Nginx not running after SSL certificate update

joykimmel · February 8, 2023, 4:20am

I’m setting up a new 3.x server on self-hosted AWS; I’m able to successfully start docker. However, when I create a ssl using certbot, after I change the nginx.conf file to point to the new .pem files, nothing works (like it normally does in our other running instance).

Package 'horticulturalist':
  Service 'horticulturalist':
    Status: Up
    Up: 2832 seconds, Restarts: 0
    Attributes: watched, running, expected
    Service PID: 360, Supervisor PID: 344

Package 'medic-api':
  Service 'medic-api':
    Status: Up
    Up: 2832 seconds, Restarts: 0
    Attributes: watched, running, expected
    Service PID: 405, Supervisor PID: 387

Package 'medic-core':
  Service 'couchdb':
    Status: Up
    Up: 2832 seconds, Restarts: 0
    Attributes: watched, running, expected
    Service PID: 435, Supervisor PID: 426
  Service 'nginx':
    Status: Failure
    Up: 72008 seconds, Restarts: 0
    Attributes: watched, expected
    Service PID: None, Supervisor PID: 405
  Service 'openssh':
    Status: Up
    Up: 2832 seconds, Restarts: 0
    Attributes: watched, running, expected
    Service PID: 542, Supervisor PID: 527

If I try to restart nginx it doesn’t work.

root@ip-10-2-3-212:/home/ubuntu# docker exec -it medic-os /boot/svc-restart medic-core nginx
Warning: Service 'medic-core/nginx' is not currently running
Fatal: Failed to restart service 'medic-core/nginx'

All I did was try to get the new ssl certs from certbot, and then update the nginx.conf file to point to the new .pem files and not the default ones; but now it won’t even connect at all; and the connection is still not secure.

mrjones · February 8, 2023, 4:48am

@joykimmel - Thanks for letting us know about your cert issue! That sounds frustrating.

I would recommend not changing the nginx config and instead just copying in the cert files to the correct location. Let’s try this:

revert your nginx config to be what it was before. Here’s the default values for the cert file paths:

ssl_certificate             /srv/settings/medic-core/nginx/private/default.crt;
ssl_certificate_key         /srv/settings/medic-core/nginx/private/default.key;

2 restart all the containers and ensure CHT is running correctly
3. copy in your cert files per the instructions. Be sure to check for correct file names and file contents. default.crt should have all your public certs concatenated into it. default.key should be just your private key
4. restart nginx (docker exec -it medic-os /boot/svc-restart medic-core nginx )

joykimmel · February 8, 2023, 6:08am

Thank you!! This worked. I have another non-related question which is previously we set up medic on Ubuntu 18 but now there is Ubuntu 20 is it okay to upgrade to Ubuntu 20? Or should I set it up directly on Ubuntu 20 (and start over?) or is Ubuntu 18 still okay?

mrjones · February 8, 2023, 8:26am

@joykimmel - That’s great news that it solve your problem! Thanks for reporting back.

Given that the medic-os container runs in Docker, CHT is not too picky about what version of Ubuntu you run on the host OS. 18 has one more year of support, so you’re fine to stay on it for a bit more. As well, you’re fine to upgrade to 20.04 or 22.04.

sanjay · August 5, 2024, 9:54am

@mrjones we have updated the default file and its still not working. cc @gaarimasharma @Raghav_Raj_Karkee

sanjay · August 5, 2024, 9:57am

here is the response we got it

Warning: Service ‘medic-core/nginx’ is not currently running

Fatal: Failed to restart service ‘medic-core/nginx’

@Philip_Mwago here is the status as we discussed.

sanjay · August 5, 2024, 2:39pm

we have been able to figure out with the steps given as we copied default configurations from backup instances. Thank you all it would be better if we can manage to point out the default value resources link too as the default config.