Enketo certificate issue on Central 0.9

Hi All

We've just updated our Central server from 0.8 to 0.9 to take advantage of some of the new Enketo integration. The upgrade itself has been successful, however when going to preview a form, Enketo throws up a Loading Error: "unable to verify the first certificate".

We host ODK Central ourselves in-house on Ubuntu 18.04, and use a custom SSL certificate.
Aside from the certificate files and specifying an internal SMTP server, there is no other change to the default configuration.

In the .env file, we had SSL_TYPE=customssl and DOMAIN=local
After getting the error, I've changed DOMAIN=<our domain>
I've since wiped, rebuilt and brought up the nginx container...

```
~/central$ docker-compose up -d nginx
Starting secrets ...
Recreating mail  ...
central_postgres_1 is up-to-date
enketo_redis_cache is up-to-date
Starting secrets ... done
Recreating mail   ... done
Recreating enketo ... done
Recreating service ... done
Creating nginx     ... done
```

but this hasn't had any effect on the problem.

Any suggestions welcome

Matthew

@MatthewMac do you have a firewall running by any chance? Please take a read through the upgrade notes for v0.9 and see whether that could possibly apply to you.

That's the only thing I can really think of right now. It'd be helpful to hear from others whether they were able to successfully update to 0.9 with custom SSL.

Hi Hélène

No firewall running. ufw is disabled.
I went and built a whole fresh server (straight to 0.9 - no upgrade), again with our custom SSL. Same issue.
Happy to test anything else.

Matthew

@MatthewMac we're doing a big push to get v1.0 out with Enketo submissions. I don't have any more ideas at the moment. I think you're probably most interested in the submission functionality (is that right?) so I propose that we do more troubleshooting once v1.0 is in quality assurance and Team Central has a little more time.

@LN No problem at all. Very happy to wait (and not hold up development) for v1.0

If I find anything meanwhile, I'll certainly let you know.

A post was split to a new topic: Central/Enketo integration with self-signed cert

Agree the submission functionality is key at LSHTM so hopefully we can get 1.0 soon and then resolve this.

In your setup, have you been able to work with ODK Collect?

@LN Unfortunately still seeing the same issue with form preview after updating to 1.0

Really appreciate your patience as we got Enketo submissions ready, @MatthewMac and @dr_michaelmarks. We're especially eager to hear what you think of the public link feature that benefited a lot from my conversation with @chrissyhroberts.

I think @dmenne is on to something and it's likely related to the way that your certificate is issued. It looks like Enketo does stricter verification of the certificate chain. To turn it around, @dmenne, have you been able to use Enketo features with your certificate issued by your private certificate authority?

@MatthewMac do you use a public root certificate authority or a private one? Is it possible that the certificate used for your server doesn't include the full certificate chain? That is, the fullchain.pem file described in the docs is supposed to include the server's certificate, followed by any intermediate certificates that may separate the server and the root, followed by the root CA's certificate. Depending on what certificate authority you use, you may need to build this file yourself. If it's a public CA and you let us know which one, we may be able to provide more specific guidance.

This excellent Stackoverflow post has more details and also a way to get intermediate certificates without going back to your CA.

We have two Central servers setup currently.
In answer to question from @dmenne
On the one still running 0.8 (@MatthewMac this is ODK-survey) App users work ok
On the one we upgraded to 0.9 and now 1.0, App Users seem to work but Enketo doesn't work.

Will feedback on the preview / web-submission / public link features once we get through the certificate issue.

@LN: I still have not been able to connect to Enketo with the private certificate that works with ODK Central. However, I have not put any research into it, because we have a much more serious problem with Enketo: uploading attachments to devices "behind the back", which works on ODK Collect with SSHelper, but I have no idea how to do it for Enketo.

@LN Many thanks for the suggestion on the certificate. All is now working 🙂

Turns out the openssl util was stripping out the root and intermediate certs. I just needed to stitch them together manually. I can see that although the browser was happy with just the domain cert, enketo needs the full chain.

Can confirm Enketo now works for

1. Preview
2. Data Collector
3. Public View

A post was split to a new topic: Ideas and extensions for Central public links

Great to hear things are working, @MatthewMac! I've put in a PR to add some details to the docs in the hopes that it will help folks with troubleshooting: https://github.com/getodk/docs/pull/1246/files

Good to know. I don't believe Enketo allows self-signed certificates but haven't confirmed yet.

@chrissyhroberts Thanks so much for the feedback! I'm going to split off your post and give some more detailed responses.

Just to be sure I get it: you concatenated the root certificate and the intermediate into one file named fullchain.pem?

```
-----BEGIN CERTIFICATE-----
MIIG....
...6JBV
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEk
T..
-----END CERTIFICATE-----
```

@dmenne Yes, simply combine the text files together and save as fullchain.pem

```
-----BEGIN CERTIFICATE-----
MIIH.... <server certificate> ...6JKX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIG.... <intermediate cert>...6JBV
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEk <root cert>T..
-----END CERTIFICATE-----
```
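The fix described in the thread (LN's fullchain.pem advice, Matthew's "openssl was stripping out the root and intermediate certs", and the leaf -> intermediate -> root layout shown just above) can be checked from the command line before restarting nginx. The script below is an added example written for this page, not code from the thread or from the ODK project. It assumes only an `openssl` CLI (1.1.1 or newer) on PATH; the three-tier demo PKI it generates, and the names `Demo Root CA`, `Demo Intermediate CA` and `central.example.test`, are constructed for the example. `chain_ok` verifies the first certificate of a bundle using only the intermediates the bundle itself carries, which is what a Node.js process such as Enketo does (Node reports a chain with no usable issuer as `UNABLE_TO_VERIFY_LEAF_SIGNATURE`, whose message is exactly "unable to verify the first certificate"); browsers often already hold or fetch the intermediate, which is why the browser was happy with the bare domain certificate. `chain_order_ok` catches the case `chain_ok` cannot: a bundle that contains the right certificates in the wrong order, since nginx presents the first certificate in the file as the server certificate.

```shell
#!/bin/sh
# Added example (not from the ODK thread or the ODK project): build the
# fullchain.pem that nginx/Enketo needs and check it like a strict TLS client.
# Assumes an `openssl` CLI (1.1.1 or newer) on PATH.

# Concatenate PEM files in the order nginx expects: server (leaf) cert first,
# then each intermediate, then the root. Arguments: output file, then certs.
build_fullchain() {
  out="$1"; shift
  cat "$@" > "$out"
}

# Number of certificates in a PEM bundle.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Write only the first certificate of a bundle (the one nginx presents as the
# server certificate) to stdout.
first_cert() {
  awk '/BEGIN CERTIFICATE/ { n++ } n == 1' "$1"
}

# Return 0 if the first certificate in the bundle chains up to the trust anchor
# using only the intermediates carried in the bundle itself, i.e. the check a
# client that does not fetch missing intermediates (such as Node.js) performs.
chain_ok() {
  bundle="$1"; anchor="$2"
  leaf=$(mktemp)
  first_cert "$bundle" > "$leaf"
  # Match on the text rather than the exit code: old openssl builds exited 0
  # even when verification failed.
  out=$(openssl verify -CAfile "$anchor" -untrusted "$bundle" "$leaf" 2>&1 || true)
  rm -f "$leaf"
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Return 0 if every certificate in the bundle is issued by the one that follows
# it, i.e. the file is ordered leaf -> intermediate(s) -> root. chain_ok alone
# passes a bundle that starts with the (trusted) root, so check order too.
chain_order_ok() {
  bundle="$1"; d=$(mktemp -d)
  awk -v d="$d" '/BEGIN CERTIFICATE/ { n++ } { print > (d "/cert" n ".pem") }' "$bundle"
  n=$(cert_count "$bundle"); i=1; rc=0
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -in "$d/cert$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$d/cert$j.pem" -noout -subject)
    # strip the "issuer=" / "subject=" labels, then compare the DNs
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || rc=1
    i=$j
  done
  rm -rf "$d"
  return $rc
}

# Constructed, throwaway three-tier PKI (root -> intermediate -> server) so the
# checks above can run offline. All names are made up for this example.
make_demo_pki() {
  dir="$1"
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:central.example.test
EOF
  openssl req -x509 -config "$dir/pki.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -set_serial 1 -extfile "$dir/pki.cnf" -extensions ca_ext -out "$dir/intermediate.pem" 2>/dev/null
  openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=central.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/int.key" \
    -set_serial 2 -extfile "$dir/pki.cnf" -extensions leaf_ext -out "$dir/leaf.pem" 2>/dev/null
}

# Demo: the leaf on its own fails (the situation in the thread); the full bundle passes.
demo() {
  w=$(mktemp -d)
  make_demo_pki "$w"
  build_fullchain "$w/fullchain.pem" "$w/leaf.pem" "$w/intermediate.pem" "$w/root.pem"
  if chain_ok "$w/leaf.pem" "$w/root.pem"; then echo "leaf only: OK"; else echo "leaf only: FAIL (no intermediate)"; fi
  if chain_ok "$w/fullchain.pem" "$w/root.pem" && chain_order_ok "$w/fullchain.pem"; then
    echo "fullchain.pem: OK ($(cert_count "$w/fullchain.pem") certificates, correct order)"
  else
    echo "fullchain.pem: FAIL"
  fi
  rm -rf "$w"
}

demo
```

To check a real deployment, run `chain_ok /path/to/fullchain.pem /path/to/root.pem` and `chain_order_ok /path/to/fullchain.pem` against the files you are about to hand to nginx. If the certificate arrived as a .pfx bundle, note that `openssl pkcs12 -in cert.pfx -nokeys -clcerts` writes only the server certificate, which is how the intermediates get "stripped"; `openssl pkcs12 -in cert.pfx -nokeys -out certs.pem` writes every certificate in the container, after which `chain_order_ok` tells you whether they came out in the order nginx needs.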

Hello @LN I have a pfx file from go daddy and witnessing this issue with the fullchain.pem file I generated. Any way I can go about it?

@Francis_Opiyo can you please say more about what you've tried? Does your fullchain.pem look like what @MatthewMac outlined above? Did you include all intermediate certificates?

https://serverfault.com/questions/1080750/install-godaddy-ssl-certificate-on-nginx-pem-bundle-crt may have useful information for you (I don't have personal experience with Go Daddy certs).

Is there a particular reason you're not using Let's Encrypt? If you have questions about Let's Encrypt do let us know and we can provide more information. In general it's a really good certificate option.