ronivay / XenOrchestraInstallerUpdater

Xen Orchestra install/update script
GNU General Public License v3.0

Cannot start HTTPS web server after adding private signed certs #239

Closed billfarty closed 1 month ago

billfarty commented 1 month ago

OS Version: Debian GNU/Linux 12 (bookworm)
Node.js version: v18.20.3
Yarn version: 1.22.22

Server specs: 2 CPU/8 GB

Issue: Server will not start after adding configuration for HTTPS with private CA signed certs and key. Looks like something to do around cert passphrase input? Did it pass the date/time to the program as my private key passphrase?

My certs were made using EasyRSA if that matters.

Sorry, I am not fairly new to all this. Let me know if there is any other info you require or if there is something I've obviously misconfigured. Thanks in advance.

Installation logfile: attach complete log as a file.

Here is my xo-install.cfg:

# Port number where xen-orchestra service is bound
# no effect to Xen Orchestra proxy
PORT="443"

# Base dir for installation and future updates
INSTALLDIR="/opt/xo"

# Script will update itself if there's a newer version available. This assumes that script inside a git directory and remote is ronivay/XenOrchestraInstallerUpdater
# options: true/false
SELFUPGRADE=true

# Xen Orchestra configuration file is stored in XOUSER's home directory ($HOME/.config/xo-server/config.toml) and by default will be overwritten with every update done by this script.
# You may disable this if you edit configuration by hand and don't want an update to overwrite it. Note that some of the options defined here won't be applied even if changed if this is set to false.
# options: true/false
# no effect to Xen Orchestra proxy
CONFIGUPDATE=true

# Location of Xen Orchestra repository where source code is fetched
REPOSITORY="https://github.com/vatesfr/xen-orchestra"

# Git branch, tag (append tags/ before the tag name) or individual commit where xen-orchestra sources are fetched.
BRANCH="master"

# Installation log path
# default: ./logs
#LOGPATH=

# Only one PLUGINS variable can be used at a time. Comment out the other one if you change these below. Comment out both if you don't want any plugins to be installed.

# Comma separated list of plugins to be installed, check README for more information. Note that 3rd party plugins defined below should be listed here as well with their name eq. repo1,repo2 etc.
#PLUGINS="xo-server-transport-email,xo-server-usage-report,xo-server-perf-alert"

# (default) all plugins will be installed, including possible 3rd-party plugins if defined.
PLUGINS="all"

# Additional 3rd-party plugins to fetch. Keep the .git suffix.
#ADDITIONAL_PLUGINS="https://github.com/user/repo.git,https://github.com/user/repo2.git"

# NodeJS and Yarn are automatically updated when running update/install. Can be disabled but not recommended (installation might fail because of too old node.js or yarn)
# Note that if nodejs is updated when script's update feature is used, it might not be possible to use rollback option anymore without manually downgrading nodejs version to previous one
# options: true/false
AUTOUPDATE="true"

# yarn cache can consume a lot of disk space over time. Setting this to true will clear cache after update.
# this can have a negative impact on how long update will take with slower internet connections
# options: true/false
#YARN_CACHE_CLEANUP="false"

# enable/disable OS check. Installation refuses to run on any other than supported OS versions if this is enabled. Can be disabled for experimental purposes.
# options: true/false
OS_CHECK="true"

# enable/disable architecture check. Installation refuses to run on any other than x86_64 if enabled. Can be disabled for experimental purposes.
# options: true/false
ARCH_CHECK="true"

# Define the number of previous successful installations you want to keep. Needs to be at least 1. Determines how far the rollback feature can be used.
PRESERVE="3"

# certificate settings have no effect to Xen Orchestra proxy, it'll generate it's own self-signed certificates always

# Location of pem certificate/key files. Installation will automatically configure HTTPS if these are defined. Remember to change PORT variable as well.
PATH_TO_HTTPS_CERT=$INSTALLDIR/xo.crt
PATH_TO_HTTPS_KEY=$INSTALLDIR/xo.key

# location of CA certificate file.
# define this if your host certificate is issued by a custom CA and you want XO to trust it.
# file can contain multiple certificates
PATH_TO_HOST_CA=$INSTALLDIR/ca.crt

# If set to true together with cert/key paths, defined pem key/certificate will be created if neither exists.
# options: true/false
#AUTOCERT="false"

# Enable automatic ACME (eq. Let's Encrypt) certificate creation.
# Setting this to true will configure HTTP and HTTPS listeners to ports 80/443 (overwrites PORT variable),
# enables autocert, sets certificate paths if missing and adds http to https redirect.
#ACME="false"

# ACME domain for which the certificate is generated.
# Domain needs to be pointed towards XO server public ip-address and ports 80 and 443 allowed.
#ACME_DOMAIN=""

# Optional email address to receive notifications related to certificate
#ACME_EMAIL=""

# Optional ACME CA to use. Will default to Let's Encrypt
# Available ones listed here: https://www.npmjs.com/package/acme-client#directory-urls
#ACME_CA="letsencrypt/production"

# If set to true, this will install the rpm/deb repositories necessary for the Xen Orchestra install.
# If set to false, these repositories will not be installed. Also automatic nodejs upgrade will be disabled.
# Note that installation will fail if all needed packages aren't available from configured repositories. See README for list of packages.
# options: true/false
# default: true
#INSTALL_REPOS="true"

# Send xo-server logs to remote syslog
# syntax is: <protocol>://<target-address>:<port>
# supported protocols are udp and tcp
# example: tcp://syslog.company.lan:514
#SYSLOG_TARGET=""

# Configurable network-timeout setting for yarn, in ms.
# default: 300000 = 300sec
#YARN_NETWORK_TIMEOUT="300000"

Here is the error I am getting. Installation goes OK until the web server tries to open the port:

+ /bin/systemctl start xo-server
+ journalctl --since '2024-05-25 12:27:34' -u xo-server | grep 'Web server listening on https\{0,1\}:\/\/.*:443'
+ journalctl --since '2024-05-25 12:27:34' -u xo-server | grep 'Web server listening on https\{0,1\}:\/\/.*:443'
+ journalctl --since '2024-05-25 12:27:34' -u xo-server | grep 'Web server listening on https\{0,1\}:\/\/.*:443'
+ journalctl --since '2024-05-25 12:27:34' -u xo-server | grep 'Web server listening on https\{0,1\}:\/\/.*:443'
+ journalctl --since '2024-05-25 12:27:34' -u xo-server | grep 'Web server listening on https\{0,1\}:\/\/.*:443'
+ journalctl --since '2024-05-25 12:27:34' -u xo-server | grep 'Web server listening on https\{0,1\}:\/\/.*:443'
+ journalctl --since '2024-05-25 12:27:34' -u xo-server | grep 'Web server listening on https\{0,1\}:\/\/.*:443'

Update failed

Relevant section (I think) of the xo-server service log:

+ journalctl --since '2024-05-25 12:27:34' -u xo-server >> /home/user/XenOrchestraInstallerUpdater/logs/xo-install.log-202405251227
May 25 12:30:19 XO systemd[1]: Stopping xo-server.service - XO Server...
May 25 12:30:19 XO xo-server[11760]: 2024-05-25T16:30:19.449Z xo:main INFO SIGTERM caught, closing…
May 25 12:30:19 XO xo-server[11760]: 2024-05-25T16:30:19.454Z xo:main INFO bye :-)
May 25 12:30:19 XO systemd[1]: xo-server.service: Deactivated successfully.
May 25 12:30:19 XO systemd[1]: Stopped xo-server.service - XO Server.
May 25 12:30:19 XO systemd[1]: xo-server.service: Consumed 10.227s CPU time.
May 25 12:30:34 XO systemd[1]: Started xo-server.service - XO Server.
May 25 12:30:37 XO xo-server[15476]: 2024-05-25T16:30:37.472Z xo:main INFO Configuration loaded.
May 25 12:30:37 XO xo-server[15476]: Encrypted key -----BEGIN ENCRYPTED PRIVATE KEY-----

May 25 12:30:37 XO xo-server[15476]: -----END ENCRYPTED PRIVATE KEY-----
May 25 12:30:37 XO xo-server[15476]: Enter pass phrase: 2024-05-25T16:30:37.511Z xo:main WARN Web server could not listen: {
May 25 12:30:37 XO xo-server[15476]:   error: TypeError: tty.setRawMode is not a function
May 25 12:30:37 XO xo-server[15476]:       at setRawMode (/opt/xo/xo-builds/xen-orchestra-202405251227/node_modules/pw/index.js:43:17)
May 25 12:30:37 XO xo-server[15476]:       at pw (/opt/xo/xo-builds/xen-orchestra-202405251227/node_modules/pw/index.js:48:9)
May 25 12:30:37 XO xo-server[15476]:       at opts.passphrase (file:///opt/xo/xo-builds/xen-orchestra-202405251227/packages/xo-server/src/index.mjs:497:15)
May 25 12:30:37 XO xo-server[15476]:       at Promise._execute (/opt/xo/xo-builds/xen-orchestra-202405251227/node_modules/bluebird/js/release/debuggability.js:384:9)
May 25 12:30:37 XO xo-server[15476]:       at Promise._resolveFromExecutor (/opt/xo/xo-builds/xen-orchestra-202405251227/node_modules/bluebird/js/release/promise.js:518:18)
May 25 12:30:37 XO xo-server[15476]:       at new Promise (/opt/xo/xo-builds/xen-orchestra-202405251227/node_modules/bluebird/js/release/promise.js:103:10)
May 25 12:30:37 XO xo-server[15476]:       at use (file:///opt/xo/xo-builds/xen-orchestra-202405251227/packages/xo-server/src/index.mjs:493:37)
May 25 12:30:37 XO xo-server[15476]:       at readCert (/opt/xo/xo-builds/xen-orchestra-202405251227/@xen-orchestra/self-signed/readCert.js:65:18)
May 25 12:30:37 XO xo-server[15476]:       at makeWebServerListen (file:///opt/xo/xo-builds/xen-orchestra-202405251227/packages/xo-server/src/index.mjs:487:21)
May 25 12:30:37 XO xo-server[15476]: }
May 25 12:30:38 XO xo-server[15476]: 2024-05-25T16:30:38.099Z xo:mixins:hooks WARN start failure {
May 25 12:30:38 XO xo-server[15476]:   error: Error: spawn xenstore-read ENOENT
May 25 12:30:38 XO xo-server[15476]:       at Process.ChildProcess._handle.onexit (node:internal/child_process:284:19)
May 25 12:30:38 XO xo-server[15476]:       at onErrorNT (node:internal/child_process:477:16)
May 25 12:30:38 XO xo-server[15476]:       at processTicksAndRejections (node:internal/process/task_queues:82:21) {
May 25 12:30:38 XO xo-server[15476]:     errno: -2,
May 25 12:30:38 XO xo-server[15476]:     code: 'ENOENT',
May 25 12:30:38 XO xo-server[15476]:     syscall: 'spawn xenstore-read',
May 25 12:30:38 XO xo-server[15476]:     path: 'xenstore-read',
May 25 12:30:38 XO xo-server[15476]:     spawnargs: [ 'vm' ],
billfarty commented 1 month ago

I think my key is encrypted and this is causing the problem.
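The journal above shows exactly that failure mode: xo-server opens `PATH_TO_HTTPS_KEY` itself, finds an `ENCRYPTED PRIVATE KEY` block, and tries to read a passphrase from a terminal (`Enter pass phrase:`), which a systemd service does not have, so the `pw` helper dies with `tty.setRawMode is not a function` and the listener never comes up. The script below is an added example, not code from the XenOrchestraInstallerUpdater project or from this issue. It checks a PEM key for the two common encryption markers (PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` and the legacy `Proc-Type: 4,ENCRYPTED` header) before the service is started, matches the failure signature in journal output, and shows how to write an unencrypted copy that only its owner can read. The key files, base64 bodies and the `demo`, `check_key` and `decrypt_key` names are constructed for the example; the journal lines are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example, not part of XenOrchestraInstallerUpdater or xo-server.
# A passphrase-protected PEM key makes xo-server prompt on a TTY it does not
# have under systemd ("tty.setRawMode is not a function"), so check the key
# before (re)starting the service.

# 0 if the PEM file carries an encryption marker (PKCS#8 or legacy PKCS#1), 1 otherwise.
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# 0 if journal text on stdin shows xo-server stuck on a passphrase prompt, 1 otherwise.
journal_shows_passphrase_prompt() {
    grep -q -e 'Enter pass phrase' -e 'tty.setRawMode is not a function'
}

# Write an unencrypted PKCS#8 copy of an encrypted key; openssl prompts for the
# passphrase on your terminal. The subshell umask keeps the new file at mode 0600.
# Usage: decrypt_key /opt/xo/xo.key.encrypted /opt/xo/xo.key
decrypt_key() {
    ( umask 077 && openssl pkey -in "$1" -out "$2" )
}

# Verdict for one key file; exit status 1 means xo-server will hang on this key.
check_key() {
    if key_is_encrypted "$1"; then
        printf '%s: encrypted, xo-server cannot prompt for its passphrase under systemd\n' "$1"
        return 1
    fi
    printf '%s: not encrypted\n' "$1"
    return 0
}

# Constructed sample key files and the journal lines from the issue (no real key material).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'MIIBvTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$tmp/pkcs8-encrypted.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF' '' \
        'c29tZSBjb25zdHJ1Y3RlZCBzYW1wbGUgYnl0ZXM=' \
        '-----END RSA PRIVATE KEY-----' > "$tmp/legacy-encrypted.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
        'MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQ' \
        '-----END PRIVATE KEY-----' > "$tmp/plain.key"
    for f in "$tmp"/*.key; do
        check_key "$f" || true
    done
    printf '%s\n' \
        'May 25 12:30:37 XO xo-server[15476]: Enter pass phrase: 2024-05-25T16:30:37.511Z xo:main WARN Web server could not listen: {' \
        'May 25 12:30:37 XO xo-server[15476]:   error: TypeError: tty.setRawMode is not a function' \
        | journal_shows_passphrase_prompt && echo 'journal: passphrase prompt detected'
    rm -rf "$tmp"
}

demo
```

Run `check_key "$INSTALLDIR/xo.key"` (with the path from `xo-install.cfg`) before `systemctl start xo-server`; if it reports the key as encrypted, write an unencrypted copy with `decrypt_key` and point `PATH_TO_HTTPS_KEY` at that file. Since the passphrase no longer protects the key at rest, the file permissions are the only thing guarding it, which is why `decrypt_key` creates it under `umask 077` and it should stay owned by the account xo-server runs as.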