From f6b5017b4ab7771b81a14434be8218cf00d32b9c Mon Sep 17 00:00:00 2001 From: Semyon Bezrukov Date: Wed, 29 Apr 2020 19:48:33 +0300 Subject: [PATCH] Rename cert & key files (#245) * New cert files default names * Add certs travis test * Add certificate generation * Fix certs test * Fix cert gen * Fix directory mapping * Fix https healthcheck * Add test for old cert path * Fix script & test * Fix port number * Code refactoring * Fix old cert test * Code refactoring * Fix certs test names * Remove unnecessary test --- .travis.yml | 20 ++++++++++++++++++++ README.md | 24 ++++++++++++------------ run-document-server.sh | 12 ++++++++++-- tests/certs-customized.yml | 18 ++++++++++++++++++ tests/certs.yml | 13 +++++++++++++ tests/test.sh | 29 ++++++++++++++++++++++++++++- 6 files changed, 101 insertions(+), 15 deletions(-) create mode 100644 tests/certs-customized.yml create mode 100644 tests/certs.yml diff --git a/.travis.yml b/.travis.yml index 8c4f119..94a1ff0 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,6 +3,26 @@ language: generic dist: trusty env: + # certificates (default tls if onlyoffice not exists) + - config: certs.yml + ssl: true + + # certificates (default onlyoffice if exists) + - config: certs.yml + ssl: true + private_key: onlyoffice.key + certificate_request: onlyoffice.csr + certificate: onlyoffice.crt + + # custom certificates + - config: certs-customized.yml + ssl: true + private_key: mycert.key + certificate_request: mycert.csr + certificate: mycert.crt + SSL_CERTIFICATE_PATH: /var/www/onlyoffice/Data/certs/mycert.crt + SSL_KEY_PATH: /var/www/onlyoffice/Data/certs/mycert.key + # postgresql - config: postgres.yml diff --git a/README.md b/README.md index 47840fe..e11f94c 100644 --- a/README.md +++ b/README.md @@ -96,8 +96,8 @@ To secure the application via SSL basically two things are needed: So you need to create and install the following files: - /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key - /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt + /app/onlyoffice/DocumentServer/data/certs/tls.key + /app/onlyoffice/DocumentServer/data/certs/tls.crt When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip the following section if you are have CA certified SSL certificates. @@ -108,19 +108,19 @@ Generation of self-signed SSL certificates involves a simple 3 step procedure. **STEP 1**: Create the server private key ```bash -openssl genrsa -out onlyoffice.key 2048 +openssl genrsa -out tls.key 2048 ``` **STEP 2**: Create the certificate signing request (CSR) ```bash -openssl req -new -key onlyoffice.key -out onlyoffice.csr +openssl req -new -key tls.key -out tls.csr ``` **STEP 3**: Sign the certificate using the private key and CSR ```bash -openssl x509 -req -days 365 -in onlyoffice.csr -signkey onlyoffice.key -out onlyoffice.crt +openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt ``` You have now generated an SSL certificate that's valid for 365 days. @@ -136,18 +136,18 @@ openssl dhparam -out dhparam.pem 2048 #### Installation of the SSL Certificates -Out of the four files generated above, you need to install the `onlyoffice.key`, `onlyoffice.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again). +Out of the four files generated above, you need to install the `tls.key`, `tls.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again). The default path that the onlyoffice application is configured to look for the SSL certificates is at `/var/www/onlyoffice/Data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options. -The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/app/onlyoffice/DocumentServer/data/` and copy the files into it and as a measure of security you will update the permission on the `onlyoffice.key` file to only be readable by the owner. +The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/app/onlyoffice/DocumentServer/data/` and copy the files into it and as a measure of security you will update the permission on the `tls.key` file to only be readable by the owner. ```bash mkdir -p /app/onlyoffice/DocumentServer/data/certs -cp onlyoffice.key /app/onlyoffice/DocumentServer/data/certs/ -cp onlyoffice.crt /app/onlyoffice/DocumentServer/data/certs/ +cp tls.key /app/onlyoffice/DocumentServer/data/certs/ +cp tls.crt /app/onlyoffice/DocumentServer/data/certs/ cp dhparam.pem /app/onlyoffice/DocumentServer/data/certs/ -chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key +chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key ``` You are now just one step away from having our application secured. @@ -160,8 +160,8 @@ Below is the complete list of parameters that can be set using environment varia - **ONLYOFFICE_HTTPS_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. - **ONLYOFFICE_HTTPS_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the onlyoffice nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`. -- **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.crt`. -- **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.key`. +- **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/tls.crt`. +- **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/tls.key`. - **SSL_DHPARAM_PATH**: The path to the Diffie-Hellman parameter. Defaults to `/var/www/onlyoffice/Data/certs/dhparam.pem`. - **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `CA_CERTIFICATES_PATH` file. Defaults to `false` - **DB_TYPE**: The database type. Supported values are `postgres`, `mariadb` or `mysql`. Defaults to `postgres`. diff --git a/run-document-server.sh b/run-document-server.sh index 5359467..b040372 100755 --- a/run-document-server.sh +++ b/run-document-server.sh @@ -16,8 +16,16 @@ ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost} ONLYOFFICE_DATA_CONTAINER_PORT=80 SSL_CERTIFICATES_DIR="${DATA_DIR}/certs" -SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.crt} -SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.key} +if [[ -z $SSL_CERTIFICATE_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/onlyoffice.crt ]]; then + SSL_CERTIFICATE_PATH=${SSL_CERTIFICATES_DIR}/onlyoffice.crt +else + SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/tls.crt} +fi +if [[ -z $SSL_KEY_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/onlyoffice.key ]]; then + SSL_KEY_PATH=${SSL_CERTIFICATES_DIR}/onlyoffice.key +else + SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/tls.key} +fi CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certificates.pem} SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem} SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off} diff --git a/tests/certs-customized.yml b/tests/certs-customized.yml new file mode 100644 index 0000000..af73081 --- /dev/null +++ b/tests/certs-customized.yml @@ -0,0 +1,18 @@ +version: '2.1' +services: + onlyoffice-documentserver: + container_name: onlyoffice-documentserver + build: + context: ../. + environment: + - SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-/var/www/onlyoffice/Data/certs/tls.crt} + - SSL_KEY_PATH=${SSL_KEY_PATH:-/var/www/onlyoffice/Data/certs/tls.key} + - CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-/var/www/onlyoffice/Data/certs/ca-certificates.pem} + - SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-/var/www/onlyoffice/Data/certs/dhparam.pem} + stdin_open: true + restart: always + ports: + - '80:80' + - '443:443' + volumes: + - ./data:/var/www/onlyoffice/Data diff --git a/tests/certs.yml b/tests/certs.yml new file mode 100644 index 0000000..77d37ce --- /dev/null +++ b/tests/certs.yml @@ -0,0 +1,13 @@ +version: '2.1' +services: + onlyoffice-documentserver: + container_name: onlyoffice-documentserver + build: + context: ../. + stdin_open: true + restart: always + ports: + - '80:80' + - '443:443' + volumes: + - ./data:/var/www/onlyoffice/Data diff --git a/tests/test.sh b/tests/test.sh index 4bd15fa..6028584 100755 --- a/tests/test.sh +++ b/tests/test.sh @@ -1,5 +1,32 @@ #!/bin/bash +ssl=${ssl:-false} +private_key=${private_key:-tls.key} +certificate_request=${certificate_request:-tls.csr} +certificate=${certificate:-tls.crt} + +# Generate certificate +if [[ $ssl == "true" ]]; then + url=${url:-"https://localhost"} + + mkdir -p data/certs + pushd data/certs + + openssl genrsa -out ${private_key} 2048 + openssl req \ + -new \ + -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \ + -key ${private_key} \ + -out ${certificate_request} + openssl x509 -req -days 365 -in ${certificate_request} -signkey ${private_key} -out ${certificate} + openssl dhparam -out dhparam.pem 2048 + chmod 400 ${private_key} + + popd +else + url=${url:-"http://localhost"} +fi + # Check if the yml exists if [[ ! -f $config ]]; then echo "File $config doesn't exist!" @@ -14,7 +41,7 @@ wakeup_timeout=30 # Get documentserver healthcheck status echo "Wait for service wake up" sleep $wakeup_timeout -healthcheck_res=$(wget --no-check-certificate -qO - localhost/healthcheck) +healthcheck_res=$(wget --no-check-certificate -qO - ${url}/healthcheck) # Fail if it isn't true if [[ $healthcheck_res == "true" ]]; then