OK, I may have solved this for myself.
I really think this topic is inadequately covered.
The problem as I’ve alluded to is two-fold. In order for the certs and keys to be secure and to eliminate issues with self-signed keys, there must be a way for them to be securely available to both apache2 and to the loolwsd service.
Digging around the certbot documentation, I found a section on hook scripts. This documentation can be found under https://certbot.eff.org/docs/using.html#renewing-certificates
They provide a deployment hook script for just this occasion, where a service/daemon can’t read the system ssl certs.
You will want to do these as root or with the power of sudo.
Here’s my version, modified for loolwsd:
for domain in $RENEWED_DOMAINS; do
case $domain in
# Make sure the certificate and private key files are
# never world readable, even just for an instant while
# we're copying them into daemon_cert_root.
cp "$RENEWED_LINEAGE/fullchain.pem" "$daemon_cert_root/$domain.cert"
cp "$RENEWED_LINEAGE/privkey.pem" "$daemon_cert_root/$domain.key"
# Apply the proper file ownership and permissions for
# the daemon to read its certificate and key.
chown lool "$daemon_cert_root/$domain.cert" \
chmod 400 "$daemon_cert_root/$domain.cert" \
service loolwsd restart >/dev/null
You will need to make an “/etc/loolwsd/certs” directory and chown it to lool and I would highly recommend changing the permissions to rw for the lool user:
chmod 700 /etc/loolwsd/certs
chown lool:lool /etc/loolwsd/certs
Then run certbot to get the letsencrypt certs for your Collabora Online domain:
certbot -d office.nextcloud.com
If you’ve run certbot before, you’ll know it wont create the cert’s unless the domain already exists and is being served by your apache server. I have the standard apache reverse proxy entry for my Collabora Online domain that can be found on both the https://www.collaboraoffice.com/code/ site as well as the https://nextcloud.com/collaboraonline/ site. The certbot script should update the SSLCert* lines for you.
Unfortunately, I haven’t been able to confirm the hook file will run on renewal, but I will try to remember to update this post when it renews.
 I forgot to mention that the SSLCert* paths have to be update in /etc/loolwsd/loolwsd.xml to reflect the path and files created above and used by the hook script.
<cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/certs/office.nextcloud.com.cert</cert_file_path>
<key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/certs/office.nextcloud.com.key</key_file_path>
It should be obvious, but I’ll mention this for completeness, use your domain for this and not “office.nextcloud.com”.