Rename cert & key files (#245)
* New cert files default names * Add certs travis test * Add certificate generation * Fix certs test * Fix cert gen * Fix directory mapping * Fix https healthcheck * Add test for old cert path * Fix script & test * Fix port number * Code refactoring * Fix old cert test * Code refactoring * Fix certs test names * Remove unnecessary test
This commit is contained in:
parent
ab5637a11f
commit
f6b5017b4a
20
.travis.yml
20
.travis.yml
|
@ -3,6 +3,26 @@ language: generic
|
||||||
dist: trusty
|
dist: trusty
|
||||||
|
|
||||||
env:
|
env:
|
||||||
|
# certificates (default tls if onlyoffice not exists)
|
||||||
|
- config: certs.yml
|
||||||
|
ssl: true
|
||||||
|
|
||||||
|
# certificates (default onlyoffice if exists)
|
||||||
|
- config: certs.yml
|
||||||
|
ssl: true
|
||||||
|
private_key: onlyoffice.key
|
||||||
|
certificate_request: onlyoffice.csr
|
||||||
|
certificate: onlyoffice.crt
|
||||||
|
|
||||||
|
# custom certificates
|
||||||
|
- config: certs-customized.yml
|
||||||
|
ssl: true
|
||||||
|
private_key: mycert.key
|
||||||
|
certificate_request: mycert.csr
|
||||||
|
certificate: mycert.crt
|
||||||
|
SSL_CERTIFICATE_PATH: /var/www/onlyoffice/Data/certs/mycert.crt
|
||||||
|
SSL_KEY_PATH: /var/www/onlyoffice/Data/certs/mycert.key
|
||||||
|
|
||||||
# postgresql
|
# postgresql
|
||||||
- config: postgres.yml
|
- config: postgres.yml
|
||||||
|
|
||||||
|
|
24
README.md
24
README.md
|
@ -96,8 +96,8 @@ To secure the application via SSL basically two things are needed:
|
||||||
|
|
||||||
So you need to create and install the following files:
|
So you need to create and install the following files:
|
||||||
|
|
||||||
/app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
|
/app/onlyoffice/DocumentServer/data/certs/tls.key
|
||||||
/app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
|
/app/onlyoffice/DocumentServer/data/certs/tls.crt
|
||||||
|
|
||||||
When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip the following section if you are have CA certified SSL certificates.
|
When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip the following section if you are have CA certified SSL certificates.
|
||||||
|
|
||||||
|
@ -108,19 +108,19 @@ Generation of self-signed SSL certificates involves a simple 3 step procedure.
|
||||||
**STEP 1**: Create the server private key
|
**STEP 1**: Create the server private key
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
openssl genrsa -out onlyoffice.key 2048
|
openssl genrsa -out tls.key 2048
|
||||||
```
|
```
|
||||||
|
|
||||||
**STEP 2**: Create the certificate signing request (CSR)
|
**STEP 2**: Create the certificate signing request (CSR)
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
openssl req -new -key onlyoffice.key -out onlyoffice.csr
|
openssl req -new -key tls.key -out tls.csr
|
||||||
```
|
```
|
||||||
|
|
||||||
**STEP 3**: Sign the certificate using the private key and CSR
|
**STEP 3**: Sign the certificate using the private key and CSR
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
openssl x509 -req -days 365 -in onlyoffice.csr -signkey onlyoffice.key -out onlyoffice.crt
|
openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt
|
||||||
```
|
```
|
||||||
|
|
||||||
You have now generated an SSL certificate that's valid for 365 days.
|
You have now generated an SSL certificate that's valid for 365 days.
|
||||||
|
@ -136,18 +136,18 @@ openssl dhparam -out dhparam.pem 2048
|
||||||
|
|
||||||
#### Installation of the SSL Certificates
|
#### Installation of the SSL Certificates
|
||||||
|
|
||||||
Out of the four files generated above, you need to install the `onlyoffice.key`, `onlyoffice.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
|
Out of the four files generated above, you need to install the `tls.key`, `tls.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
|
||||||
|
|
||||||
The default path that the onlyoffice application is configured to look for the SSL certificates is at `/var/www/onlyoffice/Data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options.
|
The default path that the onlyoffice application is configured to look for the SSL certificates is at `/var/www/onlyoffice/Data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options.
|
||||||
|
|
||||||
The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/app/onlyoffice/DocumentServer/data/` and copy the files into it and as a measure of security you will update the permission on the `onlyoffice.key` file to only be readable by the owner.
|
The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/app/onlyoffice/DocumentServer/data/` and copy the files into it and as a measure of security you will update the permission on the `tls.key` file to only be readable by the owner.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
mkdir -p /app/onlyoffice/DocumentServer/data/certs
|
mkdir -p /app/onlyoffice/DocumentServer/data/certs
|
||||||
cp onlyoffice.key /app/onlyoffice/DocumentServer/data/certs/
|
cp tls.key /app/onlyoffice/DocumentServer/data/certs/
|
||||||
cp onlyoffice.crt /app/onlyoffice/DocumentServer/data/certs/
|
cp tls.crt /app/onlyoffice/DocumentServer/data/certs/
|
||||||
cp dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
|
cp dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
|
||||||
chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
|
chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key
|
||||||
```
|
```
|
||||||
|
|
||||||
You are now just one step away from having our application secured.
|
You are now just one step away from having our application secured.
|
||||||
|
@ -160,8 +160,8 @@ Below is the complete list of parameters that can be set using environment varia
|
||||||
|
|
||||||
- **ONLYOFFICE_HTTPS_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`.
|
- **ONLYOFFICE_HTTPS_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`.
|
||||||
- **ONLYOFFICE_HTTPS_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the onlyoffice nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.
|
- **ONLYOFFICE_HTTPS_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the onlyoffice nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.
|
||||||
- **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.crt`.
|
- **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/tls.crt`.
|
||||||
- **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.key`.
|
- **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/tls.key`.
|
||||||
- **SSL_DHPARAM_PATH**: The path to the Diffie-Hellman parameter. Defaults to `/var/www/onlyoffice/Data/certs/dhparam.pem`.
|
- **SSL_DHPARAM_PATH**: The path to the Diffie-Hellman parameter. Defaults to `/var/www/onlyoffice/Data/certs/dhparam.pem`.
|
||||||
- **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `CA_CERTIFICATES_PATH` file. Defaults to `false`
|
- **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `CA_CERTIFICATES_PATH` file. Defaults to `false`
|
||||||
- **DB_TYPE**: The database type. Supported values are `postgres`, `mariadb` or `mysql`. Defaults to `postgres`.
|
- **DB_TYPE**: The database type. Supported values are `postgres`, `mariadb` or `mysql`. Defaults to `postgres`.
|
||||||
|
|
|
@ -16,8 +16,16 @@ ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost}
|
||||||
ONLYOFFICE_DATA_CONTAINER_PORT=80
|
ONLYOFFICE_DATA_CONTAINER_PORT=80
|
||||||
|
|
||||||
SSL_CERTIFICATES_DIR="${DATA_DIR}/certs"
|
SSL_CERTIFICATES_DIR="${DATA_DIR}/certs"
|
||||||
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.crt}
|
if [[ -z $SSL_CERTIFICATE_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/onlyoffice.crt ]]; then
|
||||||
SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.key}
|
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATES_DIR}/onlyoffice.crt
|
||||||
|
else
|
||||||
|
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/tls.crt}
|
||||||
|
fi
|
||||||
|
if [[ -z $SSL_KEY_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/onlyoffice.key ]]; then
|
||||||
|
SSL_KEY_PATH=${SSL_CERTIFICATES_DIR}/onlyoffice.key
|
||||||
|
else
|
||||||
|
SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/tls.key}
|
||||||
|
fi
|
||||||
CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certificates.pem}
|
CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certificates.pem}
|
||||||
SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem}
|
SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem}
|
||||||
SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}
|
SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}
|
||||||
|
|
18
tests/certs-customized.yml
Normal file
18
tests/certs-customized.yml
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
version: '2.1'
|
||||||
|
services:
|
||||||
|
onlyoffice-documentserver:
|
||||||
|
container_name: onlyoffice-documentserver
|
||||||
|
build:
|
||||||
|
context: ../.
|
||||||
|
environment:
|
||||||
|
- SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-/var/www/onlyoffice/Data/certs/tls.crt}
|
||||||
|
- SSL_KEY_PATH=${SSL_KEY_PATH:-/var/www/onlyoffice/Data/certs/tls.key}
|
||||||
|
- CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-/var/www/onlyoffice/Data/certs/ca-certificates.pem}
|
||||||
|
- SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-/var/www/onlyoffice/Data/certs/dhparam.pem}
|
||||||
|
stdin_open: true
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- '80:80'
|
||||||
|
- '443:443'
|
||||||
|
volumes:
|
||||||
|
- ./data:/var/www/onlyoffice/Data
|
13
tests/certs.yml
Normal file
13
tests/certs.yml
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
version: '2.1'
|
||||||
|
services:
|
||||||
|
onlyoffice-documentserver:
|
||||||
|
container_name: onlyoffice-documentserver
|
||||||
|
build:
|
||||||
|
context: ../.
|
||||||
|
stdin_open: true
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- '80:80'
|
||||||
|
- '443:443'
|
||||||
|
volumes:
|
||||||
|
- ./data:/var/www/onlyoffice/Data
|
|
@ -1,5 +1,32 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
ssl=${ssl:-false}
|
||||||
|
private_key=${private_key:-tls.key}
|
||||||
|
certificate_request=${certificate_request:-tls.csr}
|
||||||
|
certificate=${certificate:-tls.crt}
|
||||||
|
|
||||||
|
# Generate certificate
|
||||||
|
if [[ $ssl == "true" ]]; then
|
||||||
|
url=${url:-"https://localhost"}
|
||||||
|
|
||||||
|
mkdir -p data/certs
|
||||||
|
pushd data/certs
|
||||||
|
|
||||||
|
openssl genrsa -out ${private_key} 2048
|
||||||
|
openssl req \
|
||||||
|
-new \
|
||||||
|
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
|
||||||
|
-key ${private_key} \
|
||||||
|
-out ${certificate_request}
|
||||||
|
openssl x509 -req -days 365 -in ${certificate_request} -signkey ${private_key} -out ${certificate}
|
||||||
|
openssl dhparam -out dhparam.pem 2048
|
||||||
|
chmod 400 ${private_key}
|
||||||
|
|
||||||
|
popd
|
||||||
|
else
|
||||||
|
url=${url:-"http://localhost"}
|
||||||
|
fi
|
||||||
|
|
||||||
# Check if the yml exists
|
# Check if the yml exists
|
||||||
if [[ ! -f $config ]]; then
|
if [[ ! -f $config ]]; then
|
||||||
echo "File $config doesn't exist!"
|
echo "File $config doesn't exist!"
|
||||||
|
@ -14,7 +41,7 @@ wakeup_timeout=30
|
||||||
# Get documentserver healthcheck status
|
# Get documentserver healthcheck status
|
||||||
echo "Wait for service wake up"
|
echo "Wait for service wake up"
|
||||||
sleep $wakeup_timeout
|
sleep $wakeup_timeout
|
||||||
healthcheck_res=$(wget --no-check-certificate -qO - localhost/healthcheck)
|
healthcheck_res=$(wget --no-check-certificate -qO - ${url}/healthcheck)
|
||||||
|
|
||||||
# Fail if it isn't true
|
# Fail if it isn't true
|
||||||
if [[ $healthcheck_res == "true" ]]; then
|
if [[ $healthcheck_res == "true" ]]; then
|
||||||
|
|
Loading…
Reference in a new issue