SELV OpenLMIS optionally uses SSL and requires an accompanying SSL certificate. Within the context of SELV, this file is currently a wildcard certificate associated with the *.villagereach.org domain (and set of subdomains). This certificate will eventually expire, after which it will need to be replaced. There are a number of places where it would have to be replaced:
- selv.villagereach.org
- selv-training.villagereach.org
- Putty instances used for the SELV data edit tool.
Updating selv.villagereach.org
Original Instructions from Mike:
The process for updating the SELV certificate is straightforward yet tedious.
...
These keys are copied to /etc/httpd/conf.d/ssl on selv.villagereach.org. The appropriate configuration file is in the conf.d directory.
New Instructions from Ben:
The original instructions above aren't wrong per se, and they're definitely worth referencing. They purport to be "tedious," though, and indeed seem more convoluted than need be. The following instructions are thus intended as an alternative.
1. Purchase a new SSL certificate. This can be done from a variety of places, and we chose gandi.net. Whoever you buy the certificate from should provide detailed instructions. They'll likely tell you how to generate a CSR (Certificate Signing Request) file using a tool like OpenSSL. After creating it, you upload the CSR file to their site as a formal means of requesting a new SSL certificate.
2. It may take several hours for your certificate provider to prepare a new certificate. When they notify you that it's ready, simply download it.
3. Update OpenLMIS with the cert downloaded in step 2. This can be done via Chef, Puppet, or any other means. The manual method is the most fundamental, however, and is thus what's described here. Specifically, assuming a CentOS host, navigate to /etc/httpd/conf.d/ssl. Look for a file called "openlmis.crt," or something similar. Rename your new .crt file such that it matches the original one's name, and replace the old one with the new one within /etc/httpd/conf.d/ssl.
4. Restart Apache by running:
    /sbin/service httpd restart && sleep 1
    /sbin/service httpd reload && sleep 1
NOTE: Steps 3 and 4 may be different for our Docker-based installations of OpenLMIS, which exclusively use Tomcat.
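The checks below are an added example, not part of the original instructions: they verify a downloaded certificate before it replaces the file in /etc/httpd/conf.d/ssl, and catch the case where the CSR was generated from a different private key than the one Apache loads. The function names and the 30-day default are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: checks on a replacement certificate before it is copied
# into /etc/httpd/conf.d/ssl. Function names and the 30-day default are
# assumptions made for this example.

# Succeeds only if the certificate's public key matches the private key
# Apache will be configured with.
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds if the certificate (wildcard or not) is valid for the hostname.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Succeeds if the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# usage: precheck_cert NEW.crt EXISTING.key HOSTNAME [MIN_DAYS]
# Return codes: 1 key mismatch, 2 hostname not covered, 3 expires too soon.
precheck_cert() {
    local crt="$1" key="$2" host="$3" days="${4:-30}"
    cert_matches_key "$crt" "$key" ||
        { echo "FAIL: certificate does not match private key" >&2; return 1; }
    cert_covers_host "$crt" "$host" ||
        { echo "FAIL: certificate does not cover $host" >&2; return 2; }
    cert_valid_for_days "$crt" "$days" ||
        { echo "FAIL: certificate expires within $days days" >&2; return 3; }
    echo "OK: $crt can be installed for $host"
}

# After the Apache restart: print the expiry date of the certificate the
# server is actually presenting (needs network access to the host).
served_cert_enddate() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -enddate
}
```

Run `precheck_cert` once per hostname the wildcard certificate has to serve, then `served_cert_enddate selv.villagereach.org` after the restart to confirm the new certificate is the one being served.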
Updating selv-training.villagereach.org
...