OpenCRVS
v1.4

4.3.2 HTTPS & Networking


Last updated 1 year ago

Watch the videos above to understand the OpenCRVS network and how TLS is configured in OpenCRVS servers

Domain A records

Using your domain management system, create A records for every service that is publicly exposed. Each record maps a hostname to the external IP address of your manager server node (an A record maps a name to an address; it does not forward a URL). A TTL of 1 hour is sufficient.

The records also allow the Traefik certificate to be issued by LetsEncrypt. The HTTPS challenge only succeeds if each hostname already resolves to the manager node, because LetsEncrypt fetches the challenge response from that address over port 80. The DNS challenge does not depend on the A records for issuance, but the services are unreachable until the records exist.

Either use a wildcard or create individual A records for your chosen domain name. The easiest approach is a wildcard, for example *.<your_domain>, but it is less secure for production: every hostname under the domain, including ones you never configured, then resolves to the manager node and reaches Traefik. Individual records enumerate exactly the services you intend to expose.

Option 1: wildcard (2 A records required):

<your_domain>
*.<your_domain>

Option 2: individual records (16 A records required):

<your_domain>
auth.<your_domain>
config.<your_domain>
countryconfig.<your_domain>
documents.<your_domain>
metabase.<your_domain>
minio.<your_domain>
minio-console.<your_domain>
ui-kit.<your_domain>
gateway.<your_domain>
kibana.<your_domain>
login.<your_domain>
openhim-api.<your_domain>
openhim.<your_domain>
register.<your_domain>
webhooks.<your_domain>

If using our Wireguard VPN, also add:

vpn.<your_domain>
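Before requesting certificates it is worth confirming that every hostname in the list above resolves to the manager node, since a forgotten or stale record is otherwise only noticed when the LetsEncrypt HTTPS challenge fails. The following pre-flight check is an added example written for this page; it is not OpenCRVS code. The subdomain list is the Option 2 list above; the domain crvs.example, the manager address 203.0.113.10 and the fake resolver used in the demo are constructed test data (RFC 5737 documentation addresses). By default it queries real DNS through the operating system resolver.

```python
"""Pre-flight check: do all OpenCRVS hostnames resolve to the manager node?

Added example for this documentation page, not part of OpenCRVS. Hostnames
come from the "Option 2" list above; demo domain/IP are assumptions.
"""
import socket
from typing import Callable, Dict, List

# Subdomains from the Option 2 list above (the bare domain is added separately).
SERVICE_SUBDOMAINS = [
    "auth", "config", "countryconfig", "documents", "metabase", "minio",
    "minio-console", "ui-kit", "gateway", "kibana", "login", "openhim-api",
    "openhim", "register", "webhooks",
]


def expected_hosts(domain: str, vpn: bool = False, openhim_api: bool = False) -> List[str]:
    """Return every hostname that needs an A record for the given domain."""
    hosts = [domain] + [f"{sub}.{domain}" for sub in SERVICE_SUBDOMAINS]
    if vpn:
        hosts.append(f"vpn.{domain}")   # bundled Wireguard VPN admin interface
    if openhim_api:
        hosts.append(f"api.{domain}")   # only when exposing OpenHIM directly
    return hosts


def resolve_all_a(host: str) -> List[str]:
    """Default resolver: every IPv4 address for host, [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, family=socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_a_records(domain: str, manager_ip: str,
                    resolver: Callable[[str], List[str]] = resolve_all_a,
                    **opts) -> Dict[str, str]:
    """Map each misconfigured hostname to a reason; an empty dict means all good.

    A hostname is flagged if it does not resolve at all, or if it resolves to
    any address other than the manager node (a record left pointing at an old
    server would break both the service and the HTTP-01 challenge).
    """
    problems: Dict[str, str] = {}
    for host in expected_hosts(domain, **opts):
        addrs = resolver(host)
        if not addrs:
            problems[host] = "does not resolve"
        elif addrs != [manager_ip]:
            problems[host] = f"resolves to {', '.join(addrs)}, expected {manager_ip}"
    return problems


# Constructed demo data: a fake zone standing in for real DNS (assumptions).
DEMO_DOMAIN = "crvs.example"
DEMO_MANAGER_IP = "203.0.113.10"
_DEMO_ZONE = {h: ["203.0.113.10"] for h in expected_hosts(DEMO_DOMAIN, vpn=True)}
_DEMO_ZONE["kibana.crvs.example"] = ["198.51.100.7"]   # stale record, wrong server
del _DEMO_ZONE["webhooks.crvs.example"]                # record never created


def demo_resolver(host: str) -> List[str]:
    """Resolver that answers from the constructed demo zone."""
    return _DEMO_ZONE.get(host, [])


if __name__ == "__main__":
    report = check_a_records(DEMO_DOMAIN, DEMO_MANAGER_IP, demo_resolver, vpn=True)
    for host, why in sorted(report.items()):
        print(f"{host}: {why}")
```

Run it against a real zone by calling check_a_records("<your_domain>", "<manager ip>", vpn=True) with the default resolver; if you chose the wildcard option every name resolves and the check degenerates to confirming the single wildcard target.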

LetsEncrypt HTTPS Challenge

Add these flags to the Traefik command in your environment's docker-compose file. The HTTPS challenge (ACME HTTP-01) is answered on the web entrypoint, so port 80 on the manager node must be reachable from the internet for every hostname listed above:

- --certificatesresolvers.certResolver.acme.email=<your email address>
- --certificatesresolvers.certResolver.acme.storage=acme.json
- --certificatesresolvers.certResolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
- --certificatesresolvers.certResolver.acme.httpchallenge.entrypoint=web
- --certificatesresolvers.certResolver.acme.httpchallenge=true

LetsEncrypt DNS Challenge

For production or staging environments, edit the Traefik config in your environment's docker-compose files to use the LetsEncrypt DNS challenge (ACME DNS-01) for certificate generation. Traefik answers the challenge by creating TXT records through your DNS provider's API, so it works without exposing port 80 and it can issue wildcard certificates. The providers Traefik supports are listed in the Traefik Let's Encrypt documentation linked at the end of this page.

In this example, Google Domains is the configured provider. The environment variable GOOGLE_DOMAINS_ACCESS_TOKEN is added manually to the Github environment as a secret and passed into the container. The token grants write access to your DNS zone, so never commit it to the repository or place its value directly in the compose file.

environment:
 - GOOGLE_DOMAINS_ACCESS_TOKEN=${GOOGLE_DOMAINS_ACCESS_TOKEN}
command:
 - --certificatesresolvers.certResolver.acme.dnschallenge=true
 - --certificatesresolvers.certResolver.acme.dnschallenge.provider=googledomains
 - --certificatesresolvers.certResolver.acme.email=<your email address>
 - --certificatesresolvers.certResolver.acme.storage=acme.json

Pre-existing TLS certificates

Traefik config is required to be edited in your docker-compose files for your environment in order to use pre-existing TLS certificates instead of LetsEncrypt.

  1. Once your environment is provisioned, manually copy your certificate files into the /data/traefik/certs directory on your server so that Traefik can pick them up. The .crt file must contain the full chain in PEM format, leaf certificate first, followed by the intermediate (and optionally root) certificates; the .key file holds the private key of the leaf certificate and must be readable only by root (mode 0600).

  2. Create a file named certs.yaml in the infrastructure/traefik folder like this. The paths are container paths, so they must match the container side of the certificate volume mount in step 3 (/etc/certs below):

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/<your combined leaf, intermediate & root, certfile>.crt
        keyFile: /etc/certs/<your cert private key file>.key
  certificates:
    - certFile: /etc/certs/<your combined leaf, intermediate & root, certfile>.crt
      keyFile: /etc/certs/<your cert private key file>.key
      stores:
        - default

  3. Use the Traefik config below so that Traefik loads certs.yaml through its file provider, and remove every line that starts with "--certificatesresolvers.certResolver.acme"; otherwise Traefik keeps trying to obtain LetsEncrypt certificates alongside your own:

volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /data/traefik/certs:/etc/certs
      - /opt/opencrvs/infrastructure/traefik/certs.yaml:/etc/traefik/certs.yaml
    command:
      - --providers.file.directory=/etc/traefik
      - --providers.file.watch=true

  4. If the certificate is different for each environment, edit the "Provision" Github Actions workflow to write the contents of the .crt and .key files into the /data/traefik/certs directory on your server from Github environment secrets that you create manually. In the file infrastructure/server-setup/tasks/traefik.yml, add these tasks at the end of the file (with these task names the files are cert.crt and cert.key, so certs.yaml should reference /etc/certs/cert.crt and /etc/certs/cert.key):

- name: Create crt file with variable content
  copy:
    dest: "/data/traefik/certs/cert.crt"
    content: |
      {{ ssl_crt }}
    owner: root
    group: application
    mode: 0644
  when: ssl_crt is defined and ssl_crt | length > 0

- name: Create key file with variable content
  copy:
    dest: "/data/traefik/certs/cert.key"
    content: |
      {{ ssl_key }}
    owner: root
    group: application
    mode: 0600
  when: ssl_key is defined and ssl_key | length > 0

  5. Create the 2 new Github environment secrets SSL_CRT and SSL_KEY, and pass them to Ansible in the "Set variables for ansible in production environments" step in the file .github/workflows/provision.yml:

ssl_crt: ${{ secrets.SSL_CRT }}
ssl_key: ${{ secrets.SSL_KEY }}
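The three pieces of the procedure above (the certificate volume mount, the paths inside certs.yaml and the Traefik command flags) have to agree with each other, and Traefik does not fail loudly when they do not: a certs.yaml whose paths point outside the mount simply leaves Traefik serving its default self-signed certificate, and a leftover ACME flag keeps it requesting LetsEncrypt certificates. The following consistency check is an added example written for this page, not OpenCRVS code. It takes the Traefik service's volumes and command lists from the compose file plus the text of certs.yaml; the sample inputs are constructed, and the file names cert.crt and cert.key are the ones the Ansible tasks in step 4 write.

```python
"""Consistency check for the pre-existing TLS certificate setup above.

Added example for this documentation page, not OpenCRVS code. Inputs are the
Traefik service's `volumes` and `command` lists and the text of certs.yaml.
"""
import posixpath
import re
from typing import Dict, List, Optional

ACME_PREFIX = "--certificatesresolvers.certResolver.acme"


def _mount_targets(volumes: List[str]) -> Dict[str, str]:
    """Map host path -> container path for each 'host:container[:opts]' volume."""
    targets: Dict[str, str] = {}
    for spec in volumes:
        parts = spec.split(":")
        if len(parts) >= 2:
            targets[parts[0]] = parts[1]
    return targets


def _flag_value(command: List[str], name: str) -> Optional[str]:
    """Return the value of a --name=value Traefik flag, or None if absent."""
    for arg in command:
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None


def lint_static_certs(volumes: List[str], command: List[str], certs_yaml: str,
                      host_cert_dir: str = "/data/traefik/certs") -> List[str]:
    """Return findings; an empty list means mount, certs.yaml and flags agree."""
    findings: List[str] = []
    mounts = _mount_targets(volumes)

    # 1. Every certFile/keyFile in certs.yaml must sit under the container side
    #    of the certificate mount, otherwise Traefik cannot open the files.
    cert_dir_in_container = mounts.get(host_cert_dir)
    if cert_dir_in_container is None:
        findings.append(f"{host_cert_dir} is not mounted into the Traefik container")
    else:
        for path in re.findall(r"(?:certFile|keyFile):\s*(\S+)", certs_yaml):
            if posixpath.dirname(path) != cert_dir_in_container.rstrip("/"):
                findings.append(
                    f"{path} in certs.yaml is outside the mount {cert_dir_in_container}")

    # 2. certs.yaml must be mounted inside the directory the file provider watches.
    provider_dir = _flag_value(command, "--providers.file.directory")
    yaml_mounts = [c for h, c in mounts.items() if h.endswith("certs.yaml")]
    if provider_dir is None:
        findings.append("--providers.file.directory is missing; certs.yaml is never read")
    elif not yaml_mounts:
        findings.append("certs.yaml is not mounted into the Traefik container")
    elif posixpath.dirname(yaml_mounts[0]) != provider_dir.rstrip("/"):
        findings.append(f"certs.yaml is mounted at {yaml_mounts[0]}, outside {provider_dir}")

    # 3. No ACME resolver flags may remain (step 3 of the procedure above).
    for arg in command:
        if arg.startswith(ACME_PREFIX):
            findings.append(f"remove leftover ACME flag: {arg}")
    return findings


# Constructed sample: certs.yaml from step 2 using the file names written in step 4.
SAMPLE_CERTS_YAML = """
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/certs/cert.crt
        keyFile: /etc/certs/cert.key
  certificates:
    - certFile: /etc/certs/cert.crt
      keyFile: /etc/certs/cert.key
      stores:
        - default
"""
COMMON_VOLUMES = ["/var/run/docker.sock:/var/run/docker.sock",
                  "/opt/opencrvs/infrastructure/traefik/certs.yaml:/etc/traefik/certs.yaml"]
GOOD_COMMAND = ["--providers.file.directory=/etc/traefik", "--providers.file.watch=true"]
GOOD_VOLUMES = COMMON_VOLUMES + ["/data/traefik/certs:/etc/certs"]
# Broken variant: certs mounted at /certs instead of /etc/certs, ACME flag left behind.
BAD_VOLUMES = COMMON_VOLUMES + ["/data/traefik/certs:/certs"]
BAD_COMMAND = GOOD_COMMAND + [ACME_PREFIX + ".httpchallenge=true"]

if __name__ == "__main__":
    for finding in lint_static_certs(BAD_VOLUMES, BAD_COMMAND, SAMPLE_CERTS_YAML):
        print("FAIL:", finding)
    print("fixed config:", lint_static_certs(GOOD_VOLUMES, GOOD_COMMAND, SAMPLE_CERTS_YAML))
```

The broken variant reproduces the classic mistake of mounting the directory at one container path while certs.yaml refers to another; the check is deliberately strict about the directory rather than just the file name, because Traefik resolves certFile and keyFile exactly as written.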

Our Wireguard VPN is not designed for use at scale. The Wireguard VPN admin interface hosted at vpn.<your_domain> uses wg-easy. OpenCRVS accepts no responsibility for the penetration testing or security of the Wireguard VPN or wg-easy. Use at your own risk.

If you are enabling external interoperability access directly to OpenHIM, you will also need an A record for api.<your_domain>. Only add this record if you understand the Traefik whitelisting steps it requires; refer to the comments in the docker-compose files on how to whitelist OpenHIM.

Traefik config is required to be edited in the docker-compose files for your environment in order to configure the LetsEncrypt HTTPS challenge mechanism for SSL cert generation in development or QA environments; the flags are given in the LetsEncrypt HTTPS Challenge section above. Use the DNS challenge or pre-existing certificates for production and staging.

Reference: Traefik Let's Encrypt Documentation, https://doc.traefik.io/traefik/https/acme/