TrueNAS Scale

This guide walks you through installing OpenProject in a Docker container, configuring HTTPS with Certbot, and running it behind Apache with port forwarding (8443 → 443).


1. Prerequisites

Before starting, ensure you have:

  • A working TrueNAS system (Scale or with Docker support).

  • Docker and docker-compose installed on the TrueNAS host.

  • A valid DNS record pointing serverdomain.name.com to your server’s public IP.

  • Ports 80 and 443 accessible for initial certificate issuance.

  • Access to the container shell for OpenProject.


2. Obtain an SSL Certificate using Certbot

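We will use Certbot in standalone mode to get a certificate from Let’s Encrypt (or InCommon if your institution provides it). The command below targets the InCommon ACME endpoint, which uses external account binding (--eab-kid and --eab-hmac-key). Not all users will need these options: for Let’s Encrypt, which is Certbot’s default CA, omit --server, --eab-kid and --eab-hmac-key.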

apt-get update && apt-get install -y certbot python3-certbot-apache
certbot certonly \
  --standalone \
  --non-interactive \
  --agree-tos \
  --email yo*@*****le.edu \
  --server https://acme.sectigo.com/v2/InCommonRSAOV \
  --eab-kid "<your-kid>" \
  --eab-hmac-key "<your-hmac-key>" \
  --domain serverdomain.name.com \
  --cert-name serverdomain.name.com

Note: Replace:

  • yo*@*****le.edu with your email

  • serverdomain.name.com with your server’s domain

  • <your-kid> and <your-hmac-key> with your ACME credentials

When complete, your certificates will be stored in:

/etc/letsencrypt/live/serverdomain.name.com/

3. Configure Apache in the OpenProject Container

Create or edit the file:

nano /etc/apache2/sites-enabled/openproject.conf

Paste the configuration:

<VirtualHost *:443>
    ServerName serverdomain.name.com:8443
    ServerAlias serverdomain.name.com
    DocumentRoot /app/public

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/serverdomain.name.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/serverdomain.name.com/privkey.pem

    ProxyRequests Off
    ProxyPreserveHost On

    # Tell the backend we're on HTTPS and the external port is 8443
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Ssl "on"
    RequestHeader set X-Forwarded-Port "8443"

    # Reverse proxy to Puma on 8080
    ProxyPass        / http://127.0.0.1:8080/ retry=0
    ProxyPassReverse / http://127.0.0.1:8080/

    # Optional: Fix cookies and absolute Location headers
    ProxyPassReverseCookieDomain 127.0.0.1 serverdomain.name.com
    ProxyPassReverseCookiePath / /

    # Logs
    ErrorLog  ${APACHE_LOG_DIR}/openproject-error.log
    CustomLog ${APACHE_LOG_DIR}/openproject-access.log combined
</VirtualHost>

Enable required Apache modules inside the container:

a2enmod ssl proxy proxy_http headers rewrite
apache2ctl -t && apache2ctl graceful

4. Commit and Tag Your Container

Once the configuration is tested and working inside your running container:

docker commit ix-openproject-openproject-1 yourusername/openproject:0000001

docker tag yourusername/openproject:0000001 yourusername/openproject:latest

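This creates a saved image with your changes and a latest tag for easy redeploys. If Certbot was run inside the container as above, the committed image also contains /etc/letsencrypt, including privkey.pem, so keep this image local or in a private registry.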


5. Prepare Persistent Volumes for Data

On your TrueNAS system, create directories for OpenProject’s persistent data:

mkdir -p /mnt/tank/openproject/pgdata
mkdir -p /mnt/tank/openproject/assets

These will be mounted into the container for database storage and file uploads.


6. Update TrueNAS to Use the New Container

In your TrueNAS Apps configuration:

  • Change the image to:

    yourusername/openproject:latest

  • Map:

    • /mnt/tank/openproject/pgdata → /var/lib/postgresql/data

    • /mnt/tank/openproject/assets → /app/assets

  • Forward port 8443 on the host → 443 in the container.

  • Keep port 8080 internally for Puma.


7. Start the Updated Container

Once changes are saved, deploy the container from TrueNAS.
Visit:

https://serverdomain.name.com:8443

You should see your OpenProject instance running over HTTPS.


8. Maintenance & Renewal

To renew your SSL certificate:

certbot renew
apache2ctl graceful

You can automate this renewal using a cron job.
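
One way to script the cron job, as an added example that is not part of the original guide: it runs certbot renew, and reloads Apache only when the certificate file actually changed and apache2ctl -t passes. The script path, the cron schedule and the CERT, CERTBOT and APACHECTL variable names are assumptions.

```shell
#!/bin/sh
# Added example: renew, then reload Apache only if the certificate changed.
# Assumed install path and schedule (not from the guide), e.g. in crontab:
#   17 3 * * * /usr/local/bin/renew-openproject-cert.sh --run
CERT="${CERT:-/etc/letsencrypt/live/serverdomain.name.com/fullchain.pem}"
CERTBOT="${CERTBOT:-certbot}"          # overridable so the logic can be tested
APACHECTL="${APACHECTL:-apache2ctl}"

# Checksum of the certificate file Apache serves; empty if it is unreadable.
cert_id() { if [ -r "$1" ]; then cksum < "$1"; fi; }

renew_and_reload() {
    before=$(cert_id "$CERT")
    if ! "$CERTBOT" renew --quiet; then
        echo "renewal-failed"; return 1
    fi
    after=$(cert_id "$CERT")
    if [ "$before" = "$after" ]; then
        echo "unchanged"; return 0     # nothing was due: leave Apache alone
    fi
    # Same guard the guide uses: never reload on a broken configuration.
    if ! "$APACHECTL" -t; then
        echo "config-invalid"; return 2
    fi
    "$APACHECTL" graceful && echo "reloaded"
}

# Only act when invoked with --run, so the file can be sourced safely.
case "${1:-}" in --run) renew_and_reload ;; esac
```

The status word printed on each run (unchanged, reloaded, config-invalid, renewal-failed) can be redirected to a log file from the crontab entry to keep a renewal history.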


Summary

You have:

  • Obtained and installed an SSL certificate via Certbot.

  • Configured Apache inside the OpenProject container with HTTPS and reverse proxying.

  • Committed your working container to a custom Docker image.

  • Set up persistent storage for PostgreSQL and assets.

  • Updated your TrueNAS app configuration to use the new image and port mapping.