Preparing/Updating the Docker certificates

Creating a new OpenLMIS instance requires the creation of appropriate docker certificates. They can be created on the basis of the documentation contained on the docker page. For OpenLMIS instances, certificates are created when the instance is started using Terraform.

When creating a new certificate, you can easily specify the number of days the certificate is valid thanks to the `-days` parameter. In the OpenLMIS project, the validity of the certificate is determined by the docker_tls_expiry_days parameter. Usually, this number is set to 365 days, but you can increase it to e.g. 1095 days - it's 3 years. Certificates are responsible for security, so remember to set it carefully (it should not be too large).

When the certificate loses its validity, it is necessary to generate a new certificate. For instances created using Terraform, you need to destroy the docker module and recreate it.

At the beginning remember to import the appropriate modules at the beginning, If you update certificates using terraform:

1 2 3 4 terraform init terraform import module.<Name OF SETUP> <ID OF INSTANCE> terraform import module.<NAME OF SETUP>.aws_elb.elb <NAME OF ELB> terraform import module.<NAME OF SETUP>.aws_db_instance.rds <NAME OF RDS INSTANCE>

Use the following commands to set the Terraform variables:

1 2 export TF_VAR_aws_access_key_id=$AWS_ACCESS_KEY_ID export TF_VAR_aws_secret_access_key=$AWS_SECRET_ACCESS_KEY

And add the right key to SSH-Agent, e.g. :

1 ssh-add ~/.ssh/TestEnvDockerHost.pem

Next, destroy the docker module and recreate it by running the following commands. Remember about setting docker_tls_force_recreate parameter to true before you start.

1 2 3 4 5 terraform init terraform plan -destroy -target module.<Name OF SETUP>.null_resource.deploy-docker terraform destroy -target module.<Name OF SETUP>.null_resource.deploy-docker terraform plan terraform apply

And then, from the instance:

1 2 sudo update-ca-certificates sudo service docker restart

Finally, remember to replace certificates on Jenkins (step 6 from this instruction).


Regenerating manually created certificates

  1. Create docker with docker machine from your machine as described in Step 3 of Provision swarm With Elastic - OpenLMIS Deployment

    1. if domain is in use --generic-ip-address should be set to this domain

  2. Copy certificates as described here Prepare the Docker certificates to the server

  3. If server is used by Jenkins, create zip archive and update relevant Jenkins credentials

    1. To make build use new credentials, it’s workspace should be cleared

If the certificates are additionally stored on S3 on AWS or on the GitHub repository then you should also update them in these places.

If after regenerating certs, the deploy job is still failing with x509: certificate signed by unknown authority, try clearing workspace on Jenkins.