Using letsencrypt

I’ve written about this before in the Nextcloud forums and I realized someone here might benefit from it.

I use letsencrypt to provide SSL certificates for my CODE instance. After recently updating lool to cool to go from 6.4 to 21.06.13 I was reminded of all the steps it takes to manage letsencrypt certs.

I’m running Debian, so paths may be different for your installation, but should be the same or similar for any Debian derivative.

I run Apache and found it easier to give my CODE instance its own domain name, but there’s nothing here specific to using Apache.

You will need to set up the SSL lines in coolwsd.xml:

                <cert_file_path desc="Path to the cert file" relative="false">/etc/coolwsd/certs/documents.myserver.home.cert</cert_file_path>
                <key_file_path desc="Path to the key file" relative="false">/etc/coolwsd/certs/documents.myserver.home.key</key_file_path>

There’s an <ssl> section in both the main body and in the <storage> section. I set them both the same. I’m not sure that’s necessary.

By default letsencrypt dumps the certs and the keys in /etc/letsencrypt/live/documents.myserver.home which is very locked down (as it should be). In order for CODE to be able to read your cert and key, you will need to move it to someplace that is readable by the cool user. By default this should be /etc/coolwsd/certs.

Letsencrypt provides a way to modify how your certs/keys are used with renewal-hooks, which live at /etc/letsencrypt/renewal-hooks. You will want to add a shell script in deploy (/etc/letsencrypt/renewal-hooks/deploy).

This is what mine looks like:

#!/bin/sh

set -e

# certbot runs deploy hooks once per successful renewal and exports
# RENEWED_DOMAINS (the names on the renewed cert) and RENEWED_LINEAGE
# (the /etc/letsencrypt/live/<name> directory holding the new files).
for domain in $RENEWED_DOMAINS; do
        case $domain in
        documents.myserver.home)
                daemon_cert_root=/etc/coolwsd/certs

                # Make sure the certificate and private key files are
                # never world readable, even just for an instant while
                # we're copying them into daemon_cert_root.
                umask 077

                cp "$RENEWED_LINEAGE/fullchain.pem" "$daemon_cert_root/$domain.cert"
                cp "$RENEWED_LINEAGE/privkey.pem" "$daemon_cert_root/$domain.key"

                # Apply the proper file ownership and permissions for
                # the daemon to read its certificate and key.
                chown cool "$daemon_cert_root/$domain.cert" \
                        "$daemon_cert_root/$domain.key"
                chmod 400 "$daemon_cert_root/$domain.cert" \
                        "$daemon_cert_root/$domain.key"

                service coolwsd restart >/dev/null
                ;;
        esac
done

Please don’t ever run a script you find online unless you understand what it does. That being said, this is not my script and I found it online, but I understand what the script is doing. This has been modified for my purposes and you must do the same.

I hope this is helpful to someone out there who is having difficulty getting their CODE to run.

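A check to run after the hook has fired, as an added example that is not part of the original post or of the CODE project: it confirms that the copies in the daemon's cert directory came out the way the hook intends (owned by the daemon user, mode 400), that the private key actually belongs to the certificate (so a half-failed copy does not leave a mismatched pair that coolwsd refuses to start on), and warns when the cert is close to expiry. The file paths, the `cool` user and the function name are taken from or assumed for this post; it assumes GNU coreutils `stat` as on Debian, and uses `openssl` for the key match only when it is installed.

```sh
#!/bin/sh
# Added example, not from the original post: verify a cert/key pair that a
# letsencrypt deploy hook copied into the daemon's cert directory.
# Assumes GNU stat (Debian coreutils); openssl is optional.

# check_deployed_pair CERT KEY OWNER
# Returns 0 when both files exist, are owned by OWNER, are mode 400 and,
# if openssl is available, the key's public key matches the certificate's.
check_deployed_pair() {
    cert=$1
    key=$2
    owner=$3
    status=0

    for f in "$cert" "$key"; do
        if [ ! -f "$f" ]; then
            echo "FAIL: $f is missing"
            status=1
            continue
        fi
        actual_owner=$(stat -c '%U' "$f")
        mode=$(stat -c '%a' "$f")
        if [ "$actual_owner" != "$owner" ]; then
            echo "FAIL: $f is owned by $actual_owner, expected $owner"
            status=1
        fi
        if [ "$mode" != "400" ]; then
            echo "FAIL: $f has mode $mode, expected 400"
            status=1
        fi
    done
    [ "$status" -eq 0 ] || return "$status"

    if command -v openssl >/dev/null 2>&1; then
        # Compare the public key embedded in the cert with the one derived
        # from the private key; a mismatch means the copy step went wrong.
        cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || true
        key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || true
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: private key does not match certificate"
            return 1
        fi
        # Non-fatal: flag a cert that expires within 14 days (1209600 s),
        # which usually means the renewal itself is not running.
        if ! openssl x509 -noout -checkend 1209600 -in "$cert" >/dev/null 2>&1; then
            echo "WARN: certificate expires within 14 days; check certbot renew"
        fi
    else
        echo "SKIP: openssl not found, key/cert match not verified"
    fi

    echo "OK: $cert and $key"
    return 0
}
```

For the layout in this post you would call it as `check_deployed_pair /etc/coolwsd/certs/documents.myserver.home.cert /etc/coolwsd/certs/documents.myserver.home.key cool`; it exits non-zero on any failure, so it can also be appended to the end of the deploy hook before the `service coolwsd restart` line.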

Thanks @jimbolaya for sharing this and welcome to the forum! Yes, this most definitely will be useful for many :)