Getting certificate verification error while deploying to CHT instance

We have setup and hosted our own CHT instance and added SSL certs properly by following instructions posted here

However, when deploying to the instance we are getting the following error:

ERROR RequestError: Error: unable to verify the first certificate
    at new RequestError (C:\Users\D-tree\AppData\Roaming\npm\node_modules\medic-conf\node_modules\request-promise-core\lib\errors.js:14:15)
    at (C:\Users\D-tree\AppData\Roaming\npm\node_modules\medic-conf\node_modules\request-promise-core\lib\plumbing.js:87:29)
    at Request.RP$callback [as _callback] (C:\Users\D-tree\AppData\Roaming\npm\node_modules\medic-conf\node_modules\request-promise-core\lib\plumbing.js:46:31)
    at self.callback (C:\Users\D-tree\AppData\Roaming\npm\node_modules\medic-conf\node_modules\request\request.js:185:22)
    at Request.emit (events.js:315:20)
    at Request.onRequestError (C:\Users\D-tree\AppData\Roaming\npm\node_modules\medic-conf\node_modules\request\request.js:877:8)
    at ClientRequest.emit (events.js:315:20)
    at TLSSocket.socketErrorListener (_http_client.js:426:9)
    at TLSSocket.emit (events.js:315:20)
    at emitErrorNT (internal/streams/destroy.js:92:8) 


1 Like

Welcome to the CHT forum @iesmail! It sounds like medic-conf couldn’t verify your certificate. Are you using a self signed certificate?

Welcome to the CHT Forum @iesmail! From the error stack trace here, It looks like there’s nothing listening on the ssl port 443. Two questions

  1. Did you forward traffic from the api port 5988 to your docker host ?
  2. Are any of the http(s) ports (80/443) reachable ?

Yes to both of your answers.

I am using Let’s Encrypt SSL and I have verified that they are active and you can check it on the chrome browser:

I am now able to reach your url. Qualys also says the site now has valid ssl albeit with a B rating and an incomplete certificate chain. It seems you did not chain one of your certificates or you chained them in the wrong order. This is the right chain you should be using for your crt. You can use this url to get the right ssl chain you should be using.