reference links:
https://www.digicert.com/csr-ssl-installation/nginx-openssl.htm
https://docs.opendatakit.org/odk-x/sync-endpoint/#https
https://forum.opendatakit.org/t/odk-x-sync-endpoint-https-and-nonstandard-ports/20178
https://wikispaces.psu.edu/pages/viewpage.action?pageId=358598295

cd /etc/ssl/certs
sudo openssl genrsa -out l2odk2.key 2048
sudo openssl req -out l2odk2.csr -new -key l2odk2.key

DATA:
CN = L2ODK2.vmhost.psu.edu
O = The Pennsylvania State University
OU = College of the Liberal Arts
L = University Park
S = Pennsylvania
C = US
pass=xxx

cp l2odk2.csr /home/rsd19/l2odk2.csr

On the web site I had to request a new domain: l2odk2.vmhost.psu.edu
Then I submitted the request successfully after the domain approval.
I selected "other" as the web server, 2 year, and InCommon SHA2.

Connect to L2ODK2 with WinSCP and copy the new cert and the intermediates with root certs to the server:
l2odk2_vmhost_psu_edu_interm.crt
l2odk2_vmhost_psu_edu_cert.crt

sudo -i
cd /etc/ssl/private
ls
cp /etc/ssl/certs/l2odk2.key /etc/ssl/private/l2odk2.key
rm /etc/ssl/certs/l2odk2.key

Note: the key was created in /etc/ssl/certs, which is normally world-readable. Check with ls -l that /etc/ssl/private/l2odk2.key is readable by root only (chmod 600 if it is not).

cp /home/rsd19/l2odk2_vmhost_psu_edu_cert.crt /etc/ssl/certs/l2odk2_vmhost_psu_edu_cert.crt
cp /home/rsd19/l2odk2_vmhost_psu_edu_interm.crt /etc/ssl/certs/l2odk2_vmhost_psu_edu_interm.crt

Note: the commands below use relative paths (bundle.crt, ../private/l2odk2.key) that resolve from /etc/ssl/certs, so cd /etc/ssl/certs first. The >> appends: if bundle.crt already exists (for example at renewal), the old contents stay at the top of the file and nginx serves the first certificate it finds, so remove or truncate the old bundle.crt before running cat.

cat l2odk2_vmhost_psu_edu_cert.crt l2odk2_vmhost_psu_edu_interm.crt >> bundle.crt
c_rehash /etc/ssl/certs

testing the ssl hashes

openssl x509 -noout -in l2odk2_vmhost_psu_edu_cert.crt -text
openssl x509 -noout -in bundle.crt -text
openssl x509 -noout -in l2odk2_vmhost_psu_edu_cert.crt -modulus | openssl md5
openssl rsa -noout -in ../private/l2odk2.key -modulus | openssl md5

Note: openssl x509 reads only the first certificate in bundle.crt, so the second command shows the server certificate, not the intermediates. The two md5 digests must be identical; if they differ, the certificate was not issued for this private key.

docker config create l2odk2.vmhost.psu.edu.fullchain.pem /etc/ssl/certs/bundle.crt
yba80vpan0z066rfa4ls7e13i
docker secret create l2odk2.vmhost.psu.edu.privkey.pem /etc/ssl/private/l2odk2.key
h4zwd7kj0dl83m1yzowmi4fz8

Note: the line under each docker command is the object ID that docker prints. The private key goes in with docker secret create and the public chain with docker config create; do not swap them, because docker configs are not encrypted at rest.

edit the /odkx/sync-endpoint-default-setup/docker-compose.yml file for these sections (the nginx service, then the root-level configs and secrets):

  nginx:
    image: nginx:latest
    networks:
      - sync-network
    ports:
      - "80:80"
      - "443:443"
    configs:
      - source: com.nginx.sync-endpoint.conf
        # target: ./config/nginx/sync-endpoint-https.conf
        target: /etc/nginx/conf.d/default.conf
      - source: com.nginx.proxy_buffer.conf
        target: /etc/nginx/conf.d/proxy_buffer.conf
      # uncomment these after uncommenting the ones below in the root level (we uncommented the below 3 lines)
      - com.nginx.ssl_certificate
    secrets:
      - com.nginx.ssl_certificate_key

configs:
  # uncomment this to import a CA certificate into the Sync service
  # org.opendatakit.sync.ldapcert:
  #   external: true
  # uncomment this to override logging configuration
  # org.opendatakit.aggregate.logging.properties:
  #   file: ./logging.properties
  org.opendatakit.sync-web-ui.application.properties:
    file: ./config/web-ui/application.properties
  com.nginx.sync-endpoint.conf:
    # (we added an s to the http.conf file name on the line below)
    file: ./config/nginx/sync-endpoint-https.conf
  com.nginx.proxy_buffer.conf:
    file: ./config/nginx/proxy_buffer.conf
  com.nginx.ssl_certificate:
    external:
      name: l2odk2.vmhost.psu.edu.fullchain.pem

secrets:
  org.opendatakit.aggregate.security.properties:
    file: ./config/sync-endpoint/security.properties
  org.opendatakit.aggregate.jdbc.properties:
    file: ./config/sync-endpoint/jdbc.properties
  com.nginx.ssl_certificate_key:
    external:
      name: l2odk2.vmhost.psu.edu.privkey.pem

Note: image: nginx:latest is an unpinned tag, so a redeploy can pull a different nginx build than the one tested here.