Something broke after updating to v5.4.1

I have been using passbolt for a couple of years now without any issues, i updated to v5.4.1 and a converted all the passwords to the new encrypted metadata. After a couple of days, the passwords no longer show up in the dashboard. Passbolt health check passes.

I do get errors in the console log.

Notice that there is only 7 passwords showing, when i have 700+

Passbolt health check:

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
 If you want to have more information about the different checks, please take a look at the documentation: https://www.passbolt.com/docs/admin/server-maintenance/passbolt-api-status/
-------------------------------------------------------------------------------

 Environment

 [INFO] Linux vault 6.8.12-11-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-11 (2025-05-22T09:39Z) x86_64 GNU/Linux
 [PASS] PHP version 8.2.29.
 [PASS] PHP version is 8.2 or above.
 [PASS] 64-bit architecture system detected.
 [INFO] gpg (GnuPG) 2.2.40 / libgcrypt 1.10.1
 [PASS] PCRE compiled with unicode support.
 [PASS] Mbstring extension is installed.
 [PASS] Intl extension is installed.
 [PASS] GD or Imagick extension is installed.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory /var/log/passbolt/ and its content are writable.
 [PASS] System clock is synchronized.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Cache is working.
 [PASS] Debug mode is off.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://domain_name.censored
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates.
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate.

 SMTP settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.
 [PASS] The SMTP Settings plugin endpoints are disabled.
 [PASS] No custom SSL configuration for SMTP server.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled.
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one.
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (5.4.1).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [PASS] Host availability will be checked.
 [PASS] Serving the compiled version of the javascript app.
 [PASS] All email notifications will be sent.
 [PASS] The database schema is up to date.

 Database

 [PASS] The application is able to connect to the database
 [PASS] 34 tables found.
 [PASS] Some default content is present.

 Metadata

 [PASS] The server is able to decrypt the metadata private key.
 [PASS] Active metadata key found or not required.
 [PASS] The server has access to the metadata keys or does not require access to it.
 [PASS] The server metadata private key is valid.

 [PASS] No error found. Nice one, sparky!

Anyone know what could be the issue ?

Hi @LostAndFound ,

Sorry that this is happening to you,
Would you be able to share with us the result of the datacheck command, please?

sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt datacheck" www-data

This would give us a good overview of whether or not there’s anything wrong with your resources cryptographically.

Finally, would you please be able to check if you have the same issue on a different browser, like Edge and Firefox (as Edge is also on 5.4.1 as well but Firefox is still on 5.4.0), please?

Thank you in advance,
Best regards,
Louis

Hello @louis,

here are the results from the datacheck

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
Data check shell
[PASS] Data integrity for AuthenticationTokens.
  [PASS] Can validate: 3295/3295
[PASS] Data integrity for Comments.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Favorites.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Gpgkeys.
  [PASS] Can encrypt: 2/2
    [PASS] Encryption success for key __censored__
    [PASS] Encryption success for key __censored__
  [PASS] Pass validation service checks: 2/2
    [PASS] Validation success for key __censored__
    [PASS] Validation success for key __censored__
  [PASS] Entity data and armored key data matches: 2/2
    [PASS] Validation success for key __censored__
    [PASS] Validation success for key __censored__
  [PASS] Is not expired: 2/2
    [PASS] Expiration date valid for key __censored__.
    [PASS] Expiration date valid for key __censored__.
  [PASS] Is armored key format valid: 2/2
    [PASS] Armored key format valid for key __censored__ dev@domain.censored
    [PASS] Armored key format valid for key __censored__ user@domain.censored
[PASS] Data integrity for Groups.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Profiles.
  [PASS] Can validate: 8/8
[PASS] Data integrity for Resources.
  [PASS] Can validate: 796/796
[PASS] Data integrity for Secrets.
  [PASS] Can validate: 763/763
[PASS] Data integrity for Users.
  [PASS] Can validate: 2/2
    [PASS] Validation success for user __censored__
    [PASS] Validation success for user __censored__

from the uncensored results all the results pass.

I tried it using Firefox and i get the same results, only 7 show.

From the looks of things, everything looks fine but simply does not show in the gui.

is there a way for me to create a an export using the terminal for all the passwords in clear text into keepass, i need access to them.

Hi @LostAndFound,

Thank you for your reply,

Unfortunately, E2EE of resource metadata is still in beta on our passbolt-cli client, you can try using it but you’d need to compile it yourself: https://github.com/passbolt/go-passbolt-cli/tree/v0.4.0-beta.2

We would need the browser extension’s network logs reproducing it. These can be obtained following our guide here: https://www.passbolt.com/docs/hosting/troubleshooting/logs/#browser-extension

Would you also be able to provide a screenshot of the console errors you shared earlier, but with the verbose console logging enabled and details elements expanded, just like so:

This would show the following error format:

On which you can then expand the details part and the different fields/parts that are causing this issue (here the uris field in my screenshot).

In order to keep these logs confidential and to get faster replies from us, would you be able to share those by e-mail to contact@passbolt.com, adding in the e-mail body that Louis sent you, with a link to this reply/thread, please?

Thank you in advance,
Best regards,
Louis

I tried exporting using the cli and i get this error

Command: passbolt export keepass -f export.kdbx -p ‘123456789’

  Skipping Export of Resource ffa43xxxxxxx3312  Because of: Get Resource ffa4xxxxxxxxx53312: Validate Secret Data: Compiling Json Schema: "file:///Users/username/Downloads/secret.json#" is not valid against metaschema: jsonschema validation failed with 'https://json-schema.org/draft/2020-12/schema#'
- at '': 'allOf' failed
  - at '/properties/custom_fields': 'allOf' failed
    - at '/properties/custom_fields/properties/items': 'allOf' failed
      - at '/properties/custom_fields/properties/items/items': 'allOf' failed
        - at '/properties/custom_fields/properties/items/items/properties/secret_key': got array, want boolean or object
Decryping Resources [762/762] ████████████████████████████████████████ 100% | 2s

the file gets created but its 1kb and with nothing inside of it.

I added the verbose to the console log and here is the errors, i dont see the full error though

I will send this to the contact email and attach the thread plus the .har file from the network log