Checklist
I have read intro post: https://community.passbolt.com/t/about-the-installation-issues-category/12
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue
Environment:
- Passbolt CE 5.10.0-2 non-root (Kubernetes, Helm chart)
- Traefik v3 ingress controller with TLS termination
- MariaDB 11.8.5, Redis 8.4.1
- Tested on Chrome and Firefox (latest browser extension versions)
Steps to reproduce:
- Fresh install of Passbolt CE via Helm chart on Kubernetes
- Create first admin user via CLI (cake passbolt register_user)
- Complete account setup in browser with Passbolt extension
- Navigate to Organisation settings > Resource types > Getting started > Enable encrypted metadata and new resource types (recommended)
- Attempt to enable metadata encryption
- Error appears immediately
Issue:
Upon logging in and setting the passphrase for the admin user, an error about being unable to enable encryption for metadata is displayed, along with a recommendation to enable it in the Admin settings. However, enabling metadata encryption from Organisation settings > Resource types > Getting started > Enable encrypted metadata and new resource types (recommended) > Save failed and returned the error below:
{
"code": 400,
"body": {
"armored_key": {
"isPublicKeyValidStrict": "The armored key is not valid."
}
}
}
The error occurs when the browser extension submits the metadata PGP key to the API. It reproduces on both Chrome and Firefox with the latest extension versions.
Server-side checks all pass:
kubectl exec -it -n <passbolt-namespace> <passbolt-pod-name> -- \
/usr/share/php/passbolt/bin/cake passbolt healthcheck --gpg
Defaulted container "passbolt" out of: passbolt, <passbolt-pod-name>-init (init)
____ __ ____
/ __ \____ _____ ____/ /_ ____ / / /_
/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /
/_/ \__,_/____/____/_.___/\____/_/\__/
Open source password manager for teams
-------------------------------------------------------------------------------
Healthcheck shell
If you want to have more information about the different checks, please take a look at the documentation: https://www.passbolt.com/docs/admin/server-maintenance/passbolt-api-status/..
-------------------------------------------------------------------------------
GPG Configuration
[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one.
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.
[PASS] No error found. Nice one, sparky!
kubectl exec -it -n <passbolt-namespace> <passbolt-pod-name> -- \
/usr/share/php/passbolt/bin/cake passbolt healthcheck --metadata
Defaulted container "passbolt" out of: passbolt, <passbolt-pod-name>-init (init)
Metadata
[PASS] The server is able to decrypt the metadata private key.
[PASS] Active metadata key found or not required.
[PASS] The server has access to the metadata keys or does not require access to it.
[PASS] The server metadata private key is valid.
[PASS] No error found. Nice one, sparky!
GPG key details: RSA 3072/4096, Gopengpg compatible format.
Troubleshooting steps taken:
- Verified GPG keyring permissions (all owned by www-data, UID 33)
- Confirmed GPG fingerprint matches via healthcheck --gpg
- Completely nuked the namespace, PVCs, secrets, and reinstalled from scratch: same error
- Tested on both Passbolt CE 5.9.0-1 and 5.10.0-2 non-root: same error on both
- Reproduced on both Chrome and Firefox with latest browser extensions
- Verified network policies allow all required egress (SMTP, HTTPS, DNS confirmed working)
- Tested with and without Traefik stripping X-Gpgauth-Debug and X-Gpgauth-Error response headers
- Confirmed metadata_keys database table is empty (no corrupt entry from a prior failed attempt)
Note: Metadata encryption was successfully enabled on a separate 5.9.0 CE non-root Kubernetes instance set up about a month ago with an older passbolt browser extension version (5.10.4). Could this issue be tied to the recent browser extension update (5.11.0)?
I'd appreciate any assistance or guidance. Thank you.
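Added example, not part of the post above and not passbolt's own code: the API rejects the submitted blob with "The armored key is not valid", so a first question is whether the armored block the extension sends is even well-formed before the key material inside is considered. The script below does an offline check of an ASCII-armored OpenPGP public key block: BEGIN/END framing, base64 body, the RFC 4880 CRC-24 checksum, and the tag of the first packet (it must be a public-key packet, tag 6, never a secret-key packet, tag 5). Passbolt's isPublicKeyValidStrict rule does more than this, so passing here does not guarantee the API will accept the key; a failure here does show the blob is broken at the armor level. The sample packet bytes are a constructed placeholder, not a real key, and the function and constant names are this example's own.

```python
"""Offline sanity check of an OpenPGP ASCII-armored public key block.

Added example (not passbolt code). Covers armor framing (RFC 4880 s6.2),
base64 body, CRC-24 (RFC 4880 s6.1) and the first packet's tag.
"""
import base64
import binascii
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

TAG_SECRET_KEY = 5   # a private key must never be submitted as metadata public key
TAG_PUBLIC_KEY = 6


def crc24(data: bytes) -> int:
    """CRC-24 as used for OpenPGP armor checksums (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_public_key(packets: bytes) -> str:
    """Wrap raw packet bytes in a public-key armor block with a valid CRC line."""
    body = base64.b64encode(packets).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    return "\n".join([BEGIN, "", *lines, "=" + crc, END, ""])


def first_packet_tag(packets: bytes) -> int:
    """Return the tag of the first OpenPGP packet (old or new header format)."""
    if not packets or not packets[0] & 0x80:
        raise ValueError("first byte is not a packet header")
    ctb = packets[0]
    if ctb & 0x40:              # new format: tag is the low 6 bits
        return ctb & 0x3F
    return (ctb >> 2) & 0x0F    # old format: tag is bits 2-5


def check_armored_public_key(armored: str) -> dict:
    """Return a report dict; 'ok' is True only if every check passed."""
    report = {"ok": False, "reason": None, "tag": None}
    lines = armored.strip().splitlines()
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        report["reason"] = "missing or wrong BEGIN/END PGP PUBLIC KEY BLOCK lines"
        return report
    inner = lines[1:-1]
    # Armor headers (Version:, Comment:, ...) end at the first blank line.
    if "" not in inner:
        report["reason"] = "no blank line separating armor headers from body"
        return report
    body_lines = inner[inner.index("") + 1:]
    crc_line = None
    if body_lines and body_lines[-1].startswith("="):
        crc_line = body_lines.pop()   # optional "=XXXX" checksum line
    body = "".join(body_lines)
    if not body or not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", body):
        report["reason"] = "body is not base64"
        return report
    try:
        packets = base64.b64decode(body, validate=True)
    except binascii.Error:
        report["reason"] = "body is not valid base64"
        return report
    if crc_line is not None:
        try:
            expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
        except binascii.Error:
            report["reason"] = "CRC line is not base64"
            return report
        if expected != crc24(packets):
            report["reason"] = "CRC-24 mismatch (armor was altered or truncated)"
            return report
    try:
        tag = first_packet_tag(packets)
    except ValueError as exc:
        report["reason"] = str(exc)
        return report
    report["tag"] = tag
    if tag == TAG_SECRET_KEY:
        report["reason"] = "first packet is a secret key, not a public key"
        return report
    if tag != TAG_PUBLIC_KEY:
        report["reason"] = f"first packet tag {tag} is not a public key packet"
        return report
    report["ok"] = True
    return report


# Constructed sample: a placeholder new-format public-key packet (tag 6), not a real key.
SAMPLE_PACKETS = bytes([0xC6, 0x04, 0x04, 0x00, 0x00, 0x00])
SAMPLE_ARMOR = armor_public_key(SAMPLE_PACKETS)

if __name__ == "__main__":
    print(check_armored_public_key(SAMPLE_ARMOR))
```

To use it against a real submission, capture the armored_key value from the failing request in the browser's network tab and pass it to check_armored_public_key; a CRC-24 mismatch or a stray secret-key packet is a proxy or extension-side mangling problem, while a block that passes here and is still rejected points at the key's contents rather than its framing.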