Unable to verify certificate error when previewing forms on self-hosted Central

Support
, ,
1

1. What is the issue? Please be detailed.

On a fresh ODK installation, we are unable to preview uploaded XLS forms. We get the error message "unable to verify the first certificate". Also, please note that we have installed ODK Central on a "Ubuntu 22.04.4 LTS server".

2. What steps can we take to reproduce this issue?
• Log into ODK central
• Navigate to projects
• Go to a created Form
• Click on preview
• The system will open a new page with the above mentioned error message.

3. What have you tried to fix the issue?

We moved the root certificates to the nginx container and Enketo service container and also updated the CA certificate, but the issue persists.

4. Upload any forms or screenshots you can share publicly below.

preview_error_message
preview_error_message1893×808 126 KB

2

Are your certs properly chained? You can confirm at https://www.sslshopper.com/ssl-checker.html. It should look like this: https://www.sslshopper.com/ssl-checker.html#hostname=demo.getodk.cloud

If the certs are properly chained, try deleting the nginx container and rebuilding.

docker compose stop;
docker compose rm nginx --volumes;
docker compose build;
docker compose up --detach;
3

Hi Yanokwa,

We checked whether the certs are properly chained, and below is the error message we got.

cert_error
cert_error1219×144 60.2 KB

Also, please find below the ssl certificate configurations in "odk.conf.template" file for your reference.
FYI: The fullchain.pem contains the certificate as the DigicertCA.pem is the intermediate

server {
listen 443 ssl;
server_name ${CNAME};

ssl_verify_client on;

ssl_certificate /etc/${SSL_TYPE}/live/${CNAME}/fullchain.pem;
ssl_certificate_key /etc/${SSL_TYPE}/live/${CNAME}/privkey.pem;
ssl_trusted_certificate /etc/${SSL_TYPE}/live/${CNAME}/DigiCertCA.pem;

We also deleted the nginx container and rebuilt it as recommended, but the issue is still there.

Kindly advise on how to proceed to have this issue sorted.

Thanks

4

We only support the custom ssl configuration in our docs.

It looks like you've made changes to odk.conf.template? My recommendation is revert any changes you've made, make sure fullchain.pem file which contains your cert followed by any necessary intermediate certs (e.g, DigiCertCA), delete the nginx container and rebuild.

If you wish to keep your changes, then we're limited in the support we can provide. Look through https://github.com/getodk/central/tree/master/files/nginx and https://github.com/JonasAlfredsson/docker-nginx-certbot for what might be going wrong.