Since I can't run Collabora on my Pi (which runs Nextcloud), I installed it on another host, an Ubuntu 16.04 PC on my internal network.
Now, how can I adapt the official instructions for linking Nextcloud & Collabora (yes, I'm a newbie!)?
Thanks,
First point: I didn't succeed in obtaining an SSL certificate for my Collabora dedicated domain, because it has the same IP address as the Nextcloud domain (both free domains with No-IP). Is there a way to get a single SSL certificate for two domains on the same IP address, or any trick to deal with this problem?
Second point: would you know of a tutorial to install a Docker container on a VPS (I have never done this)?
Thanks a lot for your help,
It is possible to get several SSL certs for the same IP.
It's how it is usually done to run Nextcloud and CODE on the same machine; they have the same IP but not the same domain.
You can read about it on the page: https://nextcloud.com/collaboraonline/
Instead of using Let's Encrypt you might want to use certbot standalone; that way you might bypass the restriction you ran into.
For the second point, it's fairly easy to install the CODE docker on a VPS; you'll find several tutorials online.
Some pointers:
- Stick to AUFS.
- Use Apache2 as the proxy server.
- Some people find nginx hard to use.
- Have patience and fun, you'll need it.
You can contact me if you get stuck pretty bad.
For the certification with certbot standalone, I installed it, and then tried to run a certbot-auto standalone command, but it returned an unknown command:
./path/to/certbot-auto certonly --standalone -d example.com -d www.example.com
Thus I tried to use the command "locate" with "certbot" and found nothing either.
Hmmm… any idea?
Thanks,
service apache2 stop
cd /etc
git clone https://github.com/certbot/certbot.git
cd /etc/certbot
./letsencrypt-auto certonly --agree-tos --standalone -d office.mydomain.com
service apache2 start
Well, the command runs correctly but it leads to the same result, referring to the first domain for which I obtained a Let's Encrypt certificate:
"Domain: mlydesk.hopto.org
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested
20a0cfc0013b8931c8c7a20d7f2601de.ee075483752a74e51538fd934d448515.acme.invalid
from 87.89.70.232:443. Received 2 certificate(s), first certificate
had names "mlynuage.hopto.org""
I currently have one certificate running on the Apache server of my Pi for the Nextcloud domain (mlynuage.hopto.org). My /etc/letsencrypt/live on the Pi lists this certificate with the date 19 February 2017.
My last command only tried to generate a certificate for the second domain (mlydesk.hopto.org), dedicated to Collabora running on another PC with Ubuntu 16.04.
…
Oh, I see!!!
You need to stop Apache on the Pi when you try to generate the cert on the other machine.
The line [quote="Ark74, post:6, topic:9692"]
service apache2 stop
[/quote]
works only when both are on the same machine.
So stop Apache on the Pi, then stop Apache on the 2nd PC for Collabora, issue the cert for the 2nd PC, and finally restart both Apaches with the new configuration; they should work.
"So stop Apache on the Pi, then stop Apache on the 2nd PC for Collabora": done.
"Issue the cert for the 2nd PC": done with "/etc/certbot# ./letsencrypt-auto certonly --agree-tos --standalone -d mlydesk.hopto.org".
It created the certificate but could not connect to the server to verify the domain:
"Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mlydesk.hopto.org
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mlydesk.hopto.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 87.89.70.232:443 for TLS-SNI-01 challenge"
Edit: I have a port forward rule that redirects 443 to my Pi (for Nextcloud); maybe that is the reason why…
Oh!!! Man, I must be tired or something, and these things are slipping away.
I'm almost sure your router has port 443 routed to your Pi, not to the 2nd PC.
Let's say you open port 443 for 192.168.0.5 (which is the Pi), and you have Apache stopped on both machines, but Let's Encrypt won't be able to reach the 2nd PC (let's say 192.168.0.7) since you have port 443 routed to 192.168.0.5, the Pi.
So it's kind of messy.
That's why I would recommend the VPS.
Please, with both Apaches stopped, route port 443 on your router to the 2nd PC (192.168.0.7), then try again.
It finally should work. But you might see the problem there even when the certs are well set.
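Added example, not part of Ark74's post or of any project discussed here: before pointing certbot at the 2nd PC, ask the public IP which certificate it actually serves for the Collabora name. If the names printed are the Pi's (mlynuage.hopto.org), port 443 is still forwarded to the Pi and the standalone/TLS-SNI-01 attempt from the 2nd PC will fail exactly as shown in the error above. The IP and hostnames are the ones from the thread; `openssl` and `awk` on the machine running the check are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Reports which certificate the public IP
# presents for a given SNI name, i.e. which machine is really answering 443.
# Usage: sh check_sni.sh 87.89.70.232 mlydesk.hopto.org

# Print the DNS names of a certificate, given `openssl x509 -noout -text`
# output on stdin: one name per line, sorted, de-duplicated.
# Handles both "Subject: CN = x" (OpenSSL 1.1) and "Subject: CN=x" (1.0.2).
cert_names() {
    awk '
        /^[ \t]*Subject:/ {
            if (match($0, /CN *= */)) {
                cn = substr($0, RSTART + RLENGTH)
                sub(/,.*$/, "", cn)
                gsub(/[ \t]/, "", cn)
                if (cn != "") print cn
            }
        }
        /DNS:/ {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                name = parts[i]
                gsub(/[ \t]/, "", name)
                sub(/^DNS:/, "", name)
                if (name != "") print name
            }
        }
    ' | sort -u
}

# Fetch the leaf certificate that $1 (IP or host) presents when the client
# asks for SNI name $2 on port 443, decoded to text. Needs network access.
served_cert_text() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -text
}

# Return 0 if name $1 is one of the lines on stdin, 1 otherwise.
names_include() {
    grep -qx -- "$1"
}

# Compare what $1 serves for $2 against the name we are about to request a
# certificate for. A mismatch means the NAT rule sends 443 elsewhere.
check_sni_cert() {
    names=$(served_cert_text "$1" "$2" | cert_names)
    if printf '%s\n' "$names" | names_include "$2"; then
        echo "OK: $1 answers for $2 with a certificate that covers it"
        return 0
    fi
    echo "MISMATCH: $1 answers for $2 with a certificate for:"
    printf '%s\n' "$names" | sed 's/^/  /'
    echo "(port 443 is probably still forwarded to the other machine)"
    return 1
}

# Only run the network check when called with two arguments, so the file can
# also be sourced for its functions.
if [ "$#" -eq 2 ]; then
    check_sni_cert "$1" "$2"
fi
```

Run it from outside your LAN (or from a host whose router does NAT loopback, see Aal's note further down) with the public IP and the Collabora name before and after changing the port-forward rule; the output should switch from the Pi's names to a mismatch with no certificate at all (Apache stopped on the 2nd PC) and then, once certbot has run, to OK.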
Sure, you're right, but the PC with Collabora is not permanently running, contrary to the Pi.
So if I could succeed in linking Collabora and Nextcloud now with the current config, it would be great.
I found this tutorial; do you think it could work in my case?
Ok. I won't use Collabora.
Hum, a little trouble going back to the normal situation: I can't access Nextcloud.
Running netstat shows that the Apache server is not running after reboot.
"Failed to start apache.service: Unit apache.service failed to load: No such file or directory."
…
Edit:
systemctl status apache2.service
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled)
Active: failed (Result: exit-code) since dim. 2017-03-05 22:28:24 CET; 39s ago
Process: 8995 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
- One domain for Collabora (referred to as DOM2), like office.mlydesk.hopto.org ==> you must check if No-IP allows you to add subdomains per host/domain, or declare a new domain for the same host.
- Certificate(s) for DOM1 & DOM2 (1 per domain or one for both), preferably signed by an authority ===> check if No-IP provides you Let's Encrypt certificates.
- Static IP for host1 & host2.
- Properly configured Network Address Translation (NAT) on your ISP router: port 80 (http) and/or port 443 (https) translated to host1 (you can skip port 80 if you intend to use ONLY https).
- A working Apache2 service (following your last post, you may need to check the logs in /var/log/apache2 or run journalctl -u apache2.service).
### 2 Configuration overview:
1. Follow the Nextcloud installation instructions. Assign the certificate for DOM1 in the Apache configuration.
2. Create the docker with `docker run -t -d -p 9980:9980 -e 'domain=DOM1' --restart always --cap-add MKNOD collabora/code` (replace DOM1 obviously, and escape each dot with \\); note that I have purposely removed 127.0.0.1 from the command so that the docker host listens on every interface on port 9980.
3. Replace the example domain (office.nextcloud.com) by DOM2 in the Apache proxy configuration.
4. Assign the certificate for DOM2 in the Apache proxy configuration.
5. In the Apache proxy configuration, replace ALL the proxy targets (127.0.0.1) by your host2's IP: https://127.0.0.1:9980 becomes https://yourhost2IP:9980.
6. Restart apache2.
7. Install the Collabora app in your Nextcloud and configure it in the admin panel with "https://DOM2".
8. Enjoy!
### Notes:
- It doesn't matter to use the same certificate in 2 configuration files as long as the certificate is signed for the appropriate domains.
- You are REALLY dependent on the quality of your ISP router: in some bad-quality routers, the OS fails to NAT a connection to itself (using Collabora & Nextcloud from inside). What I mean here is that your router will be used every time you access your Nextcloud & Collabora websites, even when you are inside your private network, if you use DOM1 to access your Nextcloud, because it is the public IP that is resolved by DNS. If it fails to NAT, you may have to use a different domain only available inside your private network (but this requires more configuration in Apache2), OR you override the DNS to point DOM1 & DOM2 to host1 on every desktop or in your router (if you can).
…unless you have your own custom router.
I'm available if you have questions.
Regards,
Aal.
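Added example for step 2 of Aal's overview; it is not Aal's code nor the collabora/code project's. The `domain` value passed to the image is a regular expression of the Nextcloud host(s) allowed to use this CODE instance, which is why the thread tells you to escape each dot with `\\`: an unescaped dot matches any character. The helper below produces that value for one or more hostnames (joining several with `|`, regex alternation, is an assumption that follows from the value being a regex), prints the full `docker run` line from step 2, and uses `grep -E` to show the difference between the escaped and unescaped pattern. The hostnames are the thread's; `sed` and `grep` on host2 are assumed.

```shell
#!/bin/sh
# Added example, not from the thread or the collabora/code project.
# Builds the `-e 'domain=...'` value for the docker run command in step 2.

# Escape every dot in a hostname with a doubled backslash, exactly as the
# thread instructs: a.b -> a\\.b  (the single quotes around domain=... in the
# docker command keep both backslashes intact for the container).
escape_domain() {
    printf '%s' "$1" | sed 's/\./\\\\./g'
}

# Join the escaped forms of all arguments with "|" so several Nextcloud
# hosts may use the same CODE instance:
#   domain_regex mlynuage.hopto.org cloud.example.org
#   -> mlynuage\\.hopto\\.org|cloud\\.example\\.org
domain_regex() {
    out=""
    for h in "$@"; do
        e=$(escape_domain "$h")
        if [ -z "$out" ]; then out="$e"; else out="$out|$e"; fi
    done
    printf '%s\n' "$out"
}

# The complete command for host2 (step 2). It binds 0.0.0.0:9980 on purpose
# because the Apache proxy runs on host1; restrict port 9980 with a firewall
# rule to host1's address so nothing but the proxy reaches loolwsd.
docker_cmd() {
    printf "docker run -t -d -p 9980:9980 -e 'domain=%s' --restart always --cap-add MKNOD collabora/code\n" \
        "$(domain_regex "$@")"
}

# The single-backslash pattern the doubled form stands for (\\. -> \.),
# i.e. the regex as a regex engine reads it.
effective_regex() {
    domain_regex "$@" | sed 's/\\\\/\\/g'
}

# Return 0 if hostname $2 is matched in full by extended regex $1.
# Demonstrates why the escaping matters: with an unescaped dot,
# "mlynuagexhopto.org" would be accepted as well.
host_allowed() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Stand-alone use: print the docker command for the hostnames given.
if [ "$#" -ge 1 ]; then
    docker_cmd "$@"
fi
```

Example: `sh code_domain.sh mlynuage.hopto.org` prints the `docker run` line with `-e 'domain=mlynuage\\.hopto\\.org'`; `host_allowed "$(effective_regex mlynuage.hopto.org)" mlynuagexhopto.org` fails, while the same check against the unescaped `mlynuage.hopto.org` succeeds.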
Well, I think I have met all the requirements, but maybe not configured them correctly.
When I open "https://DOM2" I get the default Apache2 page. Before that I get warnings concerning the certificate, which was installed standalone as mentioned above.
Any idea?
Here is my vhost config file in /etc/apache2/sites-available:
```apache
<VirtualHost *:443>
    # ServerName must match DOM2 exactly; for a name that matches no vhost
    # Apache serves its default site instead of this one
    ServerName mlydesk.hopto.org

    # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/mlydesk.hopto.org/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mlydesk.hopto.org/chain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mlydesk.hopto.org/privkey.pem
    SSLProtocol all -SSLv2 -SSLv3
    # (the cipher list was cut off in the original post; the "$" marks the truncation)
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-S$
    SSLHonorCipherOrder on

    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode

    # Container uses a unique non-signed certificate
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    # keep the host
    ProxyPreserveHost On

    # static html, js, images, etc. served from loolwsd
    # loleaflet is the client part of LibreOffice Online
    ProxyPass /loleaflet https://192.168.1.55:9980/loleaflet retry=0
    ProxyPassReverse /loleaflet https://192.168.1.55:9980/loleaflet

    # WOPI discovery URL
    ProxyPass /hosting/discovery https://192.168.1.55:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery https://192.168.1.55:9980/hosting/discovery

    # Main websocket
    ProxyPassMatch "/lool/(.*)/ws$" wss://192.168.1.55:9980/lool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass /lool/adminws wss://192.168.1.55:9980/lool/adminws

    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass /lool https://192.168.1.55:9980/lool
    ProxyPassReverse /lool https://192.168.1.55:9980/lool
</VirtualHost>
```