Metadata Private Key Error After Upgrading to Passbolt 5.x – Healthcheck Fails

Hi team,

After upgrading from Passbolt 4.x to 5.x, we’re encountering a healthcheck failure, and we’re unsure how to resolve it. Below are the steps we followed and the error message we’re getting:

Commands used:

sudo apt --only-upgrade install passbolt-ce-server=5.1.0-1  
sudo apt --only-upgrade install passbolt-ce-server=5.0.0-1  
sudo apt --only-upgrade install passbolt-ce-server=4.12.1-1  
sudo apt --only-upgrade install passbolt-ce-server=4.12.0-1

Healthcheck output:

[FAIL] No server metadata private key found. Record not found in table `metadata_private_keys`.
[FAIL] 3 error(s) found. Hang in there!

Database check:


MariaDB [passboltdata]> select * from metadata_private_keys;
Empty set (0.000 sec)

We’re not sure what this means or how to regenerate or fix the missing key. This issue didn’t happen prior to the 5.x upgrade.

Any help or guidance on how to fix this would be really appreciated.

Thanks in advance!

Please let me know if anyone has any suggestions or if there’s anything I should cross-check to help fix this.
Thanks in advance!

Hi, I had a similar problem when upgrading Passbolt from version 5.0.0 to 5.1.0.
I checked with the command:

sudo -u www-data /usr/share/php/passbolt/bin/cake passbolt healthcheck

I get this output:

[FAIL] No server metadata private key found.
[FAIL] 1 error(s) found. Hang in there!

Hi. To make the error disappear you need to go to the passbolt web interface and there in the organization settings generate everything you need, etc.


Great!! @ilyaM — following your steps fixed the issue! :tada:
Thank you so much for your help :folded_hands:

Steps followed:

  1. Logged into the Passbolt web UI as an administrator
  2. Navigated to Admin → Organization Settings
  3. Located the Metadata Key / Integration Settings / OpenID Metadata section (name may vary by version)
  4. Clicked “Generate Metadata Private Key”
  5. Followed the on-screen instructions

This successfully generated and stored the key in the metadata_private_keys table, and the error is now resolved. :+1:

Hello there, it’s not a blocker to have a metadata private key unless you are using the encrypted metadata feature (enabled by default with v5.1); Passbolt will function as normal with this error if E2EE metadata is disabled. More info on that here: https://www.passbolt.com/blog/the-road-to-passbolt-v5-encrypted-metadata-and-other-core-security-changes-2

Hi, I’m upgrading the CE from version 4.9 to 5.1 and I have the same issue.
How can I generate the metadata key?
Passbolt doesn’t start and I can’t use the UI described in the previous messages.

I think you have a different problem. This error in the healthcheck shouldn’t prevent Passbolt from starting. This error will be transformed into a warning in the next release, as it is not mandatory for now to have encrypted metadata enabled.

Best you open a new thread with information about your environment, error logs, etc. so that we can help you

As Ishan wrote:

seem mandatory now.

So now I’m upgrading from 4.9 to 5.0, activating the encrypted metadata and afterwards upgrading to 5.1.
Passbolt doesn’t start because it is looking for the key, which isn’t in the database.
I’ll get back to you if everything is resolved, or I’ll open a new thread if I have some trouble.

Although the health-check is failing, the metadata key is required only when creation of content type with encrypted metadata is enabled. We’ll drop the error message to reflect the organisation’s settings. For now, don’t worry about it.

Internal ticket reference: PB-42800