How to configure HTTPS with a LetsEncrypt Certificate on OnlyOffice Community Server for Docker

OnlyOffice Community Server is a great self-hosted, open-source alternative to Google Docs or Microsoft Office 365.
It can easily be installed with Docker (https://helpcenter.onlyoffice.com/server/docker/community/docker-installation.aspx#AlternativeInstallation).
However, you will probably want to serve your OnlyOffice instance over HTTPS with a valid certificate, for instance one issued by Let's Encrypt.
Here is how to do it.

  1. Install OnlyOffice (if you have not already done that)

    Follow the steps here https://helpcenter.onlyoffice.com/server/docker/community/docker-installation.aspx

  2. Connect to your machine with SSH

  3. Switch to the super-user with the command:

    sudo -i

  4. Create your OnlyOffice certificate folder with the command:

    mkdir -p /app/onlyoffice/CommunityServer/data/certs

  5. Create your Diffie-Hellman parameters (2048 bits; this can take a few minutes) with the command:

    openssl dhparam -out /app/onlyoffice/CommunityServer/data/certs/dhparam.pem 2048

  6. Now install Certbot with the command (for Ubuntu/Debian). We will use Certbot's standalone mode, so the nginx plugin is not needed:

    apt-get install certbot

  7. We will use the « standalone » mode of Certbot, which starts its own temporary web server on port 80 to answer the Let's Encrypt HTTP challenge (port 80 must therefore be reachable from the Internet). OnlyOffice already listens on port 80, so your instance has to be stopped first. The easiest way is to stop Docker altogether with the command below; note that this stops every container on the host, so if you run other containers on the same machine, stop only the OnlyOffice one with docker stop instead:

    systemctl stop docker

  8. Now generate the Let's Encrypt certificate with Certbot and this command (replace <YOUR_DOMAIN> with your domain name):

    certbot certonly --standalone -d <YOUR_DOMAIN>

  9. Complete the Let's Encrypt procedure (Certbot asks for a contact e-mail address and for your agreement to the terms of service)

  10. Restart Docker

    systemctl start docker

  11. Find the ID of your OnlyOffice Community Server container

    onlyofficecs_container_id=$(docker ps -f name=onlyoffice-community-server -q)

  12. Copy your private key and certificate chain to the OnlyOffice certificate folder with the command (replace <YOUR_DOMAIN> with your domain name). Keep onlyoffice.key readable by root only (mode 0600): cp does not preserve the restrictive permissions Certbot sets on privkey.pem, so the copy gets your umask's default permissions instead.

    cp /etc/letsencrypt/live/<YOUR_DOMAIN>/privkey.pem /app/onlyoffice/CommunityServer/data/certs/onlyoffice.key &&
    cp /etc/letsencrypt/live/<YOUR_DOMAIN>/fullchain.pem /app/onlyoffice/CommunityServer/data/certs/onlyoffice.crt

  13. Restart your OnlyOffice Community Server container so that its nginx picks up the new certificate files:

    docker restart "$onlyofficecs_container_id"  # reuses the ID found at step 11

You should now be able to access your OnlyOffice Community Server over HTTPS at https://<YOUR_DOMAIN> (replace <YOUR_DOMAIN> with your domain name).
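Before trusting the deployment, it is worth checking that the files copied in step 12 are a consistent pair and that the container really serves them. The script below is an added example, not part of the original tutorial: it assumes the tutorial's certificate folder, an openssl binary on the host, and that <YOUR_DOMAIN> resolves to the server. A mismatched key and certificate (a typical leftover after a renewal) prevents nginx from serving TLS at all, and a stale certificate on port 443 usually means the container was not restarted.

```shell
#!/bin/bash
# Post-deployment checks for the files copied in step 12.
# Added example, not part of the original tutorial: it assumes the tutorial's
# paths, an openssl binary on the host, and a public DNS name for the server.

CERTS_DIR="${CERTS_DIR:-/app/onlyoffice/CommunityServer/data/certs}"

# SHA-256 of the DER-encoded public key found inside a PEM certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a PEM private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# True when the private key belongs to the certificate. A mismatched pair
# (e.g. a stale onlyoffice.key after a renewal) makes nginx fail to start TLS.
key_matches_cert() {
    local key_fp cert_fp
    key_fp=$(key_pubkey_fp "$1")
    cert_fp=$(cert_pubkey_fp "$2")
    [ -n "$key_fp" ] && [ "$key_fp" = "$cert_fp" ]
}

# True when the certificate expires within $2 days (openssl's -checkend).
# A missing or unreadable certificate is reported as expiring.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# SHA-256 fingerprint of the leaf certificate a live server presents on 443.
served_cert_fp() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Run all checks on the deployed files and on the live server.
check_deployment() {
    local domain="$1"
    local key="$CERTS_DIR/onlyoffice.key" crt="$CERTS_DIR/onlyoffice.crt"
    local deployed_fp served_fp

    key_matches_cert "$key" "$crt" \
        || { echo "ERROR: onlyoffice.key does not match onlyoffice.crt"; return 1; }
    if expires_within_days "$crt" 30; then
        echo "WARNING: certificate expires within 30 days, run the renewal script"
    fi
    deployed_fp=$(openssl x509 -in "$crt" -noout -fingerprint -sha256 | cut -d= -f2)
    served_fp=$(served_cert_fp "$domain")
    { [ -n "$served_fp" ] && [ "$served_fp" = "$deployed_fp" ]; } \
        || { echo "ERROR: $domain serves a different certificate (container not restarted?)"; return 1; }
    echo "OK: $domain serves the deployed certificate (fingerprint $deployed_fp)"
}

# Usage: ./check-onlyoffice-tls.sh <YOUR_DOMAIN>
if [ $# -ge 1 ]; then
    check_deployment "$1"
fi
```

The key/certificate comparison hashes the public key rather than comparing moduli, so it works for both RSA and ECDSA keys (Certbot can issue either). The live check compares the leaf certificate fingerprint only; the chain is the same fullchain.pem in any case.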

Let's Encrypt certificates are only valid for 90 days, but renewal is easier than the initial setup because it can be fully automated. You can use the script below for this (run it as root, from a weekly cron job for instance); just set the YOURDOMAIN variable to your domain name.

#!/bin/bash
# Renews the Let's Encrypt certificate and redeploys it to OnlyOffice.
# Run as root, e.g. from a weekly cron job: Certbot only renews once the
# certificate is within 30 days of expiry, and this script exits early
# (without stopping Docker) while no renewal is due.

YOURDOMAIN="TYPE_YOUR_DOMAIN_NAME_HERE"
CERTS_DIR="/app/onlyoffice/CommunityServer/data/certs"
LIVE_DIR="/etc/letsencrypt/live/$YOURDOMAIN"

# Nothing to do while the current certificate is valid for more than 30 days.
if openssl x509 -in "$LIVE_DIR/cert.pem" -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then
    echo "Certificate for $YOURDOMAIN is not due for renewal yet."
    exit 0
fi

# Whatever happens below, Docker must come back up: otherwise a failed
# renewal would leave every container on the host stopped.
trap 'echo "Starting Docker..."; systemctl start docker' EXIT

echo "Stopping Docker..."
systemctl stop docker || exit 1

echo "Registering / Renewing certificate"
# --non-interactive: never prompt (the account and terms-of-service agreement
# were created during the first, interactive run at step 8).
certbot certonly --standalone --non-interactive -d "$YOURDOMAIN" || exit 1

trap - EXIT
echo "Starting Docker..."
systemctl start docker || exit 1

onlyofficecs_container_id=$(docker ps -f name=onlyoffice-community-server -q)
if [ -z "$onlyofficecs_container_id" ]; then
    echo "ERROR: Cannot find a running OnlyOffice Community Server container. Please check that OnlyOffice is running."
    exit 1
fi

echo "Copying certificate files into the OnlyOffice folder"
# chmod: cp gives the copy umask permissions, not the 0600 of privkey.pem.
cp "$LIVE_DIR/privkey.pem" "$CERTS_DIR/onlyoffice.key" &&
cp "$LIVE_DIR/fullchain.pem" "$CERTS_DIR/onlyoffice.crt" &&
chmod 600 "$CERTS_DIR/onlyoffice.key" &&
docker restart "$onlyofficecs_container_id" &&
echo "Certificate configured successfully for OnlyOffice Community Server!"

Richelieu – Free list of the most common French passwords

Richelieu is a free list of the most common French passwords

As a pentester, I often have to run brute-force and dictionary attacks against exposed websites and services. The easiest way to do so is to take an existing list of common passwords and load it into a dedicated tool such as hydra.

However, the best lists of common passwords (such as danielmiessler's SecLists) do not work well against French assets. The reason is simple: these password lists are based on the frequency analysis of huge data leaks (like Collection #1), with mixed sources from different countries and cultures. As a result, these lists say that the most common passwords are « qwerty », « password », « letmein », etc. But French people do not use a QWERTY keyboard, nor do they say « let me in » to log in. We prefer « azerty », « motdepasse », or even « bonjour ».

(Images: QWERTY keyboard by Pixabay; AZERTY keyboard by Nemossos, CC BY 2.0)

This cultural difference is a real limitation of generic wordlists for brute-force attacks against French targets.

In order to build a better dictionary for pentesting French targets, I analyzed public data leaks and filtered the results to keep only « .fr » e-mail addresses. The hypothesis is that a « .fr » address belongs to a French user. Even though this approach is imperfect, the results are accurate and really interesting. This new dictionary, named « Richelieu » after the founder of the Académie française, has the following top 50:

  • 123456
  • 123456789
  • azerty
  • 1234561
  • qwerty
  • marseille
  • 000000
  • 1234567891
  • doudou
  • 12345
  • loulou
  • 123
  • password
  • azertyuiop
  • 12345678
  • soleil
  • chouchou
  • 1234
  • 1234567
  • 123123
  • 123451
  • bonjour
  • 111111
  • nicolas
  • jetaime
  • coucou
  • motdepasse
  • Status
  • julien
  • thomas
  • camille
  • 010203
  • chocolat
  • iloveyou
  • iloveyou1
  • portugal
  • 1234567890
  • alexandre
  • 654321
  • maxime
  • 00000
  • wxcvbn
  • oceane
  • pompier
  • 12345671
  • marine
  • 0000
  • maison
  • isabelle
  • celine

Cultural analysis of this dictionary

An analysis of the full dictionary shows unsurprisingly that the most common French passwords are based on:

  • a spatial sequence on an AZERTY keyboard (123456, azerty, 1a2z3e, wxcvbn…);
  • a logical sequence (1a2b3c4d, 010203040506…);
  • a proper noun, such as a first name, a town or a country (nicolas, marseille, algerie…);
  • a phrase (motdepasse, auboulot, vivelafrance…);
  • or a cultural reference (france98, warcraft, carapuce…).
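As an added example (not the script used to build Richelieu), here is how the filtering and ranking described above can be done with standard Unix tools, together with a rough tagger for the numeric and AZERTY keyboard-walk families listed in the cultural analysis. The dump layout, one email:password per line, is an assumption; real leak dumps come in many formats and usually need a normalisation pass first.

```shell
#!/bin/bash
# Building a country-specific wordlist from a leak dump, following the method
# described above: keep the accounts whose e-mail ends in .fr, then rank their
# passwords by frequency. Added example, not the script used to build Richelieu.
# The dump format (one "email:password" per line) is an assumption.

# Rank the passwords of .fr accounts in dump $1 and keep the $2 most frequent.
# Output: "<count> <password>" per line, most frequent first, ties broken
# alphabetically so that the result is reproducible.
top_fr_passwords() {
    grep -iE '^[^:]+@[^:]+\.fr:' "$1" \
        | cut -d: -f2- \
        | grep -v '^$' \
        | sort | uniq -c | sort -k1,1nr -k2 \
        | head -n "$2" \
        | sed 's/^ *//'
}

# Same ranking, but one bare password per line: the format hydra's -P expects.
to_wordlist() {
    top_fr_passwords "$1" "$2" | cut -d' ' -f2-
}

# Tag a password with one of the families the post identifies. Only the
# numeric and AZERTY keyboard-walk families are detected mechanically; names,
# phrases and cultural references need a dictionary and are reported as "other".
classify_password() {
    local p="$1" row
    case "$p" in
        *[!0-9]*) ;;                       # contains a non-digit: not numeric
        *) echo "numeric"; return ;;
    esac
    if [ "${#p}" -ge 3 ]; then
        # A password that is a contiguous slice of an AZERTY row is a keyboard walk.
        for row in azertyuiop qsdfghjklm wxcvbn; do
            case "$row" in *"$p"*) echo "azerty-walk"; return ;; esac
        done
    fi
    echo "other"
}

# Usage: ./richelieu-build.sh <dump file> <N>  -> top N entries with their family
if [ $# -ge 2 ]; then
    top_fr_passwords "$1" "$2" | while read -r count pw; do
        printf '%s\t%s\t%s\n' "$count" "$pw" "$(classify_password "$pw")"
    done
fi
```

The e-mail filter is case-insensitive so that « .FR » addresses are kept, and the password field is taken as everything after the first colon so that passwords containing colons survive. Sorting by count and then by password makes two runs over the same dump produce the same list, which matters when the output is checked into a repository such as the one linked below.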
(Image: A moment that inspired our passwords! REUTERS/Vincent Kessler, CC BY-NC 2.0)
(Image: Marseille, one of the biggest cities in France and a source of inspiration for our passwords. F. Laffont-Feraud, CC BY-SA 3.0)

Get the dictionary

DISCLAIMER: THIS DICTIONARY IS PUBLISHED FOR LEGAL PURPOSES ONLY. PLEASE DO NOT USE IN MILITARY OR SECRET SERVICE ORGANIZATIONS OR FOR ILLEGAL PURPOSES.

The full dictionary is available for free here: https://github.com/tarraschk/richelieu.