Collabora private server nextcloud 26 cURL error 60: SSL certificate problem: self signed certificate

Hello,

I’m quite blocked on the final configuration of a collabora server and nextcloud. When I try to set my server I get this error:

[richdocuments] Error: GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: self signed certificate (see libcurl - Error Codes) for https://collabora.server.com/hosting/capabilities at <>

0. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 158

  • GuzzleHttp\Handler\CurlFactory::createRejection("*** sensitive parameters replaced **")
    1. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 110*
  • GuzzleHttp\Handler\CurlFactory::finishError(["GuzzleHttp\Handler\CurlHandler"], "*** sensitive parameters replaced **", ["GuzzleHttp\Handler\CurlFactory"])
    …

Nextcloud and Collabora are on a docker image behind a nginx proxy (manager), letsencrypt works ok and certificates are ok:

curl https://collabora-server.com. → I get: OK

I have a warning about WOPI:
You have not configured the allow-list for WOPI requests. Without this setting users may download restricted files via WOPI requests to the Nextcloud server. Click here for more info

but sincerely I have no idea what to do.

Thanks for your help

Are you running that cURL test from inside of the Nextcloud container?

Essentially, make sure that your Nextcloud container is not bypassing the reverse proxy to reach the Collabora container.

Depending on what instructions you followed, it is possible for the Collabora container to have HTTPS enabled on it as well, but it would not be using the LE certs deployed on your reverse proxy.

Edit: To test my theory: IIRC there’s also an app setting called disable_certificate_verification or the like (in the richdocuments app in NC). I believe something for it appears in the web UI in the settings area when you’ve set NC Office to use your own server (rather than the built-in one), so you don’t even need to do it from the CLI.

This will turn off certificate validation at the NC server level for the capabilities check. If things work you can then decide whether you’re comfortable with the two internal containers talking to each other without verification of certificates or not. If so, you’re done. If not, you’ll have to make adjustments to your environment so that NC is not bypassing the proxy.
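One way to check the theory above from inside the Nextcloud container, as an added example that is not part of the original thread: it reports which address the Collabora hostname resolves to there and whether the certificate answering on it is self-signed. The function names are hypothetical, `collabora.example.com` is a placeholder, and the script assumes `getent`, `awk` and the `openssl` CLI exist in the container.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread). Run it inside the
# Nextcloud container. Assumes getent, awk and the openssl CLI are installed.

# classify_cert: reads `openssl x509 -noout -subject -issuer` output on
# stdin. Identical subject and issuer is the usual sign of a self-signed
# certificate; a Let's Encrypt certificate names a different issuer.
classify_cert() {
    awk '
        /^subject=/ { sub(/^subject= */, ""); s = $0 }
        /^issuer=/  { sub(/^issuer= */, "");  i = $0 }
        END {
            if (s == "" || i == "") print "unknown"
            else if (s == i)        print "self-signed"
            else                    print "ca-issued"
        }'
}

# is_private_ip: succeeds for loopback and RFC 1918 IPv4 addresses,
# which is what Docker bridge networks hand out.
is_private_ip() {
    case "$1" in
        10.*|192.168.*|127.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe HOST [PORT]: show where HOST resolves from this container and
# what kind of certificate the endpoint presents.
probe() {
    host=$1; port=${2:-443}
    ip=$(getent hosts "$host" | awk '{print $1; exit}')
    kind=$(openssl s_client -connect "$host:$port" -servername "$host" \
               </dev/null 2>/dev/null \
           | openssl x509 -noout -subject -issuer 2>/dev/null \
           | classify_cert)
    echo "$host -> ${ip:-unresolved}, certificate: $kind"
    if [ "$kind" = "self-signed" ]; then
        echo "The endpoint answering here is not serving the Let's Encrypt certificate."
        if is_private_ip "$ip"; then
            echo "The name resolves to an internal address, so the proxy is being bypassed."
        fi
    fi
}

# Usage (placeholder hostname): sh probe.sh collabora.example.com 443
if [ "$#" -gt 0 ]; then probe "$@"; fi
```

Running the same script on the Docker host and comparing the two results shows whether the container and the host reach the same endpoint.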

Have you added the chain certificate as well (three certificate files)?

If Collabora is set to use port 443, make sure the port is not already bound to a server.

Thank you for answering.

I’m not running the command inside the container. This was launched outside.

I also tried to disable the certificate as you suggested but I am still getting the same error.

Thank you for the support.

This is my docker file. I’m using port 9980

networks:
  frontend:
    # add this if the network is already existing!
    external: true
  backend:
    external: true

services:
  collabora:
    image: collabora/code:22.05.12.2.1
    container_name: collabora_app
    networks:
      - frontend
    cap_add:
      - MKNOD
    ports:
      - 9980
    environment:
      - domain=cloud.euredomain.com # Enter your Seafile domain here
      - username=admin # Enter username
      #- DONT_GEN_SSL_CERT=1
      - password=test # Enter password
      - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
    restart: unless-stopped

We had to change the Nginx port from 443 since it was already occupied.

Nginx stack

version: '3'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    container_name: nginx
    restart: always
    ports:
      - '80:80'
      - '81:81'
      - '9443:443'

Collabora stack

version: '3'
services:
  collabora:
    image: collabora/code
    restart: always
    container_name: collabora
    ports:
      - '9980:9980'
    environment:
      - aliasgroup1=https://xxx.com
      - dictionaries=en_GB
      - username=xxx
      - password=xxx
    cap_add:
      - MKNOD
    tty: true

networks:
  default:
    name: nginx_default
    external: true

I had a similar issue, running Nextcloud on an Ubuntu server with Apache, reverse proxy, and an SSL certificate for Collabora on a Docker image. The trick for me was to add port 443.

Of course, you have to replace the nextcloud domain name with yours.

sudo docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=nextcloud\\.com:443' -e 'dictionaries=de en es sv ..' -e 'TZ=Europe/Stockholm' --restart always --cap-add MKNOD --privileged collabora/code

Thank you for all your help.

Unfortunately I am still getting the same error, even after opening port 443 and adding "domain=nextcloud\.pippo\.com:443" in the docker-compose file.

Any other hint or debug flag that I can use to understand better?

Thanks

Could be a number of reasons.

If you are using Let’s Encrypt, have you installed three cert files: key, cert and chain?

You should use aliasgroup1 instead of domain.

What are your Nginx proxy manager settings?

I tried also with:

no luck.

Here are my nginx settings


if I launch

curl -v https://collabora.com

inside the Nextcloud container I get this error

curl: (60) SSL certificate problem: self signed certificate

outside the Nextcloud container I get:

OK

Shouldn’t proxy host settings 'Scheme' be set to https?

I changed it but still get the same error. One question: why do I not get the Let’s Encrypt certificate from inside the Docker container?

Thanks

I have downloaded my domain cert and set it as a custom cert in the proxy manager.

I don’t need this string…

extra_params=--o:ssl.enable=false --o:ssl.termination=true"