Florian Wallner

Originally published at blog.wallner.dev

Setup ONLYOFFICE Document Server with Let's Encrypt

I am running an ONLYOFFICE Document Server inside a Docker container. The documentation for the Docker installation covers only the setup with a self-signed certificate. In this post I describe the whole process for the setup with an SSL certificate from Let's Encrypt.

I am assuming that docker is installed and no other service is running on port 80 or 443.

Setup Let's Encrypt

To secure the application via SSL, get a certificate from Let's Encrypt using the Certbot ACME client. Follow the instructions to install certbot. After the installation we use the standalone mode to get a certificate (because no webserver is running on port 80).

certbot certonly --standalone

Installing Document Server for Docker

With the following command we create and run a Document Server container.

docker run -i -t -d -p 443:443 --restart=always \
    -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice  \
    -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data  \
    -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \
    -v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql \
    --env JWT_ENABLED=true \
    --env JWT_SECRET=secret \
    --name onlyoffice-ds \
onlyoffice/documentserver

Port 443 for https is exposed with the -p option.

It is recommended that you store the data outside the Docker container on the host machine as it allows you to easily update Document Server once the new version is released without losing your data. Therefore we mount the volumes with the -v option.

I recommend setting the JWT_ENABLED and JWT_SECRET environment variables, so that the Document Server can be accessed only with the secret. Replace the placeholder value secret with a long random string of your own.

Putting it together

By default, the Document Server looks for the SSL certificate at /var/www/onlyoffice/Data/certs/onlyoffice.crt and for the SSL certificate private key at /var/www/onlyoffice/Data/certs/onlyoffice.key. These paths can be changed with the SSL_CERTIFICATE_PATH and SSL_KEY_PATH environment variables, but we use the defaults.

We therefore copy the files into that folder and, as a security measure, set the permissions on the onlyoffice.key file so that it is readable only by its owner. Replace example.com with your domain.

cp /etc/letsencrypt/live/example.com/privkey.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
cp /etc/letsencrypt/live/example.com/fullchain.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key

Then restart the Docker container:

docker restart onlyoffice-ds

The files need to be copied after each renewal. To automate this, we use a post hook by creating the shell script /etc/letsencrypt/renewal-hooks/post/onlyoffice.sh. Replace example.com with your domain.

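#!/bin/sh
# Copy the renewed key and certificate to the paths the Document Server reads.
cp /etc/letsencrypt/live/example.com/privkey.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
cp /etc/letsencrypt/live/example.com/fullchain.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
# Keep the private key readable by its owner only.
chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
# Restart the container so it serves the renewed certificate.
docker restart onlyoffice-ds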
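
A more defensive variant of the renewal hook described above, as an added example that is not part of the original post: it installs each file through a temporary file that is never more permissive than 0600, swaps it into place atomically, and restarts the container only when the key or certificate actually changed. The paths and container name are the ones used in the post; the LIVE_DIR, CERT_DIR and CONTAINER variables and the install_file, sync_certs and main functions are names introduced here.

```shell
#!/bin/sh
# Added example: idempotent certbot hook for the ONLYOFFICE container.
# Defaults are the paths and container name used in the post.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.com}"
CERT_DIR="${CERT_DIR:-/app/onlyoffice/DocumentServer/data/certs}"
CONTAINER="${CONTAINER:-onlyoffice-ds}"

# install_file SRC DST MODE
# Returns 0 if DST was replaced, 1 if it already matched SRC, 2 on error.
install_file() {
    src=$1 dst=$2 mode=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        chmod "$mode" "$dst" || return 2    # repair permission drift
        return 1
    fi
    # mktemp creates the file with mode 0600, so the key is never exposed
    # with looser permissions; mv then swaps it into place atomically.
    tmp=$(mktemp "$dst.XXXXXX") || return 2
    if cat "$src" > "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# sync_certs: returns 0 if a file changed, 1 if nothing changed, 2 on error.
sync_certs() {
    changed=1
    mkdir -p "$CERT_DIR" || return 2
    st=0; install_file "$LIVE_DIR/privkey.pem" "$CERT_DIR/onlyoffice.key" 400 || st=$?
    case $st in 0) changed=0 ;; 2) return 2 ;; esac
    st=0; install_file "$LIVE_DIR/fullchain.pem" "$CERT_DIR/onlyoffice.crt" 644 || st=$?
    case $st in 0) changed=0 ;; 2) return 2 ;; esac
    return "$changed"
}

main() {
    result=0; sync_certs || result=$?
    case $result in
        0) docker restart "$CONTAINER" ;;
        1) echo "certificate unchanged, $CONTAINER left running" ;;
        *) echo "certificate sync failed" >&2; return 1 ;;
    esac
}

# Run only when installed under the hook name used in the post, so the
# functions can be sourced and exercised without touching Docker.
case "$0" in *onlyoffice.sh) main ;; esac
```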

Top comments (2)

John Rallis

You don't need any certbot post-script. Just use symlinks

ln -s /etc/letsencrypt/live/example.com/privkey.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
ln -s /etc/letsencrypt/live/example.com/fullchain.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt

Alexander Hörl

Can I expose a different port on my host machine while still using HTTPS? For example with the p flag set like this 4149:443?
I've tried doing so but it doesn't seem to work.

Also when running the document server behind an nginx virtual host for binding it to a domain, do I need to specify the certificates with the document server or can I just use them with the virtual host, leaving the document server running on port 80?
