Thanks for the info!
The installer packs all configuration files into a JAR file located at WEB-INF/lib/ODKAggregate-settings.jar. You can unzip that file to get the security.properties file. We need to check what values are defined int the keys:
security.server.deviceAuthentication
security.server.secureChannelType
security.server.channelType
security.server.forceHttpsLinks
Thanks. Here is the info from the security.properties file.
In addition the security.server.hostname= is blank
security.server.deviceAuthentication=digest
security.server.secureChannelType=ANY_CHANNEL
security.server.channelType=ANY_CHANNEL
security.server.forceHttpsLinks=false
Hi @Axlm!
The configuration you've shared is OK for your setup. You could change some settings to better fit your scenario, but the one you have is actually OK.
When security.server.hostname is empty, Aggregate detects a valid IP address automatically when starting, which works in most situations.
You could try to set a specific value in security.server.hostname, though. That would prevent issues in case Aggregate has detected an IP address different than the one users are using to access it, which would explain why changing passwords fails.
In order to do that, you can follow these steps:
WEB-INF/lib/ODKAggregate-settings.jar into WEB-INF/classes
WEB-INF/lib/ODKAggregate-settings.jar << this is important
WEB-INF/classes/security.properties and set security.server.hostname with the IP address or hostname that the users will be using to access AggregateHi @ggallo,
unfortunately it didn't work. I tried both with IP address and hostname, but with the same result. I am able to create a new user on the Site Admin page but I get the same message as before when I try the Change Password button. Anything else I could try?
Hi @ggalmazor,
A colleague found a previous post in the forum that had similar problem, but that was related to some port issues. We are running our solution on port 8443 and noticed when we changed to security.server.hostname to ip address and disabled the port 8080 connector (which redirected to 8443) in the server.xml we got an error message complaining about not able to find ipaddress:8080 when tried to Change Password. This seemed to indicate that even it was using port 8443 it tried to switch to port 8080 when pressing the Change Password button. We also notice that if we activate developer mode in the browser and as soon as we press Change Password to send the password we get a 404 on /ssl/user-manage_passwords. I hope that this might be of any help to clarify the problem.
Hi @Axlm!
In that case, you can solve it by setting both security.server.secureChannelType, and security.server.channelType keys to REQUIRES_SECURE_CHANNEL.
This page has more information of all the conf params: https://github.com/opendatakit/aggregate/blob/master/docs/aggregate-config.md
Hi @ggalmazor,
unfortunately this didn't help either but led us to a temporary solution and maybe the key to the problem. We used the developer tools in Chrome again and noticed we still got 404 message as soon as we pressed the Change Password button after entering the new passwords. I double clicked on the error message in the developer tools and it opened the 404 URL in a new window . There I saw that it tried to open the following URL https://odk.cmi.no:8443/ssl/user-manage-passwords?username=... but ODKAggregate was missing in the URL. However changing the URL to this: https://odk.cmi.no:8443/ODKAggregate/ssl/user-manage-passwords?username=.. enabled us to change the passwords. So there seems to be something like a base URL or something somewhere that is not correct. It works for now, but I don't know if this will affect other functionality of ODKAggregate as well.
Thank you for your help so far!
Did you, by any chance, install v2.0.0 before updating to v2.0.1? In that case, you might have a cached version of the javascript code that generates those URLs. You can test that by accessing Aggregate in incognito mode.
Yes, I did, and we experienced the same error as was reported and fixed in 2.0.1. I have tried two different browser in incognito mode, but still get the same error message
Thanks for the info! This commit was supposed to fix that issue, but apparently there's still something going on. I'm on it!
Updates:
Hopefully, we will be able to release a v2.0.2 patch release very soon
After trying the solutions in this post I'm, also still experiencing this issue on a fresh install of 2.01 on Windows Server 2016 / Tomcat 8.5 and Azure PostgreSQL.
[EDIT] Reading the post by @Axlm I will try to install ODKAggregate as ROOT application, then the url without 'ODKAggregate' would be correct (-:
{EDIT AGAIN}: @Axlm @ggalmazor This workaround works.
Heads up! Aggregate v2.0.2 has been released with a fix for this issue 
On the day I found the workaround (-: (-: (-:
Sorry, we'll try to work slower next time! 
Thank you for all your help!
We also managed to find a workaround, but will upgrade to 2.0.2 in the coming days for a permanent change.
Hey @ggalmazor..
I'm also facing the same issue of password change failed but on windows server 2008. It doesnt give me any error on windows 10 pro.
Still im upgrading my version to 2.0.2 on windows server. Lets see if it works. Ill give headsup once done.
Thanks
Hey @ggalmazor,
Cheers for successfully able to install v2.0.2 on windows server 2008 R2 without fail. It works like a charm with no error "JSON change-password request to /ssl/user-manage-passwords failed"
Even we are facing the same issues but there is no proper solution
Have you tried upgrading to v2.02?
Not yet, server is running on Ubuntu OS and already it is in production and it's associated with other server so as of now we would go with up-gradation then it would effect the production. so please let us know any alternate way to fix those issues. thanks