Cloud SSL Certs - openmrs/openmrs-contrib-itsmresources GitHub Wiki
We are using Let's Encrypt for all services. Ansible is set up to run Let's Encrypt in one of two modes: "webroot" (the default) or "acmedns" (using our ACME DNS server). "webroot" mode uses standard HTTP-01 challenges, which require that Let's Encrypt can reach /.well-known/acme-challenge/ over plain HTTP for every host name in the certificate. "acmedns" mode uses DNS-01 challenges, which are answered by TXT records that our acme-dns server publishes under acme.openmrs.org; the only thing needed in the real zone is a CNAME from _acme-challenge.<host> to the acme-dns name.
Certificate renewals are handled automatically in either mode with no additional effort, but setting up a server in acmedns mode takes two playbook runs: the first registers the hostnames with our ACME DNS server (after which the CNAMEs have to be created in Terraform), and the second actually runs the DNS-01 challenge. To register the hostnames, run ansible-playbook with -e acme_dns_register=true. A step called "Show the CNAME targets to paste into Terraform" will run and print the UUIDs that need to be registered in Terraform. The output looks something like this:
```
"# _acme-challenge CNAME targets for bonga.openmrs.org (bonga.openmrs.org, modules-refapp.openmrs.org).",
"# The fulldomain already ends in the acme-dns zone - paste verbatim into the Terraform",
"# repo (acme_challenge_cnames for openmrs.org names, manual-dns per-zone otherwise).",
"_acme-challenge.bonga.openmrs.org CNAME d754e519-a38f-408e-adf7-e7517b9f7e9b.acme.openmrs.org",
"_acme-challenge.modules-refapp.openmrs.org CNAME 4ddc5d84-b289-4c89-a15c-21b47fa77ad8.acme.openmrs.org"
```
The lines of interest are the ones of the form _acme-challenge.<host> CNAME <UUID>.acme.openmrs.org; for each one we need the <host> and the <UUID>. For names under openmrs.org, add the "acme_challenge_cnames" variable to the Terraform variables for the stack like this (names in other zones go into that zone's manual-dns records instead, as the output's own comment says):
```hcl
variable "acme_challenge_cnames" {
  default = {
    "bonga"          = "d754e519-a38f-408e-adf7-e7517b9f7e9b.acme.openmrs.org"
    "modules-refapp" = "4ddc5d84-b289-4c89-a15c-21b47fa77ad8.acme.openmrs.org"
  }
}
```
The left-hand side is the <host> short name (the host name with the openmrs.org zone removed) and the right-hand side is the full <UUID>.acme.openmrs.org target, pasted verbatim. Run Terraform on the stack to create the DNS records, confirm from a public resolver that _acme-challenge.<host> now returns the CNAME, and then run the playbook a second time without acme_dns_register so the DNS-01 challenge is actually performed. Registration is a one-time step per hostname, but the same process has to be repeated for any new CNAME, i.e. whenever a new host name is added to a certificate.
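Turning the registration output into the Terraform block is mechanical and easy to get wrong by hand (a mistyped UUID or a name from the wrong zone fails the second run). The script below is an added example, not part of this wiki or of the Ansible/Terraform repositories: it parses the debug output in the quoted-string form shown above, separates openmrs.org names from names in other zones as the output's own comment directs, rejects any target that is not <UUID>.acme.openmrs.org, and renders the acme_challenge_cnames block in the layout used above. The sample output is constructed: the two openmrs.org lines reuse the UUIDs shown on this page, while the demo.example.org line and its UUID are invented to exercise the other-zone case.

```python
import re

# Constructed sample of the "Show the CNAME targets to paste into Terraform" step's
# output, in the quoted-list form Ansible's debug module prints. The first two UUIDs
# are the ones shown on the wiki page; the demo.example.org line is made up to
# exercise the "manual-dns per-zone otherwise" case.
SAMPLE_OUTPUT = '''
"# _acme-challenge CNAME targets for bonga.openmrs.org (bonga.openmrs.org, modules-refapp.openmrs.org).",
"# The fulldomain already ends in the acme-dns zone - paste verbatim into the Terraform",
"# repo (acme_challenge_cnames for openmrs.org names, manual-dns per-zone otherwise).",
"_acme-challenge.bonga.openmrs.org CNAME d754e519-a38f-408e-adf7-e7517b9f7e9b.acme.openmrs.org",
"_acme-challenge.modules-refapp.openmrs.org CNAME 4ddc5d84-b289-4c89-a15c-21b47fa77ad8.acme.openmrs.org",
"_acme-challenge.demo.example.org CNAME 0f1e2d3c-4b5a-4978-8a6b-5c4d3e2f1a0b.acme.openmrs.org"
'''

ZONE = "openmrs.org"                # names in this zone go into acme_challenge_cnames
ACME_DNS_ZONE = "acme.openmrs.org"  # zone served by our acme-dns server

CNAME_LINE = re.compile(r"^_acme-challenge\.(?P<host>[A-Za-z0-9.-]+)\s+CNAME\s+(?P<target>\S+)$")
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"


def is_acme_dns_target(target, acme_dns_zone=ACME_DNS_ZONE):
    """True if target is exactly <uuid>.<acme-dns zone>, which is what acme-dns
    registration hands back. A trailing dot (FQDN form) is tolerated."""
    pattern = r"^%s\.%s$" % (UUID, re.escape(acme_dns_zone))
    return re.match(pattern, target.rstrip(".")) is not None


def parse_cname_targets(text, zone=ZONE, acme_dns_zone=ACME_DNS_ZONE):
    """Parse the playbook output into (in_zone, other).

    in_zone: {short_host: target} for names under `zone`, ready for acme_challenge_cnames.
    other:   [(fqdn, target), ...] for names in any other zone (or the zone apex),
             which need manual-dns records instead.
    Raises ValueError if a target does not point into the acme-dns zone, so a
    mangled or truncated line is never pasted into Terraform.
    """
    in_zone, other = {}, []
    for raw in text.splitlines():
        # Ansible debug prints each line as a quoted JSON string, optionally comma-terminated.
        line = raw.strip().rstrip(",").strip('"').strip()
        if not line or line.startswith("#"):
            continue
        m = CNAME_LINE.match(line)
        if not m:
            continue  # unrelated playbook output
        host = m.group("host").rstrip(".").lower()
        target = m.group("target").rstrip(".").lower()
        if not is_acme_dns_target(target, acme_dns_zone):
            raise ValueError("unexpected CNAME target for %s: %s" % (host, target))
        if host.endswith("." + zone):
            in_zone[host[: -(len(zone) + 1)]] = target  # strip ".openmrs.org" -> short name
        else:
            other.append((host, target))                # foreign zone or apex: manual-dns
    return in_zone, other


def to_hcl(mapping):
    """Render the acme_challenge_cnames variable block in the layout the wiki shows."""
    lines = ['variable "acme_challenge_cnames" {', "  default = {"]
    for short, target in sorted(mapping.items()):
        lines.append('    "%s" = "%s"' % (short, target))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    in_zone, other = parse_cname_targets(SAMPLE_OUTPUT)
    print(to_hcl(in_zone))
    for fqdn, target in other:
        print("# manual-dns: _acme-challenge.%s CNAME %s" % (fqdn, target))
```

Paste the rendered block into the stack's Terraform variables, apply, and only then do the second playbook run: the DNS-01 validator follows _acme-challenge.<host> through the CNAME to the acme-dns name, so a record that has not been created yet, or that carries a mistyped UUID, fails the challenge even though registration succeeded.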
This mode should mostly be used where the server sits behind a proxy such as Cloudflare or CloudFront. Those front ends serve traffic over HTTPS, while HTTP-01 validation requests arrive over plain HTTP, so the request for /.well-known/acme-challenge may never reach the origin; DNS-01 avoids the HTTP path entirely.