Obtaining and Installing a proper SSL certificate for the AWS Standard Hosted Solution


(Ralf Lukner MD PhD) #1

I am unable to install an SSL certificate for my openEMR Standard instance. Thus my communication with the instance is “insecure.”
I’m using OpenEMR version 5.0.1 Standard (subscribed) AWS hosted.
OS: Ubuntu 16.04.4 LTS - Release: 16.04 Codename: xenial
I expected to find an /etc/apache2/ or similar directory with a conf file to add my certificate to, but I did not. Where should I put my SSL certificates? Sorry if I’m asking really stupid questions about this.

(Asher Densmore-Lynn) #2

Hello, Ralf.

The instance uses a Docker-containerized webserver – see openemr-devops/packages/lightsail at master · openemr/openemr-devops · GitHub for general notes about interacting with containers. You’ll want to copy (docker cp) the certificates into the container, and then acquire a shell (docker exec) inside the container and move the files to where they’re going and make any further changes to Apache you need to.

(Ralf Lukner MD PhD) #3

Thank you! I will check out the links you provided.

(Ralf Lukner MD PhD) #4

I installed the commercial SSL certificate at /etc/ssl/certs and the key file at /etc/ssl/private. I modified the openemr.conf and ssl.conf files under /etc/apache2/conf.d/ in docker as appropriate … I checked the ssl_error.log file and there is no new error. However, I’m still unable to use SSL. If I “force” HTTPS by modifying the virtualhost _default_:80 block, I get a Forbidden error … I don’t have access to /

I do have one question about restarting the apache server in the docker … I cannot figure out how to do it directly (all the usual tools for this type of thing do not seem to be installed and I don’t want to randomly install apache utilities unless it’s required). Killing processes also looks unattractive because there seem to be several apache httpd’s running. I simply reboot the entire Amazon EC2 instance and that seems to work … there might be a better way, however.

(Stephen Waite) #5

docker restart <container id>

(Ralf Lukner MD PhD) #6

Looked at the error.log:
[Mon Jul 01 01:40:51.371637 2019] [core:warn] [pid 16] (99)Address not available: AH00056: connect to listener on [::]:80
[Mon Jul 01 01:40:52.372905 2019] [core:warn] [pid 16] (99)Address not available: AH00056: connect to listener on [::]:80
[Mon Jul 01 01:42:16.665531 2019] [core:warn] [pid 14] AH00098: pid file /run/apache2/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Mon Jul 01 01:42:16.667975 2019] [mpm_prefork:notice] [pid 14] AH00163: Apache/2.4.33 (Unix) LibreSSL/2.6.3 configured -- resuming normal operations
[Mon Jul 01 01:42:16.667999 2019] [core:notice] [pid 14] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Jul 01 01:48:10.033103 2019] [core:warn] [pid 14] (99)Address not available: AH00056: connect to listener on [::]:80
[Mon Jul 01 01:48:11.034313 2019] [core:warn] [pid 14] (99)Address not available: AH00056: connect to listener on [::]:80

(Ralf Lukner MD PhD) #7

The access.log is also huge … I copied it to a zip file …

/var/www/localhost/htdocs/openemr # ls -l /var/log/apache2/
total 4841396
-rw-r--r-- 1 root wheel 4739026332 Jul 1 02:15 access.log
-rw-r--r-- 1 root wheel 218543712 Jul 1 01:57 error.log
-rw-r--r-- 1 root wheel 0 Mar 19 22:47 php_errors.log
-rw-r--r-- 1 root wheel 0 Jun 3 2018 ssl_access.log
-rw-r--r-- 1 root wheel 7222 Jun 30 23:24 ssl_error.log
-rw-r--r-- 1 root wheel 0 Jun 3 2018 ssl_request.log

(Ralf Lukner MD PhD) #8

I figured out one very convoluted but effective way to get HTTPS working on Amazon AWS.

  • Use Amazon Route 53 to host a domain. Then use GoDaddy as the certificate authority to generate the certificates. Why Amazon cannot do this all, I have no clue. There might be a way to get GoDaddy hosted domain certificates to work as well.
  • Copy the certificates both to the instance /etc/ssl/certs and to the respective docker (so it doesn’t matter where apache gets them … they are there and they are identical).
  • Modify the ssl.conf and openemr.conf file to point at the SSL certificates … who knows which one is really used …
  • I also used an .htaccess file to make sure that http is forced to https.
  • Configure all the SSL stuff in OpenEMR Administration (look for relevant fields in security etc.)

Feel free to ask me more details. I’m sure a much cleaner way to do this will evolve now that I have been able to get this to work at all … whew … I’m sure the above is not yet easy to reproduce, but I’m willing to help others out in this.
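The steps discussed in this thread (docker cp the certificate and key into the container, edit the Apache SSL config, force HTTP to HTTPS, then docker restart the container) can be scripted so the same thing is done the same way every time. The script below is an added example written for this page; it is not from the thread, the OpenEMR project or the openemr-devops repository. It assumes a container named "openemr" and the placeholder hostname emr.example.com (both hypothetical, overridable via environment variables), and it uses the paths that appear in the thread (/etc/ssl/certs, /etc/ssl/private, /etc/apache2/conf.d/, /var/www/localhost/htdocs/openemr). Before anything is copied it checks that the private key actually belongs to the certificate and that the certificate is not about to expire, which is the first thing to rule out when Apache logs no SSL error yet HTTPS does not work. The HTTP-to-HTTPS redirect is done with a plain Redirect in the :80 vhost rather than an .htaccess file, so no directory permissions are involved.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenEMR.
# Assumed (hypothetical): container name "openemr", hostname emr.example.com.
set -eu

CONTAINER="${CONTAINER:-openemr}"              # assumed container name
SERVER_NAME="${SERVER_NAME:-emr.example.com}"  # placeholder hostname
CONF_DIR=/etc/apache2/conf.d                   # conf.d path seen in the thread
DOC_ROOT=/var/www/localhost/htdocs/openemr     # docroot seen in the thread's ls output

# Print "match" when the certificate's public key equals the private key's
# public half, else "mismatch". Works for RSA and EC keys.
cert_key_match() {
  cert="$1"; key="$2"
  c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ] && echo match || echo mismatch
}

# Print "ok" if the certificate is still valid $2 days from now, else "expiring".
cert_days_left() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null \
    && echo ok || echo expiring
}

# Emit the Apache vhost pair: :80 redirects everything to HTTPS, :443 serves
# OpenEMR with the certificate (leaf + intermediates concatenated) and key.
render_ssl_vhost() {
  cat <<EOF
<VirtualHost *:80>
    ServerName $SERVER_NAME
    Redirect permanent / https://$SERVER_NAME/
</VirtualHost>

<VirtualHost *:443>
    ServerName $SERVER_NAME
    DocumentRoot $DOC_ROOT
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile /etc/ssl/certs/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/privkey.pem
</VirtualHost>
EOF
}

# Validate, copy into the container, write the vhost, syntax-check, restart.
# $1 = full-chain certificate PEM on the host, $2 = private key PEM on the host.
install_into_container() {
  cert="$1"; key="$2"
  if [ "$(cert_key_match "$cert" "$key")" != match ]; then
    echo "refusing to install: private key does not match certificate" >&2
    return 1
  fi
  if [ "$(cert_days_left "$cert" 14)" != ok ]; then
    echo "warning: certificate expires within 14 days" >&2
  fi
  docker cp "$cert" "$CONTAINER:/etc/ssl/certs/fullchain.pem"
  docker cp "$key"  "$CONTAINER:/etc/ssl/private/privkey.pem"
  docker exec "$CONTAINER" chmod 0600 /etc/ssl/private/privkey.pem
  render_ssl_vhost | docker exec -i "$CONTAINER" sh -c "cat > $CONF_DIR/ssl-openemr.conf"
  # httpd -t checks the config before we restart, so a typo cannot take the site down
  docker exec "$CONTAINER" httpd -t
  docker restart "$CONTAINER"
}

# Usage: ./install-cert.sh install /path/to/fullchain.pem /path/to/privkey.pem
if [ "${1:-}" = install ]; then
  install_into_container "$2" "$3"
fi
```

After the restart, the error.log lines about the :443 listener (or their absence) tell you whether the new vhost was loaded; `docker exec openemr httpd -S` (assumed container name) lists the vhosts Apache actually parsed, which settles the "who knows which conf file is really used" question.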