...
Renew the certificates on node server
Renew Certificate for node

```bash
maurya@ls:~$ wget https://dl.eff.org/certbot-auto
--2017-02-14 15:54:52-- https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 173.239.79.196
Connecting to dl.eff.org (dl.eff.org)|173.239.79.196|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46789 (46K) [application/octet-stream]
Saving to: ‘certbot-auto’

100%[===========================================================================================================>] 46,789 30.5KB/s in 1.5s

2017-02-14 15:55:05 (30.5 KB/s) - ‘certbot-auto’ saved [46789/46789]

maurya@ls:~$ chmod a+x certbot-auto
maurya@ls:~$ sudo ./certbot-auto --config /etc/letsencrypt/configs/ls.datim4u.org.conf certonly
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ls.datim4u.org
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ls.datim4u.org/fullchain.pem. Your cert will
   expire on 2017-05-15. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again.
   To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

maurya@ls:~$ sudo vim /etc/nginx/sites-available/datim
maurya@ls:~$ sudo service nginx restart
 * Restarting nginx nginx [ OK ]
maurya@ls:~$ sudo service openhim-core restart
openhim-core stop/waiting
openhim-core start/running, process 25326
maurya@ls:~$ sudo service nginx restart
```
- Replace these with the certificates in OpenHIM Certificates tab
- Replace these with the certificates in OpenHIM global
- Select the newly added certificate in global OpenHIM to the client for the node
- Update the new certificate and key in the sync-mediator in the node OpenHIM
Restart the mediator
Restarting the mediator

```bash
maurya@ls:~$ sudo restart openhim-mediator-openinfoman-dhis2-sync
openhim-mediator-openinfoman-dhis2-sync start/running, process 4508
```
Automatic Certificate Renewal:
Automatic certificate renewal uses a cronjob to run the update command twice a day.
...
2. Create a bash script to run when a certificate is updated, updating the certificates recorded in the OpenHIM system.
- Store this script under `/bin/certbot_renewal/update_OpenHIM.sh`.
...
- Ensure it is executable by running `sudo chmod +x /bin/certbot_renewal/update_OpenHIM.sh`.
```
In Progress
```
3. Create a bash script which will be run by a cronjob.
- Store this script under `/bin/certbot_renewal/renewal_cronjob.sh`.
- Ensure it is executable by running `sudo chmod +x /bin/certbot_renewal/renewal_cronjob.sh`.
```bash
#!/bin/bash

## navigate to directory with ./certbot-auto (stop if the directory is missing)
cd /path/to/certbot-auto || exit 1

## check if the certificate is expiring soon and renew it if needed
# -n ensures a noninteractive session
# --renew-hook command only fires if a certificate is renewed
sudo ./certbot-auto --config /etc/letsencrypt/configs/cert.test2.ohie.org certonly --renew-hook "/bin/certbot_renewal/update_OpenHIM.sh" -n

exit 0
```
4. Create a cronjob to run twice a day, once at 1:00 AM and once at 1:00 PM.
- Run `crontab -e`.
...
- Add the following contents:
```
crontab -e
---------------
0 1,13 * * * /bin/certbot_renewal/renewal_cronjob.sh
```
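
A pre-flight check that a renew hook such as `update_OpenHIM.sh` could run before loading the renewed files into OpenHIM, given here as an added example and not the page's in-progress script: it confirms that the renewed certificate matches its private key and is not close to expiry. The function names and the 30-day threshold are assumptions; `RENEWED_LINEAGE` is the variable certbot exports to renew hooks.

```shell
#!/bin/bash
# Added example: pre-flight checks for a certbot renew hook.
# Function names and the 30-day default are assumptions, not from the page.

# Succeeds only if the certificate's public key equals the one derived
# from the private key (only public material is ever printed or compared).
cert_matches_key() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    local cert="$1" days="$2"
    openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1
}

# Runs both checks on a certbot lineage directory, which holds
# fullchain.pem (leaf certificate first) and privkey.pem.
preflight() {
    local lineage="$1" min_days="${2:-30}"
    local cert="$lineage/fullchain.pem" key="$lineage/privkey.pem"
    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing cert or key in $lineage" >&2; return 1; }
    cert_matches_key "$cert" "$key" || { echo "certificate does not match private key" >&2; return 1; }
    cert_valid_for_days "$cert" "$min_days" || { echo "certificate expires within $min_days days" >&2; return 1; }
}

# certbot sets RENEWED_LINEAGE for renew hooks; do nothing outside a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    preflight "$RENEWED_LINEAGE" || exit 1
    # The OpenHIM certificate update would follow here.
fi
```

A failed check stops the hook before a mismatched or stale pair replaces the working certificate in OpenHIM.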