Action failed: No ECDSA key found in PEM

Issue Description

I'm trying to reload the server settings via the WebUI.
This results in the message: "Action failed: No ECDSA key found in PEM",
but it does not tell me which key is invalid, making investigation hard.

Expected Behavior

At least tell me where the error is.

Actual Behavior

Action failed No ECDSA key found in PEM

Reproduction Steps

  1. WebUI → Actions → Reload → Server Settings

Stalwart Version

v0.16.x

Installation Method

Built from source

Database Backend

PostgreSQL

Blob Storage

S3-compatible

Search Engine

Meilisearch

Directory Backend

Internal

I have reviewed the documentation and FAQ and confirm that my issue is NOT addressed there.


I have searched this support forum (open and closed topics) and confirm this is not a duplicate.


I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.


Let me look into this error to give a useful answer.

The error “No ECDSA key found in PEM” occurs during the Server Settings reload and points to a problem with one of your manually configured TLS certificate objects – specifically, the privateKey field of a Certificate object contains PEM data that does not include a valid ECDSA private key (e.g. it may be an RSA key, a malformed PEM block, a file path that can’t be read, or an environment variable reference that resolved to something unexpected).

Here is how to narrow it down:

  1. Go to Settings > TLS > Certificates in the WebUI and open each Certificate object one by one.
  2. Check the privateKey field of each certificate. The PEM block must begin with -----BEGIN EC PRIVATE KEY----- (or -----BEGIN PRIVATE KEY----- for PKCS#8-wrapped ECDSA keys). If you have an RSA key pair, the error message would be different – so any certificate configured with an ECDSA public cert must have a matching ECDSA private key.
  3. If the field contains a file path (e.g. file:///etc/certs/key.pem) or an environment variable reference, verify that the path/variable is accessible to the server process and that the file actually contains the ECDSA private key.
  4. Also check any AcmeProvider objects – the ACME account key is an ECDSA key and could be the culprit if it was not generated correctly.

Once you fix the offending certificate’s privateKey, the reload should succeed. Unfortunately the current error message does not include the certificate ID, which makes this harder than it should be – a human staff member may be able to confirm whether improved error context is planned.

Relevant docs: TLS Certificates - Manual certificates

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.

I do not have any manually managed certificates. All are provided by Let's Encrypt from within Stalwart.

That error isn’t about your TLS certificates, it’s about an OIDC provider’s signing key, so your Let’s Encrypt setup is unrelated. You have an OIDC provider configured with an EC signature algorithm (ES256/ES384) but the signature key you supplied isn’t being recognized as an EC private key.

The most common cause is key format: the parser only accepts a PKCS8 key (-----BEGIN PRIVATE KEY-----), not the traditional SEC1 -----BEGIN EC PRIVATE KEY----- form.

If your key is SEC1, convert it with openssl pkcs8 -topk8 -nocrypt -in key.pem -out key.pk8.pem and use that, or switch the algorithm to match the key you have.
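The PEM header check from the bot's reply and the "PKCS#8 only" behaviour described in the staff reply, as an added example that is not part of the thread and not Stalwart's own code: a stdlib-only Python inspector that classifies each configured private key by its PEM label and, for PKCS#8 blocks, by the AlgorithmIdentifier OID, so an administrator can see which key would not be accepted as an unencrypted PKCS#8 ECDSA key before reloading. The sample keys are constructed DER with a dummy scalar (not real keys), the `find_rejected_keys` input shape is assumed, and the acceptance rule is taken from the reply above rather than from reading Stalwart's parser.

```python
"""Report which PEM private keys a PKCS#8-only ECDSA parser would reject."""
import base64
import re

# Algorithm OIDs carried in a PKCS#8 PrivateKeyInfo AlgorithmIdentifier.
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"      # id-ecPublicKey
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # rsaEncryption
OID_PRIME256V1 = "1.2.840.10045.3.1.7"       # named curve P-256

_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in _PEM_RE.findall(text)]


def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = # of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Convert OID content bytes (without tag/length) to dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pkcs8_algorithm(der):
    """Algorithm OID of an unencrypted PKCS#8 PrivateKeyInfo, or None if malformed."""
    tag, body, _ = _tlv(der, 0)             # PrivateKeyInfo ::= SEQUENCE
    if tag != 0x30:
        return None
    tag, _, pos = _tlv(body, 0)             # version INTEGER
    if tag != 0x02:
        return None
    tag, alg, _ = _tlv(body, pos)           # privateKeyAlgorithm SEQUENCE
    if tag != 0x30:
        return None
    tag, oid, _ = _tlv(alg, 0)              # algorithm OBJECT IDENTIFIER
    return decode_oid(oid) if tag == 0x06 else None


def classify_private_key(text):
    """Classify the first private-key PEM block in text by label and algorithm."""
    for label, der in pem_blocks(text):
        if label == "PRIVATE KEY":          # PKCS#8, the only form the reply says is accepted
            oid = pkcs8_algorithm(der)
            if oid == OID_EC_PUBLIC_KEY:
                return "pkcs8-ec"
            return "pkcs8-rsa" if oid == OID_RSA_ENCRYPTION else "pkcs8-other"
        if label == "ENCRYPTED PRIVATE KEY":
            return "pkcs8-encrypted"
        if label == "EC PRIVATE KEY":       # traditional SEC1 form: needs openssl pkcs8 -topk8
            return "sec1-ec"
        if label == "RSA PRIVATE KEY":      # PKCS#1 RSA: wrong algorithm for ES256/ES384
            return "pkcs1-rsa"
    return "none"


def find_rejected_keys(named_pems):
    """{name: pem_text} -> {name: classification} for keys that are not PKCS#8 ECDSA."""
    rejected = {}
    for name, pem in named_pems.items():
        kind = classify_private_key(pem)
        if kind != "pkcs8-ec":
            rejected[name] = kind
    return rejected


# --- constructed sample keys (dummy scalar, NOT real key material) -----------
def _der(tag, content):
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


_DUMMY_SCALAR = bytes(range(1, 33))                                 # placeholder, not a key
_SEC1_EC = _der(0x30, _der(0x02, b"\x01") + _der(0x04, _DUMMY_SCALAR))
SAMPLE_SEC1_EC = _pem("EC PRIVATE KEY", _SEC1_EC)
SAMPLE_PKCS8_EC = _pem("PRIVATE KEY", _der(0x30, _der(0x02, b"\x00")
                       + _der(0x30, _oid(OID_EC_PUBLIC_KEY) + _oid(OID_PRIME256V1))
                       + _der(0x04, _SEC1_EC)))
SAMPLE_PKCS8_RSA = _pem("PRIVATE KEY", _der(0x30, _der(0x02, b"\x00")
                        + _der(0x30, _oid(OID_RSA_ENCRYPTION) + b"\x05\x00")
                        + _der(0x04, _der(0x30, b""))))

if __name__ == "__main__":
    # Hypothetical key names standing in for each configured OIDC/TLS key.
    keys = {"oidc-signing": SAMPLE_SEC1_EC, "tls-fallback": SAMPLE_PKCS8_RSA,
            "good-ec": SAMPLE_PKCS8_EC}
    for name, kind in find_rejected_keys(keys).items():
        print(f"{name}: {kind} (not an unencrypted PKCS#8 ECDSA key)")
```

Run it against the PEM text of each key you have configured; any entry reported as `sec1-ec` is the case the staff reply covers and can be converted with the `openssl pkcs8 -topk8 -nocrypt` command above, while `pkcs8-rsa` or `pkcs1-rsa` means the key and the configured ES256/ES384 algorithm do not match.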