Do you use or administer OpenEMR? Take the General Satisfaction Survey to help improve the product

Obtaining and Installing a proper SSL certificate for the AWS Standard Hosted Solution

I am unable to install an SSL certificate for my openEMR Standard instance. Thus my communication with the instance is “insecure.”
I’m using OpenEMR version 5.0.1 Standard (subscribed) AWS hosted.
OS: Ubuntu 16.04.4 LTS - Release: 16.04 Codename: xenial
I expected to find an /etc/apache2/ or similar directory with a conf file to add my certificate to, but I did not. Where should I put my SSL certificates? Sorry if I’m asking really stupid questions about this.

Hello, Ralf.

The instance uses a Docker-containerized webserver – see openemr-devops/packages/lightsail at master · openemr/openemr-devops · GitHub for general notes about interacting with containers. You’ll want to copy (docker cp) the certificates into the container, and then acquire a shell (docker exec) inside the container and move the files to where they’re going and make any further changes to Apache you need to.

1 Like

Thank you! I will check out the links you provided.

I installed the commercial SSL certificate at /etc/ssl/certs and key file /etc/ssl/private . I modified the openemr.conf and ssl.conf files under /etc/apache2/conf.d/ in docker as appropriate … I checked the ssl_error.log file and there is no new error. However, I’m still unable to use SSL. If I “force” HTTPS by modifying the virtualhost _default_:80 block, I get a Forbidden error … I don’t have access to /

I do have one question about restarting the apache server in the docker … I cannot figure out how to do it directly (all the usual tools for this type of thing do not seem to be installed and I don’t want to randomly install apache utilities unless it’s required) . Killing processes also looks unattractive because there seem to be several apache httpd’s running. I simply reboot the entire Amazon EC2 instance and that seems to work … there might be a better way, however.

docker restart <container id>

Looked at the error.log:
[Mon Jul 01 01:40:51.371637 2019] [core:warn] [pid 16] (99)Address not available: AH00056: connect to listener on [::]:80
[Mon Jul 01 01:40:52.372905 2019] [core:warn] [pid 16] (99)Address not available: AH00056: connect to listener on [::]:80
[Mon Jul 01 01:42:16.665531 2019] [core:warn] [pid 14] AH00098: pid file /run/apache2/ overwritten – Unclean shutdown of previous Apache run?
[Mon Jul 01 01:42:16.667975 2019] [mpm_prefork:notice] [pid 14] AH00163: Apache/2.4.33 (Unix) LibreSSL/2.6.3 configured – resuming normal operations
[Mon Jul 01 01:42:16.667999 2019] [core:notice] [pid 14] AH00094: Command line: ‘/usr/sbin/httpd -D FOREGROUND’
[Mon Jul 01 01:48:10.033103 2019] [core:warn] [pid 14] (99)Address not available: AH00056: connect to listener on [::]:80
[Mon Jul 01 01:48:11.034313 2019] [core:warn] [pid 14] (99)Address not available: AH00056: connect to listener on [::]:80

The access.log is also huge … I copied it to a zip file …

/var/www/localhost/htdocs/openemr # ls -l /var/log/apache2/
total 4841396
-rw-r–r-- 1 root wheel 4739026332 Jul 1 02:15 access.log
-rw-r–r-- 1 root wheel 218543712 Jul 1 01:57 error.log
-rw-r–r-- 1 root wheel 0 Mar 19 22:47 php_errors.log
-rw-r–r-- 1 root wheel 0 Jun 3 2018 ssl_access.log
-rw-r–r-- 1 root wheel 7222 Jun 30 23:24 ssl_error.log
-rw-r–r-- 1 root wheel 0 Jun 3 2018 ssl_request.log

I figured out one very convoluted but effective way on how to get HTTPS working on Amazon AWS.

  • Use Amazon Route 53 to host a domain. Then use GoDaddy as the certificate authority to generate the certificates. Why Amazon cannot do this all, I have no clue. There might be a way to get GoDaddy hosted domain certificates to work as well.
  • copy the certificates both to the instance /etc/ssl/certs and to the respective docker (so it doesn’t matter where apache gets them … they are there and they are identical).
  • modify the ssl.conf and openemr.conf file to point at the SSL certificates … who knows which one is really used …
  • I also used an .htaccess file to make sure that http is forced to https.
  • Configure all the SSL stuff in OpenEMR Administration (look for relevant fields in security etc.)
    Feel free to ask me more details. I’m sure a much cleaner way to do this will evolve now that I have been able to get this to work at all … whew … I’m sure the above is not yet easy to reproduce, but I’m willing to help others out in this.

Hi there. I’m pretty much in the same boat as you are but am not in a position to move our domain from GoDaddy to Amazon’s Route 53. Any update on how to get GoDaddy hosted domain certificates to work as well?



Yes. It’s a bit of a pain because the naming of the files or even the number of files needed is not standardized. For someone who does not work with this kind of task, it’s confusing and intimidating. Godaddy packages the files one way, and, when you go into the OpenEMR docker on AWS, you will find that this is not the way the SSL files are generally split and organized for other SSL connections. Since June of 2018, when I first posted this question, I have stopped using Route 53.

These instructions from GoDaddy were fairly helpful. I looked through the relevant files and tried to make sure everything made sense. After many tears and broken knuckles, I finally got the certificates to work.

Thank you, I appreciate your efforts.

I know that our GoDaddy certificates work on an in-house CentOS 6.10/Apache server, but I’ve been questioning the compatibility of GoDaddy certificates with other OS setups since their certs don’t look like what I would expect. Of course I’m told that Apache is Apache no matter where it’s installed so the question becomes what simple step(s) are we leaving out to get the server to show as secured?

Nothing with SSL/TLS is simple. Make sure you create images of your node and database so that you can restore from images if needed. The main problem, as I recall, is that GoDaddy combines two of the SSL files and throws in an optional one. Also, GoDaddy’s documentation is sparse but very helpful/ critical. What I would do, is to create your own “home-grown” “unofficial” SSL certificates that look the way you expect and then try to install those in the docket, because that process is well documented. The bowsers will let you connect with https://ip.add.ress.whatever securely but with many warnings that you will catch COVID-19, you will lose your citizenship, be thrown into the dark web, etc. Once you have that working (which may or may not involve tinkering with the SSL settings in the EMR administration menu subitem of a relevant name), you are ready to try again … but this time with official certificates from GoDaddy using the knowledge of what files need to be messed with and where certificates need to go and how they need to be CHOWNed etc. Once successful, you will be able to connect securely to https://mydomain.whatever and without browser warnings … and by incorporating the instructions from godaddy.