Failed task: Perform store maintenance operations

Issue Description

There are failed tasks in the log.

Relevant Log Output

S3 error (store.s3-error): reason = SignatureDoesNotMatch
The request signature we calculated does not match the signature you provided. Check your secret access key and signing method.

AWS4-HMAC-SHA256
20260617T231104Z
20260617/auto/s3/aws4_request
0d83bed7ff145503fc9927d44917ce78499cfdb092fa922870d8baf06c055a95

DELETE
/[BUCKET-NAME]/9yk1hsu1cnl0kumtvcgnlpumcefgcegp2bi1zprjdzrcsmcqt1iq

content-length:
content-type:text/plain
host:[ACCOUNT-ID].r2.cloudflarestorage.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20260617T231104Z

content-length;content-type;host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

a6334e12b6d415c1f732094ebfd0bb0f753679671d6d0cc359723d014a9f801e, code = 403, causedBy = crates/store/src/dispatch/blob.rs:221, causedBy = crates/store/src/write/blob.rs:141, causedBy = crates/services/src/task_manager/maintenance.rs:273

Stalwart Version

v0.16.x

Installation Method

Binary (Linux)

Database Backend

RocksDB

Blob Storage

S3-compatible

Search Engine

Internal

Directory Backend

Internal


The error is a SignatureDoesNotMatch (HTTP 403) from Cloudflare R2, which means the secretKey configured in Stalwart’s BlobStore does not match what R2 expects. This is purely a credentials mismatch, not a Stalwart bug.

Common causes and fixes:

  1. Wrong secret key - The most likely cause. In the WebUI, go to Settings > Storage > Blob Store and double-check (re-paste) the secretKey value against what Cloudflare shows in your R2 API token settings. Even a single extra space or truncated character will cause this error.

  2. Wrong accessKey - Make sure the accessKey in Stalwart matches the API token’s Access Key ID in R2 (not your Cloudflare account ID or email).

  3. Wrong region for Cloudflare R2 - R2 requires a Custom region variant. The endpoint should be https://<ACCOUNT-ID>.r2.cloudflarestorage.com and the region name should typically be auto. Confirm your region/endpoint is set correctly.

  4. Token scope - The R2 API token must have at minimum Object Read & Write permission on the bucket (so it can perform DELETE operations, as seen in the failing request).

The error is occurring during a maintenance task that attempts to delete blobs, which means reads/writes may have been working but the token may be misconfigured or recently rotated/expired.

See the S3-compatible blob store documentation and the BlobStore reference for the full field descriptions.

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.

The error is clear: SignatureDoesNotMatch with HTTP 403 means the secretKey (and possibly accessKey) configured for your Cloudflare R2 bucket does not match what R2 expects when verifying the AWS Signature V4 request. This is a credentials mismatch, not a Stalwart bug.

Here are the things to check and fix in your BlobStore configuration (Settings > Storage > Blob Store in the WebUI):

  1. secretKey - This is the most likely culprit. Copy the R2 API token secret value exactly, with no leading/trailing whitespace. R2 generates a separate “Secret Access Key” when you create an API token; make sure you are using that value and not the token itself or the account password.

  2. accessKey - Confirm this matches the “Access Key ID” shown in your R2 API token, not your Cloudflare account ID.

  3. region - For Cloudflare R2 you must use the Custom variant and set the endpoint to https://<ACCOUNT-ID>.r2.cloudflarestorage.com. The region name is typically auto. An incorrect region causes signature mismatches because the region is part of the signed string.

  4. Re-generate the API token in the Cloudflare dashboard if there is any doubt about whether the secret was copied correctly. R2 only shows the secret once.

The log shows the DELETE request hitting <ACCOUNT-ID>.r2.cloudflarestorage.com (the maintenance task purging old blobs), which means the endpoint is reachable but the credentials are wrong. Once you correct the secretKey/accessKey pair in the BlobStore config, the maintenance task will succeed.

Reference: S3-compatible blob storage documentation

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.
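
Added example, not part of the thread or of Stalwart's code: a Python sketch of the AWS Signature V4 derivation the reply above refers to, showing that the region and a stray space in the secret both change the signature, and how the string to sign and canonical request echoed in a SignatureDoesNotMatch error can be checked locally. The secret, bucket, object key and account names are constructed placeholders, and the function names (`build_string_to_sign`, `sigv4_signature`, `diagnose`) are hypothetical.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # x-amz-content-sha256 of an empty body
SECRET = "constructed-secret-not-a-real-key"    # constructed sample value
# Constructed canonical request with the same shape as the one in the log.
CANONICAL = "\n".join([
    "DELETE", "/example-bucket/example-key", "",
    "content-length:", "content-type:text/plain",
    "host:example-account.r2.cloudflarestorage.com",
    f"x-amz-content-sha256:{EMPTY_SHA256}",
    "x-amz-date:20260617T231104Z", "",
    "content-length;content-type;host;x-amz-content-sha256;x-amz-date",
    EMPTY_SHA256,
])

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def build_string_to_sign(amz_date: str, region: str, canonical_request: str) -> str:
    """Algorithm, timestamp, credential scope, SHA-256 of the canonical request."""
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    digest = hashlib.sha256(canonical_request.encode()).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])

def sigv4_signature(secret_key: str, string_to_sign: str) -> str:
    """Derive the signing key from the scope line, then sign the whole string."""
    scope = string_to_sign.split("\n")[2]
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):          # date, region, service, aws4_request
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def diagnose(secret_key, server_sts, server_canonical, sent_signature) -> str:
    """Classify a SignatureDoesNotMatch from the fields echoed in the error."""
    digest = hashlib.sha256(server_canonical.encode()).hexdigest()
    if digest != server_sts.split("\n")[3]:
        return "inconsistent: canonical request does not hash to the string to sign"
    if hmac.compare_digest(sigv4_signature(secret_key, server_sts), sent_signature):
        return "same string signed: the server holds a different secret for this access key"
    return "different string or key: compare region, signed headers and secret"

if __name__ == "__main__":
    sts = build_string_to_sign("20260617T231104Z", "auto", CANONICAL)
    print(diagnose(SECRET, sts, CANONICAL, sigv4_signature(SECRET, sts)))
    print(diagnose(SECRET, sts, CANONICAL, sigv4_signature(SECRET + " ", sts)))
```

For a real failure, the inputs would be the string to sign and canonical request from the error body, the signature from the request's Authorization header, and the secret as configured in the client.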

The error is a SignatureDoesNotMatch (HTTP 403) from Cloudflare R2, which means the secretKey configured in Stalwart’s BlobStore does not match what R2 expects when verifying the AWS Signature V4 request.

Here is what to check:

  1. Wrong secret key value – The most common cause. Go to the WebUI under Settings > Storage > Blob Store and verify the secretKey field exactly matches the R2 API token secret. Even a single extra space or character will produce this error. Consider using the EnvironmentVariable or File secret variant to avoid copy-paste mistakes.

  2. Wrong access key – The accessKey must be the R2 Access Key ID (not your Cloudflare account ID or email). Double-check that both the access key and secret key are from the same R2 API token pair.

  3. Key was regenerated – If you recently regenerated the R2 API token, the old secret key is immediately invalid. Update secretKey in the BlobStore configuration with the new value.

  4. Endpoint / region mismatch – For Cloudflare R2 you must set region to Custom and supply your R2 endpoint (https://<ACCOUNT-ID>.r2.cloudflarestorage.com) along with the region name (typically auto). Mismatched endpoint/region can also produce signature failures.

The log shows the operation is a DELETE issued during store maintenance (blob garbage collection), so reads/writes may appear to work while the mismatch only surfaces on cleanup – but the underlying credential issue applies to all operations.

Docs reference: S3-compatible blob storage configuration

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.