Openbis docker quickstart installation certification expired

Hi,

I wish to install a test openBIS instance on an empty Ubuntu 24.04.4 LTS instance. When I visit the openBIS website it returns a 503 error. I strongly suspect that this is due to an expired certificate, so my question is how to use a self-signed certificate (preferred solution) instead of the one provided in the container, or skip the certificate check (probably not a good idea, since I’ll probably have to use a certificate in a production deployment anyway).

Error Summary

I’ve followed all the installation steps under: openbis/openbis-app - Docker Image under the “Quickstart” section (see next section “setup” for more details). When I run

curl -vk https://localhost.openbis.net/openbis/webapp/eln-lims/version.txt

Output:

* Host localhost.openbis.net:443 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:443...
* Connected to localhost.openbis.net (::1) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=localhost.openbis.net 
*  start date: Dec  2 10:11:34 2025 GMT
*  expire date: Mar  2 10:11:33 2026 GMT # <================================
*  issuer: C=US; O=Let's Encrypt; CN=E8
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://localhost.openbis.net/openbis/webapp/eln-lims/version.txt
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: localhost.openbis.net]
* [HTTP/2] [1] [:path: /openbis/webapp/eln-lims/version.txt]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> GET /openbis/webapp/eln-lims/version.txt HTTP/2
> Host: localhost.openbis.net
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/2 503 
< cache-control: must-revalidate,no-cache,no-store
< content-type: text/html;charset=iso-8859-1
< content-length: 509
< server: Jetty(9.4.44.v20210927)
< 
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 503 Service Unavailable</title>
</head>
<body><h2>HTTP ERROR 503 Service Unavailable</h2>
<table>
<tr><th>URI:</th><td>/openbis/webapp/eln-lims/version.txt</td></tr>
<tr><th>STATUS:</th><td>503</td></tr>
<tr><th>MESSAGE:</th><td>Service Unavailable</td></tr>
<tr><th>SERVLET:</th><td>-</td></tr>
</table>
<hr/><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.44.v20210927</a><hr/>

</body>
</html>

I’ve placed a comment arrow “<======” where the cert has expired on 2 Mar 2026.

Setup

  • Ubuntu 24.04.4 LTS
  • Deployment: Docker (official openbis/openbis-app:20.10.12 image)
  • Network: ports 8080, 8081 and 8085 exposed
  • OPENBIS_FQDN set to hostname of my VM

regards,
don

Dear Don,
The whole quickstart is intended to provide an example of a simple production environment, with the intention of development as localhost on the same machine. I will explain several things here that I hope provide more clarification.

  1. You do not need to change OPENBIS_FQDN from localhost.openbis.net to your VM hostname, because it is already the hostname of your local machine.

    $ host localhost.openbis.net
    localhost.openbis.net has address 127.0.0.1
    localhost.openbis.net has IPv6 address ::1

  2. That certificate is intentionally provided as expired to provoke the necessity of providing your own. We occasionally renew it, but it does not matter much. As long as you know what you are doing in your browser and where you are connecting to, it is safe to add it as an exception (skip the certificate check) and continue evaluation or development on your local openBIS instance.

  3. The HTTP ERROR 503 Service Unavailable is not because of the certificate. It is because the backend does not respond correctly. Please check the logs of the openbis-app container and check http://localhost:8080 and http://127.0.0.1:8080 on your local system, as well as
    curl -vk http://localhost:8080/openbis/webapp/eln-lims/version.txt
    You should have openbis-app running correctly to be able to connect from the frontend openbis-local container.
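
An added example, not part of either post and not openBIS code: a small triage script that reads a `curl -vk` trace and separates the two questions raised above, namely whether the certificate has expired and whether an HTTP answer arrived over the TLS session at all. The function names and the verdict labels are hypothetical; the sample trace is abridged from the one in the question.

```shell
#!/usr/bin/env bash
# Added example: decide from a `curl -vk` trace whether a failure sits at the
# TLS layer or behind it. Function names are hypothetical, not part of openBIS.

# Abridged from the trace in the question (TLS completes, then HTTP 503).
sample_trace() {
  cat <<'EOF'
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / id-ecPublicKey
* Server certificate:
*  subject: CN=localhost.openbis.net
*  start date: Dec  2 10:11:34 2025 GMT
*  expire date: Mar  2 10:11:33 2026 GMT
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
< HTTP/2 503
< server: Jetty(9.4.44.v20210927)
EOF
}

# Reads a trace on stdin; $1 is "now" as UTC YYYYmmddHHMMSS (default: current time).
triage_curl_trace() {
  local now trace status expire exp_stamp cert verdict
  now=${1:-$(date -u +%Y%m%d%H%M%S)}
  trace=$(cat)
  status=$(printf '%s\n' "$trace" | sed -n 's|^< HTTP/[0-9.]* \([0-9]\{3\}\).*|\1|p' | tail -n 1)
  expire=$(printf '%s\n' "$trace" | sed -n 's|^\* *expire date: *\(.*GMT\).*|\1|p' | head -n 1)

  cert=unknown
  if [ -n "$expire" ]; then
    # Turn "Mar  2 10:11:33 2026 GMT" into 20260302101133 for a numeric compare.
    exp_stamp=$(printf '%s\n' "$expire" | awk '{
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
      split($3, t, ":")
      printf "%04d%02d%02d%02d%02d%02d", $4, m, $2, t[1], t[2], t[3] }')
    if [ "$exp_stamp" -lt "$now" ]; then cert=expired; else cert=valid; fi
  fi

  if [ -z "$status" ]; then
    # No HTTP response at all: the connection or TLS handshake failed first.
    verdict=no-http-response
  elif [ "$status" -ge 500 ]; then
    # A 5xx arrived over a finished TLS session, so the certificate did not
    # block the request; the server side failed to serve it.
    verdict=backend
  else
    verdict=other-http-status
  fi
  printf 'verdict=%s status=%s cert=%s\n' "$verdict" "${status:-none}" "$cert"
}
```

To run it against a live endpoint, pipe the trace in with `curl -vk URL 2>&1 | triage_curl_trace`, since curl writes the verbose trace to stderr.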

Hi Artur,

Thanks for your quick reply.

I resolved this with our IT person: we got it to work by setting the FQDN to the hostname + some other network domain names attached, not just the hostname, although from a previous post here I thought the hostname was sufficient (and as you’ve mentioned, not even necessary for installing a test instance of openbis). Our NFS shared drives exhibit this behaviour as well and we have no idea why. Might be something at the DNS level, or just the way our desktops are set up.

Thanks for your help,

Don