OnlyOffice WorkSpace Connect SSO Saml ( Self Signed Cert ) Error

================================================================================================================================================================================

A. Scenario: OnlyOffice WorkSpace Connect SSO SAML (Self-Signed Cert) Error

Hi All OnlyOffice Experts

I tested 3 products using Self-Signed Cert and they were all successfully accessed by the browser:

OnlyOffice Docs

OnlyOffice DocSpace

OnlyOffice WorkSpace

However, when connecting to KeyCloak SSO SAML, due to the use of Self-Signed Cert in the internal environment,

  1. OnlyOffice DocSpace: (HTTPS) can be easily configured successfully

  2. OnlyOffice WorkSpace:
     A. (HTTP) can be easily configured successfully
     B. (HTTPS) Fail (see image)

After checking the Log: /var/lib/docker/volumes/onlyoffice_workspace_community_log/_data/web.sso.03-30.log

I found that

============================================================================================

B. Log

[root@DockerHost ~]# tail -f /var/lib/docker/volumes/onlyoffice_workspace_community_log/_data/web.sso.03-30.log

{"error":{"message":"request to https://oows.example.com/ssologin.ashx?config=saml failed, reason: self-signed certificate in certificate chain",
{"message":"::ffff:127.0.0.1 - - [30/Mar/2026:09:07:14 +0000] "POST /loadmetadata HTTP/1.1" - - "-" "-"","level":"info"}

This clearly requires importing Self-Signed CA Cert, so I did the following:

============================================================================================

C. Container OS Import SSL CA Cert

Container_Name="onlyoffice-control-panel"
Container_Name="onlyoffice-community-server"

Container_Name="onlyoffice-mail-server" # Container OS: CentOS 6.10

Container_Name="onlyoffice-document-server"
Container_Name="onlyoffice-elasticsearch"
Container_Name="onlyoffice-mysql-server"

All Container Import Self Signed CA Cert

update-ca-certificates

curl: all succeeded, but the "onlyoffice-mail-server" container OS is very old, so I could do nothing with it

============================================================================================

When I modify “docker-compose.workspace.yml” and add the following 4 containers:

Container_Name="onlyoffice-control-panel"
Container_Name="onlyoffice-community-server"
Container_Name="onlyoffice-document-server"
Container_Name="onlyoffice-elasticsearch"

I add

environment:
 - NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
 # - NODE_USE_SYSTEM_CA=1
 # - NODE_TLS_REJECT_UNAUTHORIZED=0

===================================================================================================================================================

================================================================================================================================================================================

D. Container Node Check Self Sign CA HTTPS Status

===================================================================================================================================================

File_Name="./tmp/test-https.js"

cat << EEOOFF > "${File_Name}"
//
const https = require('https');
//
const url = process.argv[2];
//
https.get(url, (res) => {
  console.log('Status Code:', res.statusCode);
  console.log('Success !');

  let data = '';
  res.on('data', (chunk) => { data += chunk; });
  res.on('end', () => {
    // console.log('Content Before 200 bit:', data.slice(0, 200));
  });
}).on('error', (e) => {
  console.error('Connect Fail:', e.message);
  console.error('Error Code:', e.code);
  console.error('Full Error:', e);
});
//
EEOOFF

cat "${File_Name}"

===================================================================================================================================================

Container_Name="onlyoffice-community-server"

Container_Name="onlyoffice-control-panel"

Shell_Type="/bin/bash"

Shell_Type="/bin/sh"

docker cp "${File_Name}" "${Container_Name}":/tmp/

docker exec -t -u 0 "${Container_Name}" "${Shell_Type}" -c "env | grep -E 'NODE_EXTRA_CA_CERTS|NODE_USE_SYSTEM_CA|NODE_TLS_REJECT_UNAUTHORIZED'" # NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt

docker exec -t -u 0 "${Container_Name}" "${Shell_Type}" -c "node /tmp/test-https.js https://sso.example.com" # OK !

===================================================================================================================================================

================================================================================================================================================================================

F. This was also modified last time.

Container_Name="onlyoffice-document-server"

Shell_Type="/bin/bash"

Container_File_Name="/etc/onlyoffice/documentserver/default.json"

docker exec -t -u 0 "${Container_Name}" "${Shell_Type}" -c "grep rejectUnauthorized ${Container_File_Name}"

docker exec -t -u 0 "${Container_Name}" "${Shell_Type}" -c "sed -i 's/\"rejectUnauthorized\": true/\"rejectUnauthorized\": false/g' ${Container_File_Name}"

docker exec -t -u 0 "${Container_Name}" "${Shell_Type}" -c "grep rejectUnauthorized ${Container_File_Name}"

docker exec -t -u 0 "${Container_Name}" "${Shell_Type}" -c "supervisorctl restart all"

================================================================================================================================================================================

The image context and log remain unchanged, so I need to ask for help here on how to resolve this. Thx !

BR,
–Roy

Hi All

I have successfully solved it.


Container_Name="onlyoffice-community-server"

Shell_Type="/bin/bash"

docker exec  -t -u 0 "${Container_Name}" "${Shell_Type}" -c "sed -i \"/\[Service\]/aEnvironment=NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt\" /lib/systemd/system/onlyofficeSsoAuth.service"

docker exec  -t -u 0 "${Container_Name}" "${Shell_Type}" -c "cat /lib/systemd/system/onlyofficeSsoAuth.service"

docker exec  -t -u 0 "${Container_Name}" "${Shell_Type}" -c "systemctl daemon-reload"

docker exec  -t -u 0 "${Container_Name}" "${Shell_Type}" -c "systemctl restart onlyofficeSsoAuth"

Hello, @royleong2010 !

Thank you for sharing the solution and detailed steps – this is indeed a correct approach for your scenario with an internal self‑signed CA. You correctly identified that the onlyofficeSsoAuth service inside the onlyoffice-community-server container must see your root certificate, and passed the path to the system trust store via NODE_EXTRA_CA_CERTS, then restarted the service.

The only thing to keep in mind is that such changes to the systemd unit file inside the container can be overwritten when the image is updated or the container is recreated. We recommend keeping your commands/script so that you can quickly re‑apply this configuration after updates.

If you have any further questions in the future, feel free to share them and we will do our best to help!
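
An added example, not part of the thread and not ONLYOFFICE code: a re-runnable version of the unit-file change from the solution above, plus a check of the environment the service process actually received. The function names are hypothetical, and the unit contents in the self-check are constructed.

```shell
#!/usr/bin/env bash
# Added example, not ONLYOFFICE code. Function names are hypothetical.

# ensure_unit_env UNIT_FILE NAME VALUE
# Put "Environment=NAME=VALUE" right after [Service]. Any earlier setting of
# NAME is dropped first, so re-running after every update never stacks duplicates.
ensure_unit_env() {
    local unit="$1" name="$2" value="$3" tmp rc
    grep -q '^\[Service\]' "$unit" || { echo "no [Service] in $unit" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    awk -v line="Environment=${name}=${value}" -v key="Environment=${name}=" '
        index($0, key) == 1 { next }                       # old setting of NAME
        { print }
        /^\[Service\]/ && !done { print line; done = 1 }   # insert once
    ' "$unit" > "$tmp" && cat "$tmp" > "$unit"             # keep owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# proc_env_has ENVIRON_FILE NAME VALUE
# True when a NUL-separated environment block (the /proc/<pid>/environ format)
# holds exactly NAME=VALUE. This is what the service process received, which can
# differ from what `docker exec ... env` prints for a fresh shell.
proc_env_has() {
    tr '\0' '\n' < "$1" | grep -qxF -- "$2=$3"
}

# Self-check on a constructed unit file (not the real unit's contents):
# apply the setting twice, then count the matching lines.
demo_count() {
    local dir unit n
    dir="$(mktemp -d)" || return 1
    unit="$dir/onlyofficeSsoAuth.service"
    printf '[Unit]\nDescription=constructed sample\n\n[Service]\nExecStart=/usr/bin/node app.js\n' > "$unit"
    ensure_unit_env "$unit" NODE_EXTRA_CA_CERTS /etc/ssl/certs/ca-certificates.crt
    ensure_unit_env "$unit" NODE_EXTRA_CA_CERTS /etc/ssl/certs/ca-certificates.crt
    n="$(grep -c '^Environment=NODE_EXTRA_CA_CERTS=' "$unit")"
    rm -rf "$dir"
    echo "$n"
}

# In the container, with the unit path from the post above:
#   ensure_unit_env /lib/systemd/system/onlyofficeSsoAuth.service \
#       NODE_EXTRA_CA_CERTS /etc/ssl/certs/ca-certificates.crt
#   systemctl daemon-reload && systemctl restart onlyofficeSsoAuth
```

Keeping certificate verification on and trusting the internal CA this way avoids the `NODE_TLS_REJECT_UNAUTHORIZED=0` and `rejectUnauthorized: false` fallbacks tried earlier in the thread.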