Hello @richarson,
In the user management interface, you should see a button that lets you “share” the missing metadata key with the affected user. Can you please do that?
This might not fix the healthCheck issue. It only ensures the missing key is shared. If you don’t see any missing-key notice, perfect. I suggest changing the domain manually to resolve the healthCheck. Please take a snapshot of the machine beforehand and, if possible, perform the change in a dedicated test environment to avoid any production risk. This is important.
To start, retrieve the server key. You can copy the contents of /etc/passbolt/gpg/serverkey_private.asc into a dedicated file (e.g., /path/to/file.gpg). Then import it with:
gpg --import /path/to/file.gpg
To verify the key was imported, run:
gpg --list-key
If the key is present, proceed to the database. Connect to the database and run:
SELECT data FROM metadata_private_keys WHERE id = 'UUID';
- Replace UUID with the id that is failing on your healthCheck
- Copy the PGP message.
Disconnect from the database and create a file for this message, for example encrypted_message.gpg, and paste the content into it. Note: GPG is picky about indentation. Ensure the message starts with -----BEGIN PGP MESSAGE----- with no leading spaces.
To decrypt the message, run:
gpg --decrypt -o decrypted_message.txt encrypted_message.gpg
Then edit the decrypted JSON blob, especially the domain field. It should contain your old domain. Replace it with your new domain and save the file.
Now encrypt the updated content with the server key:
gpg --output reencrypted_message.txt --encrypt --armor --recipient SERVER_KEY_EMAIL decrypted_message.txt
- (Replace the placeholder with the email associated with the server key.)
Verify that reencrypted_message.txt contains a valid PGP message. If so, reconnect to your database and run:
UPDATE metadata_private_keys SET data = 'NEW_PGP_MESSAGE_CONTENT' WHERE id = 'UUID';
- Again, replace the UUID with the id that is failing on your healthCheck
If everything went well, disconnect from the database and run the healthCheck again. If the error is gone, delete all the files we created.
Otherwise, let us know!
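The two hand-editing steps in the post above (pasting the armored message without indentation, and changing the domain field in the decrypted JSON) can be checked with a small script. This is an added example, not part of the original post or of Passbolt's code. The helper names, the assumption that `domain` is a top-level JSON key, and all sample values are constructed for illustration.

```python
import json
import re

BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"

def normalize_armor(text):
    """Strip indentation left by a DB client and check the armor framing."""
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n")]
    while lines and not lines[0]:
        lines.pop(0)
    while lines and not lines[-1]:
        lines.pop()
    if not lines or lines[0] != BEGIN:
        raise ValueError("message must start with " + BEGIN)
    if lines[-1] != END:
        raise ValueError("message must end with " + END)
    if "" not in lines:
        raise ValueError("missing blank line after the armor header")
    body = lines[lines.index("") + 1:-1]
    if not body or not all(re.fullmatch(r"[A-Za-z0-9+/=]+", ln) for ln in body):
        raise ValueError("armor body is not base64")
    return "\n".join(lines) + "\n"

def replace_domain(blob, old, new):
    """Swap the domain only if the blob is valid JSON and holds the old value."""
    doc = json.loads(blob)
    if not isinstance(doc, dict) or "domain" not in doc:
        raise ValueError("no top-level 'domain' field (assumed layout)")
    if doc["domain"] == new:
        return blob  # already updated, leave untouched
    if doc["domain"] != old:
        raise ValueError("unexpected domain %r, refusing to edit" % doc["domain"])
    doc["domain"] = new
    return json.dumps(doc, ensure_ascii=False)

# Constructed samples: an indented paste and a minimal JSON blob.
SAMPLE_ARMOR = ("   " + BEGIN + "\r\n   \r\n   hQEMA0NvbnN0cnVjdGVk\r\n"
                "   =AbCd\r\n   " + END + "\r\n")
SAMPLE_JSON = '{"domain": "https://old.example.test", "note": "constructed"}'

if __name__ == "__main__":
    print(normalize_armor(SAMPLE_ARMOR), end="")
    print(replace_domain(SAMPLE_JSON, "https://old.example.test",
                         "https://new.example.test"))
```

Run the first function on the text copied from the database before saving encrypted_message.gpg, and the second on the contents of decrypted_message.txt before re-encrypting.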
