[GH-ISSUE #1892] Improve docs for creating self signing doc in docker #548

Closed
opened 2026-02-26 18:47:32 +03:00 by kerem · 4 comments
Owner

Originally created by @AhmadBinKhalil on GitHub (Jul 10, 2025).
Original GitHub issue: https://github.com/documenso/documenso/issues/1892

Describe the improvement you are suggesting in detail

Procedure

Documenso Certificate Setup Guide - Working Solution

This guide shows how to properly set up self-signed certificates for Documenso in Docker to fix the "Failed to get private key bags" error.

Problem

When deploying Documenso with Docker, documents fail to complete signing due to certificate permission/format issues.

Solution Overview

  1. Use Docker volumes for certificate persistence
  2. Create certificates inside the container (avoids permission issues)
  3. Use compatible certificate formats
  4. Remove password complexity

Step 1: Docker Compose Setup

Create your docker-compose.yml file:

services:
  documenso:
    image: documenso/documenso
    depends_on:
      database:
        condition: service_healthy
    ports:
      - '3000:3000'
    environment:
      - 'NEXTAUTH_URL=your_service_FQDN'
      - 'NEXTAUTH_SECRET=${SERVICE_BASE64_AUTHSECRET}'
      - 'NEXT_PRIVATE_ENCRYPTION_KEY=${SERVICE_BASE64_ENCRYPTIONKEY}'
      - 'NEXT_PRIVATE_ENCRYPTION_SECONDARY_KEY=${SERVICE_BASE64_SECONDARYENCRYPTIONKEY}'
      - 'NEXT_PUBLIC_WEBAPP_URL=your_service_FQDN'
      - 'NEXT_PRIVATE_SMTP_TRANSPORT=${NEXT_PRIVATE_SMTP_TRANSPORT}'
      - 'NEXT_PRIVATE_SMTP_HOST=${NEXT_PRIVATE_SMTP_HOST}'
      - 'NEXT_PRIVATE_SMTP_PORT=${NEXT_PRIVATE_SMTP_PORT}'
      - 'NEXT_PRIVATE_SMTP_USERNAME=${NEXT_PRIVATE_SMTP_USERNAME}'
      - 'NEXT_PRIVATE_SMTP_PASSWORD=${NEXT_PRIVATE_SMTP_PASSWORD}'
      - 'NEXT_PRIVATE_SMTP_FROM_NAME=${NEXT_PRIVATE_SMTP_FROM_NAME}'
      - 'NEXT_PRIVATE_SMTP_FROM_ADDRESS=${NEXT_PRIVATE_SMTP_FROM_ADDRESS}'
      - 'NEXT_PRIVATE_DATABASE_URL=postgresql://${SERVICE_USER_POSTGRES}:${SERVICE_PASSWORD_POSTGRES}@database/${POSTGRES_DB:-documenso-db}?schema=public'
      - 'NEXT_PRIVATE_DIRECT_DATABASE_URL=postgresql://${SERVICE_USER_POSTGRES}:${SERVICE_PASSWORD_POSTGRES}@database/${POSTGRES_DB:-documenso-db}?schema=public'
      - 'NODE_ENV=production'
      - 'NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=/app/certs/cert.p12'
      # Note: no passphrase environment variable is set. You can set one, but then generate the key with that passphrase.
    healthcheck:
      test:
        - CMD-SHELL
        - "wget -q -O - http://documenso:3000/ | grep -q 'Sign in to your account'"
      interval: 2s
      timeout: 10s
      retries: 20
    volumes:
      - documenso_certs:/app/certs

  database:
    image: 'postgres:17'
    environment:
      - 'POSTGRES_USER=${SERVICE_USER_POSTGRES}'
      - 'POSTGRES_PASSWORD=${SERVICE_PASSWORD_POSTGRES}'
      - 'POSTGRES_DB=${POSTGRES_DB:-documenso-db}'
    volumes:
      - 'documenso_postgresql_data:/var/lib/postgresql/data'
    healthcheck:
      test:
        - CMD-SHELL
        - 'pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}'
      interval: 5s
      timeout: 20s
      retries: 10

volumes:
  documenso_certs: {}
  documenso_postgresql_data: {}

Step 2: Start the Services

docker-compose up -d

Step 3: Create Certificate Inside Container

Access the container as root to create the certificate:

docker-compose exec --user root documenso sh

Navigate to the certs directory:

cd /app/certs

Create the certificate files:

# Generate private key
openssl genrsa -out private.key 2048

# Generate certificate (adjust the subject as needed)
openssl req -new -x509 -key private.key -out certificate.crt -days 1460

# Create PKCS12 certificate with compatible format (NO PASSWORD)
openssl pkcs12 -export -out cert.p12 \
  -inkey private.key \
  -in certificate.crt \
  -name "documenso" \
  -passout pass: \
  -keypbe PBE-SHA1-3DES \
  -certpbe PBE-SHA1-3DES \
  -macalg sha1

# Set correct ownership (container runs as UID 1001)
chown 1001:1001 cert.p12 certificate.crt private.key
chmod 644 cert.p12 certificate.crt private.key

Step 4: Verify Certificate

Check the certificate was created correctly:

# Check file permissions
ls -la /app/certs/cert.p12

# Verify certificate structure (should show no errors)
openssl pkcs12 -info -in cert.p12 -passin pass: -noout

Expected output should show:

MAC: sha1, Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

Exit the container:

exit

Step 5: Restart and Test

Restart the Documenso service:

docker-compose restart documenso

Step 6: Test Document Signing

  1. Access your Documenso web interface
  2. Create a new document
  3. Add recipients and signature fields
  4. Complete the signing process
  5. Verify the document completes without errors

Key Success Factors

  1. Volume Persistence: Using documenso_certs:/app/certs ensures certificates survive container restarts

  2. Correct Permissions: Creating certificates as root then changing ownership to 1001:1001 (nodejs user)

  3. Compatible Certificate Format: Using older encryption algorithms:
     • PBE-SHA1-3DES instead of modern PBES2/AES-256
     • sha1 MAC algorithm instead of sha256

  4. No Password: Eliminating password complexity by using empty passphrase

  5. Production Mode: Setting NODE_ENV=production forces the app to use the certificate file path

Troubleshooting

If you still get errors:

  1. Check file permissions:

    docker-compose exec documenso ls -la /app/certs/

  2. Verify certificate format:

    docker-compose exec documenso openssl pkcs12 -info -in /app/certs/cert.p12 -passin pass: -noout

  3. Check environment variables:

    docker-compose exec documenso env | grep SIGNING

This setup ensures reliable document signing without certificate-related errors.

Additional Information & Alternatives (optional)

No response

Do you want to work on this improvement?

No

Please check the boxes that apply to this improvement suggestion.

  • I have searched the existing issues and improvement suggestions to avoid duplication.
  • I have provided a clear description of the improvement being suggested.
  • I have explained the rationale behind this improvement.
  • I have included any relevant technical details or design suggestions.
  • I understand that this is a suggestion and that there is no guarantee of implementation.
kerem 2026-02-26 18:47:32 +03:00
Author
Owner

@github-actions[bot] commented on GitHub (Jul 10, 2025):

Thank you for opening your first issue and for being a part of the open signing revolution!

One of our team members will review it and get back to you as soon as possible 💚

Meanwhile, please feel free to hop into our community in Discord (https://documen.so/discord)

Author
Owner

@Dvalin21 commented on GitHub (Jul 29, 2025):

I'm wondering, if the certs would have to be done inside the container, wouldn't it be better to just have this be part of the container build function? It would seem as if the certs HAVE to be done a certain way in order to work. I had issues myself which I have a feeling you've probably run into before, that it would look for certs inside the container but not what I would mount to the container. I didn't think of making it a persistent volume and running it inside the container.

Author
Owner

@Dvalin21 commented on GitHub (Aug 3, 2025):

How do you activate the admin account? Also, I went through your process. It shows the signature and date, but it doesn't produce the certification receipt. I checked the properties of the file, and it doesn't show that the PDF was signed with the cert, although no errors came through during the signing.

Author
Owner

@Novapixel1010 commented on GitHub (Oct 18, 2025):

Thanks for this. I added this to start.sh to automatically make the cert and check /app/certs for a cert.

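The script below automates Step 3 and Step 4 of the guide in the issue description and does what @Novapixel1010 describes for start.sh: it checks /app/certs for an existing cert.p12, generates one in the legacy PKCS#12 layout if it is missing, then verifies the algorithms and the file ownership before the app starts. It is an added example, not Documenso's own start.sh and not code from the issue; it assumes the paths and UID 1001 from the guide, uses -subj to make openssl req non-interactive (the default subject /CN=Documenso Self-Signed is assumed), and the script name ensure-signing-cert.sh is hypothetical.

```shell
#!/bin/sh
# ensure-signing-cert.sh (hypothetical name): idempotent bootstrap for the
# Documenso signing certificate, written against the layout in the issue.
# Added example, not Documenso's own start.sh.
set -eu

CERT_DIR="${CERT_DIR:-/app/certs}"                    # volume from the compose file
P12="$CERT_DIR/cert.p12"                              # NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH
APP_UID="${APP_UID:-1001}"                            # uid the app runs as
SUBJECT="${CERT_SUBJECT:-/CN=Documenso Self-Signed}"  # assumed default; adjust as needed

# Step 3 of the guide, non-interactive: -subj replaces the openssl req prompts.
# Empty passphrase plus SHA1/3DES PBE and a sha1 MAC are what the issue reports
# the app accepts.
make_cert() {
  dir="$1"; subj="$2"
  openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/private.key" -out "$dir/certificate.crt" \
    -days 1460 -subj "$subj"
  openssl pkcs12 -export -out "$dir/cert.p12" \
    -inkey "$dir/private.key" -in "$dir/certificate.crt" -name documenso \
    -passout pass: -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# Step 4: read an `openssl pkcs12 -info` dump from stdin and confirm the three
# properties the guide's expected output shows. Prints the first mismatch and
# returns 1; returns 0 when the bundle has the expected legacy layout.
check_p12_info() {
  info="$(cat)"
  case "$info" in *"MAC: sha1,"*) ;; *) echo "MAC is not sha1"; return 1 ;; esac
  case "$info" in *"Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC"*) ;;
    *) echo "key bag is not PBE-SHA1-3DES (or no private key present)"; return 1 ;; esac
  case "$info" in *"Certificate bag"*) ;; *) echo "no certificate bag"; return 1 ;; esac
  return 0
}

# Ownership and mode check that works with both GNU and BusyBox ls: `ls -ln`
# prints the mode in field 1 and the numeric uid in field 3.
check_perms() {
  file="$1"; want_uid="$2"
  set -- $(ls -ln "$file")                            # word-split on purpose
  [ "$3" = "$want_uid" ] || { echo "$file owned by uid $3, want $want_uid"; return 1; }
  case "$1" in -r??r??r??*) ;; *) echo "$file mode $1 is not 644-style readable"; return 1 ;; esac
  return 0
}

main() {
  mkdir -p "$CERT_DIR"
  if [ ! -f "$P12" ]; then
    echo "no $P12 found, generating a self-signed signing certificate"
    make_cert "$CERT_DIR" "$SUBJECT"
    # Needs root (docker-compose exec --user root), exactly as in Step 3.
    chown "$APP_UID:$APP_UID" "$CERT_DIR"/cert.p12 "$CERT_DIR"/certificate.crt "$CERT_DIR"/private.key
    chmod 644 "$CERT_DIR"/cert.p12 "$CERT_DIR"/certificate.crt "$CERT_DIR"/private.key
  fi
  # The -info summary lines go to stderr, hence 2>&1 before the pipe.
  openssl pkcs12 -info -in "$P12" -passin pass: -noout 2>&1 | check_p12_info
  check_perms "$P12" "$APP_UID"
  echo "signing certificate at $P12 has the expected format and is readable by uid $APP_UID"
}

# Run only when executed as a script, so the functions can be sourced for testing.
case "${0##*/}" in ensure-signing-cert.sh) main "$@" ;; esac
```

Because cert.p12 carries the private key under an empty passphrase and is world-readable inside the container, the documenso_certs volume is the only thing protecting that key, so it should not be shared with other services or hosts.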