Transitioning an existing Aggregate installation to SSL

I have an existing ODK Aggregate instance (on Tomcat) running over HTTP that I'd like to transition to HTTPS. Is this change doable without just reinstalling Aggregate? I'm comfortable configuring Tomcat with my SSL certificate, but I'm not sure how to change Aggregate's settings to work with the new configuration.

I took a glance inside the security-properties file in the ODKAggregate-settings jar file when I was editing the server's hostname a little while ago and it seemed like there were some settings in there that might be related, but I wasn't sure whether editing those would be sufficient to make this change.

Thanks!

Please note that Aggregate is no longer being updated. We recommend you use Central instead. You can even migrate your data over if you need to keep the old data.

Before proceeding, make sure you have a verified working backup and a way to roll back to said backup.

Depending on the version of Aggregate you have, you should be able to install a newer version over the top and it'll keep your old data. That to me is the simplest way to proceed.

If you really want to proceed with transitioning to SSL without installing over the top, the rough steps are...

  1. Find ODKAggregate-settings.jar, unjar it, find security.properties and set the following. Don't change security.server.realm.realmString because it'll invalidate your passwords.

    security.server.hostname=example.com
    security.server.secureChannelType=REQUIRES_SECURE_CHANNEL
    security.server.channelType=REQUIRES_SECURE_CHANNEL
    

    Now, rejar ODKAggregate-settings.jar. Changing Aggregate IP to URL has a Bash script that does some of this. The tricky part is making sure the security.properties are in the right place when you rejar.

  2. Then you'll need to edit your Tomcat's server.xml to redirect 80 to 443. It'll look something like this.

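     <!-- Plain HTTP listener; redirectPort names the HTTPS port to send clients to -->
     <Connector port="80" protocol="HTTP/1.1"
                connectionTimeout="20000"
                URIEncoding="UTF-8"
                redirectPort="443" />
     <!-- HTTPS listener (APR/native). SSLEnabled defaults to false, so it must be set;
          scheme and secure make Tomcat report these requests as HTTPS to the webapp -->
     <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
                SSLEnabled="true" scheme="https" secure="true"
                SSLCertificateFile="/etc/acme.sh/example.com/cert.pem"
                SSLCertificateKeyFile="/etc/acme.sh/example.com/key.pem"
                SSLCertificateChainFile="/etc/acme.sh/example.com/fullchain.pem"
                URIEncoding="UTF-8" />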
    

Again, it's been a long time since I did this and I'm certainly not recommending you do it. I'm just providing the information.


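Step 1 above as an added example (not part of the original post and not ODK's own code): Python that patches security.properties inside the settings jar at the entry path it already has, so the file cannot land in the wrong place on rejar, and that leaves security.server.realm.realmString untouched. The jar returned by `build_sample_jar()` is constructed; its layout and old values are assumptions, not the real jar's.

```python
import io
import zipfile

# Settings from the post above; example.com is the post's placeholder hostname.
HTTPS_SETTINGS = {
    "security.server.hostname": "example.com",
    "security.server.secureChannelType": "REQUIRES_SECURE_CHANNEL",
    "security.server.channelType": "REQUIRES_SECURE_CHANNEL",
}

def patch_properties(text, settings):
    """Rewrite only the given keys; all other lines, realmString included, stay as-is."""
    seen, out = set(), []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()  # a commented-out key keeps its '#', so no match
        if key in settings:
            line = f"{key}={settings[key]}"
            seen.add(key)
        out.append(line)
    out.extend(f"{k}={v}" for k, v in settings.items() if k not in seen)
    return "\n".join(out) + "\n"

def rewrite_settings_jar(jar_bytes, settings, name="security.properties"):
    """Return (new_jar_bytes, entry_path) with the properties file patched in place."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    paths = [n for n in src.namelist() if n.rsplit("/", 1)[-1] == name]
    if len(paths) != 1:
        raise ValueError(f"expected exactly one {name}, found {paths}")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():  # original order, so the manifest stays first
            data = src.read(info.filename)
            if info.filename == paths[0]:
                # Java .properties files are ISO-8859-1; latin-1 round-trips every byte
                data = patch_properties(data.decode("latin-1"), settings).encode("latin-1")
            dst.writestr(info, data)  # reusing the entry keeps its path inside the jar
    return buf.getvalue(), paths[0]

def build_sample_jar():
    """Constructed stand-in for ODKAggregate-settings.jar (layout and values made up)."""
    props = ("security.server.hostname=192.0.2.10\n"
             "security.server.secureChannelType=ANY_CHANNEL\n"
             "security.server.channelType=ANY_CHANNEL\n"
             "security.server.realm.realmString=constructed realm\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("security.properties", props)
    return buf.getvalue()
```

Write the returned bytes to a new file rather than over the original jar, so the untouched jar stays available for rollback.
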
Perfect, thanks so much! I'll give this a shot.

Worked like a charm!
