Is it possible to add a custom Certificate Authority to the list that OnlyOffice/NodeJS trust?

[jerrac]

Hey all,

My first exploration of OnlyOffice has been a bit rocky. Mostly because I've been working in my test environment where I have https configured via a custom Certificate Authority. (I'm running step-ca if you've heard of it.)

Here's my setup:

* Local DNS is provided by an instance of DNSMasq.
* HAProxy in front of OwnCloud and OnlyOffice.
* SSL certs provided by my Step-CA instance are handled by HAProxy. SSL is terminated by HAProxy.
* OwnCloud and OnlyOffice are in docker-compose based containers.
* OwnCloud is running the owncloud/server:10.7 image.
* OnlyOffice is running the onlyoffice/documentserver:latest image.

My normal route to getting my CA trusted is to update the image/OS with the intermediate and root certs. When that didn't work, I did some searching. It seems that NodeJS has its own trusted cert store, rather than use what the OS provides. The Stack Overflow answer that info is from is kinda old, so I'm not 100% sure on this...

I was initially only looking at the owncloud/onlyoffice docker project's readme. So I ended up spinning my wheels a bit until I finally was pointed at the official docker image readme. https://github.com/ONLYOFFICE/Docker-DocumentServer Once I read that, I figured out how to get my set up working by setting these environment variables on the OnlyOffice container:

Code: Select all

SSL_VERIFY_CLIENT=false
JWT_ENABLED=true
USE_UNAUTHORIZED_STORAGE=true
JWT_SECRET=secret

I did see the SSL_CERTIFICATE_PATH variable in the readme. But if I'm reading the run-document-server.sh script correctly, that's only used to configure https on the OnlyOffice container itself. Which doesn't help me when my https is configured by HAProxy.

Ultimately, I should be able to turn USE_UNAUTHORIZED_STORAGE to false in production when I'm using Lets Encrypt. Right?

(Um, is the client the SSL_VERIFY_CLIENT references the OwnCloud server, or the user's browser? Since it defaults to false, I'm guessing I don't need to set that, but I'm wondering if I should want to set it to true in production...)

But I'd still rather have as few differences between test and production as I can.

So is there a way to add my custom CA to the list that OnlyOffice trusts?

This also would be needed by any organization that runs their own CA for internal apps so that they can limit outside access as much as possible.

Thanks in advance.

[Carl]

Hello jerrac,

Ultimately, I should be able to turn USE_UNAUTHORIZED_STORAGE to false in production when I'm using Lets Encrypt. Right?

Yes, this is right. USE _UNAUTHORIZED_STORAGE=false will disable certificate verification by the Document Server.

As for adding custom CA to NodeJS bundle, it is impossible because NodeJS uses its own hardcoded and manually compiled CA bundle. But you can switch to OpenSSL's CA bundle:

1. Copy your certificate to the folder /usr/local/share/ca-certificates/ inside the Document Server container.
2. Run update-ca-certificates
3. Make sure the certificated was added to the bundle in /etc/ssl/certs/
4. Add NODE_OPTIONS=--use-openssl-ca into enviroment parameter of both /etc/supervisor/conf.d/ds-converter.conf and /etc/supervisor/conf.d/ds-docservice.conf so they look like this:

Code: Select all

....
user=ds
environment=NODE_ENV=production-linux,NODE_OPTIONS=--use-openssl-ca,NODE_CONFIG_DIR=/etc/onlyoffice/documentserver.....
....

5. Run service supervisor restart and supervisorctl restart all.