OpenEMR Standard: SSL Rotation Required

So I just noticed that a user couldn’t launch AWS Standard because the new RDS instance from Amazon wanted an SSL certificate newer than the one I’m providing. Oops.

I’ll have new versions in Amazon’s queue for approval this evening, but it does occur to me that everybody could use some notes on how to rotate the certificate in OpenEMR because sooner or later everyone’s going to need to do that or your app won’t connect to RDS at all. Also oops.

Here’s how to make that happen:

  • Log on to your instance in EC2.
  • Identify the Docker container to connect to with docker ps.
  • Connect a shell to the container with docker exec -it <instance> /bin/sh
  • From the work directory, cd sites/default/documents/certificates/
  • ls and you should observe the instance of a “mysql-ca” file. If you don’t see it, you’re in the wrong place. Confirm you’re in “/var/www/localhost/htdocs/openemr/sites/default/documents/certificates” before proceeding.
  • Grab the new AWS certs with wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
  • Delete the existing mysql-ca with rm mysql-ca and move in the new one with mv global-bundle.pem mysql-ca
  • Exit the shell and reboot the RDS instance.

Rebooting the RDS instance is (probably) necessary because OpenEMR’s almost certainly tripped the bad-connection flood protection and you can’t fix that from the host that caused the problem. This solution will work for both instances that have Suddenly Failed because the cert’s finally aged out, as well as new launches that want a newer cert than I’m getting them.

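The file-swap steps from the post above, as an added example that is not part of the original post: it checks that the downloaded bundle is a complete PEM file and keeps a copy of the old CA before replacing mysql-ca. The function names and the mysql-ca.bak backup name are assumptions made for this sketch, and the marker count is a truncation check, not cryptographic validation of the certificates.

```shell
# Added example (not from the original post). Inside the OpenEMR container:
#   wget -O /tmp/global-bundle.pem \
#     https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
#   rotate_mysql_ca /tmp/global-bundle.pem \
#     /var/www/localhost/htdocs/openemr/sites/default/documents/certificates

# count_pem_certs FILE
# Prints the number of certificate blocks in FILE. Fails if the file is
# empty or its BEGIN/END markers do not pair up (e.g. a cut-off download).
count_pem_certs() {
    [ -s "$1" ] || return 1
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
    echo "$begins"
}

# rotate_mysql_ca NEW_BUNDLE CERT_DIR
# Return codes: 2 = wrong directory, 3 = bad bundle, 4 = copy/rename failed.
rotate_mysql_ca() {
    new=$1
    dir=$2
    # Same check as the post: the directory must already contain mysql-ca.
    [ -f "$dir/mysql-ca" ] || {
        echo "no mysql-ca in $dir; wrong directory?" >&2
        return 2
    }
    n=$(count_pem_certs "$new") || {
        echo "$new is not a complete PEM bundle; mysql-ca left unchanged" >&2
        return 3
    }
    # Keep the old CA so a bad rotation can be rolled back
    # (mysql-ca.bak is a name chosen for this example).
    cp -p "$dir/mysql-ca" "$dir/mysql-ca.bak" || return 4
    # Stage beside the target, then rename, so a half-written file is
    # never visible under the name OpenEMR reads.
    cp "$new" "$dir/mysql-ca.new" && mv -f "$dir/mysql-ca.new" "$dir/mysql-ca" || return 4
    echo "installed $n certificates; previous CA saved as mysql-ca.bak"
}
```

Rebooting the RDS instance, as described in the post, still follows the swap.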

Alright, 7.0.2-1 is up at AWS and should work now.