Service build fails with not trusted/expired cert from

I'm building ODK Central version 1.5.1 on an AWS EC2 instance using Ansible. It worked fine a couple weeks ago, but I just tried a clean deploy this week and now it's failing when building the service container. Ansible reports that the problem is in the RUN command at line 5 of service.dockerfile:

RUN echo "deb stretch-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list; \
  wget --quiet -O - | apt-key add -; \
  apt-get update; \
  apt-get install -y cron gettext postgresql-client-9.6

I removed --quiet from the wget command and got the following errors when I tried to build just that service with docker-compose build service:

deb stretch-pgdg main
--2021-10-06 14:26:37--
Resolving (,,, ...
Connecting to (||:443... connected.
Warning: apt-key output should not be parsed (stdout is not a terminal)
ERROR: The certificate of '' is not trusted.
ERROR: The certificate of '' has expired.
gpg: no valid OpenPGP data found.
W: GPG error: stretch-pgdg InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FCC7D46ACCC4CF8
W: The repository ' stretch-pgdg InRelease' is not signed.

Is anyone else experiencing this?
Is the cert from really expired or is there a network issue or something else on my side causing this problem?

Can you clarify which version of Central? We just released 1.3.1 but haven't gotten to 1.5.1 yet :sweat_smile:

That said, we also ran into this postgres cert issue when trying a fresh install of Central 1.2 a few days ago. Please try the latest version of Central, which uses a different node docker image.

1 Like

Oops, sorry about that bad version number, I was looking at the version of the getodk/pyxform-http image. I downloaded zip files early last month, so it must be a version of 1.2. Is there a way to get the version number from the code?

Is this caused by a bad cert from
So in 1.3 you pull posgresql differently so this isn't an issue?

This is not caused by a bad cert from Rather the ISRG Root X1 cert in the Node container Central v1.2 uses has expired and so the container cannot securely connect to Upgrading to Central v1.3 is the easiest and safest solution because the Node container we use in v1.3 has root certs that are not expired.

Ah, thanks for the explanation! I'll look into moving us to 1.3 as suggested.

Actually, I'm getting errors importing our database with v1.3. It worked with v1.2. Is there a working version of v1.2 that I can try? I tried the latest v1.2 releases from GitHub, but they have the same build error mentioned above.