Collabora Error -- Is there anywhere to file bug report

ℹ️ Support 📄 Collabora
#1

I’m trying to access collabora through a chain of two reverse proxies. I attempt to open a document and get to this point and receive this error:

Screen Shot 2020-04-21 at 7.02.43 AM
Screen Shot 2020-04-21 at 7.02.43 AM2590×1064 134 KB

I’m using the docker version of collabora and receive this error the following error from the log files

wsd-00017-00328 2020-04-21 12:00:28.975267 [ docbroker_02f ] ERR  Cannot get file info from WOPI storage uri [https://test.<redacted>.com/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3?access_token=i6xUTRFQ8CjnzkiVxGaiqzxim23GoRQu&access_token_ttl=0&permission=edit]. Error: SSL Exception: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version| wsd/Storage.cpp:504
wsd-00017-00328 2020-04-21 12:00:28.975610 [ docbroker_02f ] ERR  loading document exception: SSL Exception| wsd/DocumentBroker.cpp:1158
wsd-00017-00328 2020-04-21 12:00:28.975752 [ docbroker_02f ] ERR  Failed to add session to [/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3] with URI [https://test.<redacted>.com/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3?access_token=i6xUTRFQ8CjnzkiVxGaiqzxim23GoRQu&access_token_ttl=0&permission=edit]: SSL Exception| wsd/DocumentBroker.cpp:1120
wsd-00017-00328 2020-04-21 12:00:28.975915 [ docbroker_02f ] ERR  Error while loading : SSL Exception| wsd/LOOLWSD.cpp:2703
wsd-00017-00328 2020-04-21 12:00:28.987900 [ docbroker_02f ] WRN  Child session [01b1] not found to forward message: load url=https://test.<redacted>.com/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3?access_token=i6xUTRFQ8CjnzkiVxGaiqzxim23GoRQu&access_token_ttl=0&permission=edit readonly=0 lang=en| wsd/DocumentBroker.cpp:1770
wsd-00017-00328 2020-04-21 12:00:29.977282 [ docbroker_02f ] ERR  Invalid or unknown session [01b1] to remove.| wsd/DocumentBroker.cpp:1194kit-00325-00019 2020-04-21 12:00:29.977618 [ loolkit ] WRN  Kit connection lost without exit arriving from wsd. Setting TerminationFlag| kit/Kit.cpp:2240

wsd-00017-00328 2020-04-21 12:00:29.981846 [ docbroker_02f ] ERR  No socket associated with WebSocketHandler 0x7f5bb4001a40| ./net/WebSocketHandler.hpp:125
wsd-00017-00018 2020-04-21 12:00:29.982704 [ prisoner_poll ] WRN  Prisoner connection disconnected but without valid socket.| wsd/LOOLWSD.cpp:1799
wsd-00017-00332 2020-04-21 12:00:30.267019 [ docbroker_030 ] ERR  Cannot get file info from WOPI storage uri [https://test.<redacted>.com/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3?access_token=i6xUTRFQ8CjnzkiVxGaiqzxim23GoRQu&access_token_ttl=0&permission=edit]. Error: SSL Exception: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version| wsd/Storage.cpp:504
wsd-00017-00332 2020-04-21 12:00:30.267347 [ docbroker_030 ] ERR  loading document exception: SSL Exception| wsd/DocumentBroker.cpp:1158
wsd-00017-00332 2020-04-21 12:00:30.267672 [ docbroker_030 ] ERR  Failed to add session to [/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3] with URI [https://test.<redacted>.com/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3?access_token=i6xUTRFQ8CjnzkiVxGaiqzxim23GoRQu&access_token_ttl=0&permission=edit]: SSL Exception| wsd/DocumentBroker.cpp:1120
wsd-00017-00332 2020-04-21 12:00:30.267939 [ docbroker_030 ] ERR  Error while loading : SSL Exception| wsd/LOOLWSD.cpp:2703
wsd-00017-00332 2020-04-21 12:00:30.268191 [ docbroker_030 ] WRN  Child session [01b2] not found to forward message: load url=https://test.<redacted>.com/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3?access_token=i6xUTRFQ8CjnzkiVxGaiqzxim23GoRQu&access_token_ttl=0&permission=edit readonly=0 lang=en| wsd/DocumentBroker.cpp:1770
wsd-00017-00332 2020-04-21 12:00:31.269214 [ docbroker_030 ] ERR  Invalid or unknown session [01b2] to remove.| wsd/DocumentBroker.cpp:1194kit-00329-00019 2020-04-21 12:00:31.269482 [ loolkit ] WRN  Kit connection lost without exit arriving from wsd. Setting TerminationFlag| kit/Kit.cpp:2240

wsd-00017-00332 2020-04-21 12:00:31.273890 [ docbroker_030 ] ERR  No socket associated with WebSocketHandler 0x7f5bb4001a40| ./net/WebSocketHandler.hpp:125
wsd-00017-00018 2020-04-21 12:00:31.274701 [ prisoner_poll ] WRN  Prisoner connection disconnected but without valid socket.| wsd/LOOLWSD.cpp:1799

I’m not certain how collabora operates or works through reverse proxies, however if I take the first line or this error log and actually within the browser try to visit the site mentioned:

ERR Cannot get file info from WOPI storage uri [https://test..com/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3?access_token=i6xUTRFQ8CjnzkiVxGaiqzxim23GoRQu&access_token_ttl=0&permission=edit]. Error: SSL Exception: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version| wsd/Storage.cpp:504

Site I’m attempting to visit:
https://test..com/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3?access_token=i6xUTRFQ8CjnzkiVxGaiqzxim23GoRQu&access_token_ttl=0&permission=edit

I get the following

Screen Shot 2020-04-21 at 7.09.26 AM
Screen Shot 2020-04-21 at 7.09.26 AM1102×978 86.4 KB

So if its reachable in the browser – how come the collabora app can not reach this page complaining of SSL error?

I did some further digging within the collabora container. The container itself runs ubuntu/xenial as a base image. The openssl version inside the container is:

OpenSSL 1.0.2g 1 Mar 2016

I have no idea if this has anything to do with the problem.

Addendum:
I’ve isolated the problem to the container. collabora is running on an Ubuntu 18.04 host.
From the docker host:

# curl https://test.<redacted>.com/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3?access_token=QAMNMk3aI3e2R7zvmmvq8otOgn4doY6L&access_token_ttl=0&permission=edit
[1] 2357
[2] 2358
root@ubuntu:/etc/nginx/snippets# {"BaseFileName":"About.odt","Size":76671,"Version":"0","UserId":"ncadmin","OwnerId":"ncadmin","UserFriendlyName":"ncadmin","UserExtraInfo":{"avatar":"https:\/\/nextcloud.<redacted>.com\/avatar\/ncadmin\/32"},"UserCanWrite":true,"UserCanNotWriteRelative":false,"PostMessageOrigin":"https:\/\/nextcloud.<redacted>.com\/","LastModifiedTime":"2019-10-06T13:12:44.000000Z","SupportsRename":true,"UserCanRename":true,"EnableInsertRemoteImage":true,"EnableShare":true,"HideUserList":"desktop","DisablePrint":"0","DisableExport":"0","DisableCopy":"0","HideExportOption":"0","HidePrintOption":"0","DownloadAsPostMessage":false}

Same statement as above from the docker container:

root@2bbbb9a893d8:/# curl https://test.<redacted>.com/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3?access_token=QAMNMk3aI3e2R7zvmmvq8otOgn4doY6L&access_token_ttl=0&permission=edit
[1] 1711
[2] 1712
root@2bbbb9a893d8:/# curl: (35) gnutls_handshake() failed: Error in protocol version
#2

There is a problem with the encryption mechanism

#3

Anywhere to debug the problem?

I ended up upgrading some packages inside the container. So this is my first error in the logs:

wsd-00017-00048 2020-04-21 22:22:52.380938 [ docbroker_003 ] ERR  Cannot get file info from WOPI storage uri [https://test.<redacted>.com/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3?access_token=4KDQpvMpUzrpBfxRh9KjxJWQsafttv14&access_token_ttl=0]. 
Error: SSL Exception: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version| wsd/Storage.cpp:564

I have no idea how websockets work. What is weird is if I enter the docker container now:

# docker exec -it collabora /bin/bash
# # curl https://test.<redacted>.com/index.php/apps/richdocuments/wopi/files/25_ocny42d5quk3?access_token=4KDQpvMpUzrpBfxRh9KjxJWQsafttv14&access_token_ttl=0
[1] 70
root@75a5a8f9ca22:/# {"BaseFileName":"About.odt","Size":76671,"Version":"0","UserId":"ncadmin","OwnerId":"ncadmin","UserFriendlyName":"ncadmin","UserExtraInfo":{"avatar":"https:\/\/nextcloud.<redacted>.com\/avatar\/ncadmin\/32"},"UserCanWrite":true,"UserCanNotWriteRelative":false,"PostMessageOrigin":"https:\/\/nextcloud.<redacted>.com\/","LastModifiedTime":"2019-10-06T13:12:44.000000Z","SupportsRename":true,"UserCanRename":true,"EnableInsertRemoteImage":true,"EnableShare":true,"HideUserList":"desktop","DisablePrint":"0","DisableExport":"0","DisableCopy":"0","HideExportOption":"0","HidePrintOption":"0","DownloadAsPostMessage":false}

So clearly this file that the web socket wants is reachable.
Can you not pass a web socket through a reverse proxy?

#openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt test.<redacted>.com:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = test.<redacted>.com
verify return:1
---
Certificate chain
 0 s:CN = test.<redacted>.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFWTCCBEGgAwIBAgISA/dh5TE7OxIK8iIu+AHn3gIvMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA0MTMxNjUyMzRaFw0y
MDA3MTIxNjUyMzRaMBwxGjAYBgNVBAMTEXRlc3QuZ29oaWx0b24uY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4SxPV8WlcC8Km2Kqmf9lqEbbRzrn
irD0vffvk6id/8bdFhfRtP+Ga9D7lJOvta0m7ZwpQA0OM2RxMOvybOCMF14hbn/k
wauJThjfmn/f2w0HWspANJueEimVnxuB8aWPDR13vRD5JJ3s3qn44qumThizCjhj
M78Y5Lt8LO4az7OG+SBfDx2jLSNtAIg6gy5rYx3Y8W24pKRlrTv3G+xBSVayyFRH
Y1SpihosocQjZcOrRjOHM4hCVKLKYepyN5TT4kVuFZjxmzGSRGionFBhCBk1WzfF
TkoVoifacIMjk1q4Lx0P2CE0nEvxki7Q/6AtoiYfejc47mPD7rXyGM769QIDAQAB
o4ICZTCCAmEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQYfKWzsC1HjsQ/WjX5rcXP
vnNPlDAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcB
AQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlw
dC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw
dC5vcmcvMBwGA1UdEQQVMBOCEXRlc3QuZ29oaWx0b24uY29tMEwGA1UdIARFMEMw
CAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9j
cHMubGV0c2VuY3J5cHQub3JnMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHYAXqdz
+d9WwOe1Nkh90EngMnqRmgyEoRIShBh1loFxRVgAAAFxdKvkTAAABAMARzBFAiAy
5VeVk7Tq65C3ypnaPuHC9RCOeMYA/htCCkFdBuxqSgIhALFlvbgG3z1QI/WIpd7/
4Hl/uTSWtoswowmY1cqe32g/AHUAsh4FzIuizYogTodm+Su5iiUgZ2va+nDnsklT
Le+LkF4AAAFxdKvkMwAABAMARjBEAiAH70GjTgHd5oh+XTFNahdmSfamVwn0RMZa
fLDTDBtK3wIgVXuIa1DAGlfrRe5AbdLD1NJruANIY950RTAfvp+xnygwDQYJKoZI
hvcNAQELBQADggEBACbx9o7GTHmxf49YxCLtph0RK842FK8TQy7K6o6COM70LhrN
k0PvksWMu85zZLFoDJXjzyUMrC0h56bkombnm9eTE5GuVkdGLXb+Jo9t7Nc+WSWx
T7EdtlBWeNyzWSURlAtJXUMuLC3uzn57rE9ghKHl3OQy94kJGHTXI4/uWnauLzpe
j9L5wsdQg84v45owBtmOIrO8yk7utlRqfUMfSztirLmsV0G/2DOkj1QmLAJYnKPl
TqjHgOXV74f5EZb7CnjtnSg5T6wpQNapkb5nd01Hed1qiqzHRLfplFerbeHe6MhG
iK6tth7csgVml292hZRQbxQwB7RpBENDKVzKrR8=
-----END CERTIFICATE-----
subject=CN = test.<redacted>.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3112 bytes and written 399 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 5641447ED023FBB4CE2D4B9DAFBB2586E658C0F7FB512103A36233CFDF0D9AB4
    Session-ID-ctx:
    Resumption PSK: 95DADF44BD8FC9123ECD8C67E01B15603DD73B6BC6C3F6CCA9982A052F9B7982F546156F0AEBD70A13D47A77E0512F0F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 3e b8 eb 5a 7c 40 a6 15-71 4c 2c bd e8 46 55 65   >..Z|@..qL,..FUe
    0010 - 44 42 b6 9b bd c3 73 e5-b5 18 ab 96 93 de 39 bc   DB....s.......9.

    Start Time: 1587508745
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 97DD461A0C9EC73C9D93233B34D459B7CD3F428BFEBDC2D8DAEFE9E4430CA652
    Session-ID-ctx:
    Resumption PSK: E905C73D1508FCF360AECB18FA2D2210F6FAC6393C820A454947532786C2A8D6EBC10CE6205C07DF35D714CBB57FE602
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - bf 07 04 01 2d 5c c5 16-81 4e 65 12 51 90 06 8d   ....-\...Ne.Q...
    0010 - f8 3b bf a8 46 05 02 41-4b 57 ea b1 e3 16 3e ef   .;..F..AKW....>.

    Start Time: 1587508745
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK