Collabora private server nextcloud 26 cURL error 60: SSL certificate problem: self signed certificate

Hello,

I’m quite blocked on the final configuration of a collabora server and nextcloud. When I try to set my server I get this error:

[richdocuments] Error: GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: self signed certificate (see libcurl - Error Codes) for https://collabora.server.com/hosting/capabilities at <>

0. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 158

  • GuzzleHttp\Handler\CurlFactory::createRejection("*** sensitive parameters replaced **")
    1. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 110*
  • GuzzleHttp\Handler\CurlFactory::finishError([“GuzzleHttp\Handler\CurlHandler”], "*** sensitive parameters replaced **", [“GuzzleHttp\Handler\CurlFactory”])

Nextcloud and Collabora are on a docker image behind a nginx proxy (manager), letsencrypt works ok and certificates are ok:

curl https://collabora-server.com. → I get: OK

I have a warning about WOPI:
You have not configured the allow-list for WOPI requests. Without this setting users may download restricted files via WOPI requests to the Nextcloud server. Click here for more info

but sincerely I have no idea what to do.

Thanks for your help

Are you running that cURL test from inside of the Nextcloud container?

Essentially, make sure that your Nextcloud container is not bypassing the reverse proxy to reach the Collabora container.

Depending on what instructions you followed, it is possible for the Collabora container to have HTTPS enabled on it as well, but it would not be using the LE certs deployed on your reverse proxy.

Edit: To test my theory: IIRC there’s also an app setting called disable_certificate_verification or the like (in the richdocuments app in NC). I believe something for it appears in the web UI in the settings area when you’ve set NC Office to use your own server (rather than the built-in one) so you don’t even need to do it from the CLI.

This will turn off certificate validation at the NC server level for the capabilities check. If things work you can then decide whether you’re comfortable with the two internal containers talking to each other without verification of certificates or not. If so, you’re done. If not, you’ll have to make adjustments to your environment so that NC is not bypassing the proxy.
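A way to see which certificate the Nextcloud container is actually being served, as an added example that is not part of the thread: it turns `openssl s_client` output into a verdict. The hostname `collabora.example.com`, the function names and the embedded sample output are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread); run it inside the Nextcloud container.

# First "Verify return code" number in `openssl s_client` output on stdin.
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Issuer of the leaf certificate (first "i:" line of the printed chain).
leaf_issuer() {
  sed -n 's/^ *i:\(.*\)$/\1/p' | head -n 1
}

# Map an OpenSSL verify code to what it means for this setup.
verdict() {
  case "$1" in
    0)     echo "trusted" ;;
    18)    echo "self-signed-leaf" ;;   # the "self signed certificate" text behind cURL error 60
    19)    echo "private-ca-chain" ;;
    20|21) echo "incomplete-chain" ;;   # intermediate ("chain") certificate not served
    62)    echo "hostname-mismatch" ;;
    "")    echo "no-handshake" ;;
    *)     echo "other-$1" ;;
  esac
}

# Live probe: address the name resolves to here, leaf issuer, and verdict.
probe_host() {
  host=$1; port=${2:-443}
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -verify_hostname "$host" </dev/null 2>/dev/null)
  addr=$(getent hosts "$host" | awk '{print $1; exit}')
  code=$(printf '%s\n' "$out" | verify_code)
  echo "host=$host addr=${addr:-unresolved} issuer=$(printf '%s\n' "$out" | leaf_issuer) verdict=$(verdict "$code")"
}

# Constructed s_client excerpt (not captured output) for a self-signed endpoint.
sample_self_signed() {
  cat <<'EOF'
CONNECTED(00000003)
Certificate chain
 0 s:CN = collabora.example.com
   i:CN = collabora.example.com
Verify return code: 18 (self signed certificate)
EOF
}

verdict "$(sample_self_signed | verify_code)"   # offline demo on the sample
# Live use: probe_host collabora.example.com 443
```

Running `probe_host` on the host and again inside the container and comparing `addr` and `issuer` shows whether the two are reaching the same TLS endpoint.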

Have you added the chain certificate as well (three certificate files)?

If Collabora is set to use port 443, make sure the port is not already bound to a server.

Thank you for answering.

I’m not running the command inside the container. This was launched outside.

I also tried to disable the certificate as you suggested but I am still getting the same error.

Thank you for the support.

This is my docker file. I’m using port 9980

networks:
  frontend:
    # add this if the network is already existing!
    external: true
  backend:
    external: true

services:
  collabora:
    image: collabora/code:22.05.12.2.1
    container_name: collabora_app
    networks:
      - frontend
    cap_add:
      - MKNOD
    ports:
      - 9980
    environment:
      - domain=cloud.euredomain.com # Enter your Seafile domain here
      - username=admin # Enter the username
      #- DONT_GEN_SSL_CERT=1
      - password=test # Enter the password
      - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
    restart: unless-stopped

We had to change the Nginx port from 443 since it was already occupied

Nginx stack

version: '3'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    container_name: nginx
    restart: always
    ports:
      - '80:80'
      - '81:81'
      - '9443:443'

Collabora stack

version: '3'
services:
  collabora:
    image: collabora/code
    restart: always
    container_name: collabora
    ports:
      - '9980:9980'
    environment:
      - aliasgroup1=https://xxx.com
      - dictionaries=en_GB
      - username=xxx
      - password=xxx
    cap_add:
      - MKNOD
    tty: true

networks:
  default:
    name: nginx_default
    external: true

I had a similar issue, running Nextcloud on an Ubuntu server with Apache, reverse proxy, and an SSL certificate for Collabora on a Docker image. The trick for me was to add port 443.

Of course, you have to replace the nextcloud domain name with yours.

sudo docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=nextcloud\\.com:443' -e 'dictionaries=de en es sv ..' -e 'TZ=Europe/Stockholm' --restart always --cap-add MKNOD --privileged collabora/code

Thank you for all your help.

Unfortunately still getting the same error, also opening port 443 and adding “domain=nextcloud\.pippo\.com:443” in the docker-compose file.

Any other hint or debug flag that I can use to understand better?

Thanks

Could be a number of reasons.

If you are using Let’s Encrypt, have you installed three cert files: key, cert and chain?

You should use aliasgroup1 instead of domain.

What are your Nginx proxy manager settings?

I tried also with:

no luck.

here my nginx settings


if I launch

curl -v https://collabora.com

inside the Nextcloud container I get this error

curl: (60) SSL certificate problem: self signed certificate

outside the Nextcloud container I get:

OK

Shouldn’t proxy host settings ‘Scheme’ be set to https?

I changed it but still get the same error. One question: why do I not get the Let’s Encrypt certificate from inside the Docker container?

Thanks

I have downloaded my domain cert and set it as a custom cert in the proxy manager.

I don’t need this string…

extra_params=--o:ssl.enable=false --o:ssl.termination=true

“I’m not currently running the same setup, but if I were to run an Nginx reverse proxy,
it would look something similar.
In this case, if we are running Collabora as a Docker (Nginx) and Cloudflare on a separate Nginx server.
For Collabora, we set up Nginx as a reverse proxy to the Docker.
This setup is converted from my working Apache configuration. It’s important to use https.
This configuration is only for the reverse proxy, something to start from. Some adjustments will likely need to be made.”

server {
    listen 443 ssl;
    server_name collabora.com;

    # SSL configuration
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/priv.key;

    # Security Headers
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        deny all;
    }

    # static html, js, images, etc. served from coolwsd
    # browser is the client part of LibreOffice Online
    location /browser {
        proxy_pass https://127.0.0.1:9980/browser;
        proxy_set_header Host $host;
    }

    # WOPI discovery URL
    location /hosting/discovery {
        proxy_pass https://127.0.0.1:9980/hosting/discovery;
        proxy_set_header Host $host;
    }

    # Main websocket
    location ~ /cool/(.*)/ws$ {
        proxy_pass https://127.0.0.1:9980/cool/$1/ws;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    # Admin Console websocket
    location /cool/adminws {
        proxy_pass https://127.0.0.1:9980/cool/adminws;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }

    # Download as, Fullscreen presentation and Image upload operations
    location /cool {
        proxy_pass https://127.0.0.1:9980/cool;
        proxy_set_header Host $host;
    }

    # Endpoint with information about availability of various features
    location /hosting/capabilities {
        proxy_pass https://127.0.0.1:9980/hosting/capabilities;
        proxy_set_header Host $host;
    }
}

Do you guys think I’m having the same problem? Despite every effort I cannot get NC Office to load at all.