OpenLMIS optionally uses SSL and an accompanying SSL certificate. Within the context of SELV, this certificate is currently a wildcard certificate for the *.villagereach.org domain (and its set of subdomains). This certificate will eventually expire, after which it will need to be replaced. There are a number of places it would have to be replaced:
- selv.villagereach.org
- selv-training.villagereach.org
- PuTTY instances used for the SELV data edit tool.
Updating selv.villagereach.org
Original Instructions from Mike:
The process for updating the SELV certificate is straight-forward yet tedious.
Below is the contents of the readme.txt notes created when it was updated last:
This SSL configuration is set up for the gandi.net certification provider.
The certificate is a SHA-2 certificate, which needs a chain file created that contains both the intermediate certificate and the cross-signed certificate in a single bundle stored in a PEM file.
The file villagereach-chain.pem is simply the GandiStandardSSLCA2.pem concatenated with the USERTrustRSAAddTrustCA.pem file. NOTE: These two files are in this directory, but only for reference. Their contents are duplicated in the villagereach-chain.pem file.
Then, in the Apache configuration file, you must use the SSLCertificateChainFile directive to specify the chain file.
See: http://wiki.gandi.net/en/ssl/intermediate#sha2_intermediate_certificates
These keys are copied to /etc/httpd/conf.d/ssl on selv.villagereach.org. The appropriate configuration file is in the conf.d directory.
New Instructions from Ben:
The original instructions above aren't wrong per se, and they're definitely worth referencing. They purport to be "tedious," though, and indeed seem more convoluted than need be. The following instructions are thus intended as an alternative.
- Purchase a new SSL certificate. This can be done from a variety of places, and we chose gandi.net. Whomever you buy the certificate from should provide detailed instructions. They'll likely tell you how to generate a CSR (Certificate Signing Request) file using a tool like OpenSSL. After creating it, you upload the CSR file to their site as a formal means of requesting a new SSL certificate.
- It may take several hours for your certificate provider to prepare a new certificate. When they notify you that it's ready, simply download it.
- Update OpenLMIS with the cert downloaded in step 2. This can be done via Chef, Puppet, or any other means. The manual method is the most fundamental, however, and is thus what's described here. Specifically, assuming a CentOS host, navigate to /etc/httpd/conf.d/ssl. Look for a file called "openlmis.crt," or something similar. Rename your new .crt file such that it matches the original one's name, and replace the old one with the new one within /etc/httpd/conf.d/ssl.
- Restart Apache by running:
/sbin/service httpd restart && sleep 1
/sbin/service httpd reload && sleep 1
NOTE: Steps 3 and 4 may be different for our Docker-based installations of OpenLMIS, which exclusively use Tomcat.
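The chain-file build from Mike's notes and the pre-restart checks a practitioner would want before step 3 of Ben's instructions, as an added example (not part of the original page): it builds villagereach-chain.pem from the two Gandi PEM files and refuses a new certificate that does not chain, expires soon, or does not match the private key. The file names openlmis.key and new.crt and the 30-day expiry margin are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed names: openlmis.key
# (Apache's private key), new.crt (certificate downloaded from Gandi),
# GandiStandardSSLCA2.pem and USERTrustRSAAddTrustCA.pem (as named on the page).
set -u

# Build the chain bundle: intermediate first, then the cross-signed CA,
# exactly how villagereach-chain.pem was produced in the original notes.
build_chain() {
    intermediate=$1; cross_signed=$2; out=$3
    cat "$intermediate" "$cross_signed" > "$out"
}

# Number of certificates in a PEM bundle (sanity check after build_chain).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Refuse to install a certificate that fails any of these checks:
#  1. it verifies against the system trust store using the chain file as
#     the untrusted intermediates (what a browser does with Apache's chain)
#  2. it is valid for at least another 30 days (assumed margin)
#  3. its public key matches the private key Apache will load
check_cert() {
    cert=$1; key=$2; chain=$3
    openssl verify -untrusted "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "chain verification failed for $cert"; return 1; }
    openssl x509 -in "$cert" -noout -checkend $((30*24*3600)) >/dev/null 2>&1 \
        || { echo "$cert expires within 30 days"; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "$cert does not match private key $key"; return 1; }
    return 0
}

# Full procedure on the CentOS host: build, check, install, restart Apache.
install_cert() {
    ssl_dir=/etc/httpd/conf.d/ssl
    build_chain GandiStandardSSLCA2.pem USERTrustRSAAddTrustCA.pem villagereach-chain.pem
    [ "$(count_certs villagereach-chain.pem)" = "2" ] || return 1
    check_cert new.crt openlmis.key villagereach-chain.pem || return 1
    cp villagereach-chain.pem "$ssl_dir/" && cp new.crt "$ssl_dir/openlmis.crt" || return 1
    /sbin/service httpd restart && sleep 1
    /sbin/service httpd reload && sleep 1
}
```

Run install_cert from the directory holding the new certificate files; a failed check leaves the existing certificate in place.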
Updating selv-training.villagereach.org
selv-training is hosted in the Docker instance. The same certificates created above need to be configured within the appropriate configuration there.
These keys are copied to /etc/httpd/conf.d/ssl on the Docker instance. The appropriate configuration file is the selv-training conf file in the conf.d directory.