SSL certificates (or certs) help transfer data securely between the client and the server. Web applications use SSL certificates to encrypt the traffic between client and server. If the application is not configured with a valid SSL certificate, the browser shows the message "Your connection is not private". It will also be much easier for others to break into your data.
Let's Encrypt is a free, open and automated certificate authority. It provides a CLI tool that generates certificates by validating the domain in an automated fashion. The code is open source and can be found here. It can operate in various modes/plugins; the details can be found here. We have used the Standalone plugin to generate the certificate for Bahmni.
We need a valid domain before we start generation of certs. The process is outlined below:
Summary: Overall, the idea is that Let's Encrypt will create a certificate for your domains/sub-domains only if it knows with certainty that you control those domains. For it to verify that you control the domains, you need to run the letsencrypt command line program from an IP address to which the domains are mapped. When the letsencrypt command contacts the Let's Encrypt servers with your domain names, the server sends a handshake back to the domain, which should be received by the client (which is itself). Since the request for domain "X" came back to itself, the client program knows that it is being run by the person who controls domain "X".
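The mapping requirement in the summary can be checked before a certificate is requested. The following is an added example, not part of the original page or of the letsencrypt tool: the function names, the name new.bahmnidev.org and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import socket


def resolve_all(domain):
    """Return every address DNS currently publishes for the domain."""
    infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def preflight(domains, server_ips, resolver=resolve_all):
    """Map each domain to a list of problems; an empty list means ready."""
    mine = {ipaddress.ip_address(ip) for ip in server_ips}
    report = {}
    for domain in domains:
        try:
            found = {ipaddress.ip_address(a) for a in resolver(domain)}
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            report[domain] = [f"does not resolve: {exc}"]
            continue
        # A published address that is not ours can receive the validation
        # request instead of this host, so each one is reported.
        stray = sorted(found - mine, key=str)
        problems = [f"{a} is not an address of this server" for a in stray]
        if not found & mine:
            problems.append("no record points at this server")
        report[domain] = problems
    return report


# Constructed sample data (documentation address ranges, not real records).
SAMPLE_DNS = {
    "dev.bahmnidev.org": {"203.0.113.10"},
    "dot10.bahmnidev.org": {"203.0.113.10", "2001:db8::99"},
}


def sample_resolver(domain):
    """Offline stand-in for resolve_all, backed by SAMPLE_DNS."""
    if domain not in SAMPLE_DNS:
        raise socket.gaierror("name not known")
    return SAMPLE_DNS[domain]


if __name__ == "__main__":
    names = ["dev.bahmnidev.org", "dot10.bahmnidev.org", "new.bahmnidev.org"]
    for name, problems in preflight(names, ["203.0.113.10"], sample_resolver).items():
        print(name, "OK" if not problems else problems)
```

On the server itself, call preflight with the same names that will be passed as -d and the server's own addresses, leaving the resolver argument at its default so that real DNS is queried.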
Access the droplet or Bahmni server using SSH, go to the /etc directory and clone the letsencrypt git repo.
cd /etc
sudo git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Run the following command from the cloned directory. It will ask for an email address at the time of certificate generation.
# Note that the first domain/subdomain passed as -d becomes the main folder structure / name in the certificate.
# So, it is good to give the topmost level as the first option.
./letsencrypt-auto certonly --standalone -d dev.bahmnidev.org -d dot10.bahmnidev.org --debug
Configure these settings in the /etc/httpd/conf.d/ssl.conf of Apache httpd
SSLCertificateFile /etc/letsencrypt/live/dev.bahmnidev.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dev.bahmnidev.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/dev.bahmnidev.org/chain.pem