Access forbidden after update from NC 10.0.4 to NC 11.0.2

Hi Everybody

I’m still facing the issue where collabora shows up only with the information “access forbidden”.

I followed through my own (no, no sarcasm) published walkthrough on how to get collabora running, which works perfectly fine on freshly installed nc11-instances:
https://help.nextcloud.com/t/easy-howto-collabora-ubuntu-16-04-with-docker-and-selfsigned-wildcard-certificates/5614

this is my nextcloud.conf, running on apache2, ubuntu 16.04 LTS (no worries, had to replace the <> with -, otherwise it won't show up correctly here):

-VirtualHost *:80-
#### Redirect to port 443 ###
RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
#### End of Redirection configuration ###
ServerName private.private.ch
ServerAdmin private@private.ch
DocumentRoot /var/www/html/nextcloud
-Directory /var/www/html/nextcloud-
Options +FollowSymlinks
AllowOverride All
-IfModule mod_dav.c-
Dav off
-/IfModule-
SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
-/Directory-
-/VirtualHost-
-VirtualHost *:443-
####Configuration for SSL #####
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/private.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateChainFile /etc/apache2/ssl/rapidssl_intermediate.crt
###END OF SSL CONFIGURATION###
AllowEncodedSlashes NoDecode
# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
# keep the host
ProxyPreserveHost On
# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet
# WOPI discovery URL
ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery
# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
# Admin Console websocket
ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws
# Download as, Fullscreen presentation and Image upload operations
ProxyPass /lool https://127.0.0.1:9980/lool
ProxyPassReverse /lool https://127.0.0.1:9980/lool
ServerName private.private.ch
ServerAdmin private@private.ch
Header always add Strict-Transport-Security "max-age=15768000"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
DocumentRoot /var/www/html/nextcloud/
-Directory /var/www/html/nextcloud-
Options +FollowSymlinks
AllowOverride All
-IfModule mod_dav.c-
Dav off
-/IfModule-
SetEnv HOME /var/www/html/nextcloud
SetEnv HTTP_HOME /var/www/html/nextcloud
-/Directory-
-/VirtualHost-

and yes, the certificate mentioned above is a public-signed wildcard certificate, which also has been added to the trusted “ca-bundle.crt” including the whole chain of sub- and root-ca-certificates.

my docker logs won't show anything useful for further debugging:

docker logs amazing_allen
Generating RSA private key, 2048 bit long modulus
.+++
…+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.0.4 - 2.0.4
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.1", "ProductExtension": ".10.21", "BuildId": "e91d2c2d59b035e40bdefac5fe06fb210180ed86" }
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.0.4 - 2.0.4
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.1", "ProductExtension": ".10.21", "BuildId": "e91d2c2d59b035e40bdefac5fe06fb210180ed86" }

all of the used browsers (IE 11, Opera, Firefox, Chrome) give the same error: “access forbidden”, so I hope that it has nothing to do with the browsers at all. nonetheless I'm posting an error which popped up whilst using the firefox console:

Content Security Policy: Die Direktive 'frame-src' sollte nicht mehr verwendet werden. Bitte verwenden Sie stattdessen die Direktive 'child-src'.

anyone having an idea where to start?

How is your nextcloud now? Mine also cannot access the file when collabora online is enabled

it is not working at all, dunno where to look or if everything depends on what collabora updates next in their image :confused:

:pensive: I changed back to NC 10.0.4 :joy: reply three times

Oh… my NC11 with collabora online works now. Check your config, maybe something is wrong.
Or check your SELinux config with:
/usr/sbin/getsebool -a |grep httpd_can_network_connect
if httpd_can_network_connect=off, you need to turn it on with
/usr/sbin/setsebool -P httpd_can_network_connect=1

actually I never had it activated:

/usr/sbin/getsebool: SELinux is disabled

anything else?

as a little update, I'm listing what seems a bit odd to me when getting the xml-entries from “/hosting/discovery”:

<app name="application/vnd.lotus-wordpro">
<action ext="lwp" name="view" urlsrc="https://office.domain.ch/loleaflet/b2e736a3/loleaflet.html?"/>
</app>

I’m not sure about this, but I was expecting some sort of a version-string after “loleaflet/” and not some random hex.

also I’ve noted that the storage driver is BTRFS, hope this doesn't affect collabora in any way (why should it at all?):

root@office:~# docker info
Containers: 1
 Running: 1
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 17.05.0-ce
Storage Driver: btrfs
 Build Version: Btrfs v4.4
 Library Version: 101
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-77-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.851GiB
Name: office.domain.ch
ID: 5J65:LWMM:YTGH:FPCJ:LHJF:LZUL:RSYI:236X:3UH7:FCQK:TWBI:I62I
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support
root@office:~# grep aufs /proc/filesystems
nodev   aufs

but obviously it's showing now some errors in the docker logs:

docker logs elegant_ardinghelli
Generating RSA private key, 2048 bit long modulus
.+++
................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
..+++
................................................................................+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.1.0 - b2e736a3
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.3", "ProductExtension": ".10.10", "BuildId": "77b0d93c0f6ff6490e909dbd81b1994862a31b3a" }
wsd-00024-00025 12:01:37.500018 [ prisoner_poll ] WRN  ForKit not responsive for 6246 ms forking 1 children. Resetting.| wsd/LOOLWSD.cpp:338
Generating RSA private key, 2048 bit long modulus
......+++
................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
..........................................................................................................+++
...........................................................................................+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.1.0 - b2e736a3
kit-00028-00026 12:03:06.019522 [ loolkit ] ERR  symlink("../lo","/opt/lool/child-roots/28/opt/collaboraoffice5.3") failed (errno: File exists)| kit/Kit.cpp:271
kit-00028-00026 12:03:06.019874 [ loolkit ] ERR  Poco Exception: Exception: symlink() failed| kit/Kit.cpp:1895
Generating RSA private key, 2048 bit long modulus
...............................................................................+++
......................................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
...........................+++
.......+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.1.0 - b2e736a3
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.3", "ProductExtension": ".10.10", "BuildId": "77b0d93c0f6ff6490e909dbd81b1994862a31b3a" }

I was expecting that the xml-url would be 2.1.0 but shows instead b2e736a3 (like in loolforkit version details: 2.1.0 - b2e736a3).

still looking for any hints :frowning:
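
An added example, not part of any post in this thread and not Collabora or Nextcloud code: a Python check that compares each urlsrc in the discovery XML with the "loolforkit version details" line from the container log and with the hostname the browser is expected to use. The sample input is constructed from the fragments quoted above; the function names, the XML wrapper elements and the expected_host parameter are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the <app> entry and log line quoted in the thread;
# the <wopi-discovery>/<net-zone> wrapper is added so the fragment parses.
DISCOVERY_XML = """<wopi-discovery><net-zone name="external-https">
<app name="application/vnd.lotus-wordpro">
<action ext="lwp" name="view" urlsrc="https://office.domain.ch/loleaflet/b2e736a3/loleaflet.html?"/>
</app>
</net-zone></wopi-discovery>"""
LOG_LINE = "loolforkit version details: 2.1.0 - b2e736a3"


def parse_version_line(line):
    """Split 'loolforkit version details: <version> - <build>' into its two fields."""
    m = re.search(r"loolforkit version details:\s*(\S+)\s+-\s+(\S+)", line)
    if m is None:
        raise ValueError("no loolforkit version line found")
    return m.group(1), m.group(2)


def check_discovery(xml_text, log_line, expected_host):
    """Compare every urlsrc in the discovery XML with the log line and proxy host."""
    version, build = parse_version_line(log_line)
    results = []
    for action in ET.fromstring(xml_text).iter("action"):
        url = urlsplit(action.get("urlsrc", ""))
        parts = url.path.strip("/").split("/")
        # Expected layout: /loleaflet/<segment>/loleaflet.html
        segment = parts[1] if len(parts) == 3 and parts[0] == "loleaflet" else None
        results.append({
            "ext": action.get("ext"),
            "https": url.scheme == "https",
            "host_ok": url.hostname == expected_host,
            "segment": segment,
            "matches_version": segment == version,
            "matches_build": segment == build,
        })
    return results


if __name__ == "__main__":
    for row in check_discovery(DISCOVERY_XML, LOG_LINE, "office.domain.ch"):
        print(row)
```

For the 2.1.0 container the path segment equals the second field of the log line (b2e736a3) rather than the first (2.1.0); in the 2.0.4 log both fields read 2.0.4.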