Setting up OnlyOffice with Let's Encrypt

Posted February 4, 2020

Hi there,

How can one set up OnlyOffice from the Marketplace with Let’s Encrypt? I’ve tried using the generic LE guide on DO tutorials, but that changes the config to direct the domain to the default nginx page. Any ideas?

edited by AHA


Hey @rtaibah

I had a look for myself, and I think you are getting that issue because you are attempting to install Let’s Encrypt via the nginx running on the Ubuntu VM, but the OnlyOffice One-Click is configured to just skip that and forward everything from port 80 and 443 (HTTP/HTTPS ports) directly to a Docker container. All the config and logic is inside the Docker container.

This is not really a great method because you are going into the docker container and modifying it, but I think it should work:

  1. SSH into the Droplet
  2. List the IDs of the running Docker containers with `docker container ls` - look for the ID of the “onlyoffice/communityserver” container; you will also see it has the HTTP/HTTPS ports proxied to it.
  3. Now initialize a bash session inside the container by running: `docker exec -it ID_OF_COMMUNITY_IMAGE /bin/bash`
  4. Now you can go through the Let’s Encrypt instructions you referenced earlier, with a couple of important notes:

A. The nginx config file for onlyoffice is located at `/etc/nginx/sites-enabled/onlyoffice` <– that’s where you add the `server_name …;` line
B. Instead of running `systemctl reload nginx` you need to run `service nginx restart`

Thanks for the question and answer, I am doing the exact same thing!

However, when I tried to generate the certificate I get the following error:

Could not automatically find a matching server block for Set the `server_name` directive to use the Nginx installer.

My /etc/nginx/sites-available/onlyoffice file looks like this:

```nginx
upstream fastcgi_backend {
        server unix:/var/run/onlyoffice/onlyoffice.socket;
        keepalive 32;
}

server {
        listen 80;
        listen 443 ssl;

        ssl_certificate {{SSL_CERTIFICATE_PATH}};
        ssl_certificate_key {{SSL_KEY_PATH}};

        fastcgi_keep_conn on;
        fastcgi_index   Default.aspx;
        fastcgi_intercept_errors on;

        include fastcgi_params;

        fastcgi_param HTTP_X_REWRITER_URL $http_x_rewriter_url;
        fastcgi_param SERVER_NAME $host;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO "";

        fastcgi_read_timeout    600;
        fastcgi_send_timeout    600;

        location / {
                root    /var/www/onlyoffice/WebStudio/;
                expires           0;
                add_header        Cache-Control no-cache;
                rewrite ^(.*)$ /StartConfigure.htm  break;
        }

        location /api {
                fastcgi_pass fastcgi_backend;
        }

        location  ~* ^/(warmup[2-9]?)/ {
                rewrite /warmup([^/]*)/(.*) /$2 break;
                fastcgi_pass unix:/var/run/onlyoffice/onlyoffice$1.socket;
        }
}
```

The nginx -t command returns OK/success.

Any idea?

  • It worked for me, but my /etc/nginx/sites-available/onlyoffice looked much different before (and after).

    I strictly followed these directions with the two changes AHA added.

    Yours has extra information that I suspect shouldn’t be there before running, specifically the ssl related information, which the certbot script later adds.

    The ssl information on mine is added with a `# managed by certbot` comment afterwards. Try removing the ssl related lines.
    I’m not really certain this is your problem, the error is a bit odd, but perhaps you also didn’t follow some of the other directions? Reloading nginx, etc.?
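
Added example, not part of the thread or of the OnlyOffice image: a small Python check for the "matching server block" error quoted above. It collects the `server_name` values from each `server` block and flags `{{…}}` template values like those in the posted file. The sample config and the domain `office.example.com` are constructed, and names are compared exactly (no wildcard or regex matching), which is an assumption of this sketch.

```python
import re
# Constructed sample shaped like the config posted above: no server_name, unfilled {{...}}.
SAMPLE = """
upstream fastcgi_backend { server unix:/var/run/onlyoffice/onlyoffice.socket; }
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate {{SSL_CERTIFICATE_PATH}};
    ssl_certificate_key {{SSL_KEY_PATH}};
    fastcgi_param SERVER_NAME $host;   # not a server_name directive
    location / { root /var/www/onlyoffice/WebStudio/; }
}
"""

def server_blocks(conf):
    """Return the body of every top-level `server { ... }` block."""
    conf = re.sub(r"\{\{.*?\}\}", "X", conf)  # placeholders must not skew brace depth
    conf = re.sub(r"#.*", "", conf)           # drop comments
    blocks, depth, start = [], 0, None
    for m in re.finditer(r"[{}]", conf):
        if m.group() == "{":
            head = conf[:m.start()].rstrip()
            if depth == 0 and re.search(r"(^|[;}\s])server$", head):
                start = m.end()
            depth += 1
        else:
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(conf[start:m.start()])
                start = None
    return blocks

def check(conf, domain):
    """Return findings for `domain`; an empty list means nothing was flagged."""
    names = []
    for body in server_blocks(conf):
        for m in re.finditer(r"(?:^|(?<=[;{}]))\s*server_name\s+([^;]+);", body):
            names += m.group(1).split()
    findings = []
    if domain not in names:
        findings.append(f"no server block has server_name {domain}")
    left = sorted(set(re.findall(r"\{\{\s*(\w+)\s*\}\}", conf)))
    if left:
        findings.append("unrendered template values: " + ", ".join(left))
    return findings

if __name__ == "__main__":
    print("\n".join(check(SAMPLE, "office.example.com")) or "ok")
```
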

I struggled to do this. I found an easier solution was just to create a Cloudflare account that basically sat between my droplet and the user, and Cloudflare provided its catch-all SSL certificate.

Really easy, hardly any setup.

Hope this offers a different perspective.