Access forbidden after update from NC 10.0.4 to NC 11.0.2

victorbw · April 12, 2017, 1:04pm

Hi Everybody

I’m still facing the issue where collabora shows up only with the information “access forbidden”.

I followed through my own (no, no sarcasm) published walktrough on howto get collabora running, which works perfectly fine on freshly installed nc11-instances:
https://help.nextcloud.com/t/easy-howto-collabora-ubuntu-16-04-with-docker-and-selfsigned-wildcard-certificates/5614

this is my nextcloud.conf, running on apache2, ubuntu 16.04 LTS (no worries, had to replace the <> with -, otherwise it wont show up correctly here):

-VirtualHost :80-
#### Redirect to port 443 ###
RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.) https://%{HTTP_HOST}/$1 [NC,R,L]
#### End of Redirection configuration ###
ServerName private.private.ch
ServerAdmin private@private.ch
DocumentRoot /var/www/html/nextcloud
-Directory /var/www/html/nextcloud-
Options +FollowSymlinks
AllowOverride All
-IfModule mod_dav.c-
Dav off
-/IfModule-
SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
-/Directory-
-/VirtualHost-
-VirtualHost :443-
####Configuration for SSL #####
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/private.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateChainFile /etc/apache2/ssl/rapidssl_intermediate.crt
###END OF SSL CONFIGURATION###
AllowEncodedSlashes NoDecode
# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
# keep the host
ProxyPreserveHost On
# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet
# WOPI discovery URL
ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery
# Main websocket
ProxyPassMatch "/lool/(.)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
# Admin Console websocket
ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws
# Download as, Fullscreen presentation and Image upload operations
ProxyPass /lool https://127.0.0.1:9980/lool
ProxyPassReverse /lool https://127.0.0.1:9980/lool
ServerName private.private.ch
ServerAdmin private@private.ch
Header always add Strict-Transport-Security “max-age=15768000”
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
DocumentRoot /var/www/html/nextcloud/
-Directory /var/www/html/nextcloud-
Options +FollowSymlinks
AllowOverride All
-IfModule mod_dav.c-
Dav off
-/IfModule-
SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
-/Directory-
-/VirtualHost-

and yes, the certificate mentioned above is a public-signed wildcart-certificate, which also has been added to the trusted “ca-bundle.crt” including the whole chain of sub- and root-ca-certificates.

my docker logs wont show anything useful for further debugging:

docker logs amazing_allen
Generating RSA private key, 2048 bit long modulus
.+++
…+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.0.4 - 2.0.4
office version details: { “ProductName”: “Collabora Office”, “ProductVersion”: “5.1”, “ProductExtension”: “.10.21”, “BuildId”: “e91d2c2d59b035e40bdefac5fe06fb210180ed86” }
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.0.4 - 2.0.4
office version details: { “ProductName”: “Collabora Office”, “ProductVersion”: “5.1”, “ProductExtension”: “.10.21”, “BuildId”: “e91d2c2d59b035e40bdefac5fe06fb210180ed86” }

all of the used browsers (IE 11, Opera, Firefox, Chrome) give the same error: “access forbidden”, so I hope that it has nothing to do with the browsers at all. nonetheless im posting an error which poped up whilst using the firefox console:

Content Security Policy: Die Direktive 'frame-src' sollte nicht mehr verwendet werden. Bitte verwenden Sie stattdessen die Direktive 'child-src'.

anyone having an idea where to start?

Walker_Wei · April 13, 2017, 2:43am

How is your nextcloud now?Mine also cannot access to the file when the collabora onlie is enable

victorbw · April 13, 2017, 6:57am

it is not working at all, dunno where to look after or if im everything is depended from what collabora updates next in their image

Walker_Wei · April 14, 2017, 1:28am

I change back to NC 10.0.4:joy:reply three times

Walker_Wei · April 14, 2017, 3:55am

Oh…my NC11 with collabora online work now.Check your config maybe something wrong.
Or check your SELinux config with:
/usr/sbin/getsebool -a |grep httpd_can_network_connect
if httpd_can_network_connect=off,you need to turn it on with
/usr/sbin/setsebool -P httpd_can_network_connect=1

victorbw · April 18, 2017, 7:41am

actually I never had it activated:

/usr/sbin/getsebool: SELinux is disabled

anything else?

victorbw · May 9, 2017, 12:18pm

as a little update, im listing what seems a bit odd to me when getting the xml-entries from “/hosting/discovery”:

<app name="application/vnd.lotus-wordpro">
<action ext="lwp" name="view" urlsrc="https://office.domain.ch/loleaflet/b2e736a3/loleaflet.html?"/>
</app>

I’m not sure about this, but I was expecting some sort of a version-string after “loleaflet/” and not some random hex.

also I’ve noted that the storage driver is BTRFS, hope this doesnt affect collabora in anyways (why should it at all?):

root@office:~# docker info
Containers: 1
 Running: 1
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 17.05.0-ce
Storage Driver: btrfs
 Build Version: Btrfs v4.4
 Library Version: 101
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-77-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.851GiB
Name: office.domain.ch
ID: 5J65:LWMM:YTGH:FPCJ:LHJF:LZUL:RSYI:236X:3UH7:FCQK:TWBI:I62I
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support
root@office:~# grep aufs /proc/filesystems
nodev   aufs

but obviously its showing now some errors in the docker logs:

docker logs elegant_ardinghelli
Generating RSA private key, 2048 bit long modulus
.+++
................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
..+++
................................................................................+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.1.0 - b2e736a3
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.3", "ProductExtension": ".10.10", "BuildId": "77b0d93c0f6ff6490e909dbd81b1994862a31b3a" }
wsd-00024-00025 12:01:37.500018 [ prisoner_poll ] WRN  ForKit not responsive for 6246 ms forking 1 children. Resetting.| wsd/LOOLWSD.cpp:338
Generating RSA private key, 2048 bit long modulus
......+++
................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
..........................................................................................................+++
...........................................................................................+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.1.0 - b2e736a3
kit-00028-00026 12:03:06.019522 [ loolkit ] ERR  symlink("../lo","/opt/lool/child-roots/28/opt/collaboraoffice5.3") failed (errno: File exists)| kit/Kit.cpp:271
kit-00028-00026 12:03:06.019874 [ loolkit ] ERR  Poco Exception: Exception: symlink() failed| kit/Kit.cpp:1895
Generating RSA private key, 2048 bit long modulus
...............................................................................+++
......................................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
...........................+++
.......+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.1.0 - b2e736a3
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.3", "ProductExtension": ".10.10", "BuildId": "77b0d93c0f6ff6490e909dbd81b1994862a31b3a" }

I was expecting that the xml-url would be 2.1.0 but shows instead b2e736a3 (like in loolforkit version details: 2.1.0 - b2e736a3).

still looking for any hints