HSTS and self-signed certificates

mmccarn
Posts: 2
Joined: Tue Nov 19, 2019 11:29 am

HSTS and self-signed certificates

Post by mmccarn » Tue Nov 19, 2019 11:37 am

Problem:
- Recent updates to Firefox and Chrome seem to block access to the onlyoffice community server with SSL enabled using a self-signed certificate
- The onlyoffice help center provides a list of runtime options, one of which can be used to disable HSTS (ONLYOFFICE_HTTPS_HSTS_ENABLED=false)
- The automatic installation script provided for easy installation, configuration, and updating of onlyoffice (opensource-install.sh / search for "wget") does not provide any documented method for using custom docker parameters.

Solutions:
1) Manual install
Presumably (untested) I could switch from managing and updating my onlyoffice using opensource-install.sh to doing it manually, then add the setting for HSTS in my docker run command:
https://github.com/ONLYOFFICE/Docker-CommunityServer#installing-community-server wrote:

sudo docker run --net onlyoffice -i -t -d --restart=always --name onlyoffice-community-server -p 80:80 -p 443:443 -p 5222:5222 \
-e MYSQL_SERVER_ROOT_PASSWORD=my-secret-pw \
-e MYSQL_SERVER_DB_NAME=onlyoffice \
-e MYSQL_SERVER_HOST=onlyoffice-mysql-server \
-e MYSQL_SERVER_USER=onlyoffice_user \
-e MYSQL_SERVER_PASS=onlyoffice_pass \
-e ONLYOFFICE_HTTPS_HSTS_ENABLED=false \
-v /app/onlyoffice/CommunityServer/data:/var/www/onlyoffice/Data \
-v /app/onlyoffice/CommunityServer/logs:/var/log/onlyoffice \
onlyoffice/communityserver

2) Using opensource-install.sh
I found I could disable HSTS by adding the new setting to /etc/environment (Ubuntu 18.04) and rebooting the server.
(I *also* had to clear my recent Firefox browser history before the change was recognized.)


# the ">>" redirection in "sudo echo ... >> /etc/environment" runs as the
# unprivileged user, so append through "sudo tee -a" instead
echo ONLYOFFICE_HTTPS_HSTS_ENABLED=false | sudo tee -a /etc/environment
sudo reboot
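The /etc/environment step above, as an added example that is not code from the original post or from the ONLYOFFICE project: a small script that writes the setting idempotently (a re-run replaces the existing line instead of appending a duplicate) and reads it back so the change can be verified before rebooting. It assumes the file uses plain KEY=VALUE lines, as /etc/environment does on Ubuntu; the demo at the bottom runs on a constructed scratch file, not the real one.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the ONLYOFFICE project.
# set_env_var FILE KEY VALUE writes KEY=VALUE into an /etc/environment-style
# file exactly once: an existing line for KEY is replaced, nothing else changes.
set -eu

set_env_var() {
    local file="$1" key="$2" value="$3" tmp
    # only plain variable names are accepted, so KEY is safe in the grep pattern
    case "$key" in
        ''|*[!A-Za-z0-9_]*) echo "refusing invalid variable name: $key" >&2; return 1 ;;
    esac
    tmp="$(mktemp)"
    # keep every line except a previous assignment of this key (grep -v exits 1
    # when it filters out all lines, which is not an error here)
    if [ -f "$file" ]; then
        grep -v "^${key}=" "$file" > "$tmp" || true
    fi
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    # write through cat so the target keeps its owner and mode (root:root 0644)
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_env_var FILE KEY prints the value currently assigned to KEY (empty if unset)
get_env_var() {
    local file="$1" key="$2"
    grep "^${key}=" "$file" | tail -n 1 | cut -d= -f2-
}

# Demo on a constructed scratch copy, not on the real /etc/environment:
demo="$(mktemp)"
printf 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"\n' > "$demo"
set_env_var "$demo" ONLYOFFICE_HTTPS_HSTS_ENABLED false
set_env_var "$demo" ONLYOFFICE_HTTPS_HSTS_ENABLED false   # second call: still one line
echo "HSTS setting now: $(get_env_var "$demo" ONLYOFFICE_HTTPS_HSTS_ENABLED)"
cat "$demo"
rm -f "$demo"
```

To change the real file, run the function as root (for example under `sudo bash`), because the file write itself needs root and, as with `sudo echo ... >>`, a redirection outside sudo runs as the calling user.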

Carl
Posts: 221
Joined: Thu Apr 12, 2018 10:00 am

Re: HSTS and self-signed certificates

Post by Carl » Tue Nov 26, 2019 9:13 am

Hello,

Thank you for the information.

Please note that we strongly recommend avoiding self-signed certificates. The better option is to obtain free Let's Encrypt certificates.

mmccarn
Posts: 2
Joined: Tue Nov 19, 2019 11:29 am

Re: HSTS and self-signed certificates

Post by mmccarn » Tue Nov 26, 2019 11:05 am

Thanks; yes - a "real" certificate would be better.

In my defense, public access to my onlyoffice server is protected by a separate apache proxy server that does, indeed, have a valid letsencrypt certificate. OnlyOffice worked perfectly (for me) before a recent Firefox update - as long as I was not at home. Overriding HSTS was simpler for my daily routine, with my particular network configuration, than switching from Firefox to Safari, tethering my laptop to my cell phone for my daily operational tests, developing a script to pass the letsencrypt cert from the proxy server to onlyoffice, or updating the port forwarding settings on my firewall every 90 days to let me update a letsencrypt cert on the onlyoffice server directly.
