Central not starting due to missing /etc/dh/nginx.pem

1. What is the issue? Please be detailed.

ODK Central stopped working after I tried to move the Docker data directory to a new volume.

I followed the instructions at the link recommended in the installation documentation, and my server stopped working after that. I tried to fix it, but at this moment I'm stuck in the process.

I have managed to rebuild the server, but now I have an error with the nginx service. I checked the log and it is looking for a non-existent file in the directory "/etc/dh/nginx.pem". I copied the file to this location and the service still does not come up correctly.

Nginx Logs:

nginx_1               | writing a new nginx configuration file..
nginx_1               | starting nginx with certbot..
nginx_1               | Starting the Nginx service
nginx_1               | Starting the autorenewal service
nginx_1               | 2022/12/19 20:22:08 [emerg] 78#78: PEM_read_bio_DHparams("/etc/dh/nginx.pem") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: DH PARAMETERS)
nginx_1               | nginx: [emerg] PEM_read_bio_DHparams("/etc/dh/nginx.pem") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: DH PARAMETERS)
nginx_1               | writing a new nginx configuration file..
nginx_1               | starting nginx with certbot..
nginx_1               | Starting the Nginx service
nginx_1               | Starting the autorenewal service
nginx_1               | 2022/12/19 20:23:16 [emerg] 78#78: PEM_read_bio_DHparams("/etc/dh/nginx.pem") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: DH PARAMETERS)
nginx_1               | nginx: [emerg] PEM_read_bio_DHparams("/etc/dh/nginx.pem") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: DH PARAMETERS)

Docker compose Status:

root@mcticentral:~/central# docker-compose ps
            Name                          Command                 State       Ports
-------------------------------------------------------------------------------------
central_enketo_1               docker-entrypoint.sh /bin/ ...   Up           8005/tcp
central_enketo_redis_cache_1   docker-entrypoint.sh redis ...   Up           6379/tcp
central_enketo_redis_main_1    docker-entrypoint.sh redis ...   Up           6379/tcp
central_mail_1                 /bin/entrypoint.sh exim -b ...   Up           25/tcp
central_nginx_1                /bin/bash /scripts/odk-set ...   Restarting
central_postgres_1             docker-entrypoint.sh postgres    Up           5432/tcp
central_pyxform_1              gunicorn --bind 0.0.0.0:80 ...   Up
central_secrets_1              docker-entrypoint.sh ./gen ...   Exit 0
central_service_1              docker-entrypoint.sh ./wai ...   Up           8383/tcp
root@mcticentral:~/central#

I need some help with this issue.

Thanks in advance.

openssl's key generation has failed and left an empty file at /etc/dh/nginx.pem. The empty file is causing a reboot loop of your web server.

This issue was fixed in the latest version of Central (currently Central v2022.3.1). See https://github.com/getodk/central/pull/327 for more.

What happens if you run the following command in your Central directory?

docker-compose exec nginx cat /etc/dh/nginx.pem

It should print something like this

-----BEGIN DH PARAMETERS-----
MIICWwIBAAKBgHxfVtXbRdpTXdJh4fd/S9Z9my2a2W/W9g/uwqDVJhxJQuwQbk41
RJw1dNmambxnh9kK7BXtzFTYO1VHdwcSZpve1ApI8yHn9cVnJP0hh9xmTFFX7/uq
FKKUg2/uWRKFgj9L/HeWG0MLQn6Y6K0a8PY+5NiFGI+BwDDE3BuPelwxAgMBAAEC
gYBZ8JQaKOyV2s2xUymW0k5keQbb7uwo7ZmZof7LUfiyYeRsU+GA2xKXqCytJBji
Gb9eDaTO3HoJQO6pAkEAswEVQWXrfumA33bpeY9ing0Xzd+r/5IiRtr1YbH8GYYD
O/3bJysCvsfJ/WDujq5fdsvG8PXJkMXB6EZ0hL4Vgw==
-----END DH PARAMETERS-----

If the above command doesn't print anything, it means nginx.pem is indeed empty and you need to remove it. The following command will do that.

docker-compose exec nginx rm /etc/dh/nginx.pem

Then all you should need to do is rebuild and bring everything back up.

docker-compose build;
docker-compose stop;
docker-compose up -d;

After you confirm everything is working, I'd recommend planning time for an upgrade to the latest version of Central.
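The check and regeneration described in the reply above, written out as an added example. This is not the project's odk-setup.sh and not the change in the linked PR; the function names are this example's own, and the only thing taken from the thread is the path /etc/dh/nginx.pem and the 2048-bit size from the nginx log. It tests the file with -s (non-empty) so a zero-byte leftover counts as missing, lets openssl actually parse the parameters when openssl is installed, and generates new parameters into a temporary file that is renamed into place only after it validates, so an interrupted or failed openssl run cannot leave an empty nginx.pem behind for nginx to trip over on the next restart:

```sh
#!/bin/sh
# Added example, not ODK Central's own odk-setup.sh: validate the nginx
# Diffie-Hellman parameter file and regenerate it atomically when it is
# missing, empty, or unparsable. Function names are this example's own.

# Return 0 if $1 is a non-empty PEM "DH PARAMETERS" block, 1 otherwise.
# "-s" (non-empty) rather than "-e" (exists) is what makes a zero-byte
# leftover from a killed "openssl dhparam" count as missing.
check_dhparam() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^-----BEGIN DH PARAMETERS-----$' || return 1
    tail -n 1 "$1" | grep -q '^-----END DH PARAMETERS-----$' || return 1
    # When openssl is available, make it parse and sanity-check the
    # parameters instead of trusting the PEM framing alone.
    if command -v openssl >/dev/null 2>&1; then
        openssl dhparam -in "$1" -check -noout >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Make sure $1 holds valid parameters, generating $2-bit ones (default
# 2048, the size in the nginx log above) when it does not. Generation goes
# to a temp file in the same directory and is renamed into place only after
# it validates, so readers see either the old file or a complete new one.
ensure_dhparam() {
    target="$1"
    bits="${2:-2048}"
    check_dhparam "$target" && return 0
    rm -f "$target"                     # discard the empty/corrupt leftover
    tmp="$(mktemp "${target}.XXXXXX")" || return 1
    if openssl dhparam -out "$tmp" "$bits" >/dev/null 2>&1 && check_dhparam "$tmp"; then
        mv -f "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage: sh dhparam-check.sh /etc/dh/nginx.pem [bits]
if [ -n "${1:-}" ]; then
    if ensure_dhparam "$1" "${2:-2048}"; then
        echo "ok: $1 holds valid DH parameters"
    else
        echo "error: could not produce valid DH parameters in $1" >&2
        exit 1
    fi
fi
```

Run it inside the nginx container (or on the host against the bind-mounted directory) as `sh dhparam-check.sh /etc/dh/nginx.pem`. Generating 2048-bit safe-prime parameters takes minutes, which is the window in which a killed container leaves the empty file; the temp-file-plus-rename step is what closes that window.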

Thanks for your fast response, yanokwa.

When I try to run this command:

docker-compose exec nginx cat /etc/dh/nginx.pem

the server responds with this:

Error response from daemon: Container (Container name) is restarting, wait until the container is running

I manually checked my nginx.pem file and, yes, the file is empty.

If I try to run this other command:

docker-compose exec nginx rm /etc/dh/nginx.pem

the server responds the same:

Error response from daemon: Container (Container name) is restarting, wait until the container is running

My ODK Central server is up to date with the latest version. The problem appeared when I tried to move Docker to another place on my server, because in the root directory I don't have enough space to continue collecting data for the project.

Can I copy an old file from somewhere to replace it? Or, better, generate a new file?

Thanks in advance.

Hmm, let's try something different then.

If you haven't rebooted, give that a try just so we rule out any issues with state data.

In ~/central/files/nginx/odk-setup.sh, does Line 4 say the following:

DHPATH=/etc/dh/nginx.pem
if [ ! -s "$DHPATH" ] && [ "$SSL_TYPE" != "upstream" ]

If it does not, change it to match the snippet above and try rebuilding.

If it does, change it to match the snippet below and try rebuilding.

DHPATH=/etc/dh/nginx.pem
rm -f "$DHPATH";
if [ ! -s "$DHPATH" ] && [ "$SSL_TYPE" != "upstream" ]

If that works OK, change the file back to how it was and you should be fine going forward.

Hello Yanokwa:

After the new procedure you suggested and rebuilding my ODK Central server, the result was the following:

docker-compose ps


            Name                          Command                  State                   Ports
------------------------------------------------------------------------------------------------------------
central_enketo_1               docker-entrypoint.sh /bin/ ...   Up               8005/tcp
central_enketo_redis_cache_1   docker-entrypoint.sh redis ...   Up               6379/tcp
central_enketo_redis_main_1    docker-entrypoint.sh redis ...   Up               6379/tcp
central_mail_1                 /bin/entrypoint.sh exim -b ...   Up               25/tcp
central_nginx_1                /bin/bash /scripts/odk-set ...   Up (unhealthy)   0.0.0.0:443->443/tcp,:::443->443/tcp, 0.0.0.0:80->80/tcp,:::80->80/tcp
central_postgres_1             docker-entrypoint.sh postgres    Up               5432/tcp
central_pyxform_1              gunicorn --bind 0.0.0.0:80 ...   Up
central_secrets_1              docker-entrypoint.sh ./gen ...   Exit 0
central_service_1              docker-entrypoint.sh ./wai ...   Up               8383/tcp

I checked the nginx logs with this command:

docker-compose logs nginx

The result was:

Attaching to central_nginx_1
nginx_1               | diffie hellman private key does not exist; creating..
nginx_1               | Generating DH parameters, 2048 bit long safe prime, generator 2
nginx_1               | This is going to take a long time

If I try to connect by the local IP address, the web browser shows me the portal, but when I try to log in with my user and password the portal rejects me.

Incorrect email address and/or password.

but my user and password are correct.

Thanks for all of your help.

Best Regards!

This is good progress.

At this stage, you have to wait for docker-compose logs nginx to show successful generation of the key. It usually only takes a few minutes, even on slow machines.

Can you confirm that you changed the file back, so the rm command has been removed?

Yes Yanokwa, that's correct. I edited my file and changed everything back to the first state.

docker-compose ps

shows:

 Name                          Command                  State                   Ports
------------------------------------------------------------------------------------------------------------
central_enketo_1               docker-entrypoint.sh /bin/ ...   Up             8005/tcp
central_enketo_redis_cache_1   docker-entrypoint.sh redis ...   Up             6379/tcp
central_enketo_redis_main_1    docker-entrypoint.sh redis ...   Up             6379/tcp
central_mail_1                 /bin/entrypoint.sh exim -b ...   Up             25/tcp
central_nginx_1                /bin/bash /scripts/odk-set ...   Up (healthy)   0.0.0.0:443->443/tcp,:::443->443/tcp, 0.0.0.0:80->80/tcp,:::80->80/tcp
central_postgres_1             docker-entrypoint.sh postgres    Up             5432/tcp
central_pyxform_1              gunicorn --bind 0.0.0.0:80 ...   Up
central_secrets_1              docker-entrypoint.sh ./gen ...   Exit 0
central_service_1              docker-entrypoint.sh ./wai ...   Up             8383/tcp

But the server still denies my access.

And another doubt I have is: what will happen with the information that was loaded on my server?

It sounds like your install is working well, but in your move of the docker data folder, you've lost the link to your old database. That's probably why you can't login, your install is probably pointing to a new database.

Did you take a backup before attempting the move?

OK, I understand. I have an old backup, but not a new one.

If I try to roll back and rebuild the server in the old location for the project, maybe it will reconnect to the old database?

or

Is there a way to reconnect to or recover the previous database?

Thanks in advance.

Best regards.

P.S.: Sorry for all this inconvenience, but I'm completely new to managing ODK Central.

Any advice about my last post?

Thanks in advance.

@diego_villanueva I think what might be easiest at this stage is if we get access to your server. I will send you an email so we can coordinate that process and update this public topic once we have a resolution.

Thanks for all of your help, Yaw.

I'll send you the information.

Thanks in advance.

I investigated the issues on this server, and unfortunately, I could not get the old database back.

My guess is that something went wrong when the Docker data directory was moved and without a whole machine backup or a backup of the data directory, there was no way to roll back. I've suggested extundelete and TestDisk as a last resort, but I'm not optimistic those will work.

Data loss is the worst and I feel terrible that this has happened. It's an unfortunate reminder that running production servers is hard work. We'll continue to strongly recommend that self-hosters set up backups so they have a safety-net.

If anyone has other ideas on how we can help prevent these kinds of issues, please share.