OpenEMR Standard: SSL Rotation Required

So I just noticed that a user couldn’t launch AWS Standard because the new RDS instance from Amazon wanted an SSL certificate newer than the one I’m providing. Oops.

I’ll have new versions in Amazon’s queue for approval this evening, but it does occur to me that everybody could use some notes on how to rotate the certificate in OpenEMR because sooner or later everyone’s going to need to do that or your app won’t connect to RDS at all. Also oops.

Here’s how to make that happen:

  • Log on to your instance in EC2.
  • Identify the Docker container to connect to with docker ps.
  • Connect a shell to the container with docker exec -it <instance> /bin/sh
  • From the work directory, cd sites/default/documents/certificates/
  • ls and you should observe the instance of a “mysql-ca” file. If you don’t see it, you’re in the wrong place. Confirm you’re in “/var/www/localhost/htdocs/openemr/sites/default/documents/certificates” before proceeding.
  • Grab the new AWS certs with wget
  • Delete the existing mysql-ca with rm mysql-ca and move in the new one with mv global-bundle.pem mysql-ca
  • Exit the shell and reboot the RDS instance.

Rebooting the RDS instance is (probably) necessary because OpenEMR’s almost certainly tripped the bad-connection flood protection and you can’t fix that from the host that caused the problem. This solution will work for both instances that have Suddenly Failed because the cert’s finally aged out, as well as new launches that want a newer cert than I’m getting them.


Alright, 7.0.2-1 is up at AWS and should work now.