Migrating to new passbolt on Redhat 8, cannot import old 2048 keys

[ x] I have read intro post: About the Installation Issues category
[ x] I have read the tutorials, help and searched for similar issues
[X ] I provide relevant information about my server (component names and versions, etc.)
[ X] I provide a copy of my logs and healthcheck
[ X] I describe the steps I have taken to trouble shoot the problem
[X ] I describe the steps on how to reproduce the issue

I am trying to migrate a Passbolt 3.6.0 instance on Centos 7, to the latest Passbolt version on RedHat 8 following these instructions:

I imported the existing PGP key as part of the install process with no problems. However during the initial configuration of the server, when I try to import my private key from the old environment I get the following error:
An RSA key should have a length of 3072 bits minimum.

I have stopped the install/configure process at this point because all of the keys in our current environment are 2048 keys, and if we can’t use them in the new environment then there is no reason to continue with the migration.

The healthcheck for the new server complains about not using HTTPS, because I will not generate a new SSL key until I can get the migration to work:

 ____                  __          ____
/ __ \____  _____ ____/ /_  ____  / / /_

/ // / __ `/ / / __ / __ / / _/
/ / // ( |
) /
/ / /
/ / / /
/ _

Open source password manager for teams

Healthcheck shell


[PASS] PHP version 8.1.23.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[PASS] The passbolt config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[PASS] SSL peer certificate validates
[PASS] Hostname is matching in SSL certificate.
[PASS] Not using a self-signed certificate


[PASS] The application is able to connect to the database
[PASS] 32 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[PASS] Using latest passbolt version (4.2.0).
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[FAIL] App.fullBaseUrl is not set to HTTPS.
[HELP] Check App.fullBaseUrl url scheme in /etc/passbolt/passbolt.php.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

SMTP Settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[PASS] The SMTP Settings source is: database.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

[FAIL] 2 error(s) found. Hang in there!

Just to be clear it is the server key import that gave you an error correct?

If so you can always rotate that or in this case install with a new one. The downside here is some of your settings, such as the email server, won’t be configured correctly with the import so you’ll have to redo those.

It could be worth testing that to see if it gets you fully up and running even with the users having the older keys

I did not have any problems with the server key. The problem is when I try to import the user key for the first user.


Which step are you running into the issue on? Following the guide you posted there shouldn’t be a specific import for a first user as that’ll be in the database which gets moved over

In the migration guide it says to hit the URL after running the installer. The last step in the setup process is to create the initial user. When I try to import my key, it fails.

Should I do the migration steps before hitting the URL for the first time? If so, the migration guide should be updated.


It does look like the migration guide wording should be a bit more clear there, it gives that output about configuring but you aren’t supposed to configure it in the web browser at that point as the next step “Migrate data” has you move your config file and database backup into place

I was confused about that.
I will reset the system and do a clean install, without doing the configuration step, when I get back in the office on Thursday.

Thank you,