Collabora ssl certification error

šŸš§ Installation
1

Hello,

Iā€™ve been finding many issues similar to mine on this forum, but none has been able to resolve mine so here goes -
Running a nextcloud + collabora instance via docker-compose from an Ubuntu 20.04 system. Both NC and collabora are meant to run behind a reverse proxy (which is running on another machine). NC runs fine, but -

  • when I enter the collabora fqdn into ā€˜use your own serverā€™ option, I get a ā€˜could not establish connectionā€™ error
  • instead, when I enter the collabora local ip + port instead, the server becomes reachable but I get an ssl error if i try to create a doc.

I know that its some kind of ssl setup issue, but I canā€™t get to the root of it. Here is my docker-compose.yml -

version: '3.7'

networks:
 nextcloud:

services:
  nextcloud:
    image: nextcloud
    container_name: nextcloud
    networks:
      - nextcloud
    ports:
      - "192.168.0.150:8080:80"
    volumes:
      - ${NEXTCLOUD_ROOT}/html:/var/www/html
      - ${NEXTCLOUD_ROOT}/data:/srv/nextcloud/data
    extra_hosts:
      - "${NEXTCLOUD_FQDN}:${NEXTCLOUD_IPADDRESS}"
      - "${COLLABORA_FQDN}:${NEXTCLOUD_IPADDRESS}"
    depends_on:
      - mariadb
      - redis
    environment:
      - NEXTCLOUD_TRUSTED_DOMAINS='${NEXTCLOUD_FQDN}'
      - NEXTCLOUD_DATA_DIR=/srv/nextcloud/data
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_HOST=nextcloud-mariadb
      - REDIS_HOST=nextcloud-redis
    restart: always

  mariadb:
    image: mariadb
    container_name: nextcloud-mariadb
    restart: always
    volumes:
      - ${NEXTCLOUD_ROOT}/mariadb:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
    networks:
      - nextcloud

  redis:
    image: redis
    container_name: nextcloud-redis
    networks:
      - nextcloud
    restart: always

  coturn:
    image: instrumentisto/coturn
    container_name: nextcloud-coturn
    restart: always
    ports:
 - "3478:3478/tcp"
      - "3478:3478/udp"
    networks:
      - nextcloud
    command:
      - -n
      - --log-file=stdout
      - --min-port=49160
      - --max-port=49200
      - --realm=${NEXTCLOUD_FQDN}
      - --use-auth-secret
      - --static-auth-secret=${COTURN_SECRET}

  collabora:
    image: collabora/code
    container_name: nextcloud-collabora
    restart: always
    networks:
      - nextcloud
    ports:
      - "192.168.0.150:9980:9980"
    extra_hosts:
      - "${NEXTCLOUD_FQDN}:${NEXTCLOUD_IPADDRESS}"
      - "${COLLABORA_FQDN}:${NEXTCLOUD_IPADDRESS}"
    environment:
      - 'domain=${NEXTCLOUD_FQDN}'
      - 'dictionaries=en'
      - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
    cap_add:
      - MKNOD
    tty: true

Iā€™ve added the ā€œextra_params=ā€“o:ssl.enable=false --o:ssl.termination=trueā€ line to reflect that the ssl for my collabora fqdn terminates at the reverse proxy, which communicates with the local ip and port of collabora

This is my conf file for the collabora fqdn reverse proxy. Note that this conf file resides on another machine that acts as a proxy server -

server {
    if ($host = scribble.domain.name) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name scribble.domain.name;
    return 404; # managed by Certbot

}


server {
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.name/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.name/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    access_log            /var/log/nginx/scribble.access.log;
    error_log             /var/log/nginx/scrib.error.log;



# static files
    location ^~ /loleaflet {
        proxy_pass http://192.168.0.150:9980;
        proxy_set_header Host $http_host;
    }


 # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass http://192.168.0.150:9980;
        proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass http://192.168.0.150:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass http://192.168.0.150:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass http://192.168.0.150:9980;

scribble.domain.name redirects to nextcloud access to untrusted domain page. Essentially, collabora is set up and good to go locally but is unreachable by its fqdn.

Also, /var/log/nginx/scribble.access.log and scribble.error.log are virtually empty.

Please help me out! Iā€™ll post other debug logs as required :slight_smile: