Docker Nextcloud Ssl



Docker

CyberPanel is web hosting control which is based on OpenLitespeed. Comes with builtin support for DNS, FTP, Email, File Manager and automatic SSL. Install NextCloud 19 on Debian 10 Buster. Nextcloud has a number of dependencies that must be installed beforehand. To give you a better experience, we will cover the installation of all the dependencies.

We'll describe how to get Collabora Online running on your server and how to integrate it into your Nextcloud using the docker image Nextcloud and Collabora built.

  1. Learn all the ins and outs of CODE How to grab the CODE image from Docker image Collabora Online Development Edition (CODE) is available as a Docker image from Docker Hub. Currently, the only supported platform is x86-64, and the image was mostly tested on Linux. If you are not familiar with Docker concepts.
  2. We are going to cover most of everything there is to setup a Docker Home Server with Traefik 2, LetsEncrypt SSL certificates, and Google OAuth for security.However, frequently, we will refer you back to my previous guides for some reading to not make this guide too lengthy.

To install it the following dependencies are required:

  • A host that can run a Docker container
  • A subdomain or a second domain that the Collabora Online server can run on
  • An Apache server with some enabled modules (NGINX instructions in a blog here)
  • A valid SSL certificate for the domain that Collabora Online should run on
  • A valid SSL certificate for your Nextcloud

Note: This guide does NOT cover self-signed certificates. If you use a self-signed certificate then you're mostly on your own ;-)

Install the Collabora Online server

Setup using the built-in CODE server

Install the Collabora Online - Built-in CODE Server app from your Nextclouds apps management. This app provides a built-in server with all of the document editing features of Collabora Online. Easy to install, for personal use or for small teams. It is a bit slower than a standalone server and without the advanced scalability features.

Setup using docker

The collabora/code Docker image can be installed to any x86-64 host (e.g. on Linux and Windows 10), and it is fully configurable. For more information about setup and configuration for deployment, please read the CODE Docker page. If you want to try it out quickly, you can set up CODE docker image with file sharing integration in less than 5 minutes in a very basic way, following these instructions: quick tryout with Nextcloud.

The following steps will download the Collabora Online docker, make sure to replace 'cloud.nextcloud.com' with the host that your own Nextcloud runs on. Also make sure to escape all dots with double backslashes (), since this string will be evaluated as a regular expression (and your bash 'eats' the first backslash.) If you want to use the docker container with more than one Nextcloud, you'll need to use 'domain=cloud.nextcloud.com|second.nexcloud.com' instead. (All hosts are separated by |.)

Optionally, you can select the dictionaries you want with:

This way you are not only limited to German, English, Italian, French and Spanish.

That will be enough. Once you have done that the server will listen on 'localhost:9980'. Now we just need to configure the locally installed Apache reverse proxy.

Setup using packages

As an alternative to Docker image, Collabora provide native Linux packages for selected Linux distributions. If you have Debian 8, Debian 9, Ubuntu 16.04, Ubuntu 18.04, CentOS 7 or openSUSE Leap, please read the CODE Linux packages page.

Setting up a reverse proxy and SSL

It is highly recommended to set up a reverse proxy in front of CODE, either you run CODE from Docker, or you use native packages. It is easy, and this way CODE can be reached on standard HTTP or HTTPS ports. We provide sample configuration files for Apache2 and Nginx. If you want SSL, we recommend certificates from Let's Encrypt.

Now you can give https://collabora.example.com as the WOPI URL in your preferred File Sync and Share solution. See below for specific examples.

Apache guide

On a recent Ubuntu or Debian this should be possible using:

Afterward, configure one VirtualHost properly to proxy the traffic. For security reason we recommend to use a subdomain such as office.nextcloud.com instead of running on the same domain. An example config can be found below:

After configuring these do restart your apache using /etc/init.d/apache2 restart.

Configure the app

You can configure the app either from within Nextcloud itself, or from thecommandline. The latter facilitates automated setup, e.g. via Ansible.

Configure the app in Nextcloud

Go to the Apps section and choose 'Office & text'Install the 'Collabora Online app'Admin -> Collabora Online -> Specify the server you have setup before (e.g. 'https://office.nextcloud.com')

Congratulations, your Nextcloud has Collabora Online Office integrated!

Configure the app from the commandline

Nextcloud

From a shell running in the Nextcloud root directory, run the following occcommands, substituting the server url you've setup (e.g. 'https://office.nextcloud.com'):

Congratulations, your Nextcloud has Collabora Online Office integrated!

Updating the docker image

Occasionally, new versions of this docker image are released with security and feature updates. We will of course let you know when that happens! This is how you upgrade to a new version:

grab new docker image:

List docker images:

from the output you can glean the Container ID of your Collabora Online docker image.stop and remove the Collabora Online docker image:

start the new image:

Enjoy!

Let's Encrypt (out-of-the-box)¶

The 'acme-mailcow' container will try to obtain a LE certificate for ${MAILCOW_HOSTNAME}, autodiscover.ADDED_MAIL_DOMAIN and autoconfig.ADDED_MAIL_DOMAIN.

Warning

mailcow must be available on port 80 for the acme-client to work. Our reverse proxy example configurations do cover that. You can also use any external ACME client (certbot for example) to obtain certificates, but you will need to make sure, that they are copied to the correct location and a post-hook reloads affected containers. See more in the Reverse Proxy documentation.

By default, which means 0 domains are added to mailcow, it will try to obtain a certificate for ${MAILCOW_HOSTNAME}.

For each domain you add, it will try to resolve autodiscover.ADDED_MAIL_DOMAIN and autoconfig.ADDED_MAIL_DOMAIN to its IPv6 address or - if IPv6 is not configured in your domain - IPv4 address. If it succeeds, a name will be added as SAN to the certificate request.

Only names that can be validated, will be added as SAN.

For every domain you remove, the certificate will be moved and a new certificate will be requested. It is not possible to keep domains in a certificate, when we are not able validate the challenge for those.

Nextcloud

If you want to re-run the ACME client, use docker-compose restart acme-mailcow and monitor its logs with docker-compose logs --tail=200 -f acme-mailcow.

Additional domain names¶

Edit 'mailcow.conf' and add a parameter ADDITIONAL_SAN like this:

Do not use quotes (') and do not use spaces between the names!

Each name will be validated against its IPv6 address or - if IPv6 is not configured in your domain - IPv4 address.

A wildcard name like smtp.* will try to obtain a smtp.DOMAIN_NAME SAN for each domain added to mailcow.

Run docker-compose up -d to recreate affected containers automatically.

Info

Using names other name MAILCOW_HOSTNAME to access the mailcow UI may need further configuration.

Docker

If you plan to use a server name that is not MAILCOW_HOSTNAME to access the mailcow UI (for example by adding mail.* to ADDITIONAL_SAN make sure to populate that name in mailcow.conf via ADDITIONAL_SERVER_NAMES. Names must be separated by commas and must not contain spaces. If you skip this step, mailcow may respond with an incorrect site.

Run docker-compose up -d to apply.

Force renewal¶

To force a renewal, you need to create a file named force_renew and restart the acme-mailcow container:

The file will be deleted automatically.

Validation errors and how to skip validation¶

You can skip the IP verification by setting SKIP_IP_CHECK=y in mailcow.conf (no quotes). Be warned that a misconfiguration will get you ratelimited by Let's Encrypt! This is primarily useful for multi-IP setups where the IP check would return the incorrect source IP address. Due to using dynamic IPs for acme-mailcow, source NAT is not consistent over restarts.

If you encounter problems with 'HTTP validation', but your IP address confirmation succeeds, you are most likely using firewalld, ufw or any other firewall, that disallows connections from br-mailcow to your external interface. Both firewalld and ufw disallow this by default. It is often not enough to just stop these firewall services. You'd need to stop mailcow (docker-compose down), stop the firewall service, flush the chains and restart Docker.

You can also skip this validation method by setting SKIP_HTTP_VERIFICATION=y in 'mailcow.conf'. Be warned that this is discouraged. In most cases, the HTTP verification is skipped to workaround unknown NAT reflection issues, which are not resolved by ignoring this specific network misconfiguration. If you encounter problems generating TLSA records in the DNS overview within mailcow, you are most likely having issues with NAT reflection you should fix.

If you changed a SKIP_* parameter, run docker-compose up -d to apply your changes.

Disable Let's Encrypt¶

Disable Let's Encrypt completely¶

Set SKIP_LETS_ENCRYPT=y in 'mailcow.conf' and recreate 'acme-mailcow' by running docker-compose up -d.

Skip all names but ${MAILCOW_HOSTNAME}¶

Add ONLY_MAILCOW_HOSTNAME=y to 'mailcow.conf' and recreate 'acme-mailcow' by running docker-compose up -d.

The Let's Encrypt subjectAltName limit of 100 domains¶

Let's Encrypt currently has a limit of 100 Domain Names per Certificate.

By default, 'acme-mailcow' will create a single SAN certificate for all validated domains(see the first section and Additional domain names).This provides best compatibility but means the Let's Encrypt limit exceeds if you add too many domains to a single mailcow installation.

To solve this, you can configure ENABLE_SSL_SNI to generate:

  • A main server certificate with MAILCOW_HOSTNAME and all fully qualified domain names in the ADDITIONAL_SAN config
  • One additional certificate for each domain found in the database with autodiscover., autoconfig. and any other ADDITIONAL_SAN configured in this format (subdomain.*).
  • Limitations: A certificate name ADDITIONAL_SAN=test.example.com will be added as SAN to the main certificate. A separate certificate/key pair will not be generated for this format.

Postfix, Dovecot and Nginx will then serve these certificates with SNI.

Set ENABLE_SSL_SNI=y in 'mailcow.conf' and recreate 'acme-mailcow' by running docker-compose up -d.

Warning

Not all clients support SNI, see Dovecot documentation or Wikipedia.You should make sure these clients use the MAILCOW_HOSTNAME for secure connections if you enable this feature.

Here is an example:

  • MAILCOW_HOSTNAME=server.email.tld
  • ADDITIONAL_SAN=webmail.email.tld,mail.*
  • Mailcow email domains: 'domain1.tld' and 'domain2.tld'

The following certificates will be generated:

  • server.email.tld, webmail.email.tld -> this is the default certificate, all clients can connect with these domains
  • mail.domain1.tld, autoconfig.domain1.tld, autodiscover.domain1.tld -> individual certificate for domain1.tld, cannot be used by clients without SNI support
  • mail.domain2.tld, autoconfig.domain2.tld, autodiscover.domain2.tld -> individual certificate for domain2.tld, cannot be used by clients without SNI support

How to use your own certificate¶

Make sure you disable mailcows internal LE client (see above).

To use your own certificates, just save the combined certificate (containing the certificate and intermediate CA/CA if any) to data/assets/ssl/cert.pem and the corresponding key to data/assets/ssl/key.pem.

IMPORTANT: Do not use symbolic links! Make sure you copy the certificates and do not link them to data/assets/ssl.

Restart affected services afterwards:

See Post-hook script for non-mailcow ACME clients for a full example script.

Test against staging ACME directory¶

Edit mailcow.conf and add LE_STAGING=y.

Run docker-compose up -d to activate your changes.

Custom directory URL¶

Edit mailcow.conf and add the corresponding directory URL to the new variable DIRECTORY_URL:

You cannot use LE_STAGING with DIRECTORY_URL. If both are set, only LE_STAGING is used.

Run docker-compose up -d to activate your changes.

Check your configuration¶

Nextcloud Docker Disable Ssl

Run docker-compose logs acme-mailcow to find out why a validation fails.

To check if nginx serves the correct certificate, simply use a browser of your choice and check the displayed certificate.

Nextcloud Docker Nginx Ssl

To check the certificate served by Postfix, Dovecot and Nginx we will use openssl:

Docker Nextcloud Ssl Ubuntu

To validate the expiry dates as returned by openssl against MAILCOW_HOSTNAME, you are able to use our helper script: