OpenEMR Standard on AWS can't see database server


(Todd Saskiw) #1

Situation
Installed Standard on AWS (twice). Both times when I visit the pubic IP address I get “Check that you can ping the server xxxxxxxxxxxx.ca-central-1.rds.amazonaws.com

I can ssh into the EC2 server, then, from there, see the database server. I can login via the mysql client using “openemr” and the password I initially set.

I’m at a complete loss.

Help

OpenEMR Version
I’m using OpenEMR version 5.0.2

Browser:
I’m using: Chrome

Operating System
I’m using: Mac OS

Logs
Did you check the logs? Was there anything pertinent in them? Paste them here (surround with three backticks (```) for readability


(Asher Densmore-Lynn) #2

Will try to duplicate later tonight.


(Asher Densmore-Lynn) #3

@brady.miller , I may need help on this one. Error duplicated as user described.

Stack internal networking confirmed OK, 3306 is open within and without the container.

mysql -h s...f.us-east-1.rds.amazonaws.com -u openemr -p... --ssl : SSL connection OK

All of the logs look good – container setup, container configuration, and initial network configuration.

Generating a RSA private key
.++++
...........++++
writing new private key to '/etc/ssl/private/selfsigned.key.pem'
-----
Running quick setup!
<b>Configuration:</b><br/>
driver = <b>mysqli_mod</b>,<br/>
host = <b>s...f.us-east-1.rds.amazonaws.com</b>,<br/>
user = <b>openemr</b>,<br/>
database = <b>openemr</b>,<br/>
table prefix = <b>gacl_</b>Testing database connection...<br/>
<font color="green"><b>Success!</b></font> Connected to &quot;<b>mysqli_mod</b>&quot; database on &quot;<b>s...f.us-east-1.rds.amazonaws.com</b>&quot;.<br/>
Testing database type...<br/>
<font color="green"><b>Success!</b></font> Compatible database type "<b>mysqli_mod</b>" detected!<br/>
Making sure database "<b>openemr</b>" exists...<br/>
<font color="green"><b>Success!</b></font> Good, database "<b>openemr</b>" already exists!<br/>
<font color="green"><b>Success!</b></font>
First Step of Access Control Installation Successful!!!<br><br/>
<html>
<head>
<title>OpenEMR ACL Setup</title>
<link rel=STYLESHEET href="interface/themes/style_blue.css">
</head>
<body>
<b>OpenEMR ACL Setup</b>
<br>
All done configuring and installing access controls (php-GACL)!
</body>
</html>

OpenEMR configured.
Setup Complete!
Setting user 'www' as owner of openemr/ and setting file/dir permissions to 400/500
Default file permissions and ownership set, allowing writing to specific directories
Removing remaining setup scripts
Setup scripts removed, we should be ready to go now!

Love OpenEMR? You can now support the project via the open collective:
 > https://opencollective.com/openemr/donate

Starting cron daemon!
Starting apache!
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.18.0.2. Set the 'ServerName' directive globally to suppress this message

There is just one problem I can find. Despite SSL apparently working (per mysql client test), it looks like something might be askew for PHP.

/var/log/apache2 # tail -f error.log
[Fri Sep 13 03:26:31.898579 2019] [php7:warn] [pid 87] [client ...:57072] PHP Warning:  failed loading cafile stream: `/var/www/localhost/htdocs/openemr/sites/default/documents/certificates/mysql-ca' in /var/www/localhost/htdocs/openemr/library/ADODB_mysqli_log.php on line 188
[Fri Sep 13 03:26:31.898624 2019] [php7:warn] [pid 87] [client ...:57072] PHP Warning:  mysqli_real_connect(): Cannot connect to MySQL by using SSL in /var/www/localhost/htdocs/openemr/library/ADODB_mysqli_log.php on line 188
[Fri Sep 13 03:26:31.898636 2019] [php7:warn] [pid 87] [client ...:57072] PHP Warning:  mysqli_real_connect(): [2002]  (trying to connect via (null)) in /var/www/localhost/htdocs/openemr/library/ADODB_mysqli_log.php on line 188
[Fri Sep 13 03:26:31.898645 2019] [php7:warn] [pid 87] [client ...:57072] PHP Warning:  mysqli_real_connect(): (HY000/2002):  in /var/www/localhost/htdocs/openemr/library/ADODB_mysqli_log.php on line 188
[Fri Sep 13 03:26:31.900941 2019] [php7:notice] [pid 87] [client ...:57072] PHP custom error: from openemr library/sql.inc  - Unable to set up UTF8 encoding with mysql database:
[Fri Sep 13 03:26:31.900967 2019] [php7:notice] [pid 87] [client ...:57072] Unable to set strict sql setting:

I guess at this point I have to ask about how we configured MySQL SSL – for this particular application, it should not be necessary for us to supply a special CA file, although we can do so if it’ll get this user up and going. (How did the initial configuration succeed?)


(Asher Densmore-Lynn) #4

Got it. It IS necessary to supply the CA.

Todd, the following should work for you to fix this deployment until we straighten out what’s going wrong here. SSH to the instance (you’ll need to add your IP to the appropriate EC2 security group), and execute…

sudo bash
# connect to the docker container
docker exec -it $(docker ps | grep _openemr | cut -f 1 -d " ") /bin/sh  
cd /var/www/localhost/htdocs/openemr/sites/default/documents/certificates
wget https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem -O mysql-ca

Sorry for the trouble!

(Edit: Actually, it might be simpler yet – chown the already existing certificate file to 1000 (apache) instead of 100 and you might be able to zoom along with that alone.)


(Asher Densmore-Lynn) #5

I think the certificate updated.


(Asher Densmore-Lynn) #6

No, I found it. The underlying container changed structure and a hardcoded uid failed.

  # I'm not convinced this is stable
  chown 100 /mnt/docker/volumes/standard_sitevolume/_data/default/documents/certificates/mysql-ca

Spoilers: It was not. I’m not 100% sure I can change how it works, though, so this might recur in future updates, boo. I’ll start the process of getting a new version to Amazon tomorrow.


(Todd Saskiw) #7

Installed 5.0.1-6b. No problems.


(Todd Saskiw) #8

Hmmm. Didn’t seem to work for me. New certificate installs just fine, but get the same error when accesing via the browser.


(Asher Densmore-Lynn) #9

Try chown 1000 mysql-ca and see if that doesn’t do the trick.


(Asher Densmore-Lynn) #10

A new AMI with the corrected ownerships has been tested and will enter the Marketplace pipeline tonight.


(Todd Saskiw) #11

worked! fantastic! thank you so much!


(Todd Saskiw) #12

now when i install, i get the apache index webpage rather than openemr login page.


(Todd Saskiw) #13

Nope, it’s good. Sorry.