Rename cert & key files (#245)

* New cert files default names

* Add certs travis test

* Add certificate generation

* Fix certs test

* Fix cert gen

* Fix directory mapping

* Fix https healthcheck

* Add test for old cert path

* Fix script & test

* Fix port number

* Code refactoring

* Fix old cert test

* Code refactoring

* Fix certs test names

* Remove unnecessary test
This commit is contained in:
Semyon Bezrukov 2020-04-29 19:48:33 +03:00 committed by GitHub
parent ab5637a11f
commit f6b5017b4a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 101 additions and 15 deletions

View file

@ -3,6 +3,26 @@ language: generic
dist: trusty
env:
# certificates (default tls if onlyoffice not exists)
- config: certs.yml
ssl: true
# certificates (default onlyoffice if exists)
- config: certs.yml
ssl: true
private_key: onlyoffice.key
certificate_request: onlyoffice.csr
certificate: onlyoffice.crt
# custom certificates
- config: certs-customized.yml
ssl: true
private_key: mycert.key
certificate_request: mycert.csr
certificate: mycert.crt
SSL_CERTIFICATE_PATH: /var/www/onlyoffice/Data/certs/mycert.crt
SSL_KEY_PATH: /var/www/onlyoffice/Data/certs/mycert.key
# postgresql
- config: postgres.yml

View file

@ -96,8 +96,8 @@ To secure the application via SSL basically two things are needed:
So you need to create and install the following files:
/app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
/app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
/app/onlyoffice/DocumentServer/data/certs/tls.key
/app/onlyoffice/DocumentServer/data/certs/tls.crt
When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip the following section if you are have CA certified SSL certificates.
@ -108,19 +108,19 @@ Generation of self-signed SSL certificates involves a simple 3 step procedure.
**STEP 1**: Create the server private key
```bash
openssl genrsa -out onlyoffice.key 2048
openssl genrsa -out tls.key 2048
```
**STEP 2**: Create the certificate signing request (CSR)
```bash
openssl req -new -key onlyoffice.key -out onlyoffice.csr
openssl req -new -key tls.key -out tls.csr
```
**STEP 3**: Sign the certificate using the private key and CSR
```bash
openssl x509 -req -days 365 -in onlyoffice.csr -signkey onlyoffice.key -out onlyoffice.crt
openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt
```
You have now generated an SSL certificate that's valid for 365 days.
@ -136,18 +136,18 @@ openssl dhparam -out dhparam.pem 2048
#### Installation of the SSL Certificates
Out of the four files generated above, you need to install the `onlyoffice.key`, `onlyoffice.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
Out of the four files generated above, you need to install the `tls.key`, `tls.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
The default path that the onlyoffice application is configured to look for the SSL certificates is at `/var/www/onlyoffice/Data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options.
The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/app/onlyoffice/DocumentServer/data/` and copy the files into it and as a measure of security you will update the permission on the `onlyoffice.key` file to only be readable by the owner.
The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/app/onlyoffice/DocumentServer/data/` and copy the files into it and as a measure of security you will update the permission on the `tls.key` file to only be readable by the owner.
```bash
mkdir -p /app/onlyoffice/DocumentServer/data/certs
cp onlyoffice.key /app/onlyoffice/DocumentServer/data/certs/
cp onlyoffice.crt /app/onlyoffice/DocumentServer/data/certs/
cp tls.key /app/onlyoffice/DocumentServer/data/certs/
cp tls.crt /app/onlyoffice/DocumentServer/data/certs/
cp dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key
```
You are now just one step away from having our application secured.
@ -160,8 +160,8 @@ Below is the complete list of parameters that can be set using environment varia
- **ONLYOFFICE_HTTPS_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`.
- **ONLYOFFICE_HTTPS_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the onlyoffice nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.
- **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.crt`.
- **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.key`.
- **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/tls.crt`.
- **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/tls.key`.
- **SSL_DHPARAM_PATH**: The path to the Diffie-Hellman parameter. Defaults to `/var/www/onlyoffice/Data/certs/dhparam.pem`.
- **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `CA_CERTIFICATES_PATH` file. Defaults to `false`
- **DB_TYPE**: The database type. Supported values are `postgres`, `mariadb` or `mysql`. Defaults to `postgres`.

View file

@ -16,8 +16,16 @@ ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost}
ONLYOFFICE_DATA_CONTAINER_PORT=80
SSL_CERTIFICATES_DIR="${DATA_DIR}/certs"
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.crt}
SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.key}
if [[ -z $SSL_CERTIFICATE_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/onlyoffice.crt ]]; then
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATES_DIR}/onlyoffice.crt
else
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/tls.crt}
fi
if [[ -z $SSL_KEY_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/onlyoffice.key ]]; then
SSL_KEY_PATH=${SSL_CERTIFICATES_DIR}/onlyoffice.key
else
SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/tls.key}
fi
CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certificates.pem}
SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem}
SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}

View file

@ -0,0 +1,18 @@
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
build:
context: ../.
environment:
- SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-/var/www/onlyoffice/Data/certs/tls.crt}
- SSL_KEY_PATH=${SSL_KEY_PATH:-/var/www/onlyoffice/Data/certs/tls.key}
- CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-/var/www/onlyoffice/Data/certs/ca-certificates.pem}
- SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-/var/www/onlyoffice/Data/certs/dhparam.pem}
stdin_open: true
restart: always
ports:
- '80:80'
- '443:443'
volumes:
- ./data:/var/www/onlyoffice/Data

13
tests/certs.yml Normal file
View file

@ -0,0 +1,13 @@
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
build:
context: ../.
stdin_open: true
restart: always
ports:
- '80:80'
- '443:443'
volumes:
- ./data:/var/www/onlyoffice/Data

View file

@ -1,5 +1,32 @@
#!/bin/bash
ssl=${ssl:-false}
private_key=${private_key:-tls.key}
certificate_request=${certificate_request:-tls.csr}
certificate=${certificate:-tls.crt}
# Generate certificate
if [[ $ssl == "true" ]]; then
url=${url:-"https://localhost"}
mkdir -p data/certs
pushd data/certs
openssl genrsa -out ${private_key} 2048
openssl req \
-new \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-key ${private_key} \
-out ${certificate_request}
openssl x509 -req -days 365 -in ${certificate_request} -signkey ${private_key} -out ${certificate}
openssl dhparam -out dhparam.pem 2048
chmod 400 ${private_key}
popd
else
url=${url:-"http://localhost"}
fi
# Check if the yml exists
if [[ ! -f $config ]]; then
echo "File $config doesn't exist!"
@ -14,7 +41,7 @@ wakeup_timeout=30
# Get documentserver healthcheck status
echo "Wait for service wake up"
sleep $wakeup_timeout
healthcheck_res=$(wget --no-check-certificate -qO - localhost/healthcheck)
healthcheck_res=$(wget --no-check-certificate -qO - ${url}/healthcheck)
# Fail if it isn't true
if [[ $healthcheck_res == "true" ]]; then