3

Following OnlyOffice's help center's instructions leads to the creation of a security certificate declared as invalid by browsers, as it is self-signed.

The intention is to use OnlyOffice's server on Docker for NextCloud, which runs properly already on another server.

Currently, the certificates have been created in the directory suggested by the instructions:

```
/app/onlyoffice/DocumentServer/data/certs# ls
dhparam.pem  onlyoffice.crt  onlyoffice.csr  onlyoffice.key
```

I have followed all the given steps, and it does not work.

Is there a way to use LetsEncrypt instead of self-signed certificates?

I am not an IT management person, I am a simple developer trying to use OSS to not use Google Docs etc. Take this into consideration when providing guidance, as what you may take for granted, I may not.

jansensan

2 Answers

0

Please restart the container, the DocumentServer will switch to https config. Open the address of the DocumentServer in your browser. If that is available, it can be connected to your NextCloud instance.

ibnpetr
  • 1
    I have done that already, and HTTPS still doesn't work. Going to the IP with only HTTP shows the server running, but when using the IP with HTTPS, an error is thrown by the browser, as mentioned in the issue description. Here are the details of the error: `[IP] uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name [IP].` – jansensan Jun 09 '18 at 16:44
0

The problem that you are having is that a self-signed certificate is not trusted by anyone (anything).

You can create your own certificate using Let's Encrypt. You will either need to create a special file on your server or create a TXT record on your domain's DNS server.

Certbot Download

The following is for Linux. If you are running on Windows, try using ManuaLE (more info below).

Go to Let's Encrypt and download certbot. Then from the command line:

```
certbot certonly --manual --preferred-challenges dns -d mydomain.com
```

This command will prompt you to create a TXT record on your DNS server. After creating the record, wait a few minutes before pressing ENTER to continue.

After your SSL certificate is created, copy and rename the files to your desired location listed in your question.

Instructions for ManuaLE for Windows.

ManuaLE Download

```
manuale authorize mydomain.com
manuale issue mydomain.com
```

After your SSL certificate is created, copy and rename the files to your desired location listed in your question.

John Hanley
  • This solution worked, in combination with [Dreamhost's instructions](https://help.dreamhost.com/hc/en-us/articles/215414867-How-do-I-add-custom-DNS-records-) as I am hosting the domain elsewhere. As far as I remember, LetsEncrypt's certifications need to be renewed often, does this certbot automate this? – jansensan Jun 10 '18 at 19:37
  • Also, when copying the created certificates from `/etc/letsencrypt/live/[domain]` to `/app/onlyoffice/DocumentServer/data/certs/`, which file between `cert.pem`, `chain.pem`, and `fullchain.pem` becomes `onlyoffice.crt`? – jansensan Jun 10 '18 at 20:48
  • 1
    1) cert.pem is onlyoffice's onlyoffice.crt - This is your SSL certificate. 2) privkey.pem is onlyoffice.key - This is your Private Key. 3) You can usually ignore the other files as they are intermediate certificates. – John Hanley Jun 10 '18 at 22:49
  • Certbot cannot automate this for you as you have manually created the certificate and then copied the files to onlyoffice. You will have to either purchase an SSL certificate good for up to 27 months or set a calendar reminder to manually run certbot again to renew the certificate. Include your step by step instructions so that you won't have to remember how in three months. – John Hanley Jun 10 '18 at 22:53
  • If your browser complains about problems with certificate verification paths (or similar type of message) try fullchain.pem for onlyoffice.crt. The difference between cert.pem and fullchain.pem is that chain.pem is included (the intermediate certificate - the one higher up the food chain that verifies your cert.pem). – John Hanley Jun 10 '18 at 22:57
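
The copy-and-rename step discussed in the comments above, written down as a repeatable script. This is an added example, not part of the original answers: it installs `fullchain.pem` as `onlyoffice.crt` (the option the last comment describes) and `privkey.pem` as `onlyoffice.key`, after checking that the key matches the certificate and that the certificate has not expired. The `DOMAIN` environment variable and the function names are assumptions made for the example; the directories are the ones quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example. Directories are the ones quoted in the thread; DOMAIN is a
# hypothetical environment variable naming the certificate's domain.

# Number of certificates in a PEM file: 1 for cert.pem, 2 or more for fullchain.pem.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed only if certificate and private key carry the same public key and
# the certificate has not expired. Needs the openssl command-line tool.
check_pair() {
    local crt="$1" key="$2" a b
    a=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$key" -pubout) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ] || { echo "key does not match certificate" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
}

# install_certs LIVE_DIR DEST_DIR [CERT_FILE]
# CERT_FILE defaults to fullchain.pem; pass cert.pem to install the leaf alone.
install_certs() {
    local live="$1" dest="$2" certfile="${3:-fullchain.pem}" f
    for f in "$live/$certfile" "$live/privkey.pem"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    [ -d "$dest" ] || { echo "missing directory: $dest" >&2; return 1; }
    if [ "$certfile" = fullchain.pem ] && [ "$(count_certs "$live/$certfile")" -lt 2 ]; then
        echo "warning: $certfile holds no intermediate certificate" >&2
    fi
    # Copy under temporary names, then rename, so a half-written file is never served.
    install -m 0644 "$live/$certfile"   "$dest/onlyoffice.crt.new" &&
    install -m 0600 "$live/privkey.pem" "$dest/onlyoffice.key.new" &&
    mv "$dest/onlyoffice.crt.new" "$dest/onlyoffice.crt" &&
    mv "$dest/onlyoffice.key.new" "$dest/onlyoffice.key"
}

# Runs only when DOMAIN is set, e.g.  DOMAIN=mydomain.com ./install-certs.sh
if [ -n "${DOMAIN:-}" ]; then
    live="/etc/letsencrypt/live/$DOMAIN"
    check_pair "$live/fullchain.pem" "$live/privkey.pem" &&
    install_certs "$live" /app/onlyoffice/DocumentServer/data/certs
fi
```

Restart the container afterwards so the DocumentServer picks up the new files, as the first answer describes.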