Getting 500 Internal Server Error: The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

We are getting the following message when we want to add a TOTP token in our collaboration platform that is linked with our privacyIDEA server. The log messages on the privacyIDEA server show the following:

[2025-10-07 15:28:57,015] ERROR in app: Exception on /token/init [POST]
privacyidea-1  | Traceback (most recent call last):
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/jwt/api_jws.py”, line 204, in _load
privacyidea-1  |     signature = base64url_decode(crypto_segment)
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/jwt/utils.py”, line 42, in base64url_decode
privacyidea-1  |     return base64.urlsafe_b64decode(input)
privacyidea-1  |   File “/usr/local/lib/python3.7/base64.py”, line 133, in urlsafe_b64decode
privacyidea-1  |     return b64decode(s)
privacyidea-1  |   File “/usr/local/lib/python3.7/base64.py”, line 87, in b64decode
privacyidea-1  |     return binascii.a2b_base64(s)
privacyidea-1  | binascii.Error: Incorrect padding
privacyidea-1  |
privacyidea-1  | During handling of the above exception, another exception occurred:
privacyidea-1  |
privacyidea-1  | Traceback (most recent call last):
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 2447, in wsgi_app
privacyidea-1  |     response = self.full_dispatch_request()
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 1952, in full_dispatch_request
privacyidea-1  |     rv = self.handle_user_exception(e)
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 1821, in handle_user_exception
privacyidea-1  |     reraise(exc_type, exc_value, tb)
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/flask/_compat.py”, line 39, in reraise
privacyidea-1  |     raise value
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 1948, in full_dispatch_request
privacyidea-1  |     rv = self.preprocess_request()
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 2242, in preprocess_request
privacyidea-1  |     rv = func()
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/auth.py”, line 401, in decorated_function
privacyidea-1  |     check_auth_token(required_role=[“user”, “admin”])
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/auth.py”, line 421, in check_auth_token
privacyidea-1  |     r = verify_auth_token(auth_token, required_role)
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/lib/utils.py”, line 292, in verify_auth_token
privacyidea-1  |     headers = jwt.get_unverified_header(auth_token)
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/jwt/api_jws.py”, line 166, in get_unverified_header
privacyidea-1  |     headers = self._load(jwt)[2]
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/jwt/api_jws.py”, line 206, in _load
privacyidea-1  |     raise DecodeError(‘Invalid crypto padding’)
privacyidea-1  | jwt.exceptions.DecodeError: Invalid crypto padding
privacyidea-1  | 2025-10-07 15:28:57,015 ERROR app.py Exception on /token/init [POST]
privacyidea-1  | Traceback (most recent call last):
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/jwt/api_jws.py”, line 204, in _load
privacyidea-1  |     signature = base64url_decode(crypto_segment)
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/jwt/utils.py”, line 42, in base64url_decode
privacyidea-1  |     return base64.urlsafe_b64decode(input)
privacyidea-1  |   File “/usr/local/lib/python3.7/base64.py”, line 133, in urlsafe_b64decode
privacyidea-1  |     return b64decode(s)
privacyidea-1  |   File “/usr/local/lib/python3.7/base64.py”, line 87, in b64decode
privacyidea-1  |     return binascii.a2b_base64(s)
privacyidea-1  | binascii.Error: Incorrect padding
privacyidea-1  |
privacyidea-1  | During handling of the above exception, another exception occurred:
privacyidea-1  |
privacyidea-1  | Traceback (most recent call last):
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 2447, in wsgi_app
privacyidea-1  |     response = self.full_dispatch_request()
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 1952, in full_dispatch_request
privacyidea-1  |     rv = self.handle_user_exception(e)
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 1821, in handle_user_exception
privacyidea-1  |     reraise(exc_type, exc_value, tb)
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/flask/_compat.py”, line 39, in reraise
privacyidea-1  |     raise value
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 1948, in full_dispatch_request
privacyidea-1  |     rv = self.preprocess_request()
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 2242, in preprocess_request
privacyidea-1  |     rv = func()
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/auth.py”, line 401, in decorated_function
privacyidea-1  |     check_auth_token(required_role=[“user”, “admin”])
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/auth.py”, line 421, in check_auth_token
privacyidea-1  |     r = verify_auth_token(auth_token, required_role)
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/lib/utils.py”, line 292, in verify_auth_token
privacyidea-1  |     headers = jwt.get_unverified_header(auth_token)
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/jwt/api_jws.py”, line 166, in get_unverified_header
privacyidea-1  |     headers = self._load(jwt)[2]
privacyidea-1  |   File “/opt/privacyidea/lib/python3.7/site-packages/jwt/api_jws.py”, line 206, in _load
privacyidea-1  |     raise DecodeError(‘Invalid crypto padding’)
privacyidea-1  | jwt.exceptions.DecodeError: Invalid crypto padding

We are running privacyidea version 3.5.2

We are running a Docker container, and we just created a new API token for the service and validated it through the following commands:

pi-manage api createtoken
pi-manage admin add {token username}

pi-manage api createtoken -r validate

Hello and welcome.

Could you please reformat the logs with the traceback, so that readers can read them?

Thanks a lot!

Hello, thanks for the welcome.
How should I reformat the log, or just paste it on the blog?

Here is a better view of the logs:

privacyidea-1 | [2025-10-09 13:41:51,358] ERROR in app: Exception on /token/init [POST]
privacyidea-1 | Traceback (most recent call last):
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/jwt/api_jws.py”, line 204, in _load
privacyidea-1 | signature = base64url_decode(crypto_segment)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/jwt/utils.py”, line 42, in base64url_decode
privacyidea-1 | return base64.urlsafe_b64decode(input)
privacyidea-1 | File “/usr/local/lib/python3.7/base64.py”, line 133, in urlsafe_b64decode
privacyidea-1 | return b64decode(s)
privacyidea-1 | File “/usr/local/lib/python3.7/base64.py”, line 87, in b64decode
privacyidea-1 | return binascii.a2b_base64(s)
privacyidea-1 | binascii.Error: Incorrect padding

privacyidea-1 | During handling of the above exception, another exception occurred:
privacyidea-1 |
privacyidea-1 | Traceback (most recent call last):
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 2447, in wsgi_app
privacyidea-1 | response = self.full_dispatch_request()
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 1952, in full_dispatch_request
privacyidea-1 | rv = self.handle_user_exception(e)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 1821, in handle_user_exception
privacyidea-1 | reraise(exc_type, exc_value, tb)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/flask/_compat.py”, line 39, in reraise
privacyidea-1 | raise value
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 1948, in full_dispatch_request
privacyidea-1 | rv = self.preprocess_request()
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 2242, in preprocess_request
privacyidea-1 | rv = func()
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/auth.py”, line 401, in decorated_function
privacyidea-1 | check_auth_token(required_role=[“user”, “admin”])
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/auth.py”, line 421, in check_auth_token
privacyidea-1 | r = verify_auth_token(auth_token, required_role)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/lib/utils.py”, line 292, in verify_auth_token
privacyidea-1 | headers = jwt.get_unverified_header(auth_token)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/jwt/api_jws.py”, line 166, in get_unverified_header
privacyidea-1 | headers = self._load(jwt)[2]
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/jwt/api_jws.py”, line 206, in _load
privacyidea-1 | raise DecodeError(‘Invalid crypto padding’)
privacyidea-1 | jwt.exceptions.DecodeError: Invalid crypto padding

The most important part of the error/stacktrace is at the end: “invalid crypto padding”.

This indicates that the encrypted data and your encryption key do not match. Maybe your Docker container setup is bogus.

Thank you for the quick reply,

With the encrypted data not matching the encryption key, would generating a new private.pem and public.pem resolve my issue, or a new enckey?

I was able to resolve the error regarding Invalid crypto padding. The admin token and validation token had single quotes around them when they did not need them.

Now I am running into another issue after entering the TOTP token using the privacyIDEA app:
binascii.Error: Non-hexadecimal digit found
privacyidea-1 | 2025-10-14 17:42:39,304 ERROR app.py Exception on /validate/samlcheck [GET]
privacyidea-1 | Traceback (most recent call last):
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 2447, in wsgi_app
privacyidea-1 | response = self.full_dispatch_request()
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 1952, in full_dispatch_request
privacyidea-1 | rv = self.handle_user_exception(e)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 1821, in handle_user_exception
privacyidea-1 | reraise(exc_type, exc_value, tb)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/flask/_compat.py”, line 39, in reraise
privacyidea-1 | raise value
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 1950, in full_dispatch_request
privacyidea-1 | rv = self.dispatch_request()
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/flask/app.py”, line 1936, in dispatch_request
privacyidea-1 | return self.view_functions[rule.endpoint](**req.view_args)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/lib/postpolicy.py”, line 108, in policy_wrapper
privacyidea-1 | response = wrapped_function(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/lib/postpolicy.py”, line 108, in policy_wrapper
privacyidea-1 | response = wrapped_function(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/lib/postpolicy.py”, line 108, in policy_wrapper
privacyidea-1 | response = wrapped_function(*args, **kwds)
privacyidea-1 | [Previous line repeated 8 more times]
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/lib/decorators.py”, line 41, in function_wrapper
privacyidea-1 | response = wrapped_function(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/lib/prepolicy.py”, line 154, in policy_wrapper
privacyidea-1 | return wrapped_function(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/lib/prepolicy.py”, line 154, in policy_wrapper
privacyidea-1 | return wrapped_function(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/lib/prepolicy.py”, line 154, in policy_wrapper
privacyidea-1 | return wrapped_function(*args, **kwds)
privacyidea-1 | [Previous line repeated 5 more times]
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/decorators.py”, line 100, in check_user_or_serial_in_request_wrapper
privacyidea-1 | f_result = func(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/subscriptions.py”, line 333, in check_subscription_wrapper
privacyidea-1 | f_result = func(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/lib/prepolicy.py”, line 154, in policy_wrapper
privacyidea-1 | return wrapped_function(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/event.py”, line 99, in event_wrapper
privacyidea-1 | f_result = func(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/api/validate.py”, line 396, in check
privacyidea-1 | success, details = check_user_pass(user, password, options=options)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 93, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 186, in auth_cache
privacyidea-1 | res, reply_dict = wrapped_function(user_object, passw, options)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 93, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 254, in auth_user_does_not_exist
privacyidea-1 | return wrapped_function(user_object, passw, options)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 93, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 223, in auth_user_has_no_token
privacyidea-1 | return wrapped_function(user_object, passw, options)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 93, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 355, in auth_user_timelimit
privacyidea-1 | res, reply_dict = wrapped_function(user_object, passw, options)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 93, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 442, in auth_lastauth
privacyidea-1 | res, reply_dict = wrapped_function(user_or_serial, passw, options)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 93, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 332, in auth_user_passthru
privacyidea-1 | return wrapped_function(user_object, passw, options)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/log.py”, line 194, in log_wrapper
privacyidea-1 | f_result = func(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/token.py”, line 2071, in check_user_pass
privacyidea-1 | allow_reset_all_tokens=True)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/log.py”, line 194, in log_wrapper
privacyidea-1 | f_result = func(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 93, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 638, in reset_all_user_tokens
privacyidea-1 | r = wrapped_function(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/policydecorators.py”, line 93, in policy_wrapper
privacyidea-1 | return self.decorator_function(wrapped_function, *args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/challengeresponsedecorators.py”, line 150, in generic_challenge_response_reset_pin
privacyidea-1 | success, reply_dict = wrapped_function(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/token.py”, line 2225, in check_token_list
privacyidea-1 | tokenobject.authenticate(passw, user, options=options)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/decorators.py”, line 45, in token_locked_wrapper
privacyidea-1 | f_result = func(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/tokenclass.py”, line 456, in authenticate
privacyidea-1 | otp_counter = self.check_otp(otpval, options=options)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/decorators.py”, line 45, in token_locked_wrapper
privacyidea-1 | f_result = func(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/tokens/totptoken.py”, line 360, in check_otp
privacyidea-1 | symetric=True)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/log.py”, line 194, in log_wrapper
privacyidea-1 | f_result = func(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/tokens/HMAC.py”, line 155, in checkOtp
privacyidea-1 | otpval = self.generate(c)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/tokens/HMAC.py”, line 121, in generate
privacyidea-1 | hmac = self.hmac(counter=counter, key=key)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/tokens/HMAC.py”, line 83, in hmac
privacyidea-1 | dig = self.secretObj.hmac_digest(data_input, self.hashfunc)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/crypto.py”, line 128, in hmac_digest
privacyidea-1 | self.setupKey()
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/crypto.py”, line 150, in setupKey
privacyidea-1 | akey = decrypt(self.val, self.iv)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/log.py”, line 194, in log_wrapper
privacyidea-1 | f_result = func(*args, **kwds)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/crypto.py”, line 393, in decrypt
privacyidea-1 | res = hsm.decrypt(to_bytes(enc_data), to_bytes(iv), key_id=key_id)
privacyidea-1 | File “/opt/privacyidea/lib/python3.7/site-packages/privacyidea/lib/security/default.py”, line 495, in decrypt
privacyidea-1 | data = binascii.unhexlify(output)
privacyidea-1 | binascii.Error: Non-hexadecimal digit found
privacyidea-1 | 2025-10-14 17:42:39,305 DEBUG log.py Entering log with arguments (<privacyidea.lib.auditmodules.sqlaudit.Audit object at 0x7fa5e5872bd0>, {‘info’: ‘500 Internal Server Error: The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.’}) and keywords {}

Any suggestions on how to resolve the issue?

Resolved the issue by restoring the database to a previous point and adding the original enckey / private and public files, then restarting the service, and it worked.

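The first error in this thread (`Invalid crypto padding` on `/token/init`, resolved by removing the single quotes around the tokens) can be caught before the token is ever sent. The following is an added example, not code from privacyIDEA or from the posters: `diagnose_auth_token` and `make_sample_token` are hypothetical helpers, and the sample token is constructed with a throwaway key. It mirrors the pad-then-decode step seen in the traceback and shows that a leading quote is silently dropped from the header segment, so the failure only surfaces at the signature segment.

```python
import base64
import binascii
import hashlib
import hmac
import json
import string

B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")
SEGMENTS = ("header", "payload", "signature")


def b64url_decode(segment: str) -> bytes:
    """Mirror the decode step in the traceback: pad by length, then urlsafe-decode."""
    raw = segment.encode("utf-8")
    rem = len(raw) % 4
    if rem:
        raw += b"=" * (4 - rem)
    return base64.urlsafe_b64decode(raw)


def diagnose_auth_token(value: str) -> list:
    """Return the problems found in an auth token value; an empty list means well-formed."""
    problems = []
    token = value.strip()
    if token != value:
        problems.append("leading or trailing whitespace")
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"":
        problems.append("token is wrapped in quote characters")
    parts = token.split(".")
    if len(parts) != 3:
        problems.append(f"expected 3 dot-separated segments, found {len(parts)}")
        return problems
    for name, segment in zip(SEGMENTS, parts):
        stray = sorted(set(segment) - B64URL_ALPHABET)
        if stray:
            problems.append(f"{name}: characters outside base64url alphabet {stray}")
        try:
            decoded = b64url_decode(segment)
            if name != "signature":
                json.loads(decoded)  # header and payload must be JSON
        except (binascii.Error, ValueError) as exc:
            problems.append(f"{name}: cannot decode ({exc})")
    return problems


def make_sample_token() -> str:
    """Constructed HS256 token signed with a throwaway key (not a real privacyIDEA token)."""
    def enc(data: bytes) -> str:
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
    header = enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = enc(json.dumps({"username": "admin", "role": "admin"}).encode())
    mac = hmac.new(b"constructed-demo-key", f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{enc(mac.digest())}"


if __name__ == "__main__":
    good = make_sample_token()
    for label, value in (("clean", good), ("single-quoted", f"'{good}'")):
        print(label, diagnose_auth_token(value) or "OK")
```

The check only validates the token's shape; it does not verify the signature, which remains the server's job.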