[GH-ISSUE #2688] [Express ] › ⚠ warning invalid signature #1854

New issue

Closed

opened 2026-02-26 07:32:44 +03:00 by kerem · 13 comments

kerem commented 2026-02-26 07:32:44 +03:00

Owner

Copy link

Originally created by @schumi2004 on GitHub (Mar 16, 2023).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2688

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • No Reason: unable to renew certificate, running version v2.19.9
• Are you sure you're not using someone else's docker image?
  • Yes
• Have you searched for similar issues (both open and closed)?
  • Yes

Describe the bug
In the logs i see several messages like:
[Express ] › ⚠ warning invalid signature

Nginx Proxy Manager Version
2.19.9

To Reproduce
Steps to reproduce the behavior:
Just run NPM as normal and check logs

Expected behavior
No warning messages

Screenshots
n/a

Operating System
Docker

Additional context
[3/16/2023] [1:23:37 PM] [Express ] › ⚠ warning invalid signature
[3/16/2023] [1:23:38 PM] [Express ] › ⚠ warning invalid signature

I have no idea what above messages means so no clue if it can be ignored or not.
It says warning so i guess something is wrong.

Originally created by @schumi2004 on GitHub (Mar 16, 2023). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2688 <!-- Are you in the right place? - If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit. - If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask. - If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the *right place.* --> **Checklist** - Have you pulled and found the error with `jc21/nginx-proxy-manager:latest` docker image? - No Reason: unable to renew certificate, running version v2.19.9 - Are you sure you're not using someone else's docker image? - Yes - Have you searched for similar issues (both open and closed)? - Yes **Describe the bug** In the logs i see several messages like: [Express ] › ⚠ warning invalid signature **Nginx Proxy Manager Version** 2.19.9 **To Reproduce** Steps to reproduce the behavior: Just run NPM as normal and check logs **Expected behavior** No warning messages **Screenshots** n/a **Operating System** Docker **Additional context** [3/16/2023] [1:23:37 PM] [Express ] › ⚠ warning invalid signature [3/16/2023] [1:23:38 PM] [Express ] › ⚠ warning invalid signature I have no idea what above messages means so no clue if it can be ignored or not. It says warning so i guess something is wrong.

kerem 2026-02-26 07:32:44 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-02-26 07:32:44 +03:00

Author

Owner

Copy link

@SeanChengN commented on GitHub (Mar 18, 2023):

same problem

<!-- gh-comment-id:1474810804 --> @SeanChengN commented on GitHub (Mar 18, 2023): same problem

kerem commented 2026-02-26 07:32:44 +03:00

Author

Owner

Copy link

@jc21 commented on GitHub (Mar 18, 2023):

That error isn't part of the codebase and it's been seen before in #775 but the reporter said it fixed itself. I would think it's something related to the JWT given in the API request. Some things to try:

• use the new 2.9.21 docker image tag
• add the following environment variable to your docker-compose configuration:

  environment:
    DEBUG: 1

and you should see more info in the logs.

<!-- gh-comment-id:1474819608 --> @jc21 commented on GitHub (Mar 18, 2023): That error isn't part of the codebase and it's been seen before in #775 but the reporter said it fixed itself. I would think it's something related to the JWT given in the API request. Some things to try: - use the new `2.9.21` docker image tag - add the following environment variable to your docker-compose configuration: ```yml environment: DEBUG: 1 ``` and you should see more info in the logs.

kerem commented 2026-02-26 07:32:44 +03:00

Author

Owner

Copy link

@schumi2004 commented on GitHub (Mar 21, 2023):

I moved to other solution but will test when i find some time.

<!-- gh-comment-id:1477416768 --> @schumi2004 commented on GitHub (Mar 21, 2023): I moved to other solution but will test when i find some time.

kerem commented 2026-02-26 07:32:44 +03:00

Author

Owner

Copy link

@Marcbacca commented on GitHub (Mar 21, 2023):

I'm having the same issue as well in Unraid with the official image, latest 2.9.21 version. Every time in Homepage I hit refresh to access the api/logs for stats, this error pops up in the logs.

Homepage error display - API Error: Internal Error
nginx logs - [Express ] › ⚠ warning invalid signature

I should mention that I needed to previously chmod 755 the /data/logs dir in the docker because syslog was broken (was 777 and wouldn't start), not sure how those permissions were ever changed in the first place. I'm not sure if this could be related to this issue..

EDIT: With debug = 1

[3/21/2023] [11:22:31 PM] [Express ] › ⬤ debug JsonWebTokenError: invalid signature
at /app/node_modules/jsonwebtoken/verify.js:171:19
at getSecret (/app/node_modules/jsonwebtoken/verify.js:97:14)
at Object.module.exports [as verify] (/app/node_modules/jsonwebtoken/verify.js:101:10)
at /app/models/token.js:71:11
at new Promise ()
at Object.load (/app/models/token.js:65:11)
at /app/lib/access.js:228:20
at new Promise ()
at Object.load (/app/lib/access.js:226:11)
at /app/lib/express/jwt-decode.js:7:10

<!-- gh-comment-id:1478068857 --> @Marcbacca commented on GitHub (Mar 21, 2023): I'm having the same issue as well in Unraid with the official image, latest 2.9.21 version. Every time in Homepage I hit refresh to access the api/logs for stats, this error pops up in the logs. Homepage error display - API Error: Internal Error nginx logs - [Express ] › ⚠ warning invalid signature I should mention that I needed to previously chmod 755 the /data/logs dir in the docker because syslog was broken (was 777 and wouldn't start), not sure how those permissions were ever changed in the first place. I'm not sure if this could be related to this issue.. EDIT: With debug = 1 [3/21/2023] [11:22:31 PM] [Express ] › ⬤ debug JsonWebTokenError: invalid signature at /app/node_modules/jsonwebtoken/verify.js:171:19 at getSecret (/app/node_modules/jsonwebtoken/verify.js:97:14) at Object.module.exports [as verify] (/app/node_modules/jsonwebtoken/verify.js:101:10) at /app/models/token.js:71:11 at new Promise (<anonymous>) at Object.load (/app/models/token.js:65:11) at /app/lib/access.js:228:20 at new Promise (<anonymous>) at Object.load (/app/lib/access.js:226:11) at /app/lib/express/jwt-decode.js:7:10

kerem commented 2026-02-26 07:32:44 +03:00

Author

Owner

Copy link

@swoop124 commented on GitHub (Mar 23, 2023):

Hello,

i have the same errors and did also a DEBUG: 1 and got same messagesa as Marcbacca.

any News?

<!-- gh-comment-id:1480804962 --> @swoop124 commented on GitHub (Mar 23, 2023): Hello, i have the same errors and did also a `DEBUG: 1 `and got same messagesa as `Marcbacca`. any News?

kerem commented 2026-02-26 07:32:44 +03:00

Author

Owner

Copy link

@SeanChengN commented on GitHub (Mar 24, 2023):

2.9.22
[3/24/2023] [9:26:49 AM] [Express ] › ⬤ debug JsonWebTokenError: invalid signature at /app/node_modules/jsonwebtoken/verify.js:171:19 at getSecret (/app/node_modules/jsonwebtoken/verify.js:97:14) at Object.module.exports [as verify] (/app/node_modules/jsonwebtoken/verify.js:101:10) at /app/models/token.js:71:11 at new Promise (<anonymous>) at Object.load (/app/models/token.js:65:11) at /app/lib/access.js:228:20 at new Promise (<anonymous>) at Object.load (/app/lib/access.js:226:11) at /app/lib/express/jwt-decode.js:7:10

<!-- gh-comment-id:1482127088 --> @SeanChengN commented on GitHub (Mar 24, 2023): 2.9.22 `[3/24/2023] [9:26:49 AM] [Express ] › ⬤ debug JsonWebTokenError: invalid signature at /app/node_modules/jsonwebtoken/verify.js:171:19 at getSecret (/app/node_modules/jsonwebtoken/verify.js:97:14) at Object.module.exports [as verify] (/app/node_modules/jsonwebtoken/verify.js:101:10) at /app/models/token.js:71:11 at new Promise (<anonymous>) at Object.load (/app/models/token.js:65:11) at /app/lib/access.js:228:20 at new Promise (<anonymous>) at Object.load (/app/lib/access.js:226:11) at /app/lib/express/jwt-decode.js:7:10`

kerem commented 2026-02-26 07:32:44 +03:00

Author

Owner

Copy link

@henkiewie commented on GitHub (Mar 24, 2023):

I had the same error (2.9.22). Restarted the docker container that was/is using the API (in my case homepage gave an API error) and both errors were gone. Maybe it helps someone.

<!-- gh-comment-id:1482487303 --> @henkiewie commented on GitHub (Mar 24, 2023): I had the same error (2.9.22). Restarted the docker container that was/is using the API (in my case homepage gave an API error) and both errors were gone. Maybe it helps someone.

kerem commented 2026-02-26 07:32:44 +03:00

Author

Owner

Copy link

@Marcbacca commented on GitHub (Mar 27, 2023):

Can confirm, the patch 3-4 days ago appears to have fixed the issue. Yesterday's/today's updates haven't broken it.. seems to be fixed.

<!-- gh-comment-id:1485110793 --> @Marcbacca commented on GitHub (Mar 27, 2023): Can confirm, the patch 3-4 days ago appears to have fixed the issue. Yesterday's/today's updates haven't broken it.. seems to be fixed.

kerem commented 2026-02-26 07:32:44 +03:00

Author

Owner

Copy link

@scorpio2k2 commented on GitHub (Mar 27, 2023):

I still have the same issue:
Image used: jc21/nginx-proxy-manager latest 5b3ff21ccf9

[3/27/2023] [2:52:03 PM] [Express ] › ⬤ debug JsonWebTokenError: invalid signature
at /app/node_modules/jsonwebtoken/verify.js:171:19
at getSecret (/app/node_modules/jsonwebtoken/verify.js:97:14)
at Object.module.exports [as verify] (/app/node_modules/jsonwebtoken/verify.js:101:10)
at /app/models/token.js:65:11
at new Promise ()
at Object.load (/app/models/token.js:60:11)
at /app/lib/access.js:228:20
at new Promise ()
at Object.load (/app/lib/access.js:226:11)
at /app/lib/express/jwt-decode.js:7:10

<!-- gh-comment-id:1485263307 --> @scorpio2k2 commented on GitHub (Mar 27, 2023): I still have the same issue: Image used: jc21/nginx-proxy-manager latest 5b3ff21ccf9 [3/27/2023] [2:52:03 PM] [Express ] › ⬤ debug JsonWebTokenError: invalid signature at /app/node_modules/jsonwebtoken/verify.js:171:19 at getSecret (/app/node_modules/jsonwebtoken/verify.js:97:14) at Object.module.exports [as verify] (/app/node_modules/jsonwebtoken/verify.js:101:10) at /app/models/token.js:65:11 at new Promise (<anonymous>) at Object.load (/app/models/token.js:60:11) at /app/lib/access.js:228:20 at new Promise (<anonymous>) at Object.load (/app/lib/access.js:226:11) at /app/lib/express/jwt-decode.js:7:10

kerem commented 2026-02-26 07:32:44 +03:00

Author

Owner

Copy link

@jc21 commented on GitHub (Mar 28, 2023):

I looked into this further, the warning is just a warning. It will happen when the JWT you use to access the API was encrypted with a different set of keys than is currently on file.

Prior to 2.10, this would be common, especially for those not using a mounted config file, as the keys would be generated after every docker container restart and wiped out.

With 2.10.0, these keys are now saved in the data folder and read from there.

I'll close this for now. If anyone experiences this with 2.10.0 or above AND think it's related to other behaviour, such as not being able to login, then please reopen.

<!-- gh-comment-id:1486233157 --> @jc21 commented on GitHub (Mar 28, 2023): I looked into this further, the warning is just a warning. It will happen when the JWT you use to access the API was encrypted with a different set of keys than is currently on file. Prior to 2.10, this would be common, especially for those not using a mounted config file, as the keys would be generated after every docker container restart and wiped out. With 2.10.0, these keys are now saved in the data folder and read from there. I'll close this for now. If anyone experiences this with 2.10.0 or above AND think it's related to other behaviour, such as not being able to login, then please reopen.

kerem commented 2026-02-26 07:32:44 +03:00

Author

Owner

Copy link

@eriksneff commented on GitHub (Mar 30, 2023):

@jc21 thx for looking into this. Not sure what the impact is here, but I'm on npm v2.10.1 and I'm seeing this ⚠️ warning invalid signature message about once a minute as I navigate through my system. Here's a screenshot that I'm not sure will help:

<!-- gh-comment-id:1489538051 --> @eriksneff commented on GitHub (Mar 30, 2023): @jc21 thx for looking into this. Not sure what the impact is here, but I'm on npm v2.10.1 and I'm seeing this `⚠️ warning invalid signature` message about once a minute as I navigate through my system. Here's a screenshot that I'm not sure will help: 

kerem commented 2026-02-26 07:32:44 +03:00

Author

Owner

Copy link

@GVA-Guillaume commented on GitHub (Jul 12, 2023):

Last version and I have also this warning

But this is not only a warning,
because, the UI freeze it's then it's impossible to manage anything

[7/12/2023] [4:19:04 PM] [Express ] › ⬤ debug JsonWebTokenError: invalid signature
at /app/node_modules/jsonwebtoken/verify.js:171:19
at getSecret (/app/node_modules/jsonwebtoken/verify.js:97:14)
at Object.module.exports [as verify] (/app/node_modules/jsonwebtoken/verify.js:101:10)
at /app/models/token.js:65:11
at new Promise ()
at Object.load (/app/models/token.js:60:11)
at /app/lib/access.js:228:20
at new Promise ()
at Object.load (/app/lib/access.js:226:11)
at /app/lib/express/jwt-decode.js:7:10

<!-- gh-comment-id:1632650699 --> @GVA-Guillaume commented on GitHub (Jul 12, 2023): Last version and I have also this warning <img width="670" alt="Capture d’écran 2023-07-12 à 16 36 42" src="https://github.com/NginxProxyManager/nginx-proxy-manager/assets/128600399/3fb45437-82c8-4a3a-9a4d-c15885b5059a"> But this is not only a warning, because, the UI freeze it's then it's impossible to manage anything [7/12/2023] [4:19:04 PM] [Express ] › ⬤ debug JsonWebTokenError: invalid signature at /app/node_modules/jsonwebtoken/verify.js:171:19 at getSecret (/app/node_modules/jsonwebtoken/verify.js:97:14) at Object.module.exports [as verify] (/app/node_modules/jsonwebtoken/verify.js:101:10) at /app/models/token.js:65:11 at new Promise (<anonymous>) at Object.load (/app/models/token.js:60:11) at /app/lib/access.js:228:20 at new Promise (<anonymous>) at Object.load (/app/lib/access.js:226:11) at /app/lib/express/jwt-decode.js:7:10

kerem commented 2026-02-26 07:32:44 +03:00

Author

Owner

Copy link

@GVA-Guillaume commented on GitHub (Jul 12, 2023):

After some investigations two points :

strangely the problem comes from the database name, it seems that we are not able to harden the database" "npm" of the most EXPOSED service in the network, a very clear security issue, most of the Dockerfile and/or Entrepont scripts needs to be fixed

• to be rootless
• not hardcoded about all the env variables, everything must be changed

<!-- gh-comment-id:1632882658 --> @GVA-Guillaume commented on GitHub (Jul 12, 2023): After some investigations two points : strangely the problem comes from the database name, it seems that we are not able to harden the database" "npm" of the most EXPOSED service in the network, a very clear security issue, most of the Dockerfile and/or Entrepont scripts needs to be fixed - to be rootless - not hardcoded about all the env variables, everything must be changed

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#1854

No description provided.