3.9 KiB
Document Signing — DocuSeal Deployment
Deploy
# docker-compose.yml — deployed at /root/docker/docuseal/
services:
docuseal:
image: docuseal/docuseal:latest
container_name: docuseal
restart: always
ports:
- "127.0.0.1:3000:3000"
volumes:
- ./data:/data
environment:
- HOST=http://localhost:3000
- FORCE_SSL=false
Deploy:
docker compose -f /root/docker/docuseal/docker-compose.yml up -d
Live Status (Jul 7, 2026)
- URL: https://sign.itpropartner.com — LIVE with HTTPS via Caddy
- Caddy config:
/etc/caddy/Caddyfile— reverse proxy to 127.0.0.1:3000 - Admin: info@itpropartner.com (Germaine Brown)
- API Token: yyQ39y1fPtvWzUzFPZXfGBJhGD9ko3o7ACZLc3388sz
- Docker: docuseal/docuseal:latest on Core (netcup)
- Data:
/root/docker/docuseal/data/(SQLite) - Port 443 freed by: Stopping Tailscale Serve (which was serving portal mockups)
API Usage
curl -s -H "X-Auth-Token: <token>" https://sign.itpropartner.com/api/user
Why DocuSeal over Documenso
| Factor | Documenso | DocuSeal |
|---|---|---|
| Docker image | 690 MB | 227 MB |
| Database | PostgreSQL required | SQLite (no extra service) |
| Embed SDK | Paid (~$300/yr) | Free (React, Vue, Angular, JS) |
| Webhooks | Basic | Auto-retry |
| Features | Core signing | Bulk CSV send, conditional fields, SMS |
Usage across entities
- Debt Recovery Experts — LPOA notarization via Proof API + service agreements via DocuSeal
- Forefront Wireless — customer service agreements, waivers
- BoxPilot Logistics — intake forms, LPOA
- Apex Track Experience — liability waivers (alternative to WPForms)
Planned Webhook (DRE)
When the DRE portal builds: https://debtrecoveryexperts.com/api/webhooks/docuseal — events: document signed, completed, signer link opened.
Note on Notarized Documents (LPOA)
DocuSeal handles digital signatures (ESIGN/UETA compliant). For Remote Online Notarization (RON) of Limited Power of Attorney forms, use Proof (formerly Notarize) API — ~$25-35 per notarization, with on-demand notaries 24/7. Texas RON compliant (HB 3496, SB 1624).
Digest timestamp server
In DocuSeal e-signature settings, set the RFC 3161 timestamp server to: http://timestamp.digicert.com (DigiCert, free, no auth, universally trusted). This embeds a cryptographic timestamp in every signed document for long-term verification validity. Backup option: http://timestamp.sectigo.com.
TLS setup (blocked port 443)
Tailscale Serve uses port 443 for tailnet HTTPS. To run a public-facing web service on port 443 alongside Tailscale, either:
- Stop Tailscale Serve (
tailscale serve --https=443 off) — frees port 443 for Caddy/nginx. The portal mockups will lose their tailscale URL until re-served on a different port or redirected. - Or use Cloudflare Tunnel (cloudflared) — creates an outbound-only tunnel to Cloudflare's edge, lives on an ephemeral port, never conflicts with other services. Requires
cloudflared tunnel login(browser-based OAuth to Cloudflare account). The tunnel cert file is created in~/.cloudflared/. After auth, create the tunnel, route the DNS, and configure ingress.
Pitfall: cloudflared tunnel login prints a URL that must be opened in a browser OUTSIDE the terminal — it's an OAuth flow. If there's no browser available (headless server), use a different approach.
DocuSeal auth setup
After first deployment at https://sign.itpropartner.com, the initial visit redirects to /setup — create the admin account (name, email, password, company). After setup, generate an API token from Settings → API tokens. Token format: yyQ39y... (JWT-like string). The token read-only endpoint: GET /api/user with X-Auth-Token header.
Backup Required
/root/docker/docuseal/data/ contains the SQLite DB (all users, templates, signed documents). NOT yet in the nightly S3 backup rotation — needs to be added.