We've just updated our Central server from 0.8 to 0.9 to take advantage of some of the new Enketo integration. The upgrade itself has been successful, however when going to preview a form, Enketo throws up a Loading Error: "unable to verify the first certificate".
We host ODK Central ourselves in-house on Ubuntu 18.04, and use a custom SSL certificate.
Aside from the certificate files and specifying an internal SMTP server, there is no other change to the default configuration.
In the .env file, we had `SSL_TYPE=customssl` and `DOMAIN=local`
After getting the error, I've changed `DOMAIN=<our domain>`
I've since wiped, rebuilt and brought up the nginx container...
```
~/central$ docker-compose up -d nginx
Starting secrets ...
Recreating mail ...
central_postgres_1 is up-to-date
enketo_redis_cache is up-to-date
Starting secrets ... done
Recreating mail ... done
Recreating enketo ... done
Recreating service ... done
Creating nginx ... done
```
@MatthewMac do you have a firewall running by any chance? Please take a read through the upgrade notes for v0.9 and see whether that could possibly apply to you.
That's the only thing I can really think of right now. It'd be helpful to hear from others whether they were able to successfully update to 0.9 with custom SSL.
No firewall running. ufw is disabled.
I went and built a whole fresh server (straight to 0.9 - no upgrade), again with our custom SSL. Same issue.
Happy to test anything else.
@MatthewMac we're doing a big push to get v1.0 out with Enketo submissions. I don't have any more ideas at the moment. I think you're probably most interested in the submission functionality (is that right?) so I propose that we do more troubleshooting once v1.0 is in quality assurance and Team Central has a little more time.
Really appreciate your patience as we got Enketo submissions ready, @MatthewMac and @dr_michaelmarks. We're especially eager to hear what you think of the public link feature that benefited a lot from my conversation with @chrissyhroberts.
I think @dmenne is on to something and it's likely related to the way that your certificate is issued. It looks like Enketo does stricter verification of the certificate chain. To turn it around, @dmenne, have you been able to use Enketo features with your certificate issued by your private certificate authority?
@MatthewMac do you use a public root certificate authority or a private one? Is it possible that the certificate used for your server doesn't include the full certificate chain? That is, the fullchain.pem file described in the docs is supposed to include the server's certificate, followed by any intermediate certificates that may separate the server and the root, followed by the root CA's certificate. Depending on what certificate authority you use, you may need to build this file yourself. If it's a public CA and you let us know which one, we may be able to provide more specific guidance.
We have two Central servers setup currently.
In answer to the question from @dmenne:
On the one still running 0.8 (@MatthewMac this is ODK-survey) App Users work OK.
On the one we upgraded to 0.9 and now 1.0, App Users seem to work but Enketo doesn't work.
Will feedback on the preview / web-submission / public link features once we get through the certificate issue.
@LN: I still have not been able to connect to Enketo with the private certificate that works with ODK Central. However, I have not put any research into it, because we have a much more serious problem with Enketo: uploading attachments to devices "behind the back", which works on ODK Collect with SSHelper, but I have no idea how to do it for Enketo.
@LN Many thanks for the suggestion on the certificate. All is now working.
Turns out the openssl util was stripping out the root and intermediate certs. I just needed to stitch them together manually. I can see that although the browser was happy with just the domain cert, Enketo needs the full chain.
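As an added example (not from this thread or the ODK project), here is a small shell helper for the fix described above: it stitches the leaf, intermediate and root certificates into a `fullchain.pem` in the order the Central docs describe, counts the certificate blocks so a single-cert file (the symptom MatthewMac hit) is caught immediately, and then lets `openssl` print and verify the chain. The file names `server.pem`, `intermediate.pem` and `root.pem` are assumptions; the two `openssl` helpers need the `openssl` binary on the host.

```shell
#!/bin/sh
# Added example (not ODK's code). Assumed input files from your CA:
#   server.pem        the certificate for your Central domain
#   intermediate.pem  one or more intermediate CA certificates
#   root.pem          the root CA certificate

# Count PEM certificate blocks in a file. A fullchain.pem that Enketo will
# accept must contain more than one; a browser-only "works" file often has 1.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Concatenate leaf, intermediates, root (in that order) into the output file,
# making sure every block ends with a newline so blocks do not run together.
# Prints the resulting certificate count.
build_fullchain() {
    out="$1"; shift
    : > "$out"
    for part in "$@"; do
        cat "$part" >> "$out"
        # tail -c1 returns "" for a trailing newline, so only pad when needed
        if [ -n "$(tail -c1 "$part")" ]; then printf '\n' >> "$out"; fi
    done
    count_pem_certs "$out"
}

# Print subject/issuer of every certificate in the bundle so a missing
# intermediate shows up as a gap between an issuer and the next subject.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Verify the leaf chains to the root via the intermediates, the same check
# a strict TLS client performs. Usage: verify_chain server.pem intermediate.pem root.pem
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

# Typical run on the Central host (paths are assumptions):
#   build_fullchain files/local/customssl/fullchain.pem server.pem intermediate.pem root.pem
#   show_chain files/local/customssl/fullchain.pem
#   verify_chain server.pem intermediate.pem root.pem
```

After rebuilding `fullchain.pem`, recreate the nginx container as shown earlier in the thread so it picks up the new file.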
@Francis_Opiyo can you please say more about what you've tried? Does your fullchain.pem look like what @MatthewMac outlined above? Did you include all intermediate certificates?
Is there a particular reason you're not using Let's Encrypt? If you have questions about Let's Encrypt do let us know and we can provide more information. In general it's a really good certificate option.