|
| 1 | +--- |
| 2 | +id: TASK-019 |
| 3 | +title: 'Fix deployment crash: invalid private key in sign_jwt.py' |
| 4 | +status: To Do |
| 5 | +assignee: [] |
| 6 | +created_date: '2026-03-16 23:02' |
| 7 | +labels: |
| 8 | + - deployment |
| 9 | + - dokploy |
| 10 | +dependencies: [] |
| 11 | +references: |
| 12 | + - 'app/sign_jwt.py:50' |
| 13 | + - 'app/main.py:23' |
| 14 | + - 'app/meetup_query.py:16' |
| 15 | + - CLAUDE.local.md |
| 16 | +priority: high |
| 17 | +--- |
| 18 | + |
| 19 | +## Description |
| 20 | + |
| 21 | +<!-- SECTION:DESCRIPTION:BEGIN --> |
| 22 | +Gunicorn workers crash on startup with `ValueError: Invalid private key` in `sign_jwt.py:50`. |
| 23 | + |
| 24 | +**Stack trace summary:** |
| 25 | +- `main.py:23` imports `meetup_query` |
| 26 | +- `meetup_query.py:16` imports `sign_jwt.main` |
| 27 | +- `sign_jwt.py:50` calls `serialization.load_pem_private_key()` which raises `ValueError: Invalid private key` |
| 28 | + |
| 29 | +Both workers (pid 12, 13) fail to boot, causing gunicorn master to shut down. |
| 30 | + |
| 31 | +**Likely causes:** |
| 32 | +1. The `MEETUP_PRIVATE_KEY` env var is missing or empty on the Dokploy deployment |
| 33 | +2. The private key value has been corrupted (e.g., newlines stripped, base64 encoding issues when pushed via `ic --env prod env`) |
| 34 | +3. The key is being loaded at module level (import time), so any env var issue is fatal with no graceful error handling |
| 35 | + |
| 36 | +**Environment:** |
| 37 | +- Host: 85.31.233.80 (Dokploy) |
| 38 | +- Logs from: 2026-03-16T22:59:21Z |
| 39 | + |
| 40 | +**Investigation steps:** |
| 41 | +1. Check if the private key env var is set: `ic --env prod exec web` and inspect env |
| 42 | +2. Verify the key format — PEM keys need literal newlines, not `\n` escape sequences |
| 43 | +3. Compare the deployed key value against the local `.env` value |
| 44 | +4. If the key is correct but mangled, consider base64-encoding it and decoding at runtime |
| 45 | +<!-- SECTION:DESCRIPTION:END --> |
| 46 | + |
| 47 | +## Acceptance Criteria |
| 48 | +<!-- AC:BEGIN --> |
| 49 | +- [ ] #1 Gunicorn workers start successfully without ValueError on Dokploy |
| 50 | +- [ ] #2 Private key is correctly loaded from environment in the deployed container |
| 51 | +- [ ] #3 sign_jwt.py handles missing/invalid key gracefully at import time (log error instead of crash) |
| 52 | +<!-- AC:END --> |
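Review bot: Investigation steps 1 and 3 (file lines 41 and 43) have the engineer inspect the container environment and compare the deployed `MEETUP_PRIVATE_KEY` value against the local `.env` value, which puts the private key into terminal output and any session logs. Suggest rewording them to check only that the variable is set and non-empty, and to compare a digest of the value (or the public key derived from it) on each side rather than the value itself. Acceptance criterion #3 ("log error instead of crash") should also state that the logged message must not contain the key or any part of it, and should say what the app does when a signing call arrives with no usable key; moving the load out of import time (likely cause 3) and failing that call with a clear error would cover both. Also consider whether the host IP under Environment needs to live in a committed task file.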