SELV OpenLMIS optionally uses SSL and requires an accompanying SSL certificate. Within the context of SELV, this file is currently a wildcard certificate associated with the *.villagereach.org domain (and set of subdomains). This certificate will eventually expire, after which it will need to be replaced. There are a number of places it would have to be replaced:

  1. selv.villagereach.org
  2. selv-training.villagereach.org
  3. Putty instances used for the SELV data edit tool.

Updating selv.villagereach.org

Original Instructions from Mike:

The process for updating the SELV certificate is straightforward yet tedious.

...

These keys are copied to /etc/httpd/conf.d/ssl on selv.villagereach.org. The appropriate configuration file is in the conf.d directory.

New Instructions from Ben:

The original instructions above aren't wrong per se, and they're definitely worth referencing. They purport to be "tedious," though, and indeed seem more convoluted than need be. The following instructions are thus intended as an alternative.

  1. Purchase a new SSL certificate. This can be done from a variety of places, and we chose gandi.net. Whoever you buy the certificate from should provide detailed instructions. They'll likely tell you how to generate a CSR (Certificate Signing Request) file using a tool like OpenSSL. After creating it, you upload the CSR file to their site as a formal means of requesting a new SSL certificate.

  2. It may take several hours for your certificate provider to prepare a new certificate. When they notify you that it's ready, simply download it.

  3. Update OpenLMIS with the cert downloaded in step 2. This can be done via Chef, Puppet, or any other means. The manual method is the most fundamental, however, and is thus what's described here. Specifically, assuming a CentOS host, navigate to /etc/httpd/conf.d/ssl. Look for a file called "openlmis.crt," or something similar. Rename your new .crt file such that it matches the original one's name, and replace the old one with the new one within /etc/httpd/conf.d/ssl.

  4. Restart Apache by running:
    /sbin/service httpd restart && sleep 1
    /sbin/service httpd reload && sleep 1

NOTE: Steps 3 and 4 may be different for our Docker-based installations of OpenLMIS, which exclusively use Tomcat. 
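
A pre-install check for step 3, as an added example that is not part of the original instructions: it confirms the downloaded certificate belongs to the private key already on the server and is not about to expire, then backs up the old file before replacing it. The function names and the three path arguments are assumptions; the page names only the /etc/httpd/conf.d/ssl directory and an "openlmis.crt"-like file.

```bash
#!/usr/bin/env bash
# Added example: verify a replacement certificate before swapping it in.
# Usage (paths are assumptions): ./install_cert.sh NEW.crt LIVE.crt PRIVATE.key

# True only if the certificate's public key equals the one derived from
# the private key. Works for RSA and EC keys.
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True if the certificate is still valid $2 seconds from now (default: now).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Check the new certificate, keep a timestamped copy of the live one,
# then replace it. Returns 2 on key mismatch, 3 on expiry, 4 on backup failure.
install_cert() {
    local new="$1" live="$2" key="$3" backup
    cert_matches_key "$new" "$key" || {
        echo "refusing: $new does not match private key $key" >&2
        return 2
    }
    cert_valid_for "$new" 86400 || {
        echo "refusing: $new is unreadable or expires within 24 hours" >&2
        return 3
    }
    backup="$live.bak.$(date +%Y%m%d%H%M%S)"
    if [ -f "$live" ]; then
        cp -p "$live" "$backup" || return 4
    fi
    cp "$new" "$live" && chmod 644 "$live"
}

# Run only when called with the three expected arguments.
if [ "$#" -eq 3 ]; then
    install_cert "$@"
fi
```

If the check refuses the file, the live certificate is left untouched, so Apache is never restarted onto a certificate that does not match its key.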

Updating selv-training.villagereach.org

...