Snap OnlyOffice-ds ssl with Snap Certbot on Ubuntu 22.04 (and a little apache)
Yes, the crime that is snaps, but they can be useful, so lets take a look.
Ok, I’ve put this together from bits and pieces of instructions, and since i feel there is less documentation on snap, I think this deserves writing about since it really is quite straight forward overall.
What is this use case?
Onlyoffice-ds is a server API which Nextcloud is able to integrate quite nicely. I have a bare metal Nextcloud on a different VPS server, but this could probably be set up similarly with snap, and I may well come back here and write about this… that would be cool… snap certbot, snap onlyoffice-ds and snap nextcloud!
I already have my nextcloud server running with https, and quite rightly nextcloud was nudging me to follow on with this secure protocol when I was setting up onlyoffice. This meant I had to configure the snap onlyoffice to work with https, and I didn’t want the snake oil certs for this if I could and thought i’d try snap certbot.
My setup
On this onlyoffice VPS server, I already use it for linking files for people on reddit, or family using plain old http port 80 apache. There’s a conflict here with snap onlyoffice, so for this, I have to move the http port of onlyoffice away from port 80, like so..
1
snap set onlyoffice-ds onlyoffice.ds-port=8888
There’s also a conflict with certbot and apache running on port 80, so I have to disable the apache service before running certbot.
1
systemctl stop apache2.service
Firewall rules
I’d love to say I know exactly how you should set this up, but this is homelab, and as hard as I try, something might be slightly off.
Since my VPS is Ubuntu, i’ve remained with UFW for this since it plays ok with snaps (unlike docker where i prefer iptables).
I have rate limitted my connections, but also static routes between Nextcloud and Onlyoffice, so…
1
2
3
ufw allow from "nextcloud-server-ip-address" to any port 443 proto tcp
ufw limit 443/tcp
ufw limit 80/tcp
I put a limit on port 80 for my apache server which is up to you if you want to go the same route as me. I also put a limit on port 443, since it’s only ever going to be used for my nextcloud server. Rule sequence takes presidence though, so add the rules in this order if you want the same.
Because I went bare metal Nextcloud, my firewall rules are a little different, and Nextcloud has builtin protection as well. You could also use fail2ban, and also crowdsec which is amazing. So, for my nextcloud, i’ve left port 443/tcp open (it doesn’t like the ufw limit).
So, lets get started.
Switch to the root user on your onlyoffice server, it’s easier when working with the certificates.
1
sudo su -
Install onlyoffice-ds & certbot using snap
1
2
snap install onlyoffice-ds
snap install certbot --classic
Using your favourite text editor, paste this into the root home directory. I’ve called my file certbot.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
#!/bin/bash
##################################################################################
# Generate keys. privkey.pem is onlyoffice.key & fullchain.pem is the onlyoffice.crt
domain=example.com
now=$(printf '%(%Y-%m-%d)T\n')
# onlyoffice & certbot snap directories
onlyo_path=/var/snap/onlyoffice-ds/current/var/www/onlyoffice/Data/certs
cert_path=/etc/letsencrypt/live/"$domain"
# create new certificates
if certbot certonly --standalone -d "$domain"
then
# certbot wont run with port 80 blocked
systemctl stop apache2.service
wait
# archive old keys
mv "$onlyo_path"/onlyoffice.key /root/archive-certs/"$now"-onlyoffice.key
mv "$onlyo_path"/onlyoffice.crt /root/archive-certs/"$now"-onlyoffice.crt
# copy the keys...
cp "$cert_path"*/privkey.pem "$onlyo_path"/onlyoffice.key
cp "$cert_path"*/fullchain.pem "$onlyo_path"/onlyoffice.crt
# remove the cert path because it blocks the only office snap, and hence we will write a cronjob to renew this.
rm -r "$cert_path"*
# remove config and archive
rm /etc/letsencrypt/renewal/"$domain"*
rm -r /etc/letsencrypt/archive/"$domain"*
snap restart onlyoffice-ds
wait
systemctl start apache2.service
else
echo "certbot failed to run, exitting..."
fi
# check if the dhparam.pem file exists.
if [[ ! -f "$onlyo_path"/dhparam.pem ]]
then
openssl dhparam -out "$onlyo_path"/dhparam.pem 2048
else
echo "dhparam file exists, skipping...."
fi
# check on another server whether the ssl is active
# openssl s_client -connect linode.jp-cloud.co.uk:443
# I don't think this file needs renewed - dhparam.pem, but command below.
# openssl dhparam -out dhparam.pem 2048
Open crontab
1
crontab -e
For the 3 month cycle certbot uses, paste this at the bottom for cron to use this script every 3 months at 3am. You might want to increase the frequency, will leave with you :
1
0 3 1 */3 * /root/certbot.sh