[CODE3.0] WOPI permission issue

Hello

OS : debian buster
reverse proxy : nginx 1.13.8
docker image : NO
ii loolwsd 3.0.0-4 amd64 LibreOffice Online WebSocket Daemon
ii code-brand 3.0-2 all Collabora Online Development Edition (CODE) branding

Nextcloud server :
debian 8.10
nextcloud : 12.0.4 stable

debian : 7.11
DB : postgres 9.4.15

logs :
=> syslog :
Jan 4 18:48:53 docker loolwsd[872]: wsd-00872-00880 17:48:53.346349 [ websrv_poll ] WRN WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:471
Jan 4 18:48:53 docker loolwsd[872]: wsd-00872-00956 17:48:53.804951 [ docbroker_007 ] ERR Failed to add session to [/apps/richdocuments/wopi/files/54777_ocw4k21t272y] with URI [https://tools.pra.rip/apps/richdocuments/wopi/files/54777_ocw4k21t272y?access_token=U9nFj6F69G6PTNz6vSZKqboLjeLonpFx&access_token_ttl=0&permission=edit]: No acceptable WOPI hosts found matching the target host [tools.pra.rip] in config.| wsd/DocumentBroker.cpp:958
Jan 4 18:48:53 docker loolwsd[872]: wsd-00872-00956 17:48:53.805584 [ docbroker_007 ] ERR Unauthorized Request while loading session for /apps/richdocuments/wopi/files/54777_ocw4k21t272y: No acceptable WOPI hosts found matching the target host [tools.pra.rip] in config.| wsd/LOOLWSD.cpp:2275
Jan 4 18:48:53 docker loolwsd[872]: wsd-00872-00956 17:48:53.864833 [ docbroker_007 ] WRN Child session [004b] not found to forward message: load url=https://tools.pra.rip/apps/richdocuments/wopi/files/54777_ocw4k21t272y?access_token=U9nFj6F69G6PTNz6vSZKqboLjeLonpFx&access_token_ttl=0&permission=edit readonly=0 lang=fr| wsd/DocumentBroker.cpp:1448
Jan 4 18:48:53 docker loolwsd[872]: wsd-00872-00956 17:48:53.865515 [ docbroker_007 ] WRN Attempted ping on non-upgraded websocket!| ./net/WebSocketHandler.hpp:280
Jan 4 18:48:53 docker loolwsd[872]: wsd-00872-00956 17:48:53.877443 [ docbroker_007 ] ERR Socket #21 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
Jan 4 18:48:53 docker loolwsd[872]: wsd-00872-00956 17:48:53.878032 [ docbroker_007 ] ERR Socket #21 SSL BIO error: error:140D00CF:SSL routines:SSL_write:protocol is shutdown (errno: Success)| ./net/SslSocket.hpp:273
Jan 4 18:48:53 docker loolwsd[872]: wsd-00872-00956 17:48:53.878477 [ docbroker_007 ] WRN ToClient-004b: Exception while closing socket for docKey [/apps/richdocuments/wopi/files/54777_ocw4k21t272y]: error:140D00CF:SSL routines:SSL_write:protocol is shutdown| wsd/ClientSession.cpp:919
Jan 4 18:48:54 docker loolwsd[872]: wsd-00872-00873 17:48:54.807397 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_007], started: true, finished: true| ./net/Socket.hpp:507
Jan 4 18:48:54 docker loolwsd[872]: wsd-00872-00873 17:48:54.809359 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_007], started: true, finished: true| ./net/Socket.hpp:507
Jan 4 18:48:54 docker loolwsd[872]: wsd-00872-00873 17:48:54.809787 [ prisoner_poll ] WRN Prisoner connection disconnected but without valid socket.| wsd/LOOLWSD.cpp:1523
Jan 4 18:48:54 docker loolwsd[872]: wsd-00872-00873 17:48:54.810163 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_007], started: false, finished: true| ./net/Socket.hpp:507
Jan 4 18:48:54 docker loolwsd[872]: wsd-00872-00873 17:48:54.810518 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_007], started: false, finished: true| ./net/Socket.hpp:507

=> nginx :
192.168.123.75 - - [04/Jan/2018:18:48:53 +0100] “POST /loleaflet/81c8935/loleaflet.html?WOPISrc=https%3A%2F%2Ftools.pra.rip%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F54777_ocw4k21t272y&title=croquettes-JolyLady.odt&lang=fr&closebutton=1&revisionhistory=1 HTTP/1.1” 200 1699 “-” "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
192.168.123.75 - - [04/Jan/2018:18:48:53 +0100] “GET /lool/https%3A%2F%2Ftools.pra.rip%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F54777_ocw4k21t272y%3Faccess_token%3DU9nFj6F69G6PTNz6vSZKqboLjeLonpFx%26access_token_ttl%3D0%26permission%3Dedit/ws?WOPISrc=https%3A%2F%2Ftools.pra.rip%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F54777_ocw4k21t272y&compat=/ws HTTP/1.1” 101 358 “-” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36”

config :
=> /etc/loolwsd/loolwsd.xml

localhost
10.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}
172.1[6789].[0-9]{1,3}.[0-9]{1,3}
172.2[0-9].[0-9]{1,3}.[0-9]{1,3}
172.3[01].[0-9]{1,3}.[0-9]{1,3}
192.168.[0-9]{1,3}.[0-9]{1,3}
192.168.1.1
<max_file_size desc=“Maximum document size in bytes to load. 0 for unlimited.” type=“uint”>0</max_file_size>

=> /etc/nginx/sites-available/collabora (vhost)
server {
listen 443 ssl;
server_name docker-ipv4.pra.rip;

include includes/ssl.cfg;
ssl_certificate /etc/nginx/ssl/cert-pra.rip.crt;
ssl_certificate_key /etc/nginx/ssl/pra.rip.key;

access_log /var/log/nginx/collabora.log;
error_log /var/log/nginx/collabora-error.log;

# static files
location ^~ /loleaflet {
    proxy_pass https://localhost:9980;
    proxy_set_header Host $http_host;
    proxy_ssl_server_name on;
}

# WOPI discovery URL
location ^~ /hosting/discovery {
    proxy_pass https://localhost:9980;
    proxy_set_header Host $http_host;
    proxy_ssl_server_name on;
}

main websocket

location ~ ^/lool/(.*)/ws$ {
proxy_pass https://localhost:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “Upgrade”;
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
proxy_ssl_server_name on;
}

download, presentation and image upload

location ~ ^/lool {
proxy_pass https://localhost:9980;
proxy_set_header Host $http_host;
proxy_ssl_server_name on;
}

Admin Console websocket

location ^~ /lool/adminws {
proxy_pass https://localhost:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “Upgrade”;
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
proxy_ssl_server_name on;
}
}

error message in nextcloud :

network info
tools.pra.rip (nextcloud) public access communicate with docker-ipv4.pra.rip via vpn(openvpn)
netstat -latupen on CODE3.0 side give :
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 15124 643/nginx: master p
tcp 0 0 0.0.0.0:9980 0.0.0.0:* LISTEN 106 30717 872/loolwsd
tcp 0 0 127.0.0.1:9981 0.0.0.0:* LISTEN 106 30693 872/loolwsd
tcp 0 0 127.0.0.1:9981 127.0.0.1:59250 ESTABLISHED 106 31862 872/loolwsd
tcp 0 0 127.0.0.1:59250 127.0.0.1:9981 ESTABLISHED 106 31861 993/loolforkit

what is wrong?
thank you for your help

assuming your reverse proxy is working correctly, pretty sure I’ve had this and had to adjust the ssl settings in loolwsd.xml to include the path to the cert file, key file and chain file and make sure your chain file has all the certificates in it in the right order

Hello

@Dan_Smith, all seems good about certificates but they are generated by collabora:
=>l
total 36K
-rw-r–r-- 1 root root 591 déc. 18 21:20 loolkitconfig.xcu
drwxr-xr-x 88 root root 4,0K janv. 4 18:10 …
-rw-r–r-- 1 root root 1,3K janv. 4 18:20 ca-chain.cert.pem
-rw-r–r-- 1 root root 1,7K janv. 4 18:21 key.pem
-rw-r–r-- 1 root root 1,2K janv. 4 18:22 cert.pem
-rw-r----- 1 lool lool 9,2K janv. 6 18:11 loolwsd.xml

=>openssl x509 -in cert.pem -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
8a:da:ed:e2:ea:b1:9b:03
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, ST = BW, L = Stuttgart, O = Dummy Authority, CN = Dummy Authority
Validity
Not Before: Jan 4 16:49:43 2018 GMT
Not After : Jan 4 16:49:43 2043 GMT
Subject: C = DE, ST = BW, L = Stuttgart, O = Dummy Authority, CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a9:14:2b:6d:d5:a2:ff:33:83:a7:43:42:53:70:
1f:64:60:5b:b6:e9:d4:70:5f:4b:e2:96:d5:ef:b6:
b0:55:21:c6:3d:c9:42:0a:f8:b2:80:83:c7:8e:fd:
11:3b:1b:35:36:eb:2c:c1:1e:2a:dd:7e:dc:35:f1:
a3:6c:08:b0:b7:82:ba:8d:47:ad:24:60:4e:da:ec:
3a:a2:e3:9b:d7:9f:59:74:6a:0d:d0:fb:ca:4d:31:
e3:3a:5b:7d:cc:8e:fe:13:c4:6b:d2:e0:54:44:f3:
aa:f9:6f:e9:d0:fb:44:69:e8:8a:4d:45:4f:72:54:
e5:92:c7:de:76:e0:43:67:77:f2:d3:83:86:09:85:
9e:76:07:34:62:8b:24:8e:a6:f7:f0:bd:df:e3:02:
51:19:67:ab:5c:0c:7d:23:d5:ea:c6:00:26:04:57:
a2:ca:c2:22:a0:8b:ca:d5:d6:dd:e7:de:3a:03:81:
ce:7a:ff:d1:b7:de:88:1c:11:81:04:25:b5:95:66:
f2:e3:69:87:fd:b3:bc:38:9a:a3:2e:85:7e:94:e9:
5f:a0:59:41:95:8e:9a:fd:9e:a8:88:64:d9:83:b4:
ec:28:d8:c7:82:ff:66:e9:3b:72:f0:a7:a6:12:ee:
37:b4:7e:45:f7:53:e6:3d:37:9f:f5:45:ca:24:5a:
55:51
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
9b:d0:a5:9b:a2:a3:4a:4f:ec:5f:38:03:3d:74:c9:ff:1d:3f:
ef:f0:2e:3b:00:74:ef:52:35:fb:18:fa:25:ae:8d:81:d0:9b:
e2:27:43:36:72:64:64:9a:ec:1c:c7:23:85:c8:17:5b:31:38:
96:3b:76:15:62:a4:37:27:f1:1a:65:0f:41:f5:5e:3a:90:70:
3f:71:62:75:26:e1:42:75:d5:11:00:65:40:b4:9a:5e:ec:19:
e9:a4:5c:bc:12:9f:b4:b3:aa:81:51:00:ac:db:30:03:4e:b7:
8f:09:ff:5d:16:6f:7c:12:c4:ae:30:ee:57:0f:4c:f0:c4:e9:
bb:7f:36:72:bb:e9:66:63:00:a3:0c:b3:12:d9:04:58:af:57:
c5:a9:da:fe:e4:7b:40:4f:ee:71:a4:1c:32:49:5b:46:31:03:
6d:78:87:61:8d:97:bd:54:55:b8:06:91:99:c0:fc:8c:b2:66:
7f:fc:14:bc:9d:50:dc:8a:87:51:da:87:b1:72:91:be:25:69:
09:6d:97:bd:2d:fd:b3:5e:f9:7a:8b:6f:89:8e:05:da:73:79:
ce:3e:70:dd:aa:b1:7c:0c:14:8c:7f:95:51:5e:8e:bf:a6:bb:
b6:f2:fb:62:6f:33:1c:f1:ac:e8:55:ef:23:68:c8:5c:c5:fa:
78:a0:3e:15

=>openssl x509 -in ca-chain.cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
93:72:1b:96:c0:cb:67:09
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, ST = BW, L = Stuttgart, O = Dummy Authority, CN = Dummy Authority
Validity
Not Before: Jan 4 16:49:42 2018 GMT
Not After : Jan 4 16:49:42 2043 GMT
Subject: C = DE, ST = BW, L = Stuttgart, O = Dummy Authority, CN = Dummy Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c0:f3:89:5a:7e:2e:9a:c2:c3:7d:63:c4:ff:c7:
f3:d0:1b:97:b3:de:22:02:48:47:2d:d7:81:b2:95:
65:05:82:1f:6a:8e:06:1e:0a:5f:fe:7a:c4:89:76:
88:3b:a4:a1:04:22:59:2f:35:a8:5a:95:89:01:98:
b7:30:af:8d:84:71:2e:57:63:55:a9:67:4a:cd:f3:
a4:65:55:fb:ee:17:27:21:3c:b5:06:ae:83:49:b4:
f8:6b:14:e7:40:63:a3:4e:81:a5:46:f0:e9:86:fa:
49:8e:3a:b9:ea:7c:f5:3c:e4:08:45:fe:02:f3:06:
96:26:b3:ee:61:bf:10:40:e5:40:17:bb:db:13:fd:
13:b4:22:b0:26:d3:6a:f7:cb:11:86:bb:d3:77:26:
50:5e:c4:35:f4:4a:62:b0:e7:d7:32:92:8e:bd:55:
a1:84:09:df:ad:31:20:18:80:ce:b9:32:74:f1:a9:
67:b0:f7:81:9f:ca:80:14:03:74:18:32:54:a3:aa:
5f:7a:e4:42:8c:9a:e4:80:b8:81:cf:6a:63:ed:26:
49:5a:5e:58:93:18:45:92:54:eb:e5:6f:ff:c0:52:
13:00:31:23:6b:4e:8b:25:f3:17:8b:9a:aa:fd:31:
a5:17:71:0a:ef:df:35:1b:2e:04:c9:41:1f:c8:99:
26:8d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
93:72:05:0B:0B:2F:4D:89:C5:E4:30:38:88:99:C7:43:BF:EA:07:35
X509v3 Authority Key Identifier:
keyid:93:72:05:0B:0B:2F:4D:89:C5:E4:30:38:88:99:C7:43:BF:EA:07:35

        X509v3 Basic Constraints: 
            CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
     9f:1a:57:ec:f5:27:71:a5:d7:3c:52:f0:68:ed:14:26:db:77:
     2d:b3:ad:37:f5:02:1e:7d:ad:aa:31:b1:98:1e:64:13:b5:8d:
     13:4d:42:f4:30:e5:3e:1f:ae:af:3b:b4:d0:09:b4:4a:ff:ee:
     b9:54:49:33:8b:88:91:f3:0f:c9:9a:83:74:b3:ed:e4:7e:90:
     27:38:d2:86:fd:8f:2f:e3:5e:7c:8e:0f:d6:92:d0:73:68:e9:
     7f:79:bb:b8:e6:47:e5:4e:82:ab:27:0d:ac:b9:f6:39:5a:0c:
     59:55:a3:59:c1:03:e7:6c:09:26:98:ab:42:14:77:04:23:1c:
     00:3e:73:0f:b1:9e:93:bc:3f:a6:d3:c5:32:50:c6:b0:cc:4c:
     81:7e:27:5a:f2:5d:b7:17:e8:0f:7b:c3:0a:42:8b:c2:4c:dc:
     b3:5e:f7:ea:ac:90:75:a5:21:32:2f:a0:7c:b4:f0:7c:17:e5:
     e4:7e:37:a6:7e:65:b2:f3:86:d7:c5:a9:91:dd:88:b7:c2:4f:
     d4:69:78:ab:1a:c1:90:26:aa:0f:09:fb:d5:97:1f:4b:bd:02:
     73:17:8b:ff:89:f8:88:e2:c4:d5:6c:bf:c3:6e:6a:46:72:37:
     f7:8b:6f:45:62:e2:4e:dd:69:a2:87:d3:1d:37:b8:c0:9e:da:
     e2:84:77:89

need i use my certificates?

I try to change but i have the same result.
my certificates :
=>openssl x509 -in GandiStandardSSLCA2-1.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
05:e4:dc:3b:94:38:ab:3b:85:97:cb:a6:a1:98:50:e3
Signature Algorithm: sha384WithRSAEncryption
Issuer: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
Validity
Not Before: Sep 12 00:00:00 2014 GMT
Not After : Sep 11 23:59:59 2024 GMT
Subject: C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:94:04:2d:a6:79:95:74:ff:d5:00:3c:f5:ae:d8:
94:b1:29:7c:c0:8f:0b:0b:89:b9:82:83:97:6e:37:
28:f5:a2:1a:cf:d2:92:0b:9b:a8:d3:87:94:73:84:
10:9f:dc:35:cb:c2:2d:92:ac:21:b9:cb:3b:fc:40:
c1:c1:83:21:f0:bf:f8:f6:9c:fa:9c:82:10:c0:d0:
8e:4e:e5:0d:4c:b0:91:5c:90:b4:a4:40:51:16:da:
e4:84:12:2d:05:5c:a1:1f:17:19:24:51:aa:7a:ea:
e1:07:1b:86:8d:01:72:f2:e7:d4:83:23:39:9e:e0:
e1:4c:1f:6b:22:a3:b4:10:66:b0:ed:82:96:d7:6e:
6a:b4:f2:3f:b5:42:fc:dd:8a:b5:ab:ba:2d:1d:3a:
75:9b:31:dc:3e:9d:ac:5b:d3:41:0d:6c:b0:1b:f5:
3a:f5:79:ea:21:a2:f8:f4:33:52:4b:24:2d:1e:a4:
99:b1:6d:48:bc:b8:12:fe:72:70:7c:f7:fb:02:75:
f4:8d:de:d6:da:c0:a0:32:1a:52:df:38:6b:2e:45:
38:3f:3f:04:96:00:fd:a1:f4:a2:bb:d5:17:d6:27:
7c:1b:58:59:95:5e:8a:12:fd:9c:ab:81:3e:52:28:
48:51:85:6b:f3:91:b2:86:3f:29:b5:6e:03:62:ee:
d6:05
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB

        X509v3 Subject Key Identifier: 
            B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA
        X509v3 Key Usage: critical
            Digital Signature, Certificate Sign, CRL Sign
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:0
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Certificate Policies: 
            Policy: 1.3.6.1.4.1.6449.1.2.2.26
            Policy: 2.23.140.1.2.1

        X509v3 CRL Distribution Points: 

            Full Name:
              URI:http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl

        Authority Information Access: 
            CA Issuers - URI:http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
            OCSP - URI:http://ocsp.usertrust.com

Signature Algorithm: sha384WithRSAEncryption
     58:67:fd:72:b2:6a:d7:7c:61:96:19:7e:d9:43:46:d1:26:7d:
     c8:53:fa:66:b0:6b:2d:a7:d3:aa:56:f7:3a:88:d0:3b:72:c9:
     50:fd:f7:59:b2:aa:68:f5:8c:73:03:bb:95:65:17:ce:2f:1c:
     dd:98:13:a2:91:c9:ee:a1:40:6e:3c:98:d6:5c:f3:b2:22:3c:
     2d:ee:1b:a4:e1:de:20:24:16:f2:8c:11:73:91:3a:f6:fa:ce:
     24:02:87:ca:93:ec:b4:b6:c8:16:17:c5:72:fc:27:40:f6:13:
     fe:93:a6:9d:51:ef:3c:2b:d8:77:57:9b:8c:65:3a:35:25:36:
     b7:b5:8a:63:6f:07:27:93:b1:60:8d:80:db:96:d4:7a:8f:2d:
     ab:1c:88:c9:6e:7e:d6:65:1f:af:5d:ca:16:3f:28:46:dc:a0:
     35:e5:f9:e9:e5:d5:96:88:0c:4f:c6:b7:77:67:48:84:27:b6:
     1f:b0:68:db:ac:bf:77:b0:90:b8:a2:c9:1c:32:5d:02:ba:25:
     43:81:42:47:bb:d8:e1:8f:0c:0c:46:5f:ee:46:33:6b:03:14:
     82:d3:7e:cd:8f:af:90:d6:8e:24:7d:40:42:b4:6a:6a:17:c6:
     95:97:e1:f2:38:cd:a7:ed:b4:27:40:93:df:72:a9:b8:c6:66:
     63:37:38:64:22:30:a2:3b:f1:b9:c8:7b:c8:fb:29:3a:ab:1a:
     72:d2:06:12:4e:f6:82:d4:23:6f:3e:c3:93:e5:d8:b6:c0:de:
     dc:23:16:d6:13:30:b7:a0:9a:0e:2c:55:06:00:70:01:cf:ea:
     39:1d:80:db:88:f7:a5:20:b8:5b:fd:31:26:69:8f:2d:0a:61:
     83:3a:47:a6:13:54:2c:1e:e3:ed:44:ca:bc:6a:1f:28:0e:51:
     d9:de:0e:9f:75:cd:0e:03:95:ca:f9:c5:a9:2a:2d:fe:41:a4:
     a1:47:ae:0d:c2:f9:39:66:33:4a:5b:e1:84:28:59:6c:7d:94:
     17:76:e4:45:82:ad:70:20:fd:d2:6f:63:a8:d7:fa:a0:33:fa:
     37:cb:f7:b2:65:9e:da:50:6f:3f:e4:a7:f3:8e:5d:58:32:97:
     70:23:2e:e7:fd:c4:15:9b:9c:27:8f:32:ed:17:ad:58:81:31:
     29:11:1a:9b:d4:fc:6c:95:28:c7:4e:05:07:a6:fd:1d:bc:19:
     e2:e8:b7:b9:11:8a:2d:70:12:52:85:8d:8c:33:4a:0f:fc:99:
     92:e0:63:70:da:a5:94:47:63:07:e7:58:c7:31:5f:05:3d:36:
     55:fe:83:b2:e8:a6:ad:d7:e9:e6:02:74:88:74:5c:da:34:db:
     90:d2:6d:51:0a:23:d6:23

=>openssl x509 -in certificate-426453.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
36:ab:91:e2:f7:56:64:83:a8:21:d1:06:4d:b9:12:91
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
Validity
Not Before: Mar 19 00:00:00 2017 GMT
Not After : Apr 6 23:59:59 2018 GMT
Subject: OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.pra.rip
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a8:10:b2:76:1f:64:ee:ac:2d:ab:69:4d:fa:14:
b8:2c:1f:28:a3:85:94:e0:5d:68:1b:8c:84:9d:ba:
04:73:d7:5c:2b:14:62:e5:b3:c7:c0:79:e8:20:e1:
b1:03:8b:ba:0d:e0:2b:7c:db:59:34:58:b5:9f:18:
16:e9:a5:fa:d9:8a:74:d9:5f:0e:50:7c:7c:10:5a:
2a:9e:fc:6e:4c:c5:4b:33:e7:03:a5:11:5d:c7:d8:
a8:f4:8f:4a:8e:8f:5e:1d:48:73:53:e8:f0:e0:67:
d6:27:27:37:36:b4:e2:92:91:6d:13:1c:12:9d:d7:
3e:f0:75:1e:47:4e:9e:1c:6b:94:42:7b:93:88:4a:
0f:a9:36:6c:8d:2c:27:c0:ed:18:cb:8a:a8:58:51:
38:9d:07:6d:dc:cb:2f:3b:bf:c4:d9:49:00:74:e5:
64:c2:46:56:82:dd:2e:e1:be:a5:cf:82:3e:f9:a8:
57:42:13:4e:2a:7e:d5:cb:c7:5f:86:d4:d8:1c:8d:
71:59:93:d2:16:5f:ba:9a:d2:67:f4:0e:9b:6b:f0:
71:d9:13:b0:3e:2f:05:44:43:0f:07:ec:8f:8e:fb:
0c:e9:4e:8e:b8:c0:6f:5d:a9:3c:72:ad:3e:ff:76:
ce:3b:3e:05:7b:7b:ce:ab:85:a2:1a:5e:c5:0b:62:
cf:27
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA

        X509v3 Subject Key Identifier: 
            56:08:99:BE:C1:7B:60:47:90:CA:0C:21:23:03:B4:16:BB:C5:DE:41
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Certificate Policies: 
            Policy: 1.3.6.1.4.1.6449.1.2.2.26
              CPS: https://cps.usertrust.com
            Policy: 2.23.140.1.2.1

        X509v3 CRL Distribution Points: 

            Full Name:
              URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl

        Authority Information Access: 
            CA Issuers - URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt
            OCSP - URI:http://ocsp.usertrust.com

        X509v3 Subject Alternative Name: 
            DNS:*.pra.rip, DNS:pra.rip
Signature Algorithm: sha256WithRSAEncryption
     90:a4:0d:d1:67:17:ed:54:58:4a:e9:50:b4:72:6d:80:26:d7:
     bc:64:f1:13:a4:91:ee:59:4a:d5:73:25:e7:c9:f1:b1:b5:37:
     5a:80:b0:ae:2a:15:d7:83:4d:c6:6d:e4:26:b8:e1:49:8d:78:
     c6:4a:83:63:dd:97:42:38:7c:fa:c1:10:ec:e4:94:04:33:00:
     3d:b7:2e:78:61:ae:d4:af:6c:a3:0a:db:36:4f:a4:a2:19:00:
     c4:ab:91:db:33:36:74:cc:df:e5:50:f0:c1:fc:08:c6:08:47:
     c7:64:ec:b7:d2:be:49:76:f7:b5:0e:97:89:0c:0b:d0:0c:98:
     ae:09:80:42:a3:da:41:fe:0a:d3:d5:d8:bd:e9:d9:f1:ec:7b:
     40:4b:ff:fa:72:d3:4d:92:69:11:8d:88:04:4b:4f:d2:78:e1:
     65:7f:8b:75:ab:5b:ef:a6:28:82:10:84:41:ea:31:73:1d:f5:
     c8:74:57:7d:d4:cc:c7:9f:11:6a:82:0c:ce:cd:99:4f:05:42:
     e3:4d:95:9a:45:d4:04:dc:c3:55:11:bd:b0:6a:b6:d2:72:26:
     52:36:42:a6:8b:39:4d:29:08:7f:5b:9e:6e:3c:20:75:c5:77:
     29:bd:73:6d:2e:c1:54:4f:e0:9c:c9:b1:2f:e4:0a:ef:da:81:
     ed:59:e8:9c

the conf in loolwsd.xml

<ssl desc="SSL settings">
    <enable type="bool" default="true">true</enable>
    <termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination>
    <!--
    <cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/cert.pem</cert_file_path>
    <key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/key.pem</key_file_path>
    <ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/ca-chain.cert.pem</ca_file_path>
-->
    <cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/certificate-426453.crt</cert_file_path>
    <key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/pra.rip.key</key_file_path>
    <ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/GandiStandardSSLCA2-1.pem</ca_file_path>
    <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
    <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
        <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
        <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
        <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
        <pin></pin>
        </pins>
    </hpkp>
</ssl>

`

(original commented (<!-- -->))

`

seems something bad, because i have a zombi whe i do a ps i have :

>   =>ps -edf |grep lool |grep -v grep
> lool       1891      1  1 10:16 ?        00:00:00 /usr/bin/loolwsd --version --o:sys_template_path=/opt/lool/systemplate --o:lo_template_path=/opt/collaboraoffice5.3 --o:child_root_path=/opt/lool/child-roots --o:file_server_root_path=/usr/share/loolwsd
> lool       1893   1891  1 10:16 ?        00:00:00 /usr/bin/loolforkit --losubpath=lo --systemplate=/opt/lool/systemplate --lotemplate=/opt/collaboraoffice5.3 --childroot=/opt/lool/child-roots/ --clientport=9980 --masterport=9981 --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0 --version
> lool       1902   1893  0 10:16 ?        00:00:00 /usr/bin/loolforkit --losubpath=lo --systemplate=/opt/lool/systemplate --lotemplate=/opt/collaboraoffice5.3 --childroot=/opt/lool/child-roots/ --clientport=9980 --masterport=9981 --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0 --version
> lool       1904   1902  0 10:16 ?        00:00:00 [lo_startmain] <defunct>

for helping i expose on internet the 9980 port
you can do :

my netstat on collabora hosted:
=>netstat -latupen
Connexions Internet actives (serveurs et établies)
Proto Recv-Q Send-Q Adresse locale Adresse distante Etat Utilisatr Inode PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 15037 477/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 15676 686/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 16221 730/nginx: master p
tcp 0 0 0.0.0.0:9980 0.0.0.0:* LISTEN 106 17638 816/loolwsd
tcp 0 0 127.0.0.1:9981 0.0.0.0:* LISTEN 106 17614 816/loolwsd
tcp 0 0 127.0.0.1:9981 127.0.0.1:44978 ESTABLISHED 106 17727 816/loolwsd
tcp 0 0 127.0.0.1:44978 127.0.0.1:9981 ESTABLISHED 106 17726 827/loolforkit
tcp6 0 0 :::22 :::* LISTEN 0 15048 477/sshd
tcp6 0 0 ::1:25 :::* LISTEN 0 15677 686/master
tcp6 0 0 2a01:e35:2e6c:f251:::22 2a01:e35:2e6c:f25:35416 ESTABLISHED 0 18701 842/sshd: root@pts/

https://collabora.pra.rip:9980/loleaflet/dist/admin/admin.html (without reverse proxy) or https://docker-ipv4.pra.rip/loleaflet/dist/admin/admin.html (with nginx reverse proxy):



if you want test please contact me in private i can give you login / password