OpenLMIS optionally uses SSL and an accompanying SSL certificate. Within the context of SELV, the certificate is currently a wildcard certificate associated with the *.villagereach.org domain (and its set of subdomains). This certificate will eventually expire, after which it will need to be replaced. It would have to be replaced in a number of places:
- selv.villagereach.org
- selv-training.villagereach.org
- PuTTY instances used for the SELV data edit tool.
Updating selv.villagereach.org
Original Instructions from Mike:
The process for updating the SELV certificate is straightforward yet tedious.
Below are the contents of the readme.txt notes created when it was updated last:
This SSL configuration is set up for the gandi.net certification provider.
The certificate is a SHA2 certificate which needs a chain file that combines both the intermediate certificate and the cross-signed certificate into a single bundle stored in a PEM file.
The file villagereach-chain.pem is simply the GandiStandardSSLCA2.pem concatenated with the USERTrustRSAAddTrustCA.pem file. NOTE: These two files are in this directory, but only for reference. Their contents are duplicated in the villagereach-chain.pem file.
Then, in the Apache configuration file, you must use the SSLCertificateChainFile directive to specify the chain file.
See: http://wiki.gandi.net/en/ssl/intermediate#sha2_intermediate_certificates
These keys are copied to /etc/httpd/conf.d/ssl on selv.villagereach.org. The appropriate configuration file is in the conf.d directory.
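The chain bundle described in the readme notes above can be built and checked before Apache is pointed at it. The following is an added example, not part of the original readme or the SELV configuration: the function names and the throwaway demo hierarchy produced by `make_demo_pki` are invented for illustration, and in real use the arguments would be the Gandi intermediate, the cross-signed certificate and the server certificate files.

```sh
#!/bin/sh
# Added example (not from the SELV readme). Requires the openssl CLI.

# build_chain OUT CERT...: write each single-certificate PEM file into OUT, in
# the order given. Re-encoding through openssl rejects anything that is not a
# certificate (such as a private key) and guarantees a newline between blocks,
# which a plain `cat` does not when an input lacks its final newline.
build_chain() {
    out=$1; shift
    : > "$out"
    for pem in "$@"; do
        openssl x509 -in "$pem" >> "$out" 2>/dev/null || return 1
    done
}

# verify_with_chain ROOT CHAIN CERT: true only if CERT chains up to ROOT using
# the certificates in CHAIN as the intermediates a server would send.
verify_with_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# expires_within DAYS CERT: true if CERT expires within DAYS days
# (an unreadable CERT also counts as true, so it gets looked at).
expires_within() {
    ! openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# make_demo_pki DIR: constructed sample data with invented names, valid 30 days:
# root.pem -> cross.pem -> inter.pem -> leaf.pem (plus matching .key files).
make_demo_pki() (
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=demo' \
        '[v3_demo_ca]' 'basicConstraints=critical,CA:TRUE' > demo.cnf
    openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf \
        -extensions v3_demo_ca -subj '/CN=Demo Root' -days 30 \
        -keyout root.key -out root.pem 2>/dev/null || exit 1
    issuer=root
    for name in cross inter leaf; do
        case $name in leaf) ext= ;; *) ext='-extfile demo.cnf -extensions v3_demo_ca' ;; esac
        openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
            -subj "/CN=Demo $name" -keyout "$name.key" -out "$name.csr" \
            2>/dev/null || exit 1
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial $ext -days 30 -out "$name.pem" 2>/dev/null || exit 1
        issuer=$name
    done
)
```

On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated and the same intermediates can instead be appended to the file named by SSLCertificateFile.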
New Instructions from Ben:
The original instructions above aren't wrong per se, and they're definitely worth referencing. They purport to be "tedious," though, and indeed seem more convoluted than need be. The following instructions are thus intended as an alternative.
...
Updating selv-training.villagereach.org
selv-training is hosted in the docker instance. The same certificates created above need to be configured within the appropriate configuration there.
These keys are copied to /etc/httpd/conf.d/ssl on the docker instance. The appropriate configuration file is the selv-training conf file in the conf.d directory.
SELV's SSL configuration parallels that of SIIL. Please see this page for details.