolt_config/gpg/serverkey_private.asc}"
gpg_public_key="${PASSBOLT_GPG_SERVER_KEY_PUBLIC:-$passbolt_config/gpg/serverkey.asc}"

ssl_key='/etc/passbolt/certs/certificate.key'
ssl_cert='/etc/passbolt/certs/certificate.crt'

deprecation_message=""

subscription_key_file_paths=("/etc/passbolt/subscription_key.txt" "/etc/passbolt/license")

source $(dirname $0)/../passbolt/entrypoint-rootless.sh
source $(dirname $0)/../passbolt/env.sh
source $(dirname $0)/../passbolt/deprecated_paths.sh

manage_docker_env

check_deprecated_paths

# A new server key pair is generated only when one of the key files is missing;
# in both branches the key file is then imported into the keyring.
if [ ! -f "$gpg_private_key" ] ||
   [ ! -f "$gpg_public_key" ]; then
    gpg_gen_key
    gpg_import_key
else
    gpg_import_key
fi

if [ ! -f "$ssl_key" ] && [ ! -L "$ssl_key" ] &&
   [ ! -f "$ssl_cert" ] && [ ! -L "$ssl_cert" ]; then
    gen_ssl_cert
fi

install

echo -e "$deprecation_message"

declare -p | grep -Ev 'BASHOPTS|BASH_VERSINFO|EUID|PPID|SHELLOPTS|UID' >/etc/environment

exec /usr/bin/supervisord -n

Removed in the sense that they don’t show up when this is executed; they did a few hours ago, in a previous post that you pointed out:
gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg

Now executing:

gpg --show-keys /etc/passbolt/gpg/serverkey_private.asc
sec rsa3072 2025-08-12 [SC]
..............53A0
uid Passbolt default user <passbolt@yourdomain.com>
ssb rsa3072 2025-08-12 [E]

If it was persistent then it should still exist. Sorry, not sure what else to say about that.

gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg
/var/lib/passbolt/.gnupg/pubring.kbx

pub rsa3072 2025-08-12 [SC]
~ 53A0
uid [ unknown] Passbolt default user passbolt@yourdomain.com
sub rsa3072 2025-08-12 [E]

pub rsa3072 2025-08-12 [SC]
~ E33F
uid [ unknown] a b a@b.com
sub rsa3072 2025-08-12 [E]

Hey Lunar,

Can you clarify what you mean by “removed from the list of fingerprints”? Did the key disappear from the keyring, or somewhere else?

Also, can you share the output of:

gpg --show-keys /etc/passbolt/gpg/serverkey_private.asc

That will tell us definitively which key the fingerprint needs to match.

Cheers,
Gareth