Creating a new OpenLMIS instance requires generating the appropriate Docker TLS certificates. They can be created by following the documentation on the Docker page. For OpenLMIS instances, the certificates are created when the instance is brought up with Terraform.

When creating a new certificate, the number of days it is valid is set with the `-days` parameter. In the OpenLMIS project, the certificate validity is controlled by the docker_tls_expiry_days parameter. Usually it is set to 365 days, but it can be increased, e.g. to 1095 days (3 years). These certificates protect access to the Docker daemon, so choose the value carefully: the longer the validity period, the longer a leaked certificate remains usable.

When the certificate expires, a new one has to be generated. For instances created with Terraform, destroy the docker module and recreate it.

If you update the certificates using Terraform, first import the appropriate resources into the Terraform state:

terraform init
terraform import module.<NAME OF SETUP>.aws_instance.app <ID OF INSTANCE>
terraform import module.<NAME OF SETUP>.aws_elb.elb <NAME OF ELB>
terraform import module.<NAME OF SETUP>.aws_db_instance.rds <NAME OF RDS INSTANCE>

Use the following commands to set the Terraform variables:

export TF_VAR_aws_access_key_id=$AWS_ACCESS_KEY_ID
export TF_VAR_aws_secret_access_key=$AWS_SECRET_ACCESS_KEY

Then add the right key to ssh-agent, e.g.:

ssh-add ~/.ssh/TestEnvDockerHost.pem

Next, destroy the docker module and recreate it with the following commands. Remember to set the docker_tls_force_recreate parameter to true before you start.

terraform init
terraform plan -destroy -target module.<NAME OF SETUP>.null_resource.deploy-docker
terraform destroy -target module.<NAME OF SETUP>.null_resource.deploy-docker
terraform plan
terraform apply

And then, from the instance:

sudo update-ca-certificates
sudo service docker restart

Finally, remember to replace the certificates on Jenkins (step 6 of this instruction).

If the instance was created manually, the easiest way to regenerate the certificates is to run the following command on your local machine (step 3 of this instruction):

docker-machine create --driver generic --generic-ip-address=*.*.*.* --generic-ssh-key ~/.ssh/id_rsa --generic-ssh-user ubuntu name1

If the certificates are also stored on AWS S3 or in the GitHub repository, update them there as well.

If the deploy job still fails with `x509: certificate signed by unknown authority` after regenerating the certificates, try clearing the workspace on Jenkins.
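The two checks that decide the steps above (how many days the Docker certificate has left, and whether a cert still chains to the CA the client trusts, which is what the "unknown authority" error means) can be scripted with openssl. This is an added example, not part of the OpenLMIS page or project; it assumes openssl and GNU date, and the cert paths and the throwaway CA it builds are placeholders standing in for the real docker-machine certificates.

```shell
#!/usr/bin/env bash
# Added example, not from the OpenLMIS page: inspect a docker TLS certificate
# before deciding whether it must be regenerated. Assumes openssl and GNU date.
# Cert paths are placeholders; docker-machine keeps the real ones under
# ~/.docker/machine/machines/<name>/ (ca.pem, server.pem, cert.pem).
set -u

# Print the whole days of validity left on the certificate in $1
# (negative once it has expired).
days_until_expiry() {
  local end
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2-) || return 1
  echo $(( ($(date -u -d "$end" +%s) - $(date -u +%s)) / 86400 ))
}

# Exit 0 if the certificate in $1 stays valid for at least $2 more days
# (a cheap pre-check for a deploy job, so it fails early and clearly).
still_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exit 0 if the certificate in $2 chains to the CA in $1. A failure here is
# what the docker client reports as "x509: certificate signed by unknown
# authority", e.g. when Jenkins still holds the CA from before regeneration.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway CA and a server cert signed by it in directory $1, valid
# for $2 days. Constructed test data only, standing in for the docker certs.
make_demo_certs() {
  local dir="$1" days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=demo-ca' -days 365 \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=demo-docker-host' \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days "$days" -out "$dir/server.pem" 2>/dev/null
}

# Report on a certificate directory, warning when fewer than $2 days remain.
report() {
  local dir="$1" warn_days="${2:-30}"
  echo "server.pem expires in $(days_until_expiry "$dir/server.pem") days"
  still_valid_for_days "$dir/server.pem" "$warn_days" || echo "WARNING: regenerate soon"
  verify_chain "$dir/ca.pem" "$dir/server.pem" && echo "chain OK" || echo "chain BROKEN"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_demo_certs "$d" 10; report "$d" 30; rm -rf "$d"
fi
```

Run it with `--demo` to see the report on constructed certificates, or call `report ~/.docker/machine/machines/<name> 30` against a real docker-machine directory.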