Collabora nginx letsencrypt - cURL error 60: SSL certificate problem: unable to get local issuer certificate

Hi there!
I have a problem with Collabora and Nextcloud, both behind nginx on the same machine:

nginx configuration as in examples for both collabora and nextcloud

nextcloud version : 11.0.3

docker info :

Containers: 1
Running: 1
Paused: 0
Stopped: 0
Images: 1
Server Version: 17.05.0-ce
Storage Driver: devicemapper
Pool Name: docker-253:16-262176-pool
Pool Blocksize: 65.54kB
Base Device Size: 10.74GB
Backing Filesystem: xfs
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 2.19GB
Data Space Total: 107.4GB
Data Space Available: 46.04GB
Metadata Space Used: 2.028MB
Metadata Space Total: 2.147GB
Metadata Space Available: 2.145GB
Thin Pool Minimum Free Space: 10.74GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /mnt/vdb/docker/devicemapper/devicemapper/data
Metadata loop file: /mnt/vdb/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.110 (2015-10-30)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.0-93-generic
Operating System: Ubuntu 16.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 5.828GiB
Name: ov-eb8e77
ID: KLCT:JG7D:TE3C:F6O6:WKW5:ZJPO:BXRM:ZFLE:E2FN:TXTM:ZJ6X:SORH
Docker Root Dir: /mnt/vdb/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

WARNING: devicemapper: usage of loopback devices is strongly discouraged for production use.
Use --storage-opt dm.thinpooldev to specify a custom block storage device.
WARNING: No swap limit support

docker image ls:

REPOSITORY       TAG      IMAGE ID       CREATED       SIZE
collabora/code   latest   20eeb70d9738   2 weeks ago   2.04GB

docker container inspect collabora.my.domain

[
    {
        "Id": "47615f1a00e59564cb0055dd152ae475974772016b886a6dca0ad5c07653422e",
        "Created": "2017-09-08T16:27:54.537221522Z",
        "Path": "/bin/sh",
        "Args": [
            "-c",
            "bash start-libreoffice.sh"
        ],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 8470,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2017-09-08T16:27:55.265352657Z",
            "FinishedAt": "0001-01-01T00:00:00Z"
        },
        "Image": "sha256:20eeb70d97385774e89217bd0daed72c3e7a85372c6d1b609001fd320dd8677e",
        "ResolvConfPath": "/mnt/vdb/docker/containers/47615f1a00e59564cb0055dd152ae475974772016b886a6dca0ad5c07653422e/resolv.conf",
        "HostnamePath": "/mnt/vdb/docker/containers/47615f1a00e59564cb0055dd152ae475974772016b886a6dca0ad5c07653422e/hostname",
        "HostsPath": "/mnt/vdb/docker/containers/47615f1a00e59564cb0055dd152ae475974772016b886a6dca0ad5c07653422e/hosts",
        "LogPath": "/mnt/vdb/docker/containers/47615f1a00e59564cb0055dd152ae475974772016b886a6dca0ad5c07653422e/47615f1a00e59564cb0055dd152ae475974772016b886a6dca0ad5c07653422e-json.log",
        "Name": "/collabora.my.domain",
        "RestartCount": 0,
        "Driver": "devicemapper",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "docker-default",
        "ExecIDs": null,
        "HostConfig": {
            "Binds": [],
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "json-file",
                "Config": {}
            },
            "NetworkMode": "default",
            "PortBindings": {
                "9980/tcp": [
                    {
                        "HostIp": "127.0.0.1",
                        "HostPort": "9980"
                    }
                ]
            },
            "RestartPolicy": {
                "Name": "",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": null,
            "CapDrop": null,
            "Dns": null,
            "DnsOptions": null,
            "DnsSearch": null,
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": null,
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "runc",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 0,
            "NanoCpus": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": null,
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": null,
            "DeviceCgroupRules": null,
            "DiskQuota": 0,
            "KernelMemory": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": -1,
            "OomKillDisable": false,
            "PidsLimit": 0,
            "Ulimits": null,
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0
        },
        "GraphDriver": {
            "Data": {
                "DeviceId": "13",
                "DeviceName": "docker-253:16-262176-64b21c0425006e9effe19c4a242c3b3f0bef0a33e549be806385d05a2c7633c9",
                "DeviceSize": "10737418240"
            },
            "Name": "devicemapper"
        },
        "Mounts": [],
        "Config": {
            "Hostname": "47615f1a00e5",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "9980/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "domain=cloud\\.my\\.domain|cloud-formation\\.my\\.domain",
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "LC_CTYPE=en_US.UTF-8"
            ],
            "Cmd": [
                "/bin/sh",
                "-c",
                "bash start-libreoffice.sh"
            ],
            "ArgsEscaped": true,
            "Image": "collabora/code",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {}
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "6991dd1c53959c2b7504c8fb47e3ba35208aea6268abea037b8771c7f973fe8c",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "9980/tcp": [
                    {
                        "HostIp": "127.0.0.1",
                        "HostPort": "9980"
                    }
                ]
            },
            "SandboxKey": "/var/run/docker/netns/6991dd1c5395",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "12446a7a3b8be7b93942342e134cac7d184463e0d2d3a3223cffa0e02d980697",
            "Gateway": "172.17.0.1",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "172.17.0.2",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
            "MacAddress": "02:42:ac:11:00:02",
            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "50e29bb73ca959aae87888cab38a9583e9a316214f0f947adf96c4c38ed2b27d",
                    "EndpointID": "12446a7a3b8be7b93942342e134cac7d184463e0d2d3a3223cffa0e02d980697",
                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:11:00:02"
                }
            }
        }
    }
]

The domains in the env part of docker inspect have double backslashes.
Can anybody give me a clue?

It seems to be a problem with using nginx as a reverse proxy for Collabora.
I don’t have this issue with Apache.
Here is my config file model, as shown here: https://www.collaboraoffice.com/code/

server {
    listen 443 ssl;
    server_name collabora.example.com;

    ssl_certificate /path/to/ssl_certificate;
    ssl_certificate_key /path/to/ssl_certificate_key;

    # static files
    location ^~ /loleaflet {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
}

Does somebody have an instance working with nginx and this config?

GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: unable to get local issuer certificate

Solved by passing the full chain instead of the certificate in the nginx configuration:

ssl_certificate /etc/letsencrypt/live/my.domain/fullchain.pem;

Hope it can help!

3 Likes
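
The failure and the fix described above can be reproduced offline. This is an added example, not part of the original posts: it builds a throwaway root, intermediate and leaf with `openssl` (all subjects, keys and paths are constructed; `cert.pem`, `chain.pem` and `fullchain.pem` follow certbot's file naming) and checks each candidate `ssl_certificate` file the way a client that trusts only the root would.

```sh
#!/bin/sh
# Added example: offline reproduction of "unable to get local issuer certificate".
# Every subject, key and path here is constructed test material.

new_csr() {  # $1 = CN, $2 = key file to write, $3 = CSR file to write
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2" -out "$3" 2>/dev/null
}

# Build root -> intermediate -> leaf in directory $1, then lay out cert.pem
# (leaf only) and fullchain.pem (leaf + intermediate) as certbot names them.
build_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext" &&
  new_csr 'Constructed Root' "$d/root.key" "$d/root.csr" &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  new_csr 'Constructed Intermediate' "$d/int.key" "$d/int.csr" &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/chain.pem" 2>/dev/null &&
  new_csr 'collabora.example.com' "$d/privkey.pem" "$d/leaf.csr" &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/cert.pem" 2>/dev/null &&
  cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
}

# Emulate a client such as cURL: it trusts only the root in $1 and can use
# nothing else but the certificates the server sends, i.e. the file in $2.
client_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1
}

work=$(mktemp -d)
build_chain "$work" || echo "could not build the test chain with openssl" >&2
for f in cert.pem fullchain.pem; do
  if client_verifies "$work/root.pem" "$work/$f" >/dev/null; then
    echo "ssl_certificate .../$f -> client builds the chain"
  else
    echo "ssl_certificate .../$f -> client cannot verify the certificate"
  fi
done
```

Against a running server, `openssl s_client -connect collabora.example.com:443 -showcerts` lists the certificates nginx actually sends, so a leaf-only response is visible directly.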

THANKS a lot!!! It works now!

My config, for people who are interested:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name collabora.X.org;

    ssl_certificate /etc/letsencrypt/live/collabora.X.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/collabora.X.org/privkey.pem;

    # static files
    location ^~ /loleaflet {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Main websocket
    location ~ /lool/(.*)/ws$ {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_buffering off;
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }
}