Getting certificate verification error while deploying to CHT instance

iesmail · August 10, 2020, 10:27am

We have setup and hosted our own CHT instance and added SSL certs properly by following instructions posted here

However, when deploying to the instance we are getting the following error:

ERROR RequestError: Error: unable to verify the first certificate
    at new RequestError (C:\Users\D-tree\AppData\Roaming\npm\node_modules\medic-conf\node_modules\request-promise-core\lib\errors.js:14:15)
    at Request.plumbing.callback (C:\Users\D-tree\AppData\Roaming\npm\node_modules\medic-conf\node_modules\request-promise-core\lib\plumbing.js:87:29)
    at Request.RP$callback [as _callback] (C:\Users\D-tree\AppData\Roaming\npm\node_modules\medic-conf\node_modules\request-promise-core\lib\plumbing.js:46:31)
    at self.callback (C:\Users\D-tree\AppData\Roaming\npm\node_modules\medic-conf\node_modules\request\request.js:185:22)
    at Request.emit (events.js:315:20)
    at Request.onRequestError (C:\Users\D-tree\AppData\Roaming\npm\node_modules\medic-conf\node_modules\request\request.js:877:8)
    at ClientRequest.emit (events.js:315:20)
    at TLSSocket.socketErrorListener (_http_client.js:426:9)
    at TLSSocket.emit (events.js:315:20)
    at emitErrorNT (internal/streams/destroy.js:92:8)

URL: cht-dev.d-tree.org

henok · August 10, 2020, 10:55am

Welcome to the CHT forum @iesmail! It sounds like medic-conf couldn’t verify your certificate. Are you using a self signed certificate?

nyika · August 10, 2020, 11:10am

Welcome to the CHT Forum @iesmail! From the error stack trace here, It looks like there’s nothing listening on the ssl port 443. Two questions

Did you forward traffic from the api port 5988 to your docker host ?
Are any of the http(s) ports (80/443) reachable ?

iesmail · August 10, 2020, 12:01pm

Yes to both of your answers.

iesmail · August 10, 2020, 12:02pm

I am using Let’s Encrypt SSL and I have verified that they are active and you can check it on the chrome browser: https://cht-dev.d-tree.org/

nyika · August 10, 2020, 1:01pm

I am now able to reach your url. Qualys also says the site now has valid ssl albeit with a B rating and an incomplete certificate chain. It seems you did not chain one of your certificates or you chained them in the wrong order. This is the right chain you should be using for your crt. You can use this url to get the right ssl chain you should be using.