It took about 12 hours (and a second clean installation) on AWS before SSL certificates were successfully installed on OpenEMR 7.0.3
OpenEMR Express Plus on AWS 7.0.3
Installed as a subdomain of an existing domain with existing SSL certificates.
First, I will summarize some pitfalls (and things I didn’t understand as a newbie).
Second, I will post step-by-step instructions with command prompts.
SECTION ONE - Thoughts & Preparation
1.1 Installing as a clinical research database, we needed to meet HIPAA compliance. As a very small research group, we did NOT need multiple instances of virtual machines (cloud servers).
– While there are plenty of descriptions about using AWS components to upload your SSL certificate in AWS Certificate Manager, tying together 2 or more instances (in different subregions) in a target group, in the same security group and governed by Elastic Load Balancer, it’s too much.
1.2 To comply with HIPAA, you have to install in N. Virginia (us-east-1) or Oregon (us-west-2). Don’t forget to sign your BAA.
1.3 Have access to your wildcard domain SSL certificates (be able to copy and paste).
1.4 Have access to DNS panel of the root domain to create the proper A record.
SECTION TWO - Conceptual Description of the Installation
2.1 Preparing AWS for Installation
Sign up for AWS (free or paid) - don’t forget to save your EC2 key. Make sure to choose your region wisely.
Cloud Formation builds your platform. Following the top directions from openemr-devops/packages/express_plus at master · openemr/openemr-devops · GitHub was simple. Use the link in the article to automatically launch on Cloud Formation. This takes you through the installation and results in an IPv4 address at which your instance of OpenEMR is running on a virtual machine (EC2).
You should be able to sign-in, but only HTTP, not HTTPS because SSL is missing.
2.2 Set up DNS A record
Sign-in to your DNS panel.
Because I want a subdomain to point to an IP address different from my root domain, create an A record – med.xxx.org points to the public IPv4 address of your EC2 instance.
2.3 SSL certificates (public, private and CAB) need to be added to the Linux folders AND within the Docker
This is done by connecting to the Linux instance directly from AWS. (Go ahead with standard user ubuntu)
– the name of the docker is different for OpenEMR Standard than OpenEMR Express Plus.
I’ve read that the docker name is standard-openemr-1 for OpenEMR Standard. The docker name is lightsail-openemr-1 for OpenEMR Cloud Express.
2.4 Once the proper SSL certificates have been created and copied in, the Apache2 server (docker) config file needs to be adjusted and the Apache2 server (docker) restarted
This should get you HTTPS. There is NO setting from the GUI (logging in via admin account) that can accomplish this. The setting in Admin / Config / Security is for CLIENT-SIDE SSL. We don’t want that - we want the usual SSL (server-side).
SECTION THREE - Command Prompts matching 2.3 and 2.4
(the hardest part of the job)
Anything behind # is a comment (not a Linux command) and should NOT be typed … everything must be typed out precisely
2.3 #Launch and connect to the Linux VM #copy certificates into docker
sudo su #to be super user
sudo pwd #to see your folder path
cd /etc/ssl/certs/ #folder to save your .crt and .pem certificates
sudo touch XXX.crt #create a blank public .crt file
sudo nano XXX.crt #paste in your public .crt content and save with .crt extension; ^+O to save; ^+X to exit;
sudo chown root:root XXX.crt #ownership
sudo chmod o-rw XXX.crt #modify so others cannot readwrite
sudo chmod g-rw XXX.crt #modify so group cannot readwrite
sudo touch ZZZ.pem #create CAB .pem file
sudo nano ZZZ.pem # edit CAB file; paste in CAB and save as .pem (see above)
sudo chown root:root ZZZ.pem
sudo chmod o-rw ZZZ.pem
sudo chmod g-rw ZZZ.pem
sudo docker ps #checks running docker and its name (should be lightsail-openemr-1)
sudo docker cp XXX.crt lightsail-openemr-1:/etc/ssl/certs/XXX.crt
sudo docker cp XXX.crt lightsail-openemr-1:/etc/ssl/apache2/XXX.crt
sudo docker cp ZZZ.pem lightsail-openemr-1:/etc/ssl/certs/ZZZ.pem
sudo docker cp ZZZ.pem lightsail-openemr-1:/etc/ssl/apache2/ZZZ.pem
#copies over XXX.crt and ZZZ.pem to within the Apache docker
cd /etc/ssl/private/ #change folder and create YYY.key private key
sudo touch YYY.key
sudo nano YYY.key
sudo chown root:root YYY.key
sudo chmod o-rw YYY.key
sudo chmod g-rw YYY.key
#copy into the docker
sudo docker cp YYY.key lightsail-openemr-1:/etc/ssl/private/YYY.key
sudo docker cp YYY.key lightsail-openemr-1:/etc/ssl/apache2/YYY.key
2.4 #Copy out openemr.conf from the docker, edit it at root and upload it back into the docker
cd #repeat until you get out to the root
sudo docker cp lightsail-openemr-1:/etc/apache2/conf.d/openemr.conf openemr-old.conf #copy out of docker to root openemr.conf and save it as old version
sudo cp openemr-old.conf openemr.conf #make a copy to edit
sudo nano openemr.conf #editing the profile now
#now editing openemr.conf using nano
#scroll down towards the bottom until you see the entry for SSL certificates in
#edit the following two lines to be
SSLCertificateFile /etc/ssl/certs/XXX.crt
SSLCertificateKeyFile /etc/ssl/private/YYY.key
#add the following line
SSLCACertificateFile /etc/ssl/certs/ZZZ.pem
#^+O to save; enter to confirm name to openemr.conf; ^+X to exit
#copying config file into the docker
sudo docker cp openemr.conf lightsail-openemr-1:/etc/apache2/conf.d/openemr.conf
#restart Apache docker
sudo docker restart lightsail-openemr-1
#check that the Apache docker has restarted
sudo docker ps
exit #repeat until logged out / close connection
This SHOULD have SSL certificates installed properly and connecting via HTTPS
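A check that can be run between editing openemr.conf and the restart in 2.4, to catch a directive pointing at a missing file, a key pasted into a certificate file (or the reverse), and a private key readable by group or others. This is an added example, not part of the original post or of OpenEMR; the function names and the ROOT staging prefix are hypothetical, and the sample files it builds are constructed placeholders.

```shell
# Added example: pre-restart check of the edited openemr.conf (sample data is constructed).
# ROOT (hypothetical) is a prefix holding a staged copy of /etc/ssl; pass "" for live paths.

# Print the path given to an Apache directive (last uncommented occurrence wins).
directive_path() {  # $1=conf file  $2=directive name
  awk -v d="$2" '$1 == d { p = $2 } END { if (p != "") print p }' "$1"
}

# Succeed if the first PEM header in the file is of the expected kind.
pem_kind_ok() {  # $1=file  $2=CERT|KEY
  case "$2:$(sed -n '/^-----BEGIN /{p;q;}' "$1")" in
    CERT:"-----BEGIN CERTIFICATE-----" | KEY:"-----BEGIN "*"PRIVATE KEY-----") return 0 ;;
  esac
  return 1
}

# Succeed if group and others have no permission bits on the file.
owner_only() { case $(ls -ld "$1") in ????------*) return 0 ;; esac; return 1; }

# Print one line per problem; the return status is the number of problems (0 = OK).
check_tls_conf() {  # $1=conf file  $2=ROOT
  problems=0
  for pair in SSLCertificateFile:CERT SSLCertificateKeyFile:KEY SSLCACertificateFile:CERT; do
    name=${pair%%:*}; kind=${pair##*:}
    target=$(directive_path "$1" "$name"); file="$2$target"
    if [ -z "$target" ]; then echo "$name: directive missing"
    elif [ ! -s "$file" ]; then echo "$name: $target missing or empty"
    elif ! pem_kind_ok "$file" "$kind"; then echo "$name: $target is not a PEM $kind"
    elif [ "$kind" = KEY ] && ! owner_only "$file"; then
      echo "$name: $target is accessible to group or others"
    else continue
    fi
    problems=$((problems + 1))
  done
  return "$problems"
}

# Build a constructed staging tree (placeholder PEM bodies, not real keys); print its path.
make_sample() {
  d=$(mktemp -d); c="$d/etc/ssl/certs"; k="$d/etc/ssl/private"; mkdir -p "$c" "$k"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' constructed '-----END CERTIFICATE-----' |
    tee "$c/XXX.crt" > "$c/ZZZ.pem"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' constructed '-----END PRIVATE KEY-----' > "$k/YYY.key"
  chmod 600 "$k/YYY.key"
  printf '%s\n' 'SSLCertificateFile /etc/ssl/certs/XXX.crt' \
    'SSLCertificateKeyFile /etc/ssl/private/YYY.key' \
    'SSLCACertificateFile /etc/ssl/certs/ZZZ.pem' > "$d/openemr.conf"
  echo "$d"
}
```

On the host, `check_tls_conf openemr.conf ""` checks the files created in 2.3 against the edited config before it is copied back into the container.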