timeraider n00b
Joined: 27 Jul 2015 Posts: 41
Posted: Wed Nov 23, 2016 9:37 am Post subject: Libreoffice-online
Dear Gentoo community,
I would like to advertise my overlay for libreoffice-online at https://github.com/timeraider4u/libreoffice-online.git with the corresponding ebuilds. With these ebuilds you do not need any Docker container to get the collaborative office suite running but can install them on any workstation or virtual machine directly instead.
Feel free to use, fork and modify them.

MageSlayer Apprentice
Joined: 26 Jul 2007 Posts: 252 Location: Ukraine
Posted: Tue Dec 06, 2016 5:59 pm
Amazing.
I've just wondered if any real-time collaboration is finally available on Linux!
I am wondering - should I install OwnCloud/NextCloud/... as well to get a "full" Google Docs-like solution?
Where would it save documents if *Cloud is not installed? Maybe some clarifications/FAQ on github for others to see?

timeraider n00b
Joined: 27 Jul 2015 Posts: 41
Posted: Wed Dec 07, 2016 4:43 pm
Yes, you are right. I will add some more instructions on how to use it when I have some time.
Basically, as far as I have found out yet, the back-end storage can be used in two different modes:
filesystem or webdav (I have not had time to test the latter one, so no guarantee is given that it will work).
You can configure this in /etc/loolwsd/loolwsd.xml inside the tag <storage>...</storage>.
The important thing is the boolean value of the attribute allow in: <filesystem allow="true"/>.
You can then open the file /var/lib/libreoffice-online/home/hello.odt by opening
https://localhost:9980/loleaflet/loleaflet.html?file_path=file:///var/lib/libreoffice-online/home/hello.odt&host=wss://localhost:9980
in your web-browser.

Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Mon Aug 13, 2018 12:44 pm
Sorry for digging out this old thread, but I am still looking for a way to implement online office in my nextcloud without the need of docker bloat. Now, if I read the following blog correctly, Collabora online without docker would mean compiling libreoffice and libreoffice online. That's where I found this thread, and I now am wondering whether this still works, as the github entries are 1-2 years old.
https://blog.emrich-ebersheim.de/2017/03/31/collabora-online-fuer-nextcloud-auf-ubuntu-16-04-ohne-docker/
Could this blog serve for creating an actual ebuild for this? Unfortunately I am not capable of creating an ebuild myself.
Or is the only way to use docker in the end? I hope not, as I read some posts about running nextcloud and online office on the same server and setting it up without docker.

Hu Moderator
Joined: 06 Mar 2007 Posts: 21607
Posted: Tue Aug 14, 2018 2:19 am
Docker is just a way of bundling together packages so you don't need to know what you're doing to get something going. If a project can be made to run in Docker, then you can get it to run without Docker, if you have enough patience and information about its requirements. Whether that is a worthwhile use of your time is a separate question.

Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Wed Jan 30, 2019 1:11 am
I am still interested in integrating office documents into my nextcloud, but still not willing to do it the docker way. Is there some information available on how to do this with gentoo? I would really like to avoid the docker bloat, but if there is no other way maybe I will have to think about docker anyhow.

xdch47 n00b
Joined: 01 May 2019 Posts: 9
Posted: Wed May 01, 2019 9:02 am
Hi,
I just want to invite those of you who are still interested in the topic to try the ebuild from my overlay ( https://github.com/xdch47/gpo-xdch47/tree/master/www-apps/loolwsd ).
It's kind of simple and in a quite initial state, so feedback and improvements are welcome!
In case /var and /usr are on different partitions/subvolumes, I recommend copying /usr/lib64/libreoffice to the same partition and adapting the lo_template_path in /etc/libreoffice-online/loolwsd.xml
(Otherwise the jails will copy instead of symlinking all libs, which takes quite a while.)
Setup:
Code:
loolconfig update-system-template
loolconfig set-admin-password
rc-service loolwsd start
--> Test the admin console: https://localhost:9980/loleaflet/dist/admin/admin.html
Nextcloud integration:
Works fine so far (allow your hostnames in the wopi section!), except the pdf export (lool (seccomp??) bug).
--> Configure apache/nginx as reverse proxy (template configurations are available at /etc/apache2/conf-available/loolwsd.conf and /etc/nginx/snippets/loolwsd.conf)
--> Add the collabora nextcloud app and insert our lool-hostname
Done!
Last edited by xdch47 on Tue Dec 29, 2020 7:57 am; edited 1 time in total

Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Fri May 10, 2019 7:53 pm
Hey xdch47, and thanks for joining this forum to offer us this opportunity to test. I will check and try your ebuild.

Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Thu May 16, 2019 4:19 pm
It successfully built and set up, but the service is crashing when launching it. Please tell me where I can find information helping to identify why it is crashing.
Code:
/etc/init.d/loolwsd start
* Starting loolwsd ... [ ok ]
/etc/init.d/loolwsd status
* status: crashed
And regarding the vhost configuration, here is what I have prepared so far.
http://dpaste.com/3GGRG17
ls -l /var/www/lool/htdocs/
Code:
lrwxrwxrwx 1 root root 30 16. Mai 15:47 lool -> /usr/share/libreoffice-online/
Would that be correct?
On a browser, issuing http://lool.mydomain.com -> shows me the content of /usr/share/libreoffice-online.
Executing loolwsd as user lool:
Code:
su - lool
lool@srvhostname ~ $ loolwsd --debug
Unknown option specified: debug
-29283 2019-05-17 12:32:11.165189 [ loolwsd ] WRN Waking up dead poll thread [delay_poll], started: false, finished: false| ./net/Socket.hpp:622
-29283 2019-05-17 12:32:11.165317 [ loolwsd ] WRN Waking up dead poll thread [delay_poll], started: false, finished: false| ./net/Socket.hpp:622
<shutdown>-29283 2019-05-17 12:32:11.165431 [ loolwsd ] WRN Waking up dead poll thread [accept_poll], started: false, finished: false| ./net/Socket.hpp:622
<shutdown>-29283 2019-05-17 12:32:11.165488 [ loolwsd ] WRN Waking up dead poll thread [accept_poll], started: false, finished: false| ./net/Socket.hpp:622
<shutdown>-29283 2019-05-17 12:32:11.165512 [ loolwsd ] WRN Waking up dead poll thread [websrv_poll], started: false, finished: false| ./net/Socket.hpp:622
<shutdown>-29283 2019-05-17 12:32:11.165529 [ loolwsd ] WRN Waking up dead poll thread [websrv_poll], started: false, finished: false| ./net/Socket.hpp:622
<shutdown>-29283 2019-05-17 12:32:11.165544 [ loolwsd ] WRN Waking up dead poll thread [accept_poll], started: false, finished: false| ./net/Socket.hpp:622
<shutdown>-29283 2019-05-17 12:32:11.165559 [ loolwsd ] WRN Waking up dead poll thread [accept_poll], started: false, finished: false| ./net/Socket.hpp:622
<shutdown>-29283 2019-05-17 12:32:11.165579 [ loolwsd ] WRN Waking up dead poll thread [prisoner_poll], started: false, finished: false| ./net/Socket.hpp:622
<shutdown>-29283 2019-05-17 12:32:11.165604 [ loolwsd ] WRN Waking up dead poll thread [prisoner_poll], started: false, finished: false| ./net/Socket.hpp:622
<shutdown>-29283 2019-05-17 12:32:11.165619 [ loolwsd ] WRN Waking up dead poll thread [websrv_poll], started: false, finished: false| ./net/Socket.hpp:622
<shutdown>-29283 2019-05-17 12:32:11.165630 [ loolwsd ] WRN Waking up dead poll thread [websrv_poll], started: false, finished: false| ./net/Socket.hpp:622
I also tried to change the log level to debug, but I see no log in /var/log/ named libreoffice-online.log and no entries in /var/log/messages either.

xdch47 n00b
Joined: 01 May 2019 Posts: 9
Posted: Mon May 20, 2019 5:51 pm
Hi,
the logfile should be found at
Code:
ls -l /var/log/libreoffice-online
-rw-r--r-- 1 lool lool 199346 20. Mai 19:30 loolwsd.log
did you run something to update / create the system templates?
e.g.
Code:
loolconfig update-system-template
do you have access to the admin console?
-> http://lool.mydomain.com/loleaflet/dist/admin/admin.html

Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Mon May 20, 2019 7:12 pm
Yes, following your description I issued:
loolconfig update-system-template
Code:
Running the following command:
su lool --shell=/bin/sh -c 'loolwsd-systemplate-setup /var/lib/libreoffice-online/systemplate /usr/lib64/libreoffice >/dev/null 2>&1'
loolwsd.log
As /etc/init.d/loolwsd status is showing
crashed
There is no listening port for loolwsd (checked with netstat -plnt).
No access to the admin console - the browser is showing
Code:
Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
Apache Server at lool.mydomain.com Port 443

xdch47 n00b
Joined: 01 May 2019 Posts: 9
Posted: Tue May 21, 2019 7:00 am
hi,
could be an ipv6 related configuration problem. maybe you can try to set the protocol to IPv4:
edit loolwsd.xml or use loolconfig
Code:
loolconfig set net.proto IPv4
Quote:
> ls -l /var/www/lool/htdocs/
> lrwxrwxrwx 1 root root 30 16. Mai 15:47 lool -> /usr/share/libreoffice-online/
> Would that be correct?
> On a browser, issuing http://lool.mydomain.com -> shows me the content of /usr/share/libreoffice-online.
this is not necessary afaik. i think loolwsd is an acronym: LibreOffice-OnLine-WebServer-Daemon
so your webserver does not need to have access to those files - libreoffice-online comes along with its own webserver.
your webserver can be used as a reverse proxy to access the loolwsd locally running on port 9980.
for the reverse proxy configuration have a look at /etc/apache2/conf-available/loolwsd.conf
however, if you're going to access it externally, make sure that your ip address is allowed - see the <net></net> section of loolwsd.xml
hopefully,
that helps!
Last edited by xdch47 on Tue May 21, 2019 10:29 am; edited 1 time in total

Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Tue May 21, 2019 10:27 am
Hey, xdch47, it does.
You were right. Setting the protocol to IPv4 lets the service start successfully, and netstat shows it listens on ports 9980 and 9981.
Code:
tcp 0 0 0.0.0.0:9980 0.0.0.0:* LISTEN 30368/loolwsd
tcp 0 0 127.0.0.1:9981 0.0.0.0:* LISTEN 30368/loolwsd
I modified the vhost configuration to the following, and now I can access the LibreOffice Online "Administratorkonsole" via http://lool.mydomain.com/loleaflet/dist/admin/admin.html but not via lool.mydomain.com, where the webserver shows forbidden; I guess this is normal? Adding a line lool.mydomain.com in the wopi section and configuring the libreoffice online app works fine, so I think I should be good, and there is no need to access libreofficeonline directly via lool.mydomain.com? Finally, what would I need to be able to export documents as pdf?
Code:
## Another Virtual hosts statements ending in </VirtualHost> ###
<VirtualHost *:80>
    ServerName lool.mydomain.com
    # Redirect to SSL
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
</VirtualHost>
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
<VirtualHost *:443>
    ServerName lool.mydomain.com
    # Apache2 reverse proxy configuration for Collabora Online / LibreOffice Online
    # Internet <-- SSL --> Reverse Proxy <-- No SSL --> loolwsd
    # Make sure that you enable the following Apache2 modules: proxy, proxy_wstunnel, and proxy_http.
    # Create a virtual host for Collabora Online / LibreOffice Online and include this configuration file.
    Options -Indexes
    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode
    # keep the host
    ProxyPreserveHost On
    # static html, js, images, etc. served from loolwsd
    # loleaflet is the client part of LibreOffice Online
    ProxyPass /loleaflet http://127.0.0.1:9980/loleaflet retry=0
    ProxyPassReverse /loleaflet http://127.0.0.1:9980/loleaflet
    # WOPI discovery URL
    ProxyPass /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery http://127.0.0.1:9980/hosting/discovery
    # Capabilities
    ProxyPass /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
    ProxyPassReverse /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities
    # Main websocket
    ProxyPassMatch "/lool/(.*)/ws$" ws://127.0.0.1:9980/lool/$1/ws nocanon
    # Admin Console websocket
    ProxyPass /lool/adminws ws://127.0.0.1:9980/lool/adminws
    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass /lool http://127.0.0.1:9980/lool
    ProxyPassReverse /lool http://127.0.0.1:9980/lool
    ErrorLog /var/log/apache2/lool.mydomain.com-ssl_error_log
    <IfModule log_config_module>
        TransferLog /var/log/apache2/lool.mydomain.com-ssl_access_log
    </IfModule>
    SSLEngine on
    SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    SSLCertificateFile /path/to/cert/fullchain.pem
    SSLCertificateKeyFile /path/to/cert/privkey.pem
    SSLUseStapling on
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <IfModule setenvif_module>
        BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </IfModule>
    <IfModule log_config_module>
        CustomLog /var/log/apache2/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>
</VirtualHost>
Again, thank you a lot for making this possible by sharing your ebuild.
Last edited by Elleni on Tue May 21, 2019 5:54 pm; edited 1 time in total

xdch47 n00b
Joined: 01 May 2019 Posts: 9
Posted: Tue May 21, 2019 5:47 pm
nice!
yes, it's fine to use it without a certificate the reverse-proxy way - no need for direct access.
it seems that for pdf export there is a seccomp problem - maybe as a workaround seccomp could be disabled - have not tested yet.

Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Tue May 21, 2019 6:14 pm
Indeed.
Did a quick test setting seccomp to false and restarting loolwsd, but it does not work yet. Never mind - I am happy I have got it running. This is so cool.

Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Fri May 24, 2019 7:10 pm
Sooner or later we'll find out, or it will be fixed, no doubt.
I have a question: compared to my desktop there are far fewer fonts in libreoffice-online. How would I get the same fonts that you get in a normal gentoo installation?

Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Mon Aug 19, 2019 7:28 pm
After having updated my nextcloud server and thus libreoffice to version 6.3.0.4, libreoffice-online does not work anymore on my nextcloud instance. I can still access the web interface on
Code:
https://lool.mydomain.com/loleaflet/dist/admin/admin.html
But trying to open a document I get a message like "Collabora online cannot be loaded, try again later" within nextcloud. I guess an updated libreoffice-online ebuild could be needed?
loolwsd.log

Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Tue Nov 05, 2019 12:01 am
I have a question concerning letsencrypt certificate renewal for libreoffice-online. When stopping apache and spinning up the webserver that certbot brings with it, it works. But how can I enable automatic certificate renewal for my lool.mydomain.com with the webroot option without stopping my local apache on the server?
Certbot fails for this domain as lool.mydomain.com is not accessible (403 forbidden).
http://lool.mydomain.com/loleaflet/dist/admin/admin.html is working (but is asking for username and password, as expected), and I am out of ideas on how to automate certificate renewal including the lool domain. For every other domain it works just fine.

Hu Moderator
Joined: 06 Mar 2007 Posts: 21607
Posted: Tue Nov 05, 2019 2:27 am
As I understand certbot, if you want to use HTTP/S based validation, then you need to serve to the validation bot the expected proof of ownership token. The easiest way to do this would be to configure Apache not to restrict access to the directory where the proof of ownership is hosted. There is no reason to stop the local Apache and run a Certbot HTTP server. You can instead configure Apache to serve the relevant directory, and have Certbot store the proof files there. The Certbot Apache plugin is intended for this use case.

Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Tue Nov 05, 2019 5:52 am
Hello Hu,
you are right, and while it works as intended on every other subdomain I host, it does not for lool.mydomain.ch because there is a proxy pass configured for libreoffice-online, and I don't know how to modify the corresponding vhost in order to let letsencrypt do its magic for lool.mydomain.com.
Code:
## Another Virtual hosts statements ending in </VirtualHost> ###
<VirtualHost *:80>
    ServerName lool.mydomain.com
    # Redirect to SSL
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
</VirtualHost>
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
<VirtualHost *:443>
    ServerName lool.mydomain.com
    # Apache2 reverse proxy configuration for Collabora Online / LibreOffice Online
    # Internet <-- SSL --> Reverse Proxy <-- No SSL --> loolwsd
    # Make sure that you enable the following Apache2 modules: proxy, proxy_wstunnel, and proxy_http.
    # Create a virtual host for Collabora Online / LibreOffice Online and include this configuration file.
    Options -Indexes
    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode
    # keep the host
    ProxyPreserveHost On
    # static html, js, images, etc. served from loolwsd
    # loleaflet is the client part of LibreOffice Online
    ProxyPass /loleaflet http://127.0.0.1:9980/loleaflet retry=0
    ProxyPassReverse /loleaflet http://127.0.0.1:9980/loleaflet
    # WOPI discovery URL
    ProxyPass /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery http://127.0.0.1:9980/hosting/discovery
    # Capabilities
    ProxyPass /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
    ProxyPassReverse /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities
    # Main websocket
    ProxyPassMatch "/lool/(.*)/ws$" ws://127.0.0.1:9980/lool/$1/ws nocanon
    # Admin Console websocket
    ProxyPass /lool/adminws ws://127.0.0.1:9980/lool/adminws
    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass /lool http://127.0.0.1:9980/lool
    ProxyPassReverse /lool http://127.0.0.1:9980/lool
    ErrorLog /var/log/apache2/lool.mydomain.com-ssl_error_log
    <IfModule log_config_module>
        TransferLog /var/log/apache2/lool.mydomain.com-ssl_access_log
    </IfModule>
    SSLEngine on
    SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    SSLCertificateFile /etc/letsencrypt/path/to/certificate/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/path/to/certificate/privkey.pem
    SSLUseStapling on
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <IfModule setenvif_module>
        BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </IfModule>
    <IfModule log_config_module>
        CustomLog /var/log/apache2/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>
</VirtualHost>
certbot renew --dry-run gives
Code:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lool.mydomain.com
Cleaning up challenges
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
As an alternative I could set up a cron job to first stop the apache service, then let certbot renew the certificate for my domains by spinning up its own webserver, and restart apache afterwards. This should work, as it's the way I was able to install the certificate including lool.mydomain.com, but I would have to find out how to implement this, too.

guitou Guru
Joined: 02 Oct 2003 Posts: 534 Location: France
Posted: Tue Nov 05, 2019 12:23 pm
Hello.
If possible, you may try the DNS challenge for your certificate, but you will still need to reload the apache server anyway (to take the new certificate into account).
++
Gi)

Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Tue Nov 05, 2019 5:25 pm
Yeah, well, as a workaround I am also thinking of just stopping apache2 a minute before, if needed; then I run certbot without the webroot option, as this is working as intended and gets the certificate for all needed domains using its own webserver. After that I can start apache within the --renew-hook option. I had already used this option for restarting mail and apache services.

Hu Moderator
Joined: 06 Mar 2007 Posts: 21607
Posted: Wed Nov 06, 2019 3:19 am
Elleni wrote:
> you are right, and while it works as intended on every other subdomain I host, it does not for lool.mydomain.ch because there is a proxy pass configured for libreoffice-online, and I don't know how to modify the corresponding vhost in order to let letsencrypt do its magic for lool.mydomain.com
Why do you think ProxyPass is a problem here? As I read the documentation, if you are using the webroot plugin, and you let the server serve files from the /.well-known directory, automated renewal through http proof of ownership should work. Your shown configuration does not assign special meaning to that path. What happens if you manually post files in that directory, then try to retrieve them from that path on the server via curl? Does it try to serve them? Does it try to proxy the request to LOOL (which, by the way, is a terrible, if obvious, name for this product)?
Elleni wrote:
> certbot renew --dry-run gives
> Cert not due for renewal, but simulating renewal for dry run
> Plugins selected: Authenticator standalone, Installer None
You probably want webroot enabled here.
Elleni wrote:
> Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
You did not tell Certbot to cooperate with your webserver, so it tried to assume exclusive control of the http port. This failed. Tell it to cooperate.
Elleni wrote:
> As an alternative I could set up a cron job to first stop the apache service, then let certbot renew the certificate for my domains by spinning up its own webserver, and restart apache afterwards. This should work, as it's the way I was able to install the certificate including lool.mydomain.com, but I would have to find out how to implement this, too.
That might work, but it is fragile, disruptive, and a horrible workaround for a problem that should be easily solvable correctly.

Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Wed Nov 06, 2019 7:12 pm
Hu wrote:
> Why do you think ProxyPass is a problem here? As I read the documentation, if you are using the webroot plugin, and you let the server serve files from the /.well-known directory, automated renewal through http proof of ownership should work. Your shown configuration does not assign special meaning to that path. What happens if you manually post files in that directory, then try to retrieve them from that path on the server via curl? Does it try to serve them? Does it try to proxy the request to LOOL (which, by the way, is a terrible, if obvious, name for this product)? You did not tell Certbot to cooperate with your webserver, so it tried to assume exclusive control of the http port. This failed. Tell it to cooperate.
Why do you think it is a terrible name? I am open to better suggestions.
Hu wrote:
> You probably want webroot enabled here.
Once the certificates have been successfully acquired, certbot will use the configuration stored at /etc/letsencrypt/renewal/mydomain.conf, thus authenticator = webroot:
Code:
renew_before_expiry = 30 days
version = 0.39.0
archive_dir = /etc/letsencrypt/archive/mydomain.com
cert = /etc/letsencrypt/live/mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
renew_hook = /usr/local/bin/restart_services.sh
[[webroot_map]]
www.mydomain.com = /var/www/webroot1
www.mydomain2.com = /var/www/webroot2
sub.mydomain.com = /var/www/webroot3
(...)
I just had to add (dummy) DocumentRoot and Directory entries in the lool vhost configuration file. Certbot can now successfully access lool.mydomain.com and thus renews the certificate with the webroot option for the lool subdomain too, while apparently proxypass is still working. So the problem is solved - thank you for asking the right questions, which led me to the solution.
Code:
<VirtualHost *:80>
    ServerName lool.mydomain.com
    DocumentRoot "/var/www/dummy/path"
    <Directory "/var/www/dummy">
        ....
    </Directory>
    ....
<VirtualHost *:443>
    ServerName lool.mydomain.com
    DocumentRoot "/var/www/dummy/path"
    ......
    <Directory "/var/www/dummy">
    </Directory>
    ......
That leaves us with your comment about the terrible name.
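As an added example for the renewal problem worked through in the last few posts (Hu's curl check and Elleni's DocumentRoot/Directory fix), here is a complete lool vhost pair written for this thread. It is not Elleni's configuration and not the loolwsd.conf template shipped by xdch47's ebuild; the hostname lool.example.com, the webroot /var/www/acme and the certificate paths are placeholders. It serves the ACME http-01 challenge from a local webroot with an explicit ProxyPass exclusion, denies everything else under the dummy DocumentRoot, and proxies only the LibreOffice Online paths to loolwsd on 127.0.0.1:9980:

```apache
# Added example (not from the thread or the ebuild). Hostname, webroot and
# certificate paths are placeholders; adapt them to your own setup.

<VirtualHost *:80>
    ServerName lool.example.com

    # Webroot that certbot writes the http-01 token into, e.g.
    #   certbot renew --webroot -w /var/www/acme
    DocumentRoot "/var/www/acme"
    <Directory "/var/www/acme/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Nothing but the challenge is served over plain HTTP; the rest goes to HTTPS.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName lool.example.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/lool.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/lool.example.com/privkey.pem
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Same webroot on 443, so the challenge still answers if the validator
    # follows the redirect from port 80.
    DocumentRoot "/var/www/acme"
    <Directory "/var/www/acme">
        # Everything else under the dummy root stays 403, as seen earlier for "/".
        Require all denied
    </Directory>
    <Directory "/var/www/acme/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    Options -Indexes
    AllowEncodedSlashes NoDecode
    ProxyPreserveHost On

    # The exclusion is redundant with the path-specific ProxyPass lines below,
    # but it keeps renewals working if a catch-all "ProxyPass /" is ever added.
    ProxyPass "/.well-known/acme-challenge/" "!"

    ProxyPass /loleaflet http://127.0.0.1:9980/loleaflet retry=0
    ProxyPassReverse /loleaflet http://127.0.0.1:9980/loleaflet
    ProxyPass /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery http://127.0.0.1:9980/hosting/discovery
    ProxyPass /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
    ProxyPassReverse /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities
    ProxyPassMatch "/lool/(.*)/ws$" ws://127.0.0.1:9980/lool/$1/ws nocanon
    ProxyPass /lool/adminws ws://127.0.0.1:9980/lool/adminws
    ProxyPass /lool http://127.0.0.1:9980/lool
    ProxyPassReverse /lool http://127.0.0.1:9980/lool
</VirtualHost>
```

With this in place the renewal conf's [[webroot_map]] gets a line lool.example.com = /var/www/acme. To run the check Hu describes before touching certbot: put a small file under /var/www/acme/.well-known/acme-challenge/, reload apache, and fetch http://lool.example.com/.well-known/acme-challenge/<file> with curl. A 200 with the file's content means Apache served it from the webroot; a 403 means the granting Directory block is missing; a reply from loolwsd would mean a broader ProxyPass is swallowing the path and the exclusion needs to sit above it.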