Configuring letsencrypt cert with nginx

Hello
What is the problem? Please be detailed.
I'm having trouble configuring a letsencrypt cert with Aggregate and nginx.
First I installed Aggregate (no cert) on tomcat8 on the default port (8080), then installed enketo/nginx as per the instructions, skipping the ssl part: https://blog.enketo.org/install-enketo-production-ubuntu/ , and redirected 127.0.0.1:8080/ODKAggregate to /odk in nginx sites-available/enabled.
This configuration works and I can use mydomain.com/odk with Collect, no problems.

Then I followed the enketo instructions to make a csr and use it with certbot and got three files:
0000_cert.pem, 0000_chain.pem and 0001_chain.pem.
I exported the cert with:
CERT_NAME=0000_cert
openssl pkcs12 -export -in $CERT_PATH/$CERT_NAME.pem -inkey $CERT_PATH/$CERT_NAME.key -out $CERT_PATH/$CERT_NAME.pfx
chmod 644 $CERT_PATH/$CERT_NAME.pfx
chown root:ssl-cert $CERT_PATH/$CERT_NAME.pfx
usermod -a -G ssl-cert tomcat8

and added to server.xml
sed -i.sslold -e '/<!-- Define an AJP/ i <Connector port="8443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" secure="true" scheme="https"
clientAuth="false" sslProtocol="TLS"
keystoreFile="'"$CERT_PATH"'/'"$CERT_NAME"'.pfx"
keystoreType="PKCS12"
keystorePass="somepass" />'
-e 's//
/' /etc/tomcat8/server.xml

then I updated sites-available/enabled with this: https://drive.google.com/open?id=0ByT05oAp7x21VkhPU3hpQ0w5TG8

next I re-run the Aggregate installer with the ssl option (port 8443) and copy the war to webapps
finally restarted tomcat and nginx

When I go to mydomain.com/odk everything seems fine: I get redirected correctly to https://mydomain.com:8443/ODKAggregate and I can upload forms, change users, etc., but when I put mydomain.com/odk in Collect I get "trust anchor for certification path not found while accessing https://mydomain.com/odk/FormList".
I can't use FormUploader either; I get "Starting url: http://mydomain.com/odk/upload unexpected exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". I tried with http/https/https:8443.
Enketo isn't working either; I get these results:
with http://mydomain.com:8025/enketo/api/v1 I get redirected but secure connection failed
with http://mydomain.com/enketo/api/v1 I get this


every other combination gets: "There was an error obtaining the webform"
Also the ssllabs test says: "This server's certificate chain is incomplete. Grade capped to B." How can I fix this?

What ODK tool and version are you using? And on what device and operating system version?
I'm using Aggregate 1.4.14, Collect 1.9.1 and FormUploader 1.4.9

What steps can we take to reproduce the problem?

What have you tried to fix the problem?
I tried to follow this https://community.letsencrypt.org/t/nginx-incomplete-certificate-chain/29388 but I'm not sure which files I should concatenate and whether I should replace cert.pem with the result. Also, most of the questions use apache and no csr, so the filenames are different.
I added this to my conf file but it didn't work:
ssl_trusted_certificate 0000_chain.pem
ssl_trusted_certificate 0001_chain.pem

The altnames for the cert are mydomain.com and www.mydomain.com. Do I also need mydomain.com/odk, etc.?
I'm using aws; if I remove the inbound rules for 8080 and 8443, will nginx still redirect correctly?

Anything else we should know or have? If you have a test form or screenshots or logs, attach here.

Thanks

I should've read more carefully.
Concatenate 0000_cert and 0000_chain and update the certs accordingly in nginx and tomcat.
A few links in case I get amnesia:
https://nginx.org/en/docs/http/configuring_https_servers.html#chains

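The following is an added demonstration of the fix in the reply above; it is not code from the original thread or from the ODK, Enketo or certbot projects. It builds a throwaway root / intermediate / leaf chain with openssl, names the files the way certbot named them in the post (0000_cert.pem is the leaf, 0000_chain.pem the intermediate), and shows that a client trusting only the root rejects a server that presents the leaf alone but accepts leaf + intermediate. The `-untrusted` bundle passed to `openssl verify` stands in for whatever the server sends; the domain, subject names and keystore password are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the original thread): build a throwaway root -> intermediate
# -> leaf chain with openssl, name the files the way certbot named them in the
# post (0000_cert.pem = leaf, 0000_chain.pem = intermediate), and show why a
# server that presents only the leaf fails path validation while
# leaf + intermediate ("fullchain") verifies against a client that trusts only
# the root. All names, domains and passwords here are constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName = DNS:mydomain.com, DNS:www.mydomain.com
EOF

# Root CA: stands in for the trust anchor already present in the client's store.
openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Demo Root CA" -days 2 2>/dev/null

# Intermediate CA, signed by the root: this is what 0000_chain.pem carries.
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
  -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile demo.cnf -extensions v3_ca -days 2 -out 0000_chain.pem 2>/dev/null

# Leaf for the site, signed by the intermediate: this is 0000_cert.pem.
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
  -keyout 0000_cert.key -out leaf.csr -subj "/CN=mydomain.com" 2>/dev/null
openssl x509 -req -in leaf.csr -CA 0000_chain.pem -CAkey inter.key -CAcreateserial \
  -extfile demo.cnf -extensions v3_leaf -days 2 -out 0000_cert.pem 2>/dev/null

# The fix from the reply: leaf first, then the intermediate.
cat 0000_cert.pem 0000_chain.pem > fullchain.pem

# Simulate a client that trusts only the root and receives bundle $1 from the
# server. Prints "verified" or "incomplete-chain".
verify_presented() {
  if openssl verify -CAfile root.pem -untrusted "$1" 0000_cert.pem >/dev/null 2>&1; then
    echo verified
  else
    echo incomplete-chain
  fi
}

# Build a PKCS#12 keystore (the Tomcat side) from bundle $1 and report how many
# certificates it carries; Tomcat can only send what is in the keystore.
pkcs12_cert_count() {
  openssl pkcs12 -export -in "$1" -inkey 0000_cert.key -out "$1.pfx" -passout pass:demo 2>/dev/null
  openssl pkcs12 -in "$1.pfx" -passin pass:demo -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

echo "leaf only:     $(verify_presented 0000_cert.pem)"   # incomplete-chain
echo "fullchain:     $(verify_presented fullchain.pem)"   # verified
echo "certs in .pfx: $(pkcs12_cert_count fullchain.pem)"  # 2
```

Applied to the setup in the post: nginx's `ssl_certificate` must point at the concatenated file (leaf followed by 0000_chain.pem) and `ssl_certificate_key` at the matching key; `ssl_trusted_certificate` only supplies CA certificates for OCSP stapling and client-certificate verification and does not change what the server sends, which is why adding it had no effect. On the Tomcat side the PKCS#12 keystore for the 8443 connector should be exported from the concatenated file rather than from 0000_cert.pem alone, so the connector sends the intermediate as well. Against a live server, `openssl s_client -connect mydomain.com:443 -servername mydomain.com -showcerts` should then list two certificates, which is also what clears the "incomplete chain" finding from the SSL Labs test and the "trust anchor not found" error on Android.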