Installing own ssl certificate on Kobo


I have tried to install kobotoolbox on my server but get an error 499 whenever I select to use https. I have therefore opted to install using http and install my own certificates. I have placed the certificates in the nginx/secrets folder and restarted the containers but still can’t access the server using https. What other configurations do I need to change to make the server accessible over https?

Hello derricknyakiba,

From the readme.

  1. HTTPS certificates must be installed on a Reverse Proxy. KoBoInstall can install one and use Let's Encrypt to generate certificates thanks to nginx-certbot project

So nginx-certbot containers should handle certificates for you. You don’t have to create them on your own. Be sure to have ports 80 and 443 opened. If it doesn’t work, there may be an issue with your settings.

If you do want to use your own certificates, you need to choose Advanced options when running KoBoInstall setup. (python --setup). Then, choose

  • Do you want to use HTTPS: 1
  • Auto-install HTTPS certificates with Let’s Encrypt? 2
Do you want to use HTTPS?
	1) Yes
	2) No
[2]: 1
║ Please note that certificates must be installed on a reverse-proxy ║
║ or a load balancer.                                                ║
║ KoBoInstall can install one, if needed.                            ║
Auto-install HTTPS certificates with Let's Encrypt?
	1) Yes
	2) No - Use my own reserve-proxy/load-balancer
[2]: 2
Internal port used by reverse proxy is 8080.

On your reverse proxy server, be sure to use port 8080 for the KoBo-docker proxied server.

Internet <-> (80,443) <-> Proxy <-> (8080) <-> KoBo Nginx

Also, you need to set the X-Forwarded-Proto header to https,
e.g. with NGINX:
proxy_set_header X-Forwarded-Proto https;

Don’t try to add your certificates to nginx/secrets.
The NGINX container of kobo-docker doesn’t handle HTTPS certificates anymore in favor of the Let's Encrypt solution provided by the nginx-certbot project.
The folder should be removed soon.
Sorry for the confusion.

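Putting the instructions above together, here is a minimal NGINX reverse-proxy configuration as an added example; it is not from the KoBo project or from anyone in this thread. It assumes the proxy runs on the same host as kobo-docker (so 127.0.0.1:8080 is the KoBo NGINX on the internal port kobo-install prints), uses the kf/kc/ee hostnames mentioned in this thread, and the certificate paths are placeholders for wherever your own certificate and key are stored on the proxy.

```nginx
# Added example: a reverse proxy in front of kobo-docker using your own
# certificate. Not the project's own config. Assumes kobo-docker's NGINX
# listens on 127.0.0.1:8080 on the same host; certificate paths are
# placeholders.

# Redirect plain HTTP to HTTPS for all three public hostnames.
server {
    listen 80;
    server_name kf.yourdomain.tld kc.yourdomain.tld ee.yourdomain.tld;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name kf.yourdomain.tld kc.yourdomain.tld ee.yourdomain.tld;

    # Your own certificate and key live here, on the proxy,
    # not in kobo-docker's nginx/secrets folder.
    ssl_certificate     /etc/ssl/your-org/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/your-org/privkey.pem;     # placeholder path

    location / {
        # Everything behind the proxy is plain HTTP on port 8080.
        proxy_pass http://127.0.0.1:8080;

        # Pass the original hostname through so kobo-docker's NGINX can
        # route kf/kc/ee to the right container.
        proxy_set_header Host $host;

        # Tell the backend the client used HTTPS, so the links and
        # redirects it generates use https:// rather than http://.
        proxy_set_header X-Forwarded-Proto https;

        # Preserve the real client address for the backend's logs.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Only ports 80 and 443 need to be reachable from the Internet in this layout; port 8080 should stay bound to localhost or the private network, since traffic on it is unencrypted.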

Hi there,

I would like to follow up on that question, while we’re facing the same question.
From the beginning: We were running an instance installed by using kobo-install and set up https via Let’s Encrypt. After a while we got blocked by Let’s Encrypt due to too many certificate renewal requests and we can’t figure out which element of Kobo has caused that problem.

Since we have our own certificates, we would like to use them instead of Let’s Encrypt.
Our IT has now tried to set up the installation according to @nolive’s instructions but it won’t work.
Out of this I have one question and one issue to report:

Question: Where to put the certificates on the reverse proxy, so kobo may find it?
Issue: Having set up the latest version (details see below) with kobo-install while denying to use Let’s Encrypt, the containers won’t start at all. Any thoughts on this?

Current config:

kobotoolbox/nginx                          latest 
kobotoolbox/kobocat                        2.019.52-final-shared-database
kobotoolbox/enketo-express-extra-widgets   1.77.0-jnm-grunt-workaround  
kobotoolbox/kpi                            2.019.52-final-shared-database
mongo                                      3.4    
mdillon/postgis                            9.5   
redis                                      3.2

Thanks in advance

Hi @DSimon,

NGINX (from kobo-docker container) does not need to know where the certificates are located because all the internal requests are made with HTTP. (Inside docker network).
When a request is made to an external endpoint (such as https://kc.yourdomain.tld, https://kf.yourdomain.tld or https://ee.yourdomain.tld), it calls the reverse proxy (which redirects the traffic over HTTP behind the scenes to the NGINX kobo-docker container).
So the certificate must be installed on the reverse proxy.

You can have a look at this thread, where a user pasted his config file for a reverse proxy with Apache.

As I said before, the certbot container should renew the certificate for you. If it doesn’t, it means there is an issue. To narrow down the problem, can you confirm you have ports 80 and 443 opened on your server?