Configuration problems, reverse proxy and Office

I’m running Nextcloud as a Snap on Ubuntu 24.04, behind an HAProxy that is running on the same system. My instance is accessible from the LAN. It is listening on ports that are not the default HTTP and HTTPS ports. I have a custom certificate for the instance, signed by my own certificate authority. That is working, as I can access my instance at https://nextcloud.tld just fine.

I have 2 problems which I believe are caused by incorrect configuration. First problem is that every client is identified as 127.0.0.1. Second problem is that Nextcloud mobile clients (both Android and iOS) are unable to open office files (ods and odt) in the app for editing.

I’m running the built-in CODE server. The Nextcloud Office tab in the administration settings shows the following error:

Failed to connect to the remote server: cURL error 60: SSL certificate problem: self signed certificate in certificate chain (see libcurl - Error Codes) for https://nextcloud.tld/extra-apps/richdocumentscode/proxy.php?req=/hosting/discovery

I’ve configured HAProxy exactly as described here with only changing the names, IP-addresses and ports to my own.

Here are some rows from the configuration file of the Nextcloud Snap that I believe are relevant to these problems.

'trusted_domains' => array (
    0 => 'nextcloud.tld',
    1 => 'localhost',
),
'trusted_proxies' => array (
    0 => '127.0.0.1',
    1 => '::1',
),
'forwarded_for_headers' => array (
    0 => 'HTTP_X_FORWARDED_FOR',
    1 => 'HTTP_X_REAL_IP',
),
'overwrite.cli.url' => 'https://nextcloud.tld',

What am I doing wrong?

hi @temperator welcome to the community :handshake:

Please review 101: reverse proxy; likely you didn’t configure the “trusted proxy” (trusted_proxies) in the right way… maybe a restart is required…

My first guess would be that you didn’t add your self-signed cert to the container Root CA store, which is required as both systems must connect to each other using the “public” https:// URL (see the Collabora integration guide for details).

What is the container Root CA store in my case? I’m using the built-in CODE server.

The host system of my instance is running on bare metal. I have added the root certificate of my own certificate authority to the trust store of Ubuntu. This seems to have been successful, as running curl https://nextcloud.tld/index.php/dashboard from a shell on the host system returns a proper HTML file. Is Snap-Nextcloud somehow unable to read the trusted root certificates of the host system?

I’m not very familiar with Snap but suppose it is not expected to read the host CA store… In general, containers are not “just another application” running on the host but more like a slim VM, isolated in many ways… This isolation is usually an advantage; a container having access to the host file system would be a huge security issue.

It is your job to find it; I remember I saw the CA path briefly in the logs but I can’t say where/how.

In general I would recommend you stop using self-signed certificates, as it is really hard to make them work (every single client: mobiles, other users, friends, family, federated shares). IMO it is unmanageable to use self-signed certificates even for a small device fleet like a family without introducing an MDM solution…

UPDATE: I came across my logs again and add it here for reference: the Nextcloud server uses “/var/www/html/lib/private/Http/Client/Client.php” when it connects to external systems, and this one uses /var/www/html/resources/config/ca-bundle.crt in NC 30.0.4 Docker:Apache (but likely it’s generic).


Don’t use the built-in CODE server; I found this out the hard way. It’s slow… buggy, just dies for no reason eventually, wasting hours trying to figure out why; errors suddenly show up in nextcloud.log while it was working only minutes before. After a few days of fiddling around, this solved it for me.

Note: I didn’t use the full guide mentioned; for some reason that was confusing.
Use the docker image collabora/code.
Add the new DNS name to your hosting/dashboard (e.g. collabora.yoursite.com).

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=collabora\\.yoursite\\.com' --restart always --cap-add MKNOD collabora/code

Or this if you want to add dictionary (i didn’t)

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=collabora\\.yoursite\\.com' -e 'dictionaries=en nl ..' --restart always --cap-add MKNOD collabora/code

Note: the \\. is needed!
Run the following:

a2enmod proxy
a2enmod proxy_wstunnel
a2enmod proxy_http
a2enmod ssl
Run : certbot -d collabora.yoursite.com (Pick 1)

Create a new site sites-available/collabora.conf

Copy the example from the guide

Edit/nano your collabora.conf and add the /path/to/your/cert.pem lines

Change the line : ServerName collabora.yoursite.com

(For me it puts the new SSL/cert files into /etc/letsencrypt/live/collabora.yoursite.com; I’ve read that sometimes it’ll add a 1 behind the file names if all are stored in the same dir?)

SSLCertificateFile /etc/letsencrypt/live/collabora.yoursite.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/collabora.yoursite.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/collabora.yoursite.com/privkey.pem

Save and restart apache2 when asked.

Run: a2ensite collabora.conf
curl -v collabora.yoursite.com

And if all turns out fine, add
https://collabora.yoursite.com in the Nextcloud administration/Office settings and select your own server.

In case I missed something, please let me know.


Please be aware this is wrong/useless for newer versions.

Use aliasgroup instead. If you only have one NC, no need to bother at all; the first system connecting is always allowed.

@temperator I suggest you take a close look at our Nextcloud snap wiki, especially CODE & Nextcloud Office configuration and Reverse proxy configuration; once you’ve checked that out, see Hosts & FQDN configuration.

I personally agree with @Michiel_Breur and would suggest something like How to install and configure Collabora CODE server for Nextcloud snap with docker to save you time and hassle.


I didn’t know the \. isn’t needed anymore; since it worked using the \., I assumed it was needed. You can ignore that then.

I circumvented the first problem (real IP addresses not being detected) by removing the reverse proxy altogether and making the Snap listen on the default ports 80 and 443. Apparently I would have had to terminate the TLS connection with HAProxy to be able to set the X-Forwarded-For header. I don’t have for that.

The second problem still remains.

My certificate isn’t self-signed in the sense that I understand. It is signed by a certificate authority that just isn’t publicly known. I have installed the root certificate on multiple devices and signed multiple domain-specific certificates with it. Everything else works just fine, including the actual Snap-Nextcloud. The only problem I have is with the built-in CODE server. So no, I’m not going to stop using my own certificates.

I could deploy a separate Collabora Online server but even in that case, would my Snap-Nextcloud be able to trust the certificate of the Collabora server if the root certificate isn’t known to Snap-Nextcloud?

EDIT: I just checked /snap/core20/current/etc/ssl/certs and my root certificate is not there. I think I would somehow have to put it there. I’m trying to figure out how.
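The first problem in this thread (every client logged as 127.0.0.1, and the later observation that X-Forwarded-For can only be set once HAProxy terminates TLS) comes down to one rule: an application only honours a forwarded-for header when the TCP peer is listed in trusted_proxies, and a TLS-passthrough proxy never adds that header. The block below is an added illustration of that rule, not part of the thread and not Nextcloud’s own code; it uses the shape of the poster’s settings (trusted proxies 127.0.0.1 and ::1, header X-Forwarded-For), matches trusted proxies as literal addresses only (no CIDR ranges), and all addresses in it are made up.

```shell
#!/bin/sh
# Added example: a model of how a reverse-proxy-aware application picks the
# client address from REMOTE_ADDR and X-Forwarded-For. Illustration only, not
# Nextcloud's code. Trusted proxies are literal addresses (no CIDR) for brevity.

TRUSTED_PROXIES="127.0.0.1 ::1"   # mirrors the poster's trusted_proxies

is_trusted_proxy() {
    for p in $TRUSTED_PROXIES; do
        if [ "$1" = "$p" ]; then
            return 0
        fi
    done
    return 1
}

# client_ip REMOTE_ADDR "X-Forwarded-For value"  -> prints the address to log.
client_ip() {
    remote="$1"
    xff="$2"

    # Only a trusted TCP peer may speak for the client. Anyone else is logged
    # as is, however convincing their X-Forwarded-For header looks.
    if ! is_trusted_proxy "$remote"; then
        printf '%s\n' "$remote"
        return 0
    fi

    # Walk the comma-separated hop list from the right: the rightmost entry was
    # appended by the proxy we just trusted, further trusted hops are skipped,
    # and the first address that is not one of ours is the client. Everything
    # to the left of it is client-controlled input and is ignored.
    reversed=""
    for hop in $(printf '%s' "$xff" | tr ',' ' '); do
        reversed="$hop $reversed"
    done
    for hop in $reversed; do
        if is_trusted_proxy "$hop"; then
            continue
        fi
        printf '%s\n' "$hop"
        return 0
    done

    # Trusted peer but no usable header: the poster's symptom. An HAProxy
    # frontend in "mode tcp" (TLS passthrough) cannot add headers to traffic
    # it does not decrypt, so every request arrives as 127.0.0.1.
    printf '%s\n' "$remote"
}
```

In HAProxy terms the difference is a frontend in mode tcp (passthrough, the application sees the proxy’s address and nothing else) versus mode http with the certificate bound on the frontend and option forwardfor, which only exists once HAProxy can read the HTTP request. If the proxy is the only thing you trust, overwriting rather than appending (http-request set-header X-Forwarded-For %[src]) removes the client-supplied entries entirely, so the right-to-left walk above never has to skip past them.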

Both systems and users accessing the system must trust the whole certificate chain of both systems. This is the reason why running self-signed certificates is difficult as long as you cannot manage all involved clients and servers.

It’s not the \. :man_facepalming:
It is the “domain=” which is replaced by “aliasgroup1=”.

All my clients (Android, iOS, Linux laptops) trust the root certificate. All my servers, Ubuntu and Raspberry Pi, trust it. I haven’t had any real difficulties with this system before this one, so I wouldn’t blame this on privately signed certificates. It’s common practice for enterprises to have private networks with private certificates.

Seems to me that this is purely a Snap problem. Everything else about Nextcloud works nicely, so I’m going to try to fix this before switching over to a separate Collabora Online.

probably not… Managing encryption

@scubamuc
I installed my certificates following those instructions.

  • cert.pem contains the certificate of my Nextcloud instance
  • chain.pem contains aforementioned certificate and my root certificate
  • privkey.pem contains the private key

I still get the following error on the settings page of Nextcloud Office.

Could not establish connection to the Collabora Online server.

Failed to connect to the remote server: cURL error 60: SSL certificate problem: self signed certificate in certificate chain (see libcurl - Error Codes) for https://nextcloud.tld/extra-apps/richdocumentscode/proxy.php?req=/hosting/discovery

Am I still doing something wrong? What exactly should chain.pem contain in my case?

I’m not familiar with that term. Keep in mind I started doing this maybe 2 weeks ago.

It’s working for me and that’s the way I did it. I tried to put in as much as I could remember and even tried to find the exact command I used to start my docker Collabora image. If I made mistakes there, please correct them so we can learn from it.

The Snap-equivalent file seems to be /snap/nextcloud/45728/htdocs/resources/config/ca-bundle.crt but it is not writable.

Hi, what about security:certificates:import?
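What the cURL error 60 above, the read-only ca-bundle.crt under /snap/nextcloud/…/htdocs/resources/config, and the security:certificates:import suggestion have in common is that the HTTP client doing the verification consults its own bundle, not the host’s trust store. The block below is an added example, not something from the thread: it builds a throwaway private CA with openssl, reproduces the failure against a bundle that does not contain that root, and shows the same check passing once the root is added. It assumes openssl(1) is installed; every name and path in it is made up.

```shell
#!/bin/sh
# Added example: reproduce "SSL certificate problem: self signed certificate in
# certificate chain" offline and show the fix. Assumes openssl(1). All names and
# paths are made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# A private PKI like the poster's: a self-signed root and a leaf for
# nextcloud.tld signed by it. (openssl req -x509 marks the root as a CA using
# the default config / OpenSSL 3 defaults.)
make_private_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=nextcloud.tld" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/leaf.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Stand-in for the bundle an application ships with (like resources/config/
# ca-bundle.crt): it knows some other root, but not ours.
make_public_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Some Public Root CA" \
        -keyout "$WORK/public.key" -out "$WORK/public-bundle.crt" 2>/dev/null
}

# Returns 0 when LEAF chains to a root in BUNDLE, 1 otherwise.
# -no-CAfile/-no-CApath keep the host's system store out of the picture, which
# is effectively what a sandboxed application (a snap, a container) sees.
verify_against_bundle() {
    bundle="$1"
    leaf="$2"
    if openssl verify -no-CAfile -no-CApath -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# The fix: the application's bundle must contain the private root as well.
add_root_to_bundle() {
    bundle="$1"
    root="$2"
    out="$3"
    cat "$bundle" "$root" > "$out"
}
```

The server side does not need to change for this: chain.pem on the Nextcloud host should carry the leaf plus any intermediates, and the root is what the verifying client has to hold. On the snap that client-side step is the one named above, sudo nextcloud.occ security:certificates:import /path/to/root.pem, after which openssl s_client -connect nextcloud.tld:443 -servername nextcloud.tld -CAfile /path/to/root.pem </dev/null should end its output with Verify return code: 0 (ok).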

This nudged things forward a bit. Office settings now state that Collabora Online server is reachable. Hooray. Still can’t open Office files using either Android or iOS clients. Apparently a cURL error 28 now.

I have no proof, but it seems self-signed certs are not supported by iOS…

… and to be honest I would expect the same for Android.


One can install certificates in Android.
Settings / Network and Internet / Internet / Network preferences / Install certificates