Test own Certificate

[mrjones-plip]

User: Admin Site: local/docker Platform: MacOs, Linux, Windows / Chrome, Firefox Test Steps: Steps for test

1. Check if there is documentation for this > for all OS we support 2. Check that it works Expected Result: User should have comprehensive documentation. No error during installation and/or update

[mrjones-plip]

AT passes

Setup is to wget latest files:

wget  https://staging.dev.medicmobile.org/_couch/builds/medic:medic:master/docker-compose/cht-couchdb.yml
wget https://staging.dev.medicmobile.org/_couch/builds/medic:medic:master/docker-compose/cht-core.yml
wget https://raw.githubusercontent.com/medic/cht-upgrade-service/main/docker-compose.yml

Preload the wildcard local-ip.co cert into SSL_VOLUME_MOUNT_PATH=/etc/nginx/private/ volume by creating a compose file called docker-compose_load-certs.yml with this contents (not volume is hard coded to test3-cht-ssl:

version: '3.9'

services:
  cht-load-local-ip-cert:
    image: alpine
    command: sh -c "
        mkdir -p ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/}
        &&rm -f ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/}server.pem 
        && rm -f ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/}chain.pem  
        && rm -f ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/}key.pem
        && wget -P ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/}  http://local-ip.co/cert/server.pem
        && wget -P ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/} http://local-ip.co/cert/chain.pem
        && cat  ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/}server.pem ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/}chain.pem > ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/}cert.pem
        && wget -P ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/} http://local-ip.co/cert/server.key
        && mv ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/}server.key ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/}key.pem
        && rm -f ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/}server.pem ${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/}chain.pem
        && sleep 2600 "
    volumes:
      - test3-cht-ssl:${SSL_VOLUME_MOUNT_PATH:-/root/.acme.sh/}

volumes:
        test3-cht-ssl:

Then populate the volume with: SSL_VOLUME_MOUNT_PATH=/etc/nginx/private/ docker-compose -f docker-compose_load-certs.yml up

Then do AT:

• no full public docs on the docs site, but we have a decent readme
• this command uses explicit use of own certs, and it works: SSL_VOLUME_MOUNT_PATH=/etc/nginx/private/ CHT_COMPOSE_PROJECT_NAME=test3 COUCHDB_SECRET=foo DOCKER_CONFIG_PATH=./ COUCHDB_DATA=./couchd CHT_COMPOSE_PATH=./ COUCHDB_USER=medic COUCHDB_PASSWORD=password CERTIFICATE_MODE=OWN_CERT docker-compose up
• validation that "it works" was done with curl like this:

  curl --silent -v -I https://127-0-0-1.my.local-ip.co 2>&1 |egrep 'SSL connection|subject:'
  * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA
  *  subject: CN=*.my.local-ip.co

• As well the browser showed a valid let's encrypt cert

• logs for the nginx container showed:

  docker logs test3_nginx_1|egrep -i 'CERT|self|ssl|generat|exist'|grep -v entrypoi
  
  Running SSL certificate checks
  SSL certificate exists.
  Launching Nginx
  CERTIFICATE MODE = OWN_CERT

• finally, upgrading to branch 4.0.0-7778-bulk-delete-redesign worked as expected

[mrjones-plip]

cc @medic/quality-assurance