3. Secure Apache httpd

The SSL protocol provides for a secure channel of communication between the user’s browser and the Open OnDemand portal. It is recommended that you secure your Apache server by adding these configurations.


Open OnDemand expects secure (https) traffic by default. If you do not add SSL to your Apache server you will have to follow FIXME-LINK-NEEDED to enable some (if not most) functionality.

This is not recommended as someone on your network could see your traffic in plain text, including passwords.


  • A server name that points to the Open OnDemand server (ondemand.my_center.edu). I.e., nslookup ondemand.my_center.edu resolves to your instance.

  • signed SSL certificates with possible intermediate certificates


Let’s Encrypt is a great option to obtain a free SSL certificate. You can read more about it in their Getting Started documentation.

In this example we assume the following certificates are provided:

Public certificate


Private key


Intermediate certificate


1. Edit the Open OnDemand Portal ood_portal.yml file

/etc/ood/config/ood_portal.yml as such:

# /etc/ood/config/ood_portal.yml

# ...

servername: ondemand.my_center.edu
  - 'SSLCertificateFile "/etc/pki/tls/certs/ondemand.my_center.edu.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/ondemand.my_center.edu.key"'
  - 'SSLCertificateChainFile "/etc/pki/tls/certs/ondemand.my_center.edu-interm.crt"'


For documentation on SSL directives please see: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

2. Update CA (Dex Users only)

Dex users may encounter issues with SSL certificates like:

remote error: tls: unknown certificate authority

If this is the case, you need to ensure that their certificate authority (CA) is in the system trust store and that your CA certificates are up to date.

First, try updating your CA certificates. This could especially happen when you have a Let’s Encrypt and your machine does not know about that certificate authority.

sudo yum update ca-certificates

If you’re still having issues, copy your certificate authority (examples could be fullchain.pem) to your trust store. replace CA CERT location with the actual certificate authority you’re using and run these commands to copy it to the appropriate place.

sudo cp <CA CERT location> /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

3. Restart the Apache service for the changes take effect.

Restart the Apache service for the changes take effect.

Now when you browse to your OnDemand portal at:


it should redirect you to the HTTP over SSL protocol deployment:


where depending on your browser, should display a green lock of some kind to indicate that the site is secure.