How to Set Up a Leanote Server on CentOS 7

Leanote is a free, lightweight, open source alternative to Evernote, written in Golang. With user experience in mind, Leanote provides users with plenty of practical features, including cross-platform support, writing in the Markdown syntax, public or private blogging, knowledge gathering and sharing, and team collaboration.

In this article, I will guide you through setting up a Leanote server on a CentOS 7 server instance. For security purposes, enabling HTTPS support using a Let’s Encrypt SSL certificate and Nginx will also be covered.


  • A newly deployed Vultr CentOS 7 server instance. Say its IPv4 address is
  • A sudo user named leanote.
  • All of the software packages on the machine have been updated to the latest stable status using the EPEL YUM repo. See details here.
  • A domain being pointed to the server instance mentioned above.

Step 1: Create a swap file

When firing up a new Vultr CentOS 7 server instance, it’s always recommended to set up a swap file to keep the system running smoothly. For example, a 2048MB swap file suits a machine with 2GB of memory.

sudo dd if=/dev/zero of=/swapfile count=2048 bs=1M
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile   none    swap    sw    0   0' | sudo tee -a /etc/fstab
free -m

Note: If you are using a different server size, you may need to modify the size of the swap file.

Step 2: Obtain Leanote 2.6.1 binary files

Download and extract the latest stable release of Leanote for 64-bit Linux system:

cd
wget
tar -zxvf leanote-linux-amd64-v2.6.1.bin.tar.gz

Step 3: Install MongoDB Community Edition 4.0

As required by Leanote, the MongoDB NoSQL DBMS has to be in place before you can successfully set up a Leanote server.

Set up the MongoDB 4.0 YUM repo

Create the MongoDB 4.0 YUM repo as follows:

cat <<EOF | sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=\$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=
EOF

Install MongoDB 4.0 packages using YUM

Install all of the MongoDB components and tools using the MongoDB 4.0 YUM repo created earlier:

sudo yum install -y mongodb-org

Configure SELinux for MongoDB 4.0

By default, MongoDB listens on port 27017, which is not allowed if SELinux is in enforcing mode on the CentOS 7 machine. Use the following command to confirm the current SELinux mode:

sudo getenforce

On a Vultr CentOS 7 server instance, SELinux is disabled by default. So the output of the above command would be:

Disabled

In this case, you can skip the following instructions on configuring SELinux and move on.

However, if you are running an original CentOS 7 server instance, the output of the above command would be Enforcing. You need to perform any one of the three options below before you can start and enable the MongoDB service.

  • Option 1: Allow MongoDB to use the 27017 port

    sudo semanage port -a -t mongod_port_t -p tcp 27017
  • Option 2: Disable SELinux

    sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
    sudo shutdown -r now
  • Option 3: Change SELinux to permissive mode

    sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
    sudo shutdown -r now

Start the MongoDB service and make it start following a system reboot:

sudo systemctl start mongod.service
sudo systemctl enable mongod.service

Step 4: Import initial Leanote data into MongoDB

Use the commands below to import initial Leanote data into MongoDB:

rm /home/leanote/leanote/mongodb_backup/leanote_install_data/.DS_Store
mongorestore --host localhost -d leanote --dir /home/leanote/leanote/mongodb_backup/leanote_install_data/

Step 5: Enable MongoDB authentication

For security purposes, you need to enable access control to MongoDB right after the MongoDB service is up and running. For this purpose, you need to create at least two MongoDB user accounts: a user administrator account and a database administrator account. You will also need to modify the MongoDB configuration.

Enter the MongoDB shell:

mongo --host

Switch to the admin database:

use admin

Create a user administrator named useradmin that uses a password useradminpassword:

db.createUser({ user: "useradmin", pwd: "useradminpassword", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] })

Note: The user administrator useradmin is supposed to manage all MongoDB users, so it’s wise to choose a strong password. For additional security, replace useradmin with a hard-to-guess user name.

Switch to the leanote database:

use leanote

Create a database administrator named leanoteadmin that uses a password leanoteadminpassword:

db.createUser({ user: "leanoteadmin", pwd: "leanoteadminpassword", roles: [{ role: "dbOwner", db: "leanote" }] })

Note: Again, it’s recommended to choose a lesser-known user name and a hard-to-guess password.

Having the MongoDB users created, you can confirm the results:

use admin
db.auth("useradmin", "useradminpassword")

Confirm the database admin:

use leanote
db.auth("leanoteadmin", "leanoteadminpassword")

Both will output 1 as confirmation.

Exit the MongoDB shell:


In order to enable access control to MongoDB, you also need to append two lines to the MongoDB config file /etc/mongod.conf, as follows:

sudo bash -c "echo 'security:' >> /etc/mongod.conf"
sudo bash -c "echo '  authorization: enabled' >> /etc/mongod.conf"

Restart the MongoDB service in order for the modifications to take effect:

sudo systemctl restart mongod.service

From now on, you can only use the two user accounts to access and manage MongoDB, useradmin for managing all MongoDB users and leanoteadmin for managing the leanote database only.
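The two echo appends in this step are not idempotent: running them twice leaves two security: keys in /etc/mongod.conf. The following added example (not part of the original article) reports whether a config file enforces authorization and appends the two lines only when no security: section exists; the function names are hypothetical.

```shell
# Added example; function names are hypothetical, not part of MongoDB or Leanote.

# Print the access-control state of a mongod.conf; return 0 only if it is enforced.
mongod_auth_state() {
    conf="$1"
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk '
        /^[ \t]*#/          { next }                 # stock file ships "#security:" commented out
        /^security:[ \t]*$/ { sections++; in_sec = 1; next }
        /^[^ \t]/           { in_sec = 0 }           # another top-level key closes the section
        in_sec && /^[ \t]+authorization:[ \t]*"?enabled"?[ \t]*$/ { on = 1 }
        END {
            if (sections > 1) { print "duplicate-security"; exit 1 }
            if (on)           { print "enabled"; exit 0 }
            print "disabled"; exit 1
        }
    ' "$conf"
}

# Append the two lines from this step once; refuse to touch an ambiguous file.
mongod_enable_auth() {
    conf="$1"
    state=$(mongod_auth_state "$conf") && return 0         # already enforced
    [ "$state" = "disabled" ] || { echo "refusing to edit: $state" >&2; return 1; }
    if grep -q '^security:' "$conf"; then
        echo "security: section present without authorization; edit it by hand" >&2
        return 1
    fi
    [ -z "$(tail -c 1 "$conf")" ] || echo >> "$conf"       # keep "security:" on its own line
    printf 'security:\n  authorization: enabled\n' >> "$conf"
}
```

Writing to /etc/mongod.conf requires root, and mongod still has to be restarted afterwards as shown above.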

Step 6: Configure Leanote

Backup the Leanote config file /home/leanote/leanote/conf/app.conf:

cd /home/leanote/leanote/conf/
cp app.conf app.conf.bak

Use the vi editor to open the Leanote config file:

vi app.conf

Find the following lines one by one:

site.url=http://localhost:9000
db.username= # if not exists, please leave it blank
db.password= # if not exists, please leave it blank
app.secret=V85ZzBeTnzpsHyjQX4zukbQ8qqtju9y2aDM55VWxAH9Qop19poekx3xkcDVvrD0y

Replace them, respectively, as shown below:


Note: For security purposes, the value of the app.secret parameter MUST be a 64-bit random string that is different from the original one. Make sure to replace the value E52tyCDBRk39HmhdGYJLBS3etXpnz7DymmxkgHBYxd7Y9muWVVJ5QZNdDEaHV2sA with your own 64-bit random value.
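As an added example, not from the original article or the Leanote project, the following shell functions flag an app.conf that still carries either app.secret value printed on this page and replace it with a fresh random value once the file has been saved. The function names are hypothetical, and the 64-character alphanumeric format is an assumption taken from the length of the two sample values above.

```shell
# Added example; function names are hypothetical, not part of Leanote.

# Both app.secret values printed in this article are public and must not be kept.
KNOWN_SECRETS='V85ZzBeTnzpsHyjQX4zukbQ8qqtju9y2aDM55VWxAH9Qop19poekx3xkcDVvrD0y
E52tyCDBRk39HmhdGYJLBS3etXpnz7DymmxkgHBYxd7Y9muWVVJ5QZNdDEaHV2sA'

# Return 0 (weak) if app.secret is missing, shorter than 64 characters
# (assumed length), or equal to one of the published values.
leanote_secret_is_weak() {
    secret=$(sed -n 's/^app\.secret=//p' "$1" | head -n 1)
    [ "${#secret}" -ge 64 ] || return 0
    for known in $KNOWN_SECRETS; do
        if [ "$secret" = "$known" ]; then return 0; fi
    done
    return 1
}

# Replace app.secret in place with 64 random alphanumeric characters.
leanote_rotate_secret() {
    conf="$1"
    grep -q '^app\.secret=' "$conf" || { echo "no app.secret line in $conf" >&2; return 1; }
    new=$(head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c 1-64)
    [ "${#new}" -eq 64 ] || return 1          # guard against a short read
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    if sed "s/^app\.secret=.*/app.secret=$new/" "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"; rc=$?           # overwrite in place to keep owner and mode
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```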

Save and quit:


Step 7: Start Leanote

Modify firewall rules in order to allow inbound TCP traffic on port 9000:

sudo firewall-cmd --permanent --add-port=9000/tcp
sudo systemctl reload firewalld.service

Start Leanote using the official script:

cd /home/leanote/leanote/bin
bash run.sh

Upon seeing Listening on.., point your favorite web browser to to start using the Leanote site.

Use the default Leanote admin account to sign in:

  • Username: admin
  • Password: abc123

For security purposes, you should change the default password immediately after signing in.

Step 8: Enable HTTPS access

For now, you can already access the Leanote server using the HTTP protocol, a less secure protocol. In order to improve system security, you can enable HTTPS by deploying both a Let’s Encrypt SSL certificate and the Nginx reverse proxy on your machine.

Properly set up a hostname and fully qualified domain name (FQDN)

Before you can obtain the Let’s Encrypt SSL certificate, you need to properly set up the hostname and FQDN on your machine.

First, press CTRL+C to stop the Leanote script.

Next, set up the hostname and FQDN as follows:

sudo hostnamectl set-hostname leanote
cat <<EOF | sudo tee /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
203.0.113.1 leanote
EOF

You can confirm the results, as well:

hostname
hostname -f

Modify firewall rules

Block inbound traffic on port 9000 and allow inbound traffic on ports for HTTP and HTTPS services:

sudo firewall-cmd --permanent --remove-port=9000/tcp
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo systemctl reload firewalld.service

Apply for a Let’s Encrypt SSL certificate

Install the Certbot utility:

sudo yum -y install yum-utils
sudo yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
sudo yum install -y certbot

Apply for a Let’s Encrypt SSL certificate for the domain

sudo certbot certonly --standalone --agree-tos --no-eff-email -m -d

The certificate and chain will be saved as follows:


The private key file will be saved as follows:


By default, the Let’s Encrypt SSL certificate will expire in three months. You can set up a cron job, as shown below, to auto-renew your Let’s Encrypt certificates:

sudo crontab -e

Press I to enter the insert mode, and then input the following line:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

Save and quit:


This cron job will try to renew the Let’s Encrypt certificate every day at noon.

Install Nginx as a reverse proxy

Install Nginx using the EPEL YUM repo:

sudo yum install -y nginx

Create a config file for Leanote:

cat <<EOF | sudo tee /etc/nginx/conf.d/leanote.conf
# Redirect HTTP to HTTPS
server {
    listen      80;
    server_name;
    return      301 https://\$server_name\$request_uri;
}
server {
    # Setup HTTPS certificates
    listen       443 default ssl;
    server_name;
    ssl_certificate      /etc/letsencrypt/live/;
    ssl_certificate_key  /etc/letsencrypt/live/;
    # Proxy to the Leanote server
    location / {
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host  \$http_host;
        proxy_set_header Host              \$http_host;
        proxy_max_temp_file_size           0;
        proxy_pass               ;
        proxy_redirect                     http:// https://;
    }
}
EOF

Restart Nginx in order to put your modifications into effect:

sudo systemctl daemon-reload
sudo systemctl restart nginx.service
sudo systemctl enable nginx.service

Modify the site.url setting in the Leanote config file:

cd /home/leanote/leanote/conf/
vi app.conf

Find the following line:


Replace it:


Save and quit:


Run the Leanote script again:

cd /home/leanote/leanote/bin
bash run.sh

Now, point your favorite web browser to, and you will find that the HTTPS protocol is activated automatically. Just sign in as the admin user with the new password you set up earlier or register new user accounts for team collaboration.

Again, press CTRL+C to stop the Leanote script. We will daemonize this script later.

Step 9: Install the wkhtmltopdf program

Leanote chooses to use the wkhtmltopdf program to export HTML pages as PDF files. Install wkhtmltopdf:

cd
wget
sudo yum localinstall -y wkhtmltox-0.12.5-1.centos7.x86_64.rpm
which wkhtmltopdf

Don’t forget to submit the wkhtmltopdf binary path /usr/local/bin/wkhtmltopdf in the Export PDF section in the Leanote web admin dashboard when Leanote is up and running again.

Note: If you find unreadable characters in exported PDF files, you can try to fix the issue by adding required font files to the /usr/share/fonts/ directory.

Step 10: Use Supervisor to keep the Leanote script up and running

In order to keep your Leanote site online, you can use the Supervisor utility to auto-start the Leanote script if it crashes.

Install Supervisor using YUM:

sudo yum install -y supervisor

Create a simple Supervisor .ini file for Leanote:

cat <<EOF | sudo tee /etc/supervisord.d/leanote.ini
[program:leanote]
command=bash /home/leanote/leanote/bin/run.sh
directory=/home/leanote/leanote/bin/
priority=999
autostart=true
autorestart=true
user=leanote
redirect_stderr=true
EOF

Start the Supervisor service, as well as the Leanote service:

sudo supervisord -c /etc/supervisord.conf

Confirm the status of the Leanote service:

sudo supervisorctl status leanote

The output will resemble the following:

leanote                          RUNNING   pid 3707, uptime 0:02:36
