Obtaining and Installing a proper SSL certificate for the AWS Standard Hosted Solution

I am unable to install an SSL certificate for my openEMR Standard instance. Thus my communication with the instance is “insecure.”
I’m using OpenEMR version 5.0.1 Standard (subscribed) AWS hosted.
OS: Ubuntu 16.04.4 LTS - Release: 16.04 Codename: xenial
I expected to find an /etc/apache2/ or similar directory with a conf file to add my certificate to, but I did not. Where should I put my SSL certificates? Sorry if I’m asking really stupid questions about this.
–RBL

Hello, Ralf.

The instance uses a Docker-containerized webserver – see openemr-devops/packages/lightsail at master · openemr/openemr-devops · GitHub for general notes about interacting with containers. You’ll want to copy (docker cp) the certificates into the container, and then acquire a shell (docker exec) inside the container and move the files to where they’re going and make any further changes to Apache you need to.


Thank you! I will check out the links you provided.
–RBL

I installed the commercial SSL certificate at /etc/ssl/certs and key file /etc/ssl/private . I modified the openemr.conf and ssl.conf files under /etc/apache2/conf.d/ in docker as appropriate … I checked the ssl_error.log file and there is no new error. However, I’m still unable to use SSL. If I “force” HTTPS by modifying the virtualhost _default_:80 block, I get a Forbidden error … I don’t have access to /

I do have one question about restarting the apache server in the docker … I cannot figure out how to do it directly (all the usual tools for this type of thing do not seem to be installed and I don’t want to randomly install apache utilities unless it’s required) . Killing processes also looks unattractive because there seem to be several apache httpd’s running. I simply reboot the entire Amazon EC2 instance and that seems to work … there might be a better way, however.

docker restart <container id>

Looked at the error.log:
[Mon Jul 01 01:40:51.371637 2019] [core:warn] [pid 16] (99)Address not available: AH00056: connect to listener on [::]:80
[Mon Jul 01 01:40:52.372905 2019] [core:warn] [pid 16] (99)Address not available: AH00056: connect to listener on [::]:80
[Mon Jul 01 01:42:16.665531 2019] [core:warn] [pid 14] AH00098: pid file /run/apache2/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Mon Jul 01 01:42:16.667975 2019] [mpm_prefork:notice] [pid 14] AH00163: Apache/2.4.33 (Unix) LibreSSL/2.6.3 configured -- resuming normal operations
[Mon Jul 01 01:42:16.667999 2019] [core:notice] [pid 14] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Jul 01 01:48:10.033103 2019] [core:warn] [pid 14] (99)Address not available: AH00056: connect to listener on [::]:80
[Mon Jul 01 01:48:11.034313 2019] [core:warn] [pid 14] (99)Address not available: AH00056: connect to listener on [::]:80

The access.log is also huge … I copied it to a zip file …

/var/www/localhost/htdocs/openemr # ls -l /var/log/apache2/
total 4841396
-rw-r--r-- 1 root wheel 4739026332 Jul 1 02:15 access.log
-rw-r--r-- 1 root wheel 218543712 Jul 1 01:57 error.log
-rw-r--r-- 1 root wheel 0 Mar 19 22:47 php_errors.log
-rw-r--r-- 1 root wheel 0 Jun 3 2018 ssl_access.log
-rw-r--r-- 1 root wheel 7222 Jun 30 23:24 ssl_error.log
-rw-r--r-- 1 root wheel 0 Jun 3 2018 ssl_request.log

I figured out one very convoluted but effective way to get HTTPS working on Amazon AWS.

  • Use Amazon Route 53 to host a domain. Then use GoDaddy as the certificate authority to generate the certificates. Why Amazon cannot do this all, I have no clue. There might be a way to get GoDaddy hosted domain certificates to work as well.
  • copy the certificates both to the instance /etc/ssl/certs and to the respective docker (so it doesn’t matter where apache gets them … they are there and they are identical).
  • modify the ssl.conf and openemr.conf file to point at the SSL certificates … who knows which one is really used …
  • I also used an .htaccess file to make sure that http is forced to https.
  • Configure all the SSL stuff in OpenEMR Administration (look for relevant fields in security etc.)
Feel free to ask me more details. I’m sure a much cleaner way to do this will evolve now that I have been able to get this to work at all … whew … I’m sure the above is not yet easy to reproduce, but I’m willing to help others out in this.
–Ralf

Hi there. I’m pretty much in the same boat as you are but am not in a position to move our domain from GoDaddy to Amazon’s Route 53. Any update on how to get GoDaddy hosted domain certificates to work as well?

Thanks,

Hakim

Yes. It’s a bit of a pain because the naming of the files or even the number of files needed is not standardized. For someone who does not work with this kind of task, it’s confusing and intimidating. GoDaddy packages the files one way, and, when you go into the OpenEMR docker on AWS, you will find that this is not the way the SSL files are generally split and organized for other SSL connections. Since June of 2018, when I first posted this question, I have stopped using Route 53.

These instructions from GoDaddy were fairly helpful. I looked through the relevant files and tried to make sure everything made sense. After many tears and broken knuckles, I finally got the certificates to work.

https://www.godaddy.com/help/manually-install-an-ssl-certificate-on-my-apache-server-ubuntu-32078

Thank you, I appreciate your efforts.

I know that our GoDaddy certificates work on an in-house CentOS 6.10/Apache server, but I’ve been questioning the compatibility of GoDaddy certificates with other OS setups since their certs don’t look like what I would expect. Of course I’m told that Apache is Apache no matter where it’s installed so the question becomes what simple step(s) are we leaving out to get the server to show as secured?

Nothing with SSL/TLS is simple. Make sure you create images of your node and database so that you can restore from images if needed. The main problem, as I recall, is that GoDaddy combines two of the SSL files and throws in an optional one. Also, GoDaddy’s documentation is sparse but very helpful/critical. What I would do is to create your own “home-grown” “unofficial” SSL certificates that look the way you expect and then try to install those in the docker, because that process is well documented. The browsers will let you connect with https://ip.add.ress.whatever securely but with many warnings that you will catch COVID-19, you will lose your citizenship, be thrown into the dark web, etc. Once you have that working (which may or may not involve tinkering with the SSL settings in the EMR administration menu subitem of a relevant name), you are ready to try again … but this time with official certificates from GoDaddy using the knowledge of what files need to be messed with and where certificates need to go and how they need to be CHOWNed etc. Once successful, you will be able to connect securely to https://mydomain.whatever and without browser warnings … and by incorporating the instructions from GoDaddy.

Okay, here is the updated and verified procedure for having a true “secure” certificate that doesn’t generate security warnings from browsers (like self-signed SSL certificates do). Note: if you’re happy with a self-signed certificate, skip this process altogether … self-signed SSL certificates are pre-installed with v6.0.0+.

Buy an SSL certificate from a commercial vendor of SSL certificates. Other vendors may have slightly different files/installation instructions (but probably very similar).

Buy a domain name or use a domain name that you have. Set the DNS “a” entry (address) to your server. In my case, I am working with an AWS OpenEMR Cloud STANDARD implementation. Thus, I bought the domain with AWS Route 53 and then in the hosted zone area, I found the DNS entries and set the “a” address entry to my webserver instance (EC2) IP.

Create a certificate request file (replace “example” with your domain name). The command will be something like this:
openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout example.key -out example.csr

Open the certificate signing request (.csr) file with your favorite editor (vi or whatever you like). Copy the information (including the BEGIN and END markers with all dashes) and paste them into your initial or rekey request on your commercial SSL certificate vendors site. Make the initial or rekey request. Wait until you get an email that the SSL certificate is ready.

Download the signed Apache certificate ZIP file and move it to your EC2 instance file system (with a secure copy, ftp, etc.).

Install unzip: sudo apt install unzip

Unzip the certificate files: unzip example.zip. If desired rename the .pem file example.pem (where “example” is the name of your domain)

Set the permissions on the generated files so that only root can read or write to them: 
sudo chown root:root example.*
sudo chmod o-rw example.*
sudo chmod g-rw example.*

Copy the two certificate files to the appropriate directories for SSL certificate files in the docker container (the .pem file under /etc/ssl/certs and the .key file under /etc/ssl/private/):
sudo docker cp example.pem standard_openemr_1:/etc/ssl/certs/
sudo docker cp example.key standard_openemr_1:/etc/ssl/private/

Enter the docker container shell: sudo docker exec -it standard_openemr_1 sh

Modify the /etc/apache2/conf.d/openemr.conf file around line 59 or so and replace the webserver.cert.pem with your example.pem. Replace the webserver.key.pem with your webserver.key file.

Exit the docker container.

restart the docker container:  sudo docker restart standard_openemr_1
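As an added example (not from this thread and not OpenEMR's own tooling), here is a small POSIX shell pre-flight script for the steps above. Run it on the EC2 host before the docker cp step: it checks that the .pem and .key belong together, that the certificate is unexpired and issued for the hostname your DNS "A" record points at, and that the key file is not readable by group or other. It assumes the openssl CLI (1.1.1 or later, for -addext) is installed; the file names example.pem/example.key, the hostname emr.example.test and the self-signed test pair it generates are constructed for the demonstration, in the spirit of the "home-grown" rehearsal certificate suggested earlier in the thread. It does not check root ownership, since that needs sudo to set up, so the chown step above still applies.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenEMR project): pre-flight checks
# for a certificate/key pair before it is copied into the OpenEMR container.
# Assumes the openssl CLI (1.1.1+ for -addext) is installed on the EC2 host.
set -e

# Generate a throwaway self-signed pair for HOST, the "home-grown" certificate
# suggested earlier in the thread for rehearsing the install.
# Usage: make_test_cert DIR NAME HOST  ->  DIR/NAME.pem and DIR/NAME.key
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Return 0 if CERT and KEY belong together. Both commands print the public key
# in PEM form; a mismatch means Apache will refuse to start after the restart.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if CERT is unexpired and valid for HOST (SAN, falling back to CN).
# This is the browser's view: a certificate for www.example.com still warns
# when the site is reached as example.com. -checkhost only prints a verdict,
# so the result is read from its output; -checkend 0 sets the exit status.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Return 0 if FILE has no group/other permission bits (mode 600 or 400),
# the state the chmod g-rw / chmod o-rw steps above are meant to produce.
# Ownership by root is not checked here because that needs sudo to arrange.
key_is_private() {
    perms=$(ls -l "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run every check and say which one failed, so the operator knows what to fix
# before the docker cp / docker restart steps.
preflight() {
    cert_matches_key "$1" "$2" || { echo "FAIL: $2 is not the private key for $1" >&2; return 1; }
    cert_covers_host "$1" "$3" || { echo "FAIL: $1 is expired or not issued for $3" >&2; return 1; }
    key_is_private "$2" || { echo "FAIL: $2 is readable by group/other; chmod 600 it" >&2; return 1; }
    echo "OK: $1 and $2 are ready for docker cp"
}

# Demonstration on a constructed self-signed pair; in a real deployment run
# preflight on the vendor-issued example.pem / example.key instead.
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir" example emr.example.test
    chmod 600 "$dir/example.key"
    preflight "$dir/example.pem" "$dir/example.key" emr.example.test && rc=0 || rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

For the real files, call preflight example.pem example.key yourdomain.example after the chown/chmod step and only proceed to docker cp when it prints OK; a mismatch between the key used for the CSR and the downloaded certificate is the most common reason the container's Apache stays on the self-signed certificate or fails to come back after the restart.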