[GH-ISSUE #1296] Error running task internal.seal-document failed #366

Closed
opened 2026-02-26 18:46:41 +03:00 by kerem · 9 comments

Originally created by @hernanpc-pulppo on GitHub (Aug 22, 2024).
Original GitHub issue: https://github.com/documenso/documenso/issues/1296

Issue Description

I am self-hosting documenso using railway. I have changed the env variables to the public url and updated the SMTP transports and everything is working like a charm. However, whenever I sign a document, the document remains in "pending" state (and the user sees a "Waiting for others to sign" message):


If I check the logs, I see the following error:

```
Submitting job to endpoint: https://legal.pulppo.com/api/jobs/internal.seal-document/cm04uxati0011o857fob74tgn
[JOBS]: Triggering job internal.seal-document with payload {
  documentId: 3,
  requestMetadata: {
    ipAddress: '201.141.20.188',
    userAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36'
  }
}
[JOBS]: Job internal.seal-document failed g [BackgroundTaskFailedError]: Task failed
    at Object.runTask (/app/apps/web/.next/server/chunks/6993.js:1:17387)
    at async Object.handler (/app/apps/web/.next/server/chunks/6993.js:1:26407)
    at async /app/apps/web/.next/server/chunks/6993.js:1:15439
```


Any help will be deeply appreciated

Steps to Reproduce

Deploy documenso on railway, update env variables to use a valid SMTP transport, create an account, create a document with one signer, send the document and sign it. It never goes to a completed state.

Expected Behavior

The document should update to a completed state.

Current Behavior

No response

Screenshots (optional)

No response

Operating System [e.g., Windows 10]

OSX

Browser [e.g., Chrome, Firefox]

Chrome

Version [e.g., 2.0.1]

latest

Please check the boxes that apply to this issue report.

  • I have searched the existing issues to make sure this is not a duplicate.
  • I have provided steps to reproduce the issue.
  • I have included relevant environment information.
  • I have included any relevant screenshots.
  • I understand that this is a voluntary contribution and that there is no guarantee of resolution.
  • I want to work on creating a PR for this issue if approved

@github-actions[bot] commented on GitHub (Aug 22, 2024):

Thank you for opening your first issue and for being a part of the open signing revolution!

One of our team members will review it and get back to you as soon as possible 💚

Meanwhile, please feel free to hop into our community in [Discord](https://documen.so/discord)


@hernanpc-pulppo commented on GitHub (Aug 22, 2024):

Fixed, it was a `Failed to get private key bags` error, solved by generating the cert with the `-legacy` flag.

Congrats on the awesome product!


@jsbrain commented on GitHub (Sep 27, 2024):

The problem actually stems from setting an export password when creating the .p12 certificate or not. With an export password it does not work!


@philxws692 commented on GitHub (Oct 9, 2024):

Doesn't work for me either way, I already tried the `-legacy` flag and also the cert without an export password, still the same error, anyone any ideas?


@jsbrain commented on GitHub (Oct 10, 2024):

This is my compose file:

```yaml
services:
  documenso_postgres:
    image: postgres:15
    environment:
      - POSTGRES_USER=${POSTGRES_USER:?err}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?err}
      - POSTGRES_DB=${POSTGRES_DB:?err}
      - POSTGRES_HOST=${POSTGRES_HOST:?err}
      - POSTGRES_PORT=${POSTGRES_PORT:-5432}
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U ${POSTGRES_USER}']
      interval: 10s
      timeout: 5s
      retries: 5
    ports:
      - 51541:5432
    volumes:
      - documenso_postgres:/var/lib/postgresql/data

  documenso:
    user: ${PUID}:${PGID}
    image: documenso/documenso:v1.7.1-rc.3
    depends_on:
      documenso_postgres:
        condition: service_healthy
    environment:
      - PORT=${PORT:-3000}
      - NEXTAUTH_URL=${NEXTAUTH_URL:-${NEXT_PUBLIC_WEBAPP_URL}}
      - NEXTAUTH_SECRET=${NEXTAUTH_SECRET:?err}
      - NEXT_PRIVATE_ENCRYPTION_KEY=${NEXT_PRIVATE_ENCRYPTION_KEY:?err}
      - NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY=${NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY:?err}
      - NEXT_PRIVATE_GOOGLE_CLIENT_ID=${NEXT_PRIVATE_GOOGLE_CLIENT_ID}
      - NEXT_PRIVATE_GOOGLE_CLIENT_SECRET=${NEXT_PRIVATE_GOOGLE_CLIENT_SECRET}
      - NEXT_PUBLIC_WEBAPP_URL=${NEXT_PUBLIC_WEBAPP_URL:?err}
      - NEXT_PRIVATE_INTERNAL_WEBAPP_URL=${NEXT_PRIVATE_INTERNAL_WEBAPP_URL:-http://localhost:$PORT}
      - NEXT_PUBLIC_MARKETING_URL=${NEXT_PUBLIC_MARKETING_URL:-https://documenso.com}
      - NEXT_PRIVATE_DATABASE_URL=${NEXT_PRIVATE_DATABASE_URL:?err}
      - NEXT_PRIVATE_DIRECT_DATABASE_URL=${NEXT_PRIVATE_DIRECT_DATABASE_URL:-${NEXT_PRIVATE_DATABASE_URL}}
      - NEXT_PUBLIC_UPLOAD_TRANSPORT=${NEXT_PUBLIC_UPLOAD_TRANSPORT:-database}
      - NEXT_PRIVATE_UPLOAD_ENDPOINT=${NEXT_PRIVATE_UPLOAD_ENDPOINT}
      - NEXT_PRIVATE_UPLOAD_FORCE_PATH_STYLE=${NEXT_PRIVATE_UPLOAD_FORCE_PATH_STYLE}
      - NEXT_PRIVATE_UPLOAD_REGION=${NEXT_PRIVATE_UPLOAD_REGION}
      - NEXT_PRIVATE_UPLOAD_BUCKET=${NEXT_PRIVATE_UPLOAD_BUCKET}
      - NEXT_PRIVATE_UPLOAD_ACCESS_KEY_ID=${NEXT_PRIVATE_UPLOAD_ACCESS_KEY_ID}
      - NEXT_PRIVATE_UPLOAD_SECRET_ACCESS_KEY=${NEXT_PRIVATE_UPLOAD_SECRET_ACCESS_KEY}
      - NEXT_PRIVATE_SMTP_TRANSPORT=${NEXT_PRIVATE_SMTP_TRANSPORT:?err}
      - NEXT_PRIVATE_SMTP_HOST=${NEXT_PRIVATE_SMTP_HOST}
      - NEXT_PRIVATE_SMTP_PORT=${NEXT_PRIVATE_SMTP_PORT}
      - NEXT_PRIVATE_SMTP_USERNAME=${NEXT_PRIVATE_SMTP_USERNAME}
      - NEXT_PRIVATE_SMTP_PASSWORD=${NEXT_PRIVATE_SMTP_PASSWORD}
      - NEXT_PRIVATE_SMTP_APIKEY_USER=${NEXT_PRIVATE_SMTP_APIKEY_USER}
      - NEXT_PRIVATE_SMTP_APIKEY=${NEXT_PRIVATE_SMTP_APIKEY}
      - NEXT_PRIVATE_SMTP_SECURE=${NEXT_PRIVATE_SMTP_SECURE}
      - NEXT_PRIVATE_SMTP_FROM_NAME=${NEXT_PRIVATE_SMTP_FROM_NAME:?err}
      - NEXT_PRIVATE_SMTP_FROM_ADDRESS=${NEXT_PRIVATE_SMTP_FROM_ADDRESS:?err}
      - NEXT_PRIVATE_RESEND_API_KEY=${NEXT_PRIVATE_RESEND_API_KEY}
      - NEXT_PRIVATE_MAILCHANNELS_API_KEY=${NEXT_PRIVATE_MAILCHANNELS_API_KEY}
      - NEXT_PRIVATE_MAILCHANNELS_ENDPOINT=${NEXT_PRIVATE_MAILCHANNELS_ENDPOINT}
      - NEXT_PRIVATE_MAILCHANNELS_DKIM_DOMAIN=${NEXT_PRIVATE_MAILCHANNELS_DKIM_DOMAIN}
      - NEXT_PRIVATE_MAILCHANNELS_DKIM_SELECTOR=${NEXT_PRIVATE_MAILCHANNELS_DKIM_SELECTOR}
      - NEXT_PRIVATE_MAILCHANNELS_DKIM_PRIVATE_KEY=${NEXT_PRIVATE_MAILCHANNELS_DKIM_PRIVATE_KEY}
      - NEXT_PUBLIC_DOCUMENT_SIZE_UPLOAD_LIMIT=${NEXT_PUBLIC_DOCUMENT_SIZE_UPLOAD_LIMIT}
      - NEXT_PUBLIC_POSTHOG_KEY=${NEXT_PUBLIC_POSTHOG_KEY}
      - NEXT_PUBLIC_DISABLE_SIGNUP=${NEXT_PUBLIC_DISABLE_SIGNUP}
      - NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=${NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH:-/opt/documenso/cert.p12}

      - JOBS_PROVIDER=${JOBS_PROVIDER}
      - NEXT_PRIVATE_JOBS_PROVIDER=${NEXT_PRIVATE_JOBS_PROVIDER}
      - TRIGGER_API_KEY=${TRIGGER_API_KEY}
      - NEXT_PRIVATE_TRIGGER_API_KEY=${NEXT_PRIVATE_TRIGGER_API_KEY}
      - TRIGGER_API_URL=${TRIGGER_API_URL}
      - NEXT_PRIVATE_TRIGGER_API_URL=${NEXT_PRIVATE_TRIGGER_API_URL}

      # - NEXT_PRIVATE_SIGNING_PASSPHRASE=${NEXT_PRIVATE_SIGNING_PASSPHRASE}
      # - NEXT_PRIVATE_SIGNING_LOCAL_FILE_CONTENTS=${NEXT_PRIVATE_SIGNING_LOCAL_FILE_CONTENTS}

    # ports:
    #   - ${PORT:-3000}:${PORT:-3000}
    volumes:
      - ./certificate.p12:/opt/documenso/cert.p12

volumes:
  documenso_postgres:
```

and this is how I created the certificate, in my case without using an export password:

```sh
openssl genrsa -aes256 -out private.key 2048
openssl req -new -x509 -key private.key -out certificate.crt -days 1095
# IMPORTANT: DO NOT USE AN EXPORT PASSWORD, OR SIGNING WITH DOCUMENSO WON'T WORK!!!
# Ref: https://github.com/documenso/documenso/issues/1343
openssl pkcs12 -export -out certificate.p12 -inkey private.key -in certificate.crt -legacy
```

Important are the permissions of the certificate, if they are not properly set it won't work. I use a little (kinda unsafe) trick here and set

```txt
PUID=0
PGID=0
```

in my .env file, which sets the container user and hence the file permissions to `root`.

Other than that this should work with the default .env file.


@nathanael-h commented on GitHub (Oct 10, 2024):

Hello, I managed to have seal-document to work with a certificate.p12 file encrypted using a password.
Here is the command I used to generate it on Debian 12:

```
openssl pkcs12 -export -out certificate-legacy.p12 -inkey private.key -in certificate.crt -legacy
```

Then I entered a password twice, and added it to the `.env` and `compose.yaml` files:

```
# grep NEXT_PRIVATE_SIGNING_PASSPHRASE .env
NEXT_PRIVATE_SIGNING_PASSPHRASE="xxxxxxxxxx-YYYYYY_aaaaaaa"
root@docker1:/opt/sign# grep NEXT_PRIVATE_SIGNING_PASSPHRASE compose.yml
      - NEXT_PRIVATE_SIGNING_PASSPHRASE=${NEXT_PRIVATE_SIGNING_PASSPHRASE:?err}
```

Also regarding the permission for the certificate file, I changed the owner from the docker host to 1001

```
chown 1001 certificate-legacy.p12
```

so that inside the container the file is readable by the 1001 user, in this context the `NextJS` user.

```
# docker exec -it -u 0 documenso-production-documenso-1   ls -lah /opt/documenso/cert.p12
-rw-------    1 nextjs   root        2.5K Oct 10 15:23 /opt/documenso/cert.p12
```

@philxws692 commented on GitHub (Oct 13, 2024):

Thanks to both of you for your reply. Indeed it was a problem with the permissions hence the `nextjs` user was not the owner of the `cert.p12`. Changing it to the `UID` 1001 inside of the container makes the sealing work just fine. I only changed the permissions outside of the container, which of course did not have any effect.
Sooo, thank you very much guys 🤝🏼
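
The three causes raised in this thread (a `.p12` that only opens with `-legacy`, a passphrase that does not match `NEXT_PRIVATE_SIGNING_PASSPHRASE`, and a file the container user cannot read) can be checked before signing anything. The script below is an added example, not part of the original thread or of Documenso; the function names, the status strings and the default GID 1001 are assumptions, while UID 1001 and the path come from the comments above.

```sh
#!/bin/sh
# Added example: preflight checks for the PKCS#12 file mounted at
# NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH. All function names are hypothetical.
# Usage: NEXT_PRIVATE_SIGNING_PASSPHRASE=... sh this-script /opt/documenso/cert.p12

# Pure decision: could uid:gid read a file with this owner, group and octal mode?
# Supplementary groups and ACLs are ignored (assumption).
# Prints: denied | ok | ok-but-root | ok-but-world-readable
p12_verdict() (
    owner=$1 group=$2 mode=$3 uid=$4 gid=$5
    m=$((0$mode))                     # stat prints octal digits, e.g. 600
    if [ "$uid" -eq 0 ]; then         # the PUID=0 shortcut: it reads, but the app runs as root
        echo ok-but-root; return 0
    fi
    # Only one permission class applies: owner, else group, else other.
    if   [ "$uid" -eq "$owner" ]; then bit=$((m & 0400))
    elif [ "$gid" -eq "$group" ]; then bit=$((m & 0040))
    else                               bit=$((m & 0004))
    fi
    if [ "$bit" -eq 0 ]; then echo denied; return 1; fi
    # The file holds the signing private key; "other" read access exposes it.
    if [ $((m & 0004)) -ne 0 ]; then echo ok-but-world-readable; else echo ok; fi
)

# Same decision for a real file, from its numeric owner, group and mode.
p12_access() (
    file=$1 uid=${2:-1001} gid=${3:-1001}   # GID 1001 is an assumption
    meta=$(stat -c '%u %g %a' "$file") || return 2
    set -- $meta
    p12_verdict "$1" "$2" "$3" "$uid" "$gid"
)

# Does the file parse with the configured passphrase, and does it need -legacy?
# Prints: default | legacy-only | unreadable | no-openssl
p12_opens() (
    file=$1
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 2; }
    # env: keeps the passphrase out of the process list; empty means no export password.
    P12_PASS=${NEXT_PRIVATE_SIGNING_PASSPHRASE:-}; export P12_PASS
    if openssl pkcs12 -in "$file" -noout -passin env:P12_PASS </dev/null >/dev/null 2>&1; then
        echo default
    elif openssl pkcs12 -legacy -in "$file" -noout -passin env:P12_PASS </dev/null >/dev/null 2>&1; then
        echo legacy-only              # opens only with the legacy provider loaded
    else
        echo unreadable; return 1     # wrong passphrase or not a PKCS#12 file
    fi
)

check_signing_cert() {
    file=${1:-/opt/documenso/cert.p12}
    echo "access:  $(p12_access "$file" "${2:-1001}" "${3:-1001}")"
    echo "parsing: $(p12_opens "$file")"
}

if [ "$#" -gt 0 ]; then check_signing_cert "$@"; fi
```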


@roshi112 commented on GitHub (Apr 9, 2025):

```yaml
      - JOBS_PROVIDER=${JOBS_PROVIDER}
      - NEXT_PRIVATE_JOBS_PROVIDER=${NEXT_PRIVATE_JOBS_PROVIDER}
      - TRIGGER_API_KEY=${TRIGGER_API_KEY}
      - NEXT_PRIVATE_TRIGGER_API_KEY=${NEXT_PRIVATE_TRIGGER_API_KEY}
      - TRIGGER_API_URL=${TRIGGER_API_URL}
      - NEXT_PRIVATE_TRIGGER_API_URL=${NEXT_PRIVATE_TRIGGER_API_URL}
```

Can you please tell what values need to be filled in there?


@codersboutique commented on GitHub (Apr 14, 2025):

@roshi112 you should set the variables inside the `.env` file.

If you are having the internal.seal-document error then these variables don't matter.
