Installing ODK Central: https fails

Hello!
I've gone through the wonderfully-simple steps to install ODK Central on an Ubuntu 21.04 machine with a recently-assigned Internet name/address.
Everything seems fine, including:

$ sudo docker-compose ps
            Name                          Command                  State                                       Ports                                 
-----------------------------------------------------------------------------------------------------------------------------------------------------
central_enketo_1               docker-entrypoint.sh /bin/ ...   Up             8005/tcp                                                              
central_enketo_redis_cache_1   docker-entrypoint.sh redis ...   Up             6379/tcp                                                              
central_enketo_redis_main_1    docker-entrypoint.sh redis ...   Up             6379/tcp                                                              
central_mail_1                 /bin/entrypoint.sh exim -b ...   Up             25/tcp                                                                
central_nginx_1                /bin/bash /scripts/odk-set ...   Up (healthy)   0.0.0.0:443->443/tcp,:::443->443/tcp, 0.0.0.0:80->80/tcp,:::80->80/tcp
central_postgres_1             docker-entrypoint.sh postgres    Up             5432/tcp                                                              
central_pyxform_1              gunicorn --bind 0.0.0.0:80 ...   Up                                                                                   
central_secrets_1              docker-entrypoint.sh ./gen ...   Exit 0                                                                               
central_service_1              docker-entrypoint.sh ./wai ...   Up             8383/tcp            

However, visiting the server through a browser gives

Secure Connection Failed

An error occurred during a connection to localhost. PR_END_OF_FILE_ERROR

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

It seems http is strictly redirecting to https. I get the same problem browsing to localhost from the machine itself.

I assume the setup got letsencrypt certificates set up. I've no idea how to check, or what else to look for.

Thank you for ideas and help!

Run docker-compose logs nginx and see what the logs say. My guess is that your domain name to IP mapping is broken or hasn't had enough time to propagate to your DNS.


Thank you!
I get:

$ sudo  docker-compose logs nginx 
Attaching to central_nginx_1
nginx_1               | WARNING: no logs are available with the 'local' log driver

even after I've tried browsing https://localhost/ again.

Oh, weird. Even though the DNS name works from nearby (e.g. for ssh), I actually get a "connection refused" from, e.g. links myodkdomain.net

I'm happy to wait another 12 hours or so but not sure why localhost doesn't work. Or maybe https never works for localhost, since the certificate is not for localhost!?

In that case my symptom is the refusal to connect, since my server does seem to have the DNS for its own FQDN.

I'm assuming you have a recent version of Docker (e.g., 20.10.x), but it sounds like you may not have a recent version of docker-compose.

We have this information in the upgrade docs, but not in the install docs. I'll update the docs in a moment, but for now, follow these steps.

sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose;
sudo chmod +x /usr/local/bin/docker-compose;
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose;

Then re-run the build.

docker-compose build && docker-compose stop && docker-compose up -d;

Now look at the logs again...

docker-compose logs nginx;

Thank you! Okay, before I interfere with apt, can I confirm you think this is not new enough?

$ sudo apt policy docker-compose docker
docker-compose:
  Installed: 1.25.0-1
  Candidate: 1.25.0-1
  Version table:
 *** 1.25.0-1 500
        500 http://ca.archive.ubuntu.com/ubuntu hirsute/universe amd64 Packages
        500 http://ca.archive.ubuntu.com/ubuntu hirsute/universe i386 Packages
        100 /var/lib/dpkg/status
docker:
  Installed: 1.5-2
  Candidate: 1.5-2
  Version table:
 *** 1.5-2 500
        500 http://ca.archive.ubuntu.com/ubuntu hirsute/universe amd64 Packages
        500 http://ca.archive.ubuntu.com/ubuntu hirsute/universe i386 Packages
        100 /var/lib/dpkg/status

Docker 1.5 is from 2015! It might work, but I'd be very surprised if it did.

Follow the instructions at https://docs.docker.com/engine/install/ubuntu/ and https://docs.docker.com/compose/install/ and it'll get you the same versions we use and recommend (Docker version 20.10.x and docker-compose version 1.29.x). And those instructions also work with apt so your upgrades will be seamless.

Thank you!!

I'm getting a bit confused about something. I thought the preferred installation OS for the instructions I used was Ubuntu. [Edit: I take that back; the instructions were more for Digital Ocean]. I'm running a fresh, updated install of Ubuntu 21.04.
Did I screw up at the beginning somewhere? I'm after a simple installation script as much as I am after a working Central server.

It also seems like the second of the links you just gave is not using apt.
In fact, after following those instructions it seems there are two versions of docker-compose installed, in conflicting places.


$ docker-compose --version
docker-compose version 1.29.2, build 5becea4c
$ sudo apt policy docker-ce docker docker-compose
docker-ce:
  Installed: 5:20.10.9~3-0~ubuntu-hirsute
  Candidate: 5:20.10.9~3-0~ubuntu-hirsute
  Version table:
 *** 5:20.10.9~3-0~ubuntu-hirsute 500
        500 https://download.docker.com/linux/ubuntu hirsute/stable amd64 Packages
        100 /var/lib/dpkg/status
     5:20.10.8~3-0~ubuntu-hirsute 500
        500 https://download.docker.com/linux/ubuntu hirsute/stable amd64 Packages
     5:20.10.7~3-0~ubuntu-hirsute 500
        500 https://download.docker.com/linux/ubuntu hirsute/stable amd64 Packages
     5:20.10.6~3-0~ubuntu-hirsute 500
        500 https://download.docker.com/linux/ubuntu hirsute/stable amd64 Packages
docker:
  Installed: (none)
  Candidate: 1.5-2
  Version table:
     1.5-2 500
        500 http://ca.archive.ubuntu.com/ubuntu hirsute/universe amd64 Packages
        500 http://ca.archive.ubuntu.com/ubuntu hirsute/universe i386 Packages
docker-compose:
  Installed: 1.25.0-1
  Candidate: 1.25.0-1
  Version table:
 *** 1.25.0-1 500
        500 http://ca.archive.ubuntu.com/ubuntu hirsute/universe amd64 Packages
        500 http://ca.archive.ubuntu.com/ubuntu hirsute/universe i386 Packages
        100 /var/lib/dpkg/status
$ l  /usr/local/bin/docker-compose /usr/bin/docker-compose
-rwxr-xr-x 1 root root 420 Nov 22  2019 /usr/bin/docker-compose*
-rwxr-xr-x 1 root root 13M Oct  8 13:00 /usr/local/bin/docker-compose*

Maybe I just needed to apt remove docker-compose. That was not included in the suggested apt remove line.

Is there a cleaner procedure for me to follow from a fresh OS install? Or are the instructions maybe for Ubuntu 21.10 beta? I used the desktop version of 21.04, though I think I've caught up with an apt install ubuntu-server.

I personally start from Ubuntu Server 20, which is the most recent LTS.

Then I install Docker and docker-compose via https://docs.docker.com/engine/install/ubuntu and https://docs.docker.com/compose/install.

docker-compose does not use apt as you've noticed, but that's fine because it's a very simple binary and those instructions symlink it so you don't have to remove anything.

Okay, thanks.

I should have used the LTS. In any case, I followed all those instructions, rebuilt, and have identical symptoms.

Whether I try IP address or name, I get:

Unable to connect

Firefox can’t establish a connection to the server at odk.research.mcgill.ca.

in my browser.

But now I get something for logs:


$ docker-compose --version
docker-compose version 1.29.2, build 5becea4c
$ docker --version
Docker version 20.10.9, build c2ea9bc
$ docker-compose logs nginx 
Traceback (most recent call last):
  File "urllib3/connectionpool.py", line 677, in urlopen
  File "urllib3/connectionpool.py", line 392, in _make_request
  File "http/client.py", line 1277, in request
  File "http/client.py", line 1323, in _send_request
  File "http/client.py", line 1272, in endheaders
  File "http/client.py", line 1032, in _send_output
  File "http/client.py", line 972, in send
  File "docker/transport/unixconn.py", line 43, in connect
PermissionError: [Errno 13] Permission denied

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "requests/adapters.py", line 449, in send
  File "urllib3/connectionpool.py", line 727, in urlopen
  File "urllib3/util/retry.py", line 410, in increment
  File "urllib3/packages/six.py", line 734, in reraise
  File "urllib3/connectionpool.py", line 677, in urlopen
  File "urllib3/connectionpool.py", line 392, in _make_request
  File "http/client.py", line 1277, in request
  File "http/client.py", line 1323, in _send_request
  File "http/client.py", line 1272, in endheaders
  File "http/client.py", line 1032, in _send_output
  File "http/client.py", line 972, in send
  File "docker/transport/unixconn.py", line 43, in connect
urllib3.exceptions.ProtocolError: ('Connection aborted.', PermissionError(13, 'Permission denied'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "docker/api/client.py", line 214, in _retrieve_server_version
  File "docker/api/daemon.py", line 181, in version
  File "docker/utils/decorators.py", line 46, in inner
  File "docker/api/client.py", line 237, in _get
  File "requests/sessions.py", line 543, in get
  File "requests/sessions.py", line 530, in request
  File "requests/sessions.py", line 643, in send
  File "requests/adapters.py", line 498, in send
requests.exceptions.ConnectionError: ('Connection aborted.', PermissionError(13, 'Permission denied'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "docker-compose", line 3, in <module>
  File "compose/cli/main.py", line 81, in main
  File "compose/cli/main.py", line 200, in perform_command
  File "compose/cli/command.py", line 70, in project_from_options
  File "compose/cli/command.py", line 153, in get_project
  File "compose/cli/docker_client.py", line 43, in get_client
  File "compose/cli/docker_client.py", line 170, in docker_client
  File "docker/api/client.py", line 197, in __init__
  File "docker/api/client.py", line 222, in _retrieve_server_version
docker.errors.DockerException: Error while fetching server API version: ('Connection aborted.', PermissionError(13, 'Permission denied'))
[38885] Failed to execute script docker-compose

I'm willing to start over with LTS etc tomorrow/later if that might help. But docker seems to think nginx is up.

I've just realized that my IP address does not seem to be accessible outside the university.
Maybe that also makes the LetsEncrypt installation break (silently??) I still don't see how that explains my troubles/symptoms, but I will wait for my university to assure that relevant ports are open.

Yes, you need your domain and IP accessible via ports 80/443 from the public Internet.

The permissions issues you are running into, I'm not familiar with. It's like an issue with use (or non-use) of sudo or the version of Ubuntu you are using. I'd definitely try the LTS.

Still no luck. The ports are now all open.
I've (multiple times) installed Ubuntu Server LTS and ODK Central.
I still get SSL failure or can't connect: https://odk.research.mcgill.ca

Can I somehow check whether the letsencrypt installation succeeded?
There seems to be no mention of getting a certificate during the Central installation process.

Oh wait... I might have given up and posted 1 minute too soon: one more reboot might have helped. :)

So my main summary for this thread is that if you don't have your ports globally open yet, your certbot installation won't work so https will fail to connect.

I now have another problem: it seems if the server has no working smarthost relay or etc for email, then ODK makes it very difficult to administrate users' passwords. But that is not for this thread.

Thanks, Yaw!
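
One way to answer the question raised in this thread, whether a Let's Encrypt certificate is actually being served, is to look at the issuer of the certificate presented on port 443. The script below is an added example, not part of the original thread or of ODK Central; the function names `classify_cert` and `check_host` and the sample hostnames are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the certificate a server presents on port 443.

# Constructed sample outputs of `openssl x509 -noout -subject -issuer`
# (not captured from the server discussed in this thread).
SAMPLE_LE="subject=CN = central.example.org
issuer=C = US, O = Let's Encrypt, CN = R3"
SAMPLE_SELF="subject=CN = localhost
issuer=CN = localhost"

# classify_cert: reads `openssl x509 -noout -subject -issuer` text on stdin
# and prints one of: letsencrypt | self-signed | other-ca | no-certificate
classify_cert() {
    cc_subject=""
    cc_issuer=""
    while IFS= read -r cc_line || [ -n "$cc_line" ]; do
        case "$cc_line" in
            subject=*) cc_subject="${cc_line#subject=}" ;;
            issuer=*)  cc_issuer="${cc_line#issuer=}" ;;
        esac
    done
    # Strip spaces so "O = X" and "O=X" (different OpenSSL versions) compare equal.
    cc_subject=$(printf '%s' "$cc_subject" | tr -d ' ')
    cc_issuer=$(printf '%s' "$cc_issuer" | tr -d ' ')
    if [ -z "$cc_issuer" ]; then
        # Nothing parsed: connection refused, closed early, or no TLS at all.
        echo "no-certificate"
    elif [ "$cc_issuer" = "$cc_subject" ]; then
        # Issuer equals subject: the server signed its own certificate.
        echo "self-signed"
    else
        case "$cc_issuer" in
            *"O=Let'sEncrypt"*) echo "letsencrypt" ;;
            *)                  echo "other-ca" ;;
        esac
    fi
}

# check_host NAME: fetch the certificate served for NAME and classify it.
# -servername sends SNI, so the server can select the certificate for NAME.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer 2>/dev/null \
        | classify_cert
}
```

Call it as `check_host your.domain.example` from a machine outside your own network; `no-certificate` means nothing answered with a certificate on port 443, which matches the "unable to connect" symptom rather than a bad certificate.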