Preparing/Updating the Docker certificates
Creating a new OpenLMIS instance requires the creation of appropriate docker certificates. They can be created on the basis of the documentation contained on the docker page. For OpenLMIS instances, certificates are created when the instance is started using Terraform.
When creating a new certificate, you can easily specify the number of days the certificate is valid thanks to the `-days` parameter. In the OpenLMIS project, the validity of the certificate is determined by the docker_tls_expiry_days parameter. Usually, this number is set to 365 days, but you can increase it to e.g. 1095 days - it's 3 years. Certificates are responsible for security, so remember to set it carefully (it should not be too large).
When the certificate loses its validity, it is necessary to generate a new certificate. For instances created using Terraform, you need to destroy the docker module and recreate it.
At the beginning remember to import the appropriate modules at the beginning, If you update certificates using terraform:
terraform init
terraform import module.<Name OF SETUP>.aws_instance.app <ID OF INSTANCE>
terraform import module.<NAME OF SETUP>.aws_elb.elb <NAME OF ELB>
terraform import module.<NAME OF SETUP>.aws_db_instance.rds <NAME OF RDS INSTANCE>
Use the following commands to set the Terraform variables:
export TF_VAR_aws_access_key_id=$AWS_ACCESS_KEY_ID
export TF_VAR_aws_secret_access_key=$AWS_SECRET_ACCESS_KEY
And add the right key to SSH-Agent, e.g. :
ssh-add ~/.ssh/TestEnvDockerHost.pem
Next, destroy the docker module and recreate it by running the following commands. Remember about setting docker_tls_force_recreate
parameter to true before you start.
And then, from the instance:
Finally, remember to replace certificates on Jenkins (step 6 from this instruction).
Regenerating manually created certificates
Create docker with docker machine from your machine as described in Step 3 of Provision swarm With Elastic - OpenLMIS Deployment
if domain is in use
--generic-ip-address
should be set to this domain
Copy certificates as described here Prepare the Docker certificates to the server
If server is used by Jenkins, create zip archive and update relevant Jenkins credentials
To make build use new credentials, it’s workspace should be cleared Jenkins administration tips & tricks
If the certificates are additionally stored on S3 on AWS or on the GitHub repository then you should also update them in these places.
If after regenerating certs, the deploy job is still failing with x509: certificate signed by unknown authority
, try clearing workspace on Jenkins.
OpenLMIS: the global initiative for powerful LMIS software