I have spent several weeks trying out Let's Encrypt to set up SSL on a DHIS2 instance, but nothing has worked. Lastly, I have procured SSL and verified the domains with a CNAME record, yet I am unable to serve the DHIS2 instance over SSL.
Kindly note that I have both a database server and an app server on different subnets, with a public IP for the main domain.
Please could anyone share his notes on how to set up this activity?
Your explanation about the IPs is also a bit confusing. You only need one certificate, which will be used to encrypt the HTTP connections. Therefore only the webserver (nginx / Apache) needs to be set up with a certificate.
I don’t think you have followed the steps correctly. You are missing the redirection HTTP->HTTPS. However, I am not sure how Apache works, as I am more used to working with nginx. Maybe @bobj or someone else from the CoP can provide some help here.
I have followed all the steps to the best of my ability. The issue is that SSL is successfully deployed. I am able to access the default Apache page with HTTPS.
In default-ssl.conf, the DocumentRoot is /var/www/html.
When I change the DocumentRoot to /home/dhis/tomcat-dhis/webapps/ROOT, I receive the error below:
forbidden you don’t have permission to access this resource. apache/2.4.29 (ubuntu) server at xx.com port 443
From your pictures it seems you have properly set up DHIS2 (meaning your Tomcat is listening on port 80). I am assuming that port, considering that you put that URL in the browser without any port and DHIS2 is presented.
You don’t have to change the DocumentRoot to that specific directory in your Apache config. You are setting Apache up as a web proxy, which means telling Apache to receive the HTTP(S) connections and forward them to Tomcat.
So, your (probably) missing steps are:
1. Setting the SSL certificates. It seems you have this right.
2. Telling Apache to forward your HTTP connections to HTTPS. This I cannot guess from the pictures.
3. Telling Apache to forward your incoming HTTPS connections to Tomcat (search for example configurations with ProxyPass).
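
The three steps listed in the reply above, as an added Apache 2.4 configuration example that is not part of the original thread. The hostname `dhis2.example.org`, the certificate paths, and the Tomcat address `127.0.0.1:8080` are assumptions: Apache needs ports 80 and 443 for itself, so Tomcat is assumed to have been moved off port 80 and bound to the loopback interface.

```apache
# Added example. Hostname, file paths and the Tomcat port are placeholders.
# Modules needed on Ubuntu: a2enmod ssl proxy proxy_http headers

# Step 2: port 80 serves nothing itself, it only redirects to HTTPS.
<VirtualHost *:80>
    ServerName dhis2.example.org
    Redirect permanent / https://dhis2.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName dhis2.example.org

    # Step 1: the certificate lives only on the web server.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/dhis2.example.org.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/dhis2.example.org.key

    # Step 3: reverse proxy to Tomcat. There is no DocumentRoot pointing at
    # Tomcat's webapps directory; Apache never reads those files from disk,
    # which is why doing so produced the "Forbidden" response.
    # Keep Apache from acting as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    # Tell the backend that the original request arrived over HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Optional: uncomment once HTTPS is confirmed working, so browsers
    # refuse to fall back to plain HTTP for this host.
    # Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Run `apachectl configtest` before reloading Apache, and keep the Tomcat connector bound to the loopback address so the unencrypted backend port is not reachable from other hosts.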