These instructions are for an Ubuntu installation with nginx as the web server. This method lets a user obtain (free) certificates from an open-source provider and requires the website name to be publicly accessible. These instructions may not be applicable in other environments. Follow all applicable certificate policies when installing.

Before obtaining the certificates, ensure that there are two DNS A records for the website name (e.g. demonodepublicdns).

Getting the Certificates (letsencrypt example):

Certification Example
root@ubuntu:~# sudo apt-get update
root@ubuntu:~# sudo apt-get -y install nginx
root@ubuntu:~# wget https://dl.eff.org/certbot-auto
root@ubuntu:~# chmod a+x certbot-auto
root@ubuntu:~# ./certbot-auto
root@ubuntu:~# ./certbot-auto certonly --webroot -w /usr/share/nginx/html -d demonodepublicdns

    ┌────────────────────────────┐
    │ Enter email address (used  │
    │ for urgent notices and     │
    │ lost key recovery)         │
    │ ┌────────────────────────┐ │
    │ │xxxx@xxxx.xx            │ │
    │ └────────────────────────┘ │
    ├────────────────────────────┤
    │   <  OK  >  <Cancel>       │
    └────────────────────────────┘

    ┌───────────────────────────────────────────────────────────────────┐
    │ Please read the Terms of Service at                               │
    │ https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. │
    │ You must agree in order to register with the ACME server at       │
    │ https://acme-v01.api.letsencrypt.org/directory                    │
    ├───────────────────────────────────────────────────────────────────┤
    │                   <Agree >          <Cancel>                      │
    └───────────────────────────────────────────────────────────────────┘

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/demonodepublicdns/fullchain.pem. Your cert
   will expire on 2016-09-29. To obtain a new or tweaked version of
   this certificate in the future, simply run letsencrypt-auto again.
   To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
root@ubuntu:/opt/letsencrypt# ls /etc/letsencrypt/live/demonodepublicdns/
cert.pem  chain.pem  fullchain.pem  privkey.pem
Renewing the Certificates:

Renewing the Certificates on a DATIM Global

  • Renew the certificates on the Global server

    Renewing certificates on Global
    maurya@test3:~$ chmod a+x certbot-auto
    maurya@test3:~$ wget https://dl.eff.org/certbot-auto
    maurya@test3:~$ sudo ./certbot-auto --config /etc/letsencrypt/configs/test3.global.ohie.datim.org.conf certonly
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Cert is due for renewal, auto-renewing...
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for test3.global.ohie.datim.org
    Using the webroot path /usr/share/nginx/html for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Unable to clean up challenge directory /usr/share/nginx/html/.well-known/acme-challenge
    Generating key (4096 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/test3.global.ohie.datim.org/fullchain.pem.
       Your cert will expire on 2017-05-14. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    maurya@test3:~$ sudo vim nginx.conf
    maurya@test3:~$ sudo vim /etc/nginx/nginx.conf
    maurya@test3:~$ sudo vim /etc/nginx/sites-available/openhim-console
    maurya@test3:~$ sudo service nginx restart
     * Restarting nginx nginx                                   [ OK ]
    maurya@test3:~$ sudo restart openhim-core
    openhim-core start/running, process 963
  • Replace these with the certificates in the OpenHIM Certificates tab
  • Replace these with the certificates in the OpenHIM clients

Renewing the Certificates on a DATIM node

  • Renew the certificates on the node server

    Renew Certificate for node
    maurya@ls:~$ wget https://dl.eff.org/certbot-auto
    --2017-02-14 15:54:52--  https://dl.eff.org/certbot-auto
    Resolving dl.eff.org (dl.eff.org)... 173.239.79.196
    Connecting to dl.eff.org (dl.eff.org)|173.239.79.196|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 46789 (46K) [application/octet-stream]
    Saving to: ‘certbot-auto’
    100%[===========================================================================================================>] 46,789      30.5KB/s   in 1.5s
    2017-02-14 15:55:05 (30.5 KB/s) - ‘certbot-auto’ saved [46789/46789]
    maurya@ls:~$ chmod a+x certbot-auto
    maurya@ls:~$ sudo ./certbot-auto --config /etc/letsencrypt/configs/ls.datim4u.org.conf certonly
    Creating virtual environment...
    Installing Python packages...
    Installation succeeded.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Cert is due for renewal, auto-renewing...
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for ls.datim4u.org
    Using the webroot path /usr/share/nginx/html for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Generating key (4096 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/ls.datim4u.org/fullchain.pem. Your cert will
       expire on 2017-05-15. To obtain a new or tweaked version of this
       certificate in the future, simply run certbot-auto again. To
       non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    maurya@ls:~$ sudo vim /etc/nginx/sites-available/datim
    maurya@ls:~$ sudo service nginx restart
     * Restarting nginx nginx                                   [ OK ]
    maurya@ls:~$ sudo service openhim-core restart
    openhim-core stop/waiting
    openhim-core start/running, process 25326
    maurya@ls:~$ sudo service nginx restart
  • Replace these with the certificates in the OpenHIM Certificates tab
  • Replace these with the certificates in the global OpenHIM
  • In the global OpenHIM, select the newly added certificate for the node's client
  • Update the new certificate and key in the sync-mediator in the node OpenHIM
  • Restart the mediator

    Restarting the mediator
    maurya@ls:~$ sudo restart openhim-mediator-openinfoman-dhis2-sync
    openhim-mediator-openinfoman-dhis2-sync start/running, process 4508

Automatic Certificate Renewal:

Automatic certificate renewal uses a cron job to run the update command twice a day.

     1. Ensure the following command returns successfully. With --dry-run it makes no changes. The same command (without --dry-run) is used in the cron job to renew the certificate when it is due.

Testing Automatic Update Command
user@ls:/var/www# sudo ./certbot-auto --config /etc/letsencrypt/configs/ls.datim4u.org.conf certonly --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cert.test2.ohie.org
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0009_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0009_csr-certbot.pem
IMPORTANT NOTES:
 - The dry run was successful.


     2. Create a bash script that runs when a certificate is renewed and updates the certificates recorded in the OpenHIM system.

  • Store this script under `/etc/certbot_renewal/update_OpenHIM.sh`.
  • Ensure it is executable by running `chmod +x /etc/certbot_renewal/update_OpenHIM.sh`.
update_OpenHIM.sh
In Progress


     3. Create a bash script to be run by the cron job.

  • Store this script under `/etc/certbot_renewal/renewal_cronjob.sh`.
  • Ensure it is executable by running `chmod +x /etc/certbot_renewal/renewal_cronjob.sh`.
renewal_cronjob.sh
#!/bin/bash
# Runs from cron, which has no terminal: install it in root's crontab or make
# sure the sudo below does not prompt for a password, otherwise it silently fails.
set -e
## navigate to the directory containing ./certbot-auto
cd /path/to/certbot-auto
## check whether the certificate is expiring soon and renew it if needed
##   -n            ensures a non-interactive session
##   --renew-hook  runs the given command only if a certificate was actually renewed
sudo ./certbot-auto --config /etc/letsencrypt/configs/ls.datim4u.org.conf certonly -n \
    --renew-hook "/etc/certbot_renewal/update_OpenHIM.sh"
exit 0
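As an added example (not part of this page or of the DATIM scripts), a renew-hook in the spirit of steps 2 and 3 that checks the renewed files before they are used: certbot exports the renewed lineage directory to hook scripts in RENEWED_LINEAGE and the domain list in RENEWED_DOMAINS. The log path /var/log/certbot_renewal.log and the use of `service nginx reload` are assumptions; pushing the certificate into OpenHIM is left to the page's own update_OpenHIM.sh.

```bash
#!/bin/bash
# Added example hook, not from the original page. certbot sets RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/<name>) and RENEWED_DOMAINS when it calls a hook.
set -euo pipefail

# verify_lineage DIR: succeed only if DIR/fullchain.pem and DIR/privkey.pem exist,
# belong together (same public key) and the certificate has not already expired.
verify_lineage() {
    local dir="$1"
    local cert="$dir/fullchain.pem" key="$dir/privkey.pem"
    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing cert or key in $dir" >&2; return 1; }
    # the public key derived from the private key must equal the certificate's public key
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
    # -checkend 0 fails if the certificate is already expired
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "certificate expired" >&2; return 1; }
    return 0
}

# Only act when certbot invoked us as a hook (RENEWED_LINEAGE is set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    verify_lineage "$RENEWED_LINEAGE"
    # assumed log location; records which names were renewed and when
    echo "$(date -u +%FT%TZ) renewed ${RENEWED_DOMAINS:-?} in $RENEWED_LINEAGE" >> /var/log/certbot_renewal.log
    # reload rather than restart so nginx picks up the new files without dropping connections
    service nginx reload
fi
```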


     4. Create a cron job that runs twice a day, once at 1:00 AM and once at 1:00 PM.

  • Run `crontab -e` and add the following line:
crontab -e contents
0 1,13 * * * /etc/certbot_renewal/renewal_cronjob.sh