OpenEMR Docker SSL HTTPS Setup Question

I’ve been managing and customizing an OpenEMR site for years and I have the opportunity to start over with a new site.

One of my main goals is to stay plugged in with current releases and actually start contributing back as well so I don’t end up diverging again if possible.

I have the site up and running on Docker now but not with ssl which is bad for production.

I understand in the docker-compose.yaml file I need to set the hostname and email but I’m not sure what to use for hostname…

The docker container is running on a linode server… I can get a name set up for the server itself no problem…but how do I determine and configure the hostname for the container so that it works with letsencrypt?

Are there instructions somewhere already that I’m missing?
Thanks,
Kyle

hi @KyleNave, you’ll want to configure the domain name or public facing ip address of the server

I already have a dns entry for the server itself. I can access using the name - let’s call it “atlas” … so atlas.com gets me to the server.

Now I need to set the ServerName in the Docker-compose file (I think) so that the letsencrypt ssl “works” … and I put that in quotes because I think I saw this is supposed to be automated as long as ServerName and email are filled in.

Is this as simple as putting the ip address of the docker container?

Thank you for the help.

Hi @KyleNave ,

In your case, since you already have the DNS set up, then it should be just as simple as setting the DOMAIN to your public facing atlas.com. FYI, here is where the magic happens in the docker:
openemr-devops/autoconfig.sh at master · openemr/openemr-devops · GitHub

btw, do note that the docker will set up self-signed certs if above isn’t set which can then be manually changed to signed certs:

Thanks Brady…just to make sure I understand. Since I have the site up and running already and I had not set the DOMAIN and EMAIL at the time I launched it, I have to make some changes manually that would have occurred automatically?

I did try setting those env variables and did a docker-compose down and up … it seemed to iterate several times and would fail on the communication with letsencrypt. I backed out the change and got it back up so I was not interfering with users but I will capture the error message and post later today if that’s useful.

@brady.miller I have been spinning my wheels on how to install an SSL certificate on Docker.
I am stuck at getting in the docker container.

I found these instructions for setting up certbot in a docker.

Can someone give me step-by-step instructions on how to do this with an OpenEMR container?

Also, I need to upgrade the container. Where can I find upgrade instructions?

What kind of docker, like an AWS install?

if you’re using a production docker like the one for v7 then you’ll find certbot installed

can verify after exec’ing into the docker and typing
which certbot

then you can manually install the certificate with a certbot certonly and either edit /etc/apache2/conf.d/openemr.conf or cp the lets encrypt files to where openemr.conf is looking

and restart the openemr docker


The docker is the AWS standard edition is what I was told.
They launched v6.1.0 with no patches.
I only know of one certbot. On my installs, I install certbot and then run sudo certbot --apache. Then follow the prompts.

I read the instructions at the bottom of the Docker page but it is more of a statement rather than instructions on how to upgrade. The auto upgrade has not happened for their installation. What do we do in this case?

I have looked through this thread
OpenEMR Official Docker has been released! - #39 by Nishant_Pathak.

But it is not a lot of help. I remember to go to the command prompt and type

 sudo docker ps

This gets me the docker container ID. But I don’t remember what to do after that to get into the container. I ran

 sudo docker --help

This gave me a list of commands to run. I see cp command to copy files between the local file system and the container.

I see the exec which says to run a command in a running container. Then I ended up here:

In my opinion, there should be a warning label to not launch the docker container unless there is a cluster the user is about to build. Otherwise don’t launch a docker. There is no good reason I can see for a standalone docker.

Only because I have not taken the time to learn to use it. LOL

For docker, especially if you have a specific domain name you want to use, I find that it is better to use the Route 53 method with Elastic Load Balancer. AWS will give you a free certificate to be applied to your domain/subdomain.

This helped.

I used SSH. For AWS you can use putty and the key pair along with the URL shown in the SSH client instructions under “Connect to instance” on AWS.

Some help with putty: Connect to your Linux instance from Windows with PuTTY - Amazon Elastic Compute Cloud

Then you need to get into the docker container for openEMR.

“sudo docker ps” should show running containers. Get the ID for the openemr container here.

“sudo docker exec -it [container ID] sh” got me into the docker container command line. You should see “/var/www/localhost/htdocs/openemr #”.

certbot makes it easy and it’s already installed.

“certbot certonly” starts the process. The added “--standalone” you might see online at the end of the command didn’t work for me. You will get the option of choosing 1 or 2. 2 worked. 1 is the same as using “standalone” I think. Didn’t work because port 80 was being used by the server. “Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.” - was the error.

After getting past that I had this error : “The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.”

because I had disabled HTTP in AWS for the instance.

After getting past that the certificates were created and saved in:

/etc/letsencrypt/live/[domain name]/fullchain.pem
/etc/letsencrypt/live/[domain name]/privkey.pem

I felt that copying the files as suggested might lead to hassles when it’s time to renew so I chose to edit openemr.conf instead.

typed

“cd /etc/apache2/conf.d”

then

“vi openemr.conf”

Then changed the paths at the end of the file to this:

“SSLCertificateFile /etc/letsencrypt/live/[domain name]/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[domain name]/privkey.pem”
Press “ESC”, type “:x”, press “ENTER” to save and exit the editor.
Restarted the instance and it was working.

Think that’s everything.
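
An added example, not part of the post above or of the OpenEMR project: a pre-restart check for the edited config that confirms both directives parse to a single path, both files are readable, and the certificate actually belongs to the private key. The function names are hypothetical; the config path in the usage comment is the one named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): validate the TLS directives in an
# Apache config such as /etc/apache2/conf.d/openemr.conf before restarting.
# Function names below are hypothetical helpers, not OpenEMR tooling.

# Print the single path argument of directive $1 in conf file $2.
# Fails if the directive is absent or carries extra arguments, which is
# what a stray space inside the path produces. Commented lines are ignored.
directive_path() {
    awk -v d="$1" '
        $1 == d { seen = 1; if (NF != 2) bad = 1; p = $2 }
        END { if (!seen || bad) exit 1; print p }' "$2"
}

# Succeeds when certificate $1 and private key $2 carry the same public key.
# For fullchain.pem, openssl reads the first (leaf) certificate.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check conf file $1: both directives parse, both files are readable, and
# (when openssl is installed) the certificate matches the key.
check_tls_conf() {
    cert=$(directive_path SSLCertificateFile "$1") ||
        { echo "bad or missing SSLCertificateFile"; return 1; }
    key=$(directive_path SSLCertificateKeyFile "$1") ||
        { echo "bad or missing SSLCertificateKeyFile"; return 1; }
    [ -r "$cert" ] || { echo "unreadable: $cert"; return 1; }
    [ -r "$key" ] || { echo "unreadable: $key"; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        cert_matches_key "$cert" "$key" ||
            { echo "certificate does not match key"; return 1; }
    fi
    echo "ok: $cert"
}

# Usage inside the container:
#   check_tls_conf /etc/apache2/conf.d/openemr.conf
```

Running it before the restart catches a mistyped path or a mismatched key pair while the old configuration is still serving traffic.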