Error 400 - "armored_key": "The OpenPGP key can not be used to encrypt." [pubring.kbx file permissions]

I have read intro post:
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

– Server operating system name and version : Red Hat Enterprise Linux release 8.7 (Ootpa)

  • Web server name and version: nginx/1.14.1
    – Database server name and version: 10.3.35-MariaDB
    – Php version: 8.1.14
    – Passbolt version: 3.9.0

Status-report :

Open source password manager for teams

Passbolt PRO 3.9.0
Cakephp 4.3.7
Linux srv-passbolt-test01 4.18.0-425.10.1.el8_7.x86_64 #1 SMP Wed Dec 14 16:00:01 EST 2022 x86_64 x86_64 x86_64 GNU/Linux
PHP 8.1.14 (cli) (built: Jan 4 2023 06:45:14) (NTS gcc x86_64)
mysql Ver 15.1 Distrib 10.3.35-MariaDB, for Linux (x86_64) using readline 5.1
gpg (GnuPG) 2.2.20
libgcrypt 1.8.5
ERROR: /usr/share/php/passbolt/bin/ ligne 64: composer : commande introuvable

 ____                  __          ____
/ __ \____  _____ ____/ /_  ____  / / /_

/ // / __ `/ / / __ / __ / / _/
/ / // ( |
) /
/ / /
/ / / /
/ _

Open source password manager for teams

Healthcheck shell


[PASS] PHP version 8.1.14.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://xxx
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check https://
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate


[PASS] The application is able to connect to the database
[PASS] 46 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[FAIL] Could not connect to passbolt repository to check versions It is not possible check if your version is up to date.
[HELP] Check the network configuration to allow this script to check for updates.
[PASS] Passbolt is configured to force SSL use.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[PASS] All email notifications will be sent.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

SMTP Settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Or set to true in /etc/passbolt/passbolt.php.

[FAIL] 3 error(s) found. Hang in there!

 ____                  __          ____
/ __ \____  _____ ____/ /_  ____  / / /_

/ // / __ `/ / / __ / __ / / _/
/ / // ( |
) /
/ / /
/ / / /
/ _

Open source password manager for teams

Cleanup shell (dry-run)

No issue found, data looks squeaky clean!

 ____                  __          ____
/ __ \____  _____ ____/ /_  ____  / / /_

/ // / __ `/ / / __ / __ / / _/
/ / // ( |
) /
/ / /
/ / / /
/ _

Open source password manager for teams

Data check shell
[PASS] Data integrity for AuthenticationTokens.
[PASS] Can validate: 23/23
[PASS] Data integrity for Comments.
[PASS] Can validate: 0/0
[PASS] Data integrity for Favorites.
[PASS] Can validate: 0/0
[PASS] Data integrity for Gpgkeys.
[PASS] Can encrypt: 4/4
[PASS] Pass validation service checks: 4/4
[PASS] Entity data and armored key data matches: 4/4
[PASS] Is not expired: 4/4
[PASS] Is armored key format valid: 4/4
[PASS] Data integrity for Groups.
[PASS] Can validate: 5/5
[PASS] Data integrity for Profiles.
[PASS] Can validate: 8/8
[PASS] Data integrity for Resources.
[PASS] Can validate: 152/152
[PASS] Data integrity for Secrets.
[PASS] Can validate: 380/380
[PASS] Data integrity for Users.
[PASS] Can validate: 8/8

Hi everyone,

I created my server and could create my accounts just after this.

When I tried to create another one the day after, I’ve encountered this error.

After many searches, I think it’s because of the time but I can’t find any solution.
When I mde my healthceck and status-report, it appears there is 1 hour delay between my server and the time on the log.

When I check my timedate :

  •           Local time: lun. 2023-01-23 10:51:19 CET*
  •       Universal time: lun. 2023-01-23 09:51:19 UTC*
  •             RTC time: lun. 2023-01-23 09:51:19*
  •            Time zone: Europe/Paris (CET, +0100)*

System clock synchronized: no

  •          NTP service: active*
  •      RTC in local TZ: no*

And when I do a chronyc tracking :
Reference ID : 7F7F0101 ()
Stratum : 10
Ref time (UTC) : Mon Jan 23 09:52:14 2023
System time : 0.000000065 seconds fast of NTP time
Last offset : +0.000000000 seconds
RMS offset : 0.000000000 seconds
Frequency : 0.092 ppm fast
Residual freq : +0.000 ppm
Skew : 0.000 ppm
Root delay : 0.000000000 seconds
Root dispersion : 0.000000000 seconds
Update interval : 0.0 seconds
Leap status : Normal

But when I retry to activate my account, the time is still 1 hour before.

I really appreciate your help,
Thank you

Hi @Cedric2 Welcome to the forum!

What you are showing on the server seems ok. But also check the client machine both for correct configuration and accuracy.

The following will cause problems due to the client machine being off:

  • inaccurate time due to needing an update, off by x seconds
  • incorrect time, for example the timezone is set to UTC but the time displayed is correct for the local time

Hi Garrett,

Thank you for your answer. When you are talking about the client, is it the machine (windows) I’m using ?

The thing is, what looks strange for me, is that I could activate my account (and my colleagues too) just after I finished setting up my server (the same machine for me) but not the second day. As if my passbolt server lost the synchronisation for the NTP.

I couldn’t activate my account is my computer was misconfigured.
Do you see what I mean ?

Hello @Cedric2

Since you are using Passbolt PRO, please contact us at, we will help you to fix this issue.

When I look at my server, timedatectl give me this :

           Local time: lun. 2023-01-23 14:51:48 CET
       Universal time: lun. 2023-01-23 13:51:48 UTC
             RTC time: lun. 2023-01-23 13:51:48
            Time zone: Europe/Paris (CET, +0100)

My computer have the same time as the local time, not the UTC.

Hi antony,

I do this in few minutes, thank you.

@Cedric2 Please post back the solution after resolving the issue with Pro support if you the time, thanks.

I’ll do :slight_smile:
Stay in touch :wink:


The problem is solved. There was a problem with the rights on pubring.kbx file.
You must change the owner for ngninx for RHEL (or www-data for debian based I guess).
I don’t know what caused this but now it’s working.

Thanks to Max and @antony for their help.