I can't find the Website files in Standard Edition AWS Install

I have looked for the apache2 folder and can't find it in the server. The website launches when I go to the URL but when I ssh into the server to look for the files associated with the website I can't find them under the normal location /var/www/html/. Does anyone know where the files sit when you do the Standard Edition install with AWS?

Thanks

After logging into the host, did you enter the container?

docker exec -it $(docker ps | grep _openemr | cut -f 1 -d " ") /bin/sh

1 Like

No but thanks for the heads up. I tried it and was able to see the files. How can I view them? I tried using Nano but that didn't work.

you’ll have to install the other utilities on alpine linux, only vi is loaded by default

Thanks Stephen,

I was able to install Nano in Alpine linux. I am totally new to Docker, is there an easier way to access the container like I do the AWS instance? Also I tried to be able to access the RDS db and made it public but still can't seem to get it to connect, it continues to time out. I made changes to open it up but still not working. Any ideas or something to point me in the right direction? I've been looking at YouTube videos and read a bunch of other sites that all say the same thing but for some reason it doesn't work. Do I need to ask about assigning a public IP to that RDS instance to be able to access it? Thank you for any and all help you or anyone can provide.

hi @Eric_Muniz, only have terminal access to docker to keep it lightweight

for db access you can run a phpmyadmin separately and secure it with the letsencrypt keys you created for openemr like this:

docker cp <openemr container id>:/etc/letsencrypt/archive/<your hostname>/cert1.pem certs/cert.pem
docker cp <openemr container id>:/etc/letsencrypt/archive/<your hostname>/privkey1.pem certs/privkey.pem
docker cp <openemr container id>:/etc/letsencrypt/archive/<your hostname>/chain1.pem certs/fullchain.pem

Dockerfile

FROM phpmyadmin/phpmyadmin

RUN a2enmod ssl

RUN sed -ri -e 's,80,443,' /etc/apache2/sites-available/000-default.conf
RUN sed -i -e '/^<\/VirtualHost>/i SSLEngine on' /etc/apache2/sites-available/000-default.conf
RUN sed -i -e '/^<\/VirtualHost>/i SSLCertificateFile /certs/cert.pem' /etc/apache2/sites-available/000-default.conf
RUN sed -i -e '/^<\/VirtualHost>/i SSLCertificateKeyFile /certs/privkey.pem' /etc/apache2/sites-available/000-default.conf
RUN sed -i -e '/^<\/VirtualHost>/i SSLCertificateChainFile /certs/fullchain.pem' /etc/apache2/sites-available/000-default.conf

EXPOSE 443

docker build --file ./Dockerfile -t my_pma_ssl_image .
docker run -d -p 8080:443 -e PMA_HOST='crazy_host_name_rds.amazonaws.com' -e UPLOAD_LIMIT=16G -v /home/username/certs:/certs:ro my_pma_ssl_image

log in to phpmyadmin at port 8080 of your public ip with openemr and the aws password created from the standard template

1 Like

Hi, Eric.

Everything Stephen suggested is great and probably how you should proceed, but I have some extra notes.

In AWS Standard, your webserver is public and your database is private, which is proper. I do /not/ recommend making the database public. That said, if you chose to do so, you’ll also have to change the networking security groups attached to the RDS instance to enable remote access; that’s what I suspect you didn’t do. (If you must do this, at least confine the keyhole to your current IP.)

However, there are two other perfectly serviceable methods to get access to a private RDS instance as long as you’ve got a public shell in the same VPC. You can shell in to the instance with ssh and use the mysql command-line client, with the RDS instance hostname and the username and password you assigned the server during CloudFormation configuration, or you can use ssh tunneling to bounce a connection from your desktop MySQL client through to the remote RDS instance via that same web server. (The specifics of how to arrange this are not difficult to Google.)

One last method I’ll mention for completeness’ sake is configuring a VPN, which is normally overkill but might be more appropriate for a Standard user than an Express user.

1 Like

with the phpmyadmin spun up on the openemr instance the database can remain private as well

Ok I got everything situated with accessing the database instance. I have been searching high and low on how to get a letsencrypt ssl cert. I didn't insert the variable domain.com or email address because this was the first time I've ever touched this application. I ran the certbot renew and such but is there a way to run the basic commands for its setup? Like snap install --classic certbot or ln -s /snap/bin/certbot /usr/bin/certbot. I really do not want to rebuild the whole stack again and lose the Patients we already loaded. Thanks for all of your help everyone.

If you’ve got the domain records set up to point to the instance, what I’d recommend you do is shell into the OpenEMR container and operate certbot directly.

@jesdynf I have been trying to do that exactly. But I can't find info to make it work. I was able to see the version of certbot and such but what commands do I run to make it work? The Ubuntu commands don't work and I was able to get another server running with certbot but it was Ubuntu.

Thanks,

I get this when I try to run certbot:

/opt/certbot # certbot certonly -d emr.mycovidhealth.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for emr.mycovidhealth.net
Performing the following challenges:
http-01 challenge for emr.mycovidhealth.net
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

Hmm. While Apache’s up you won’t be able to spin up a personal webserver, no. You’ll want to consider a different authentication plugin. https://certbot.eff.org/docs/using.html#getting-certificates-and-choosing-plugins or use the already present webroot path.

I was able to get the cert by running:

certbot certonly -d emr.mycovidhealth.net
select option 2 which hits the webroot then it ask for the directory
/var/www/localhost/htdocs/openemr

I then went to add the cert directory
/etc/letsencrypt/live/emr.mycovidhealth.net/fullchain.pem
/etc/letsencrypt/live/emr.mycovidhealth.net/privkey.pem
to the openemr.conf file and ssl.conf file in /etc/apache2/conf.d

I can't figure out how to get the apache2 server to restart.
I tried /etc/init.d/apache2 restart and it fails.

So much trial and error here. lol
and also

The container doesn’t use the init scripts, it launches the Apache httpd directly – docker-compose launched the container, so you’ll want to interfere with Docker directly. https://docs.docker.com/engine/reference/commandline/restart/ for what you’re after.

Do you think restarting the apache service will get the certs to pull thru? I made the changes but it still has shown secure on the website.

Yes, Apache has no interest in the cert files until a reload or restart picks them up.

@jesdynf Thank you for helping me by pointing me to any and all info. I am going to post the steps below to help anyone that might need help in the future.

Let’s Encrypt certbot commands for AWS OpenEMR Standard Stack Install

run
docker exec -it $(docker ps | grep _openemr | cut -f 1 -d " ") /bin/sh

cd /opt/certbot/
certbot certonly -d domain.com
option 2
/var/www/localhost/htdocs/openemr

Point to SSL files in /etc/apache2/conf.d/openemr.conf and ssl.conf

/etc/letsencrypt/live/domain.com/fullchain.pem
/etc/letsencrypt/live/domain.com/privkey.pem

After you do that you will need to exit to the main SSH screen to the EC2 instance
and run docker ps to get the container id

then run docker restart <container id>

1 Like
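An added example, not part of the original posts: a check to run after editing openemr.conf and ssl.conf and before `docker restart`, confirming that every active SSLCertificateFile / SSLCertificateKeyFile directive points at the Let's Encrypt files that actually exist and that the private key is not group- or world-readable. The function name `audit_tls_conf`, its optional root prefix and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. audit_tls_conf and its optional ROOT
# prefix are hypothetical; ROOT lets the check run against a copied tree.

# audit_tls_conf <conf-file> <domain> [root]   returns 0 only if all checks pass
audit_tls_conf() {
    conf=$1 domain=$2 root=${3:-}
    live=/etc/letsencrypt/live/$domain
    rc=0
    for pair in "SSLCertificateFile=$live/fullchain.pem" \
                "SSLCertificateKeyFile=$live/privkey.pem"; do
        name=${pair%%=*} want=${pair#*=}
        # Collect every active occurrence; directive names are case-insensitive
        # and commented-out lines do not match (their first field starts with '#').
        vals=$(awk -v d="$name" \
            'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2 }' "$conf")
        if [ -z "$vals" ]; then
            echo "FAIL $name is not set in $conf"; rc=1; continue
        fi
        for got in $vals; do
            if [ "$got" != "$want" ]; then
                echo "FAIL $name still points at $got"; rc=1
            elif [ ! -r "$root$got" ]; then
                echo "FAIL $name target is missing: $got"; rc=1
            else
                echo "ok   $name $got"
            fi
        done
    done
    # The private key must not be readable by group or others (-L follows the
    # symlink that certbot keeps under live/).
    key=$root$live/privkey.pem
    if [ -e "$key" ]; then
        perms=$(ls -lnL "$key" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "FAIL $key is group/world accessible"; rc=1; }
    fi
    return $rc
}

# Constructed sample: the cert directive was never switched (placeholder path).
demo=$(mktemp -d)
mkdir -p "$demo/etc/letsencrypt/live/domain.com"
: > "$demo/etc/letsencrypt/live/domain.com/fullchain.pem"
( umask 077; : > "$demo/etc/letsencrypt/live/domain.com/privkey.pem" )
printf '%s\n' 'SSLCertificateFile /constructed/old-cert.pem' \
    'SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem' \
    > "$demo/ssl.conf"
audit_tls_conf "$demo/ssl.conf" domain.com "$demo" || echo "fix before restarting"
rm -rf "$demo"
```

Inside the OpenEMR container the call would be `audit_tls_conf /etc/apache2/conf.d/ssl.conf domain.com`, repeated for openemr.conf, with the root argument left off.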

Glad to know it holds up!

1 Like