My first exploration of OnlyOffice has been a bit rocky, mostly because I've been working in my test environment where I have HTTPS configured via a custom Certificate Authority. (I'm running step-ca if you've heard of it.)
Here's my setup:
* Local DNS is provided by an instance of DNSMasq.
* HAProxy in front of OwnCloud and OnlyOffice.
* SSL certs provided by my Step-CA instance are handled by HAProxy. SSL is terminated by HAProxy.
* OwnCloud and OnlyOffice are in docker-compose based containers.
* OwnCloud is running the owncloud/server:10.7 image.
* OnlyOffice is running the onlyoffice/documentserver:latest image.
My normal route to getting my CA trusted is to update the image/OS with the intermediate and root certs. When that didn't work, I did some searching. It seems that NodeJS has its own trusted cert store, rather than using what the OS provides. The Stack Overflow answer that info is from is kinda old, so I'm not 100% sure on this...
I was initially only looking at the owncloud/onlyoffice docker project's readme. So I ended up spinning my wheels a bit until I finally was pointed at the official docker image readme: https://github.com/ONLYOFFICE/Docker-DocumentServer
Once I read that, I figured out how to get my setup working by setting these environment variables on the OnlyOffice container:
SSL_VERIFY_CLIENT=false
JWT_ENABLED=true
USE_UNAUTHORIZED_STORAGE=true
JWT_SECRET=secret
Ultimately, I should be able to turn USE_UNAUTHORIZED_STORAGE to false in production when I'm using Let's Encrypt. Right?
(Um, is the client that SSL_VERIFY_CLIENT references the OwnCloud server, or the user's browser? Since it defaults to false, I'm guessing I don't need to set that, but I'm wondering if I should want to set it to true in production...)
But I'd still rather have as few differences between test and production as I can.
So is there a way to add my custom CA to the list that OnlyOffice trusts?
This also would be needed by any organization that runs their own CA for internal apps so that they can limit outside access as much as possible.
Thanks in advance.
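
An added example, not part of the original post: the trust failure described above, reproduced offline with a throwaway root, intermediate and server certificate, showing which trust inputs make the chain validate. The CA names and the hostname office.example.test are constructed placeholders, and the script assumes the openssl CLI is installed.

```bash
#!/usr/bin/env bash
# Constructed demo: every key, name and certificate is a throwaway generated here.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> server certificate, a private-CA style hierarchy.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -days 1 -out "$WORK/int.crt" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=office.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null || return 1
}

# verify_leaf <trust-args...>: succeeds only if leaf.crt chains to a trusted root.
verify_leaf() {
  openssl verify "$@" "$WORK/leaf.crt" >/dev/null 2>&1
}

# report <label> <trust-args...>: print the verdict for one trust configuration.
report() {
  local label="$1"; shift
  if verify_leaf "$@"; then echo "$label: trusted"; else echo "$label: REJECTED"; fi
}

make_chain || { echo "openssl failed to build the demo chain" >&2; exit 1; }

# A client that only knows its default roots rejects the chain even when the
# server sends the intermediate along with the server certificate.
report "default roots only, intermediate sent" -untrusted "$WORK/int.crt"

# Trusting the private root is not enough if nobody supplies the intermediate.
report "private root trusted, intermediate missing" -CAfile "$WORK/root.crt"

# Private root trusted and intermediate supplied: the chain validates.
report "private root trusted, intermediate sent" \
  -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt"
```

Only the last configuration reports the chain as trusted, which is the state a TLS client has to reach before certificate verification can stay switched on.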