Collabora fails to start (systemctl start loolwsd)

uname -a:
Linux home 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Certificates from Let's Encrypt

openssl version
openssl-1.0.2k-16.el7.x86_64

nginx -v
nginx version: nginx/1.10.3 (from dotdeb.org repositories)

apache2 -v
httpd-2.4.6-88.el7.centos.x86_64

php --version
PHP 7.2.14

Error message
loolwsd: wsd-24110-24110 2019-01-25 12:58:51.098261 [ loolwsd ] FTL Cannot load CA file/directory at /etc/loolwsd/ca-chain.cert.pem (error:0200100D:system library:fopen: Permission denied)| wsd/LOOLWSD.cpp:3334

Collabora
Collabora Online Development Edition 4.0 RC2

In loolwsd.xml I set the path directly to the Let's Encrypt certificates. The file properties are set such that there should be no "Permission denied", especially as there is no error message related to privkey and chain.

<cert_file_path desc="Path to the cert file" relative="false">/opt/dehydrated-master/certs/wo-lar.com/cert.pem</cert_file_path>
<key_file_path desc="Path to the key file" relative="false">/opt/dehydrated-master/certs/wo-lar.com/privkey.pem</key_file_path>
<ca_file_path desc="Path to the ca file" relative="false">/opt/dehydrated-master/certs/wo-lar.com/fullchain.pem</ca_file_path>

I went through the forum here and also googled, but cannot find anything.

That is the reason I hope to find a solution here.

A question: Do I need a sub-domain or can I run Nextcloud and Collabora on the same domain?

Thanks for your help. Wolfgang

You can run them on the same server, but you will need two subdomains: one for Collabora and one for Nextcloud. Think of them as two different websites on the same server.

Your loolwsd file CA error can be handled by using a self-signed cert, using certbot, or using the certs you created for Apache when you set up the SSL conf file. Or you can turn off SSL in the loolwsd.xml file.

To turn off SSL, go to the loolwsd file, then find the <ssl desc="SSL settings"> header. Under this header you will find the line below. Change the default true to false. Re-save and run sudo systemctl restart loolwsd.

   <termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">true</termination>

Generate self-signed cert

openssl genrsa -out /etc/loolwsd/privatekey.pem 4096
openssl req -batch -new -x509 -sha512 -days 3650 -key /etc/loolwsd/privatekey.pem -out /etc/loolwsd/fullchain.pem
loolconfig set ssl.cert_file_path /etc/loolwsd/fullchain.pem
loolconfig set ssl.key_file_path /etc/loolwsd/privatekey.pem
loolconfig set ssl.ca_file_path ''
loolconfig set storage.wopi.host subname.domain.com


Certbot

Install Certbot for free certs

sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install python-certbot-apache

Run Cert Bot

sudo certbot --apache

You will need to answer some questions:

email
agree to Terms of Service 
Y or N to sharing your email address with the Electronic Frontier Foundation
select 2: Redirect - Make all requests redirect to secure HTTPS access.

Note the location of your cert; it will be needed later.

If using these new certs for the loolwsd file, you may have to copy them to the /etc/loolwsd folder.
The /etc/letsencrypt/live/ file path does not have the same permissions.
You will also need to grab the intermediate certificates from Let's Encrypt.
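
The "Permission denied" in the error message and the permission difference on the certificate directory mentioned above can be pinpointed before copying files around. This added example (not part of the original posts and not Collabora's own tooling) walks a certificate path and reports the first directory or file whose mode bits block a given account; the service account name `lool` and the script name `certpath.sh` in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: find the first path component whose mode bits stop a given
# account from reaching a certificate file. Needs GNU stat and readlink.

# can_pass UID "GID GID ..." PATH
# True if PATH's mode bits grant UID search (directory) or read (file) access.
# A missing PATH counts as blocked. Only classic mode bits are evaluated
# (no ACLs, no SELinux).
can_pass() {
    info=$(stat -L -c '%a %u %g' -- "$3") || return 1
    [ "$1" = 0 ] && return 0                       # root bypasses mode bits
    mode=${info%% *}; rest=${info#* }
    owner=${rest% *}; group=${rest#* }
    if [ "$owner" = "$1" ]; then shift_by=6        # owner bits apply
    elif printf ' %s ' "$2" | grep -q " $group "; then shift_by=3  # group bits
    else shift_by=0                                # "other" bits
    fi
    bits=$(( (0$mode >> $shift_by) & 7 ))
    if [ -d "$3" ]; then need=1; else need=4; fi   # x on directories, r on files
    [ $(( bits & need )) -ne 0 ]
}

# first_blocked UID "GIDS" /abs/path
# Prints the first blocking component and returns 1; returns 0 if none blocks.
first_blocked() {
    uid=$1; gids=$2
    # Resolve symlinks so the real file's permissions are checked; fall back
    # to the literal path if resolution fails.
    target=$(readlink -f -- "$3" 2>/dev/null) || target=$3
    old_ifs=$IFS; IFS=/; set -f
    set -- $target                                 # split the path on "/"
    IFS=$old_ifs; set +f
    cur=
    can_pass "$uid" "$gids" / || { echo /; return 1; }
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur=$cur/$part
        can_pass "$uid" "$gids" "$cur" || { echo "$cur"; return 1; }
    done
    return 0
}

# Usage as a script (run as root so every component can be inspected;
# "lool" is the assumed service account):
#   sh certpath.sh "$(id -u lool)" "$(id -G lool)" /etc/loolwsd/ca-chain.cert.pem
if [ "$#" -eq 3 ]; then first_blocked "$@"; fi
```

A private key should stay unreadable to "other"; if the key file is what gets reported, grant the service account access through ownership or group rather than widening the mode.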

Thanks. This was very helpful.

Wolfgang