[Bug]: "Failed to load PDF file."

[bigbeka]

Issue Description

At "Request signature", trying to place signature on to PDF, the thumbnail does not load and throws error: Failed to load PDF file.

Docker STDOUT:

OpenSign-container        |  HTTP  8/31/2024 11:39:35 AM 172.18.0.3 GET /placeHolderSign/T6YAU4fWg5
OpenSign-container        |  HTTP  8/31/2024 11:39:35 AM 172.18.0.3 Returned 200 in 2 ms
OpenSign-container        |  HTTP  8/31/2024 11:39:35 AM 172.18.0.3 GET /manifest.json
OpenSign-container        |  HTTP  8/31/2024 11:39:35 AM 172.18.0.3 Returned 200 in 1 ms
OpenSign-container        |  HTTP  8/31/2024 11:39:35 AM 172.18.0.3 GET /locales/en-GB/translation.json
OpenSign-container        |  HTTP  8/31/2024 11:39:35 AM 172.18.0.3 Returned 200 in 1 ms
OpenSign-container        |  HTTP  8/31/2024 11:39:35 AM 172.18.0.3 GET /locales/en/translation.json
OpenSign-container        |  HTTP  8/31/2024 11:39:35 AM 172.18.0.3 Returned 200 in 3 ms
OpenSign-container        |  HTTP  8/31/2024 11:39:35 AM 172.18.0.3 GET /version.txt
OpenSign-container        |  HTTP  8/31/2024 11:39:35 AM 172.18.0.3 Returned 304 in 5 ms
mongo-container           | {"t":{"$date":"2024-08-31T11:39:32.482+00:00"},"s":"I",  "c":"WTCHKPT",  "id":22430,   "ctx":"Checkpointer","msg":"WiredTiger message","attr":{"message":{"ts_sec":1725104372,"ts_usec":482041,"thread":"1:0x7621b3200640","session_name":"WT_SESSION.checkpoint","category":"WT_VERB_CHECKPOINT_PROGRESS","category_id":6,"verbose_level":"DEBUG_1","verbose_level_id":1,"msg":"saving checkpoint snapshot min: 330, snapshot max: 330 snapshot count: 0, oldest timestamp: (0, 0) , meta checkpoint timestamp: (0, 0) base write gen: 1"}}}

Expected Behavior

It should load the thumbnail of the pdf and its pages.

Current Behavior

Error: Failed to load PDF file.

Steps to reproduce

1. Create Digital Ocean droplet
2. Point subdomain A record to the IP address of the droplet
3. Run without changing anything export HOST_URL=https://sign.FQDN.io && curl --remote-name-all https://raw.githubusercontent.com/OpenSignLabs/OpenSign/docker_beta/docker-compose.yml https://raw.githubusercontent.com/OpenSignLabs/OpenSign/docker_beta/Caddyfile https://raw.githubusercontent.com/OpenSignLabs/OpenSign/docker_beta/.env.local_dev && mv .env.local_dev .env.prod && docker compose up --force-recreate
4. Create admin account
5. Create first Request signatures
6. On the last step of Request signatures, the PDF does not load

Screenshots of the issue(optional)

Operating System [e.g. MacOS Sonoma 14.1, Windows 11]

Ubuntu 24.04

What browsers are you seeing the problem on?

Safari

What version of OpenSign™ are you seeing this issue on? [e.g. 1.0.6]

Latest [version: v2.2.0]

What environment are you seeing the problem on?

Production (app.opensignlabs.com)

Please check the boxes that apply to this issue report.

• [X] I have searched the existing issues & discussions to make sure that this is not a duplicate.

Code of Conduct

• [X] I agree to follow this project's Code of Conduct
• [X] I have searched the existing issues & discussions to make sure that this is not a duplicate.

[bigbeka]

@andrew-opensignlabs Just picking up your comment from #159 here.

The issue I am having is on Digital Ocean, LXC (Ubuntu 22.04) and MacOS ARM.

I am running Ubuntu 22.04 LXC container (Proxmox). Everything is vanilla, including the docker compose and .env.prod

I ran the same vanilla docker compose on my Mac, the first time PDF preview loaded, following times I have Failed to load PDF file.

Most importantly, I am not using S3 storage in any of the environments I tested. I am only using local storage option.

[andrew-opensignlabs]

Hi @bigbeka We have finally identified this issue and fixed. Please check and confirm.

[EDIflyer]

I'm still getting it here...

Was working OK initially then stopped the service to run in detached more so I could close my terminal session (export HOST_URL=https://sign.domain.tld && docker compose up -d) and now none of my stored PDFs are accessible.

err in document beforesave Cannot read properties of undefined (reading 'get') new entry is insert in contracts_Document

I can see all the signed documents in my library but can't access any of them, with just an error message...

[andrew-opensignlabs]

Did you upgrade to the latest version available on docker? Can you check by uploading a new file and see if its accessible? This might be due to the fact that we modified some file storage path related code when may render previously generated file paths inaccessible.

Additionally, it's not recommended to use local storage for storing signed files in publicly accessible production environments, as it offers lower security and creates file links that can be shared or accessed without an expiration time.

[EDIflyer]

I only just installed a couple of weeks ago so thought I was on the latest but see there's been an update - have pulled the new images and stopped and started the docker-compose - it has now changed the error in that I no longer get the PDF not found but just a general error:

I can upload a new document and sign it OK, then get a success message (and a confirmation email with the document attached). However it I go back to my OpenSign drive I then get a different error:

I hadn't appreciated there was a security issue with the local storage and links that can be accessed without expiration, will investigate the S3 bucket.

[EDIflyer]

OK I've now setup an AWS S3 bucket, added the various credentials listed at https://docs.opensignlabs.com/docs/self-host/cloud-storage/s3 to .env.prod.

The only bit I couldn't find when following the instructions was an S3 policy for Read, Write & List so I had to just go for full access instead...

I've set USE_LOCAL to false too, saved the file and restarted the containers however it still seems to be showing my OpenSign drive within it - where should I check in the logs to find out what is going on? I can't see anything obvious in the logs for either OpenSign-container or OpenSignServer-container docker logs.

At the AWS end it does look like the key has at least been used:

But if I tried to upload a file although it gets to 100% when I tried to submit the form I get an error:

The S3 bucket itself says it has no objects.

[EDIflyer]

OK so have now changed bucket ownership to ACLs enabled and disabled CORS and it is uploading PDFs to the bucket OK but not managing to read them back, giving a 400 bad request

Following the link into AWS gives the following response:

<Error>
  <Code>InvalidRequest</Code>
  <Message>The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.</Message>
  <RequestId>REDACTED</RequestId>
  <HostId>REDACTED</HostId>
</Error>

Could this be because older US AWS regions (I'm using eu-west-2) are still using an older encryption standard but new ones use AWS4? - see https://stackoverflow.com/questions/26533245/the-authorization-mechanism-you-have-provided-is-not-supported-please-use-aws4 Looks like it maybe needs to be specified when interacting S3 - if I'm right (and I appreciate that it's a big if!!) would it be possible to surface this into an environment variable if it's not possible to automatically use the right version?

[EDIflyer]

Updated to 2.3.0 and still the same issue with 400 Bad Request

[EDIflyer]

@andrew-opensignlabs (or other maintainers) any other suggestions much appreciated!

[EDIflyer]

Updated to 2.3.2 and no change, still getting 400 Bad Request when trying to load a document.

[andrew-opensignlabs]

@EDIflyer I’ve brought this to the attention of our dev team, and if it’s confirmed as an issue, it will be resolved in next week’s release.

[EDIflyer]

Many thanks @andrew-opensignlabs - please just let me know if any more information on my setup or logs, etc required.

[EDIflyer]

@EDIflyer I’ve brought this to the attention of our dev team, and if it’s confirmed as an issue, it will be resolved in next week’s release.

Hi @andrew-opensignlabs any update on this? I saw mention of S3 in the most recent update but still having the same issue after update?

[andrew-opensignlabs]

@EDIflyer did you set CORS policy in s3?

[EDIflyer]

@andrew-opensignlabs yep, I set those previously..

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST",
            "DELETE"
        ],
        "AllowedOrigins": [
            "https://sign.customdomain.com"
        ],
        "ExposeHeaders": []
    },
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST",
            "DELETE"
        ],
        "AllowedOrigins": [
            "https://sign.ekora.io"
        ],
        "ExposeHeaders": []
    },
    {
        "AllowedHeaders": [],
        "AllowedMethods": [
            "GET"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": []
    }
]

Not sure if it's to do with the older encryption standard some of the US Azure instances use and an update is needed to the interface to support the more modern ones? (see link above)

[andrew-opensignlabs]

Are you still getting the same "Invalid Request" error? Or the error has changed? Try re-creating the bucket with the updated instructions.

[EDIflyer]

I'm still getting 'something went wrong' in the app and this in the console:

I didn't realise you had updated your instructions. I deleted the bucket and user, re-created using the instructions at https://docs.opensignlabs.com/docs/self-host/cloud-storage/s3 and am facing exactly the same error. The only change I made to the CORS was replacing https://app.opensignlabs.com with our custom domain name.

[andrew-opensignlabs]

@EDIflyer Could you try creating the bucket in a different AWS region? I understand it’s extra work, but it will help us narrow down the issue if it works in another region.

[Vikram-goognu]

we are just running single command to install and configure with domain, it will configure but showing me Error when upload the pdf we also try with s3 bucket configuration on .env.prod and showing same error. : Failed to load PDF file. command we run: export HOST_URL=https://opensign.xyz.com && curl --remote-name-all https://raw.githubusercontent.com/OpenSignLabs/OpenSign/docker_beta/docker-compose.yml https://raw.githubusercontent.com/OpenSignLabs/OpenSign/docker_beta/Caddyfile https://raw.githubusercontent.com/OpenSignLabs/OpenSign/docker_beta/.env.local_dev && mv .env.local_dev .env.prod && docker compose up --force-recreate

[cube-one-gxp-lifescience-partner]

Hello,

having the same issue but with a different installation. Normal users cannot access localhost:3001 and we use nginx as reverse proxy. The pdf file can be accessed successfully if localhost:3001 is changed to sign.mydomain.com manually.

HOST_URL is set to https://sign.mydomain.com

[Vikram-goognu]

HI team,

Yes we are accessing our url: https://opensign.shipyaari.com/ with ssl certificate also , but we are not able to upload pdf or any image also, we are getting error. [image: opensign.jpeg]

Please provide us with a solution.

Thanks & Regards

On Wed, Oct 9, 2024 at 3:28 PM cube one @.***> wrote:

Hello,

having the same issue but with a different installation. Normal users cannot access localhost:3001 and we use nginx as reverse proxy. The pdf file can be accessed successfully if localhost:3001 is changed to sign.mydomain.com manually.

HOST_URL is set to https://sign.mydomain.com

grafik.png (view on web) https://github.com/user-attachments/assets/d1cdae3d-1321-4861-8ce8-4b16e89034a1

— Reply to this email directly, view it on GitHub https://github.com/OpenSignLabs/OpenSign/issues/1138#issuecomment-2401874955, or unsubscribe https://github.com/notifications/unsubscribe-auth/BLEMK7H6XB6SZ22HZMLCWDLZ2T44XAVCNFSM6AAAAABNNZX762VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIMBRHA3TIOJVGU . You are receiving this because you commented.Message ID: @.***>

[willieramosjr1]

I just finished installing hosting on my own VPS with vultr and I'm having the same issue fresh out of the box.

[ashugoognu]

we got this error: Bucket policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "", "Action": "s3:GetObject","s3:PutObject", "Resource": "arn:aws:s3:::opensign-1st/", "Condition": { "StringLike": { "aws:Referer": "https://opensign.domain.com/*" } } } ] }

CORS: [ { "AllowedHeaders": [ "*" ], "AllowedMethods": [ "GET", "PUT", "POST" ], "AllowedOrigins": [ "https://opensign.domain.com" ], "ExposeHeaders": [ "x-amz-server-side-encryption", "x-amz-request-id", "x-amz-id-2" ], "MaxAgeSeconds": 6000 } ]

[EDIflyer]

@EDIflyer Could you try creating the bucket in a different AWS region? I understand it’s extra work, but it will help us narrow down the issue if it works in another region.

Hi @andrew-opensignlabs sorry for the delay in replying - on holiday just now so has taken me a while to get round to it. I created a bucked in us-east-1 and confirm it's working OK. Presumably it's related to the issue mentioned above with different AWS regions implementing different security standards and the US one still being on an older version than the EU one?