Connecting to Collabora Online Server: Could not establish connection to the Collabora Online server

Amanuel_Elhanan · June 3, 2022, 9:13pm

Hello friends,
I am trying to set up Collabora online server on a dedicated server which is different from where am running nextcloud. Here is what I did on a server I installed Collabora online server.

Installed native collabora package | sudo dnf install coolwsd CODE-brand collaboraoffice
Edited coolwsd.xml | disabled SSL and enabled SSL termination
Installed Apache and mod_ssl | sudo dnf install httpd mod_ssl
Configured reverse proxy for collabora | reverse proxy for ssl termination (Proxy settings — SDK https://sdk.collaboraonline.com/ documentation) | collabora.conf
Installed certbot to certify my domain | Used generated key and cert in collabora.conf <VirtualHost *:443> section.

That’s what I have done so far, now I have tested to connect to Collabora place from Nextcloud and browser (to access admin panel), Here are the errors am getting:

Trying to connect from Nextcloud, as https://office.mydomain.com:443
Error: Could not establish connection to the Collabora Online server.
Trying to access admin panel from Browser (FIrefox)
Error: Secure Connection Failed, Error code: SSL_ERROR_RX_RECORD_TOO_LONG

Coolwsd.service showed me this as I try to connect from browser
[ websrv_poll ] ERR Looks like SSL/TLS traffic on plain http port| wsd/COOLWSD.cpp:3373

This is the way am trying to set up a dedicated Collabora online server:

Here is my collabora.conf configuration:



        # generated 2021-06-12, Mozilla Guideline v5.6, Apache 2.4.48, OpenSSL 1.1.1d, intermediate configuration, no OCSP
         
        # https://ssl-config.mozilla.org/#server=apache&version=2.4.48&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6
         
         
        # this configuration requires mod_ssl, mod_rewrite, and mod_headers
         
        <VirtualHost *:80>
            RewriteEngine On
            RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
            RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
        </VirtualHost>
         
        <VirtualHost *:443>
           
            SSLEngine on
            # curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
            SSLCertificateFile      /etc/letsencrypt/live/mydomain.com/fullchain.pem
            SSLCertificateKeyFile   /etc/letsencrypt/live/mydomain/privkey.pem
            ServerName mydomain.com
            # enable HTTP/2, if available
         
            Protocols h2 http/1.1
            # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
         
            Header always set Strict-Transport-Security "max-age=63072000"
                 
         
         
         ########################################
         
         # Reverse proxy for Collabora Online
         #
         
         ########################################
         
         
           AllowEncodedSlashes NoDecode
           ProxyPreserveHost On
         
         
         # static html, js, images, etc. served from coolwsd
         
         # browser is the client part of Collabora Online
         
           ProxyPass           /browser http://127.0.0.1:9980/browser retry=0
           ProxyPassReverse    /browser http://127.0.0.1:9980/browser
         
         
         
         # WOPI discovery URL
         
           ProxyPass           /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
           ProxyPassReverse    /hosting/discovery http://127.0.0.1:9980/hosting/discovery
         
         
         # Capabilities
         
           ProxyPass           /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
           ProxyPassReverse    /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities
         
         # Main websocket
         
           ProxyPassMatch      "/cool/(.*)/ws$"      ws://127.0.0.1:9980/cool/$1/ws nocanon
         
         
         
         # Admin Console websocket
         
           ProxyPass           /cool/adminws ws://127.0.0.1:9980/cool/adminws
         
         
         # Download as, Fullscreen presentation and Image upload operations
         
           ProxyPass           /cool http://127.0.0.1:9980/cool
           ProxyPassReverse    /cool http://127.0.0.1:9980/cool
         
         # Compatibility with integrations that use the /lool/convert-to endpoint
         
           ProxyPass           /lool http://127.0.0.1:9980/cool
           ProxyPassReverse    /lool http://127.0.0.1:9980/cool
         
         
        </VirtualHost>
         
         
        # intermediate configuration
         
        SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
         
        SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
         
        SSLHonorCipherOrder     off
         
        SSLSessionTickets       off

I have been struggling with this issue for like 4 days, Please help.

wwe · June 4, 2022, 1:05pm

Your post is missing relevant information about were and how your reverse proxy is setup and how it’s configured, from the config if looks like collabora is expected to run on the same host as reverse proxy… what is about Nextcloud?

Most likely your systems can’t reach each other using proper https URI … Please carefully review this thread - and linked references - WOPI protocol requires some communications you might not have expected…

Amanuel_Elhanan · June 4, 2022, 4:23pm

@wwe thank you so much for replying. Sorry that I didn’t clarify that very well.

were and how your reverse proxy is setup

I set up a dedicated server for Collabora online server. Nextcloud is on another server. Therefore when I configured reverse proxy as you can see above I used localhost (127.0.0.1) since am running Collabora online server on the same server in which I configured a reverse proxy. I tried to state above, am running a native package, not in a docker environment.

from the config if looks like Collabora is expected to run on the same host as a reverse proxy

yes, that’s correct, and nextcloud is running on another server with a different domain.

wwe · June 4, 2022, 5:03pm

@Amanuel_Elhanan in fact your drawing is includes the information Collabora and Reverse Proxy are running on the same host but I’ve missed it…

Take a look at this drawing - it’s for both systems running on the same host but general picture remain unchanged - systems must be able to talk with each other (double check DNS/TLS from each point of view). Depending on you systems are connected there might be unexpected interaction with reverse proxy/firewalls etc as well.

Amanuel_Elhanan · June 4, 2022, 11:54pm

@wwe Thanks again
Currently, am not even able to access the admin panel, at least that should work first right?
I am trying to access the admin panel through this URL https://mydomain:9980/browser/dist/admin/admin.html before proceeding to another staff am I right on the URL?

I am just thinking that Coolwsd is requiring path to public and private key, is there any config file in addtion to coolwsd.xml where I might deal with SSL? Because the error seems related to SSL, both from browser log and coolwsd.service

Amanuel_Elhanan · June 5, 2022, 1:58am

Hello, @wwe I finally fixed a minor mistake I have made.
For these whole issues the case is I didn’t know that when I installed coolwsd, default apache configuration file would be created inside /etc/http/conf/ . I created my own config file inside /etc/httpd/conf.d/.
Now I just copy-pasted contents from my custom config file to the default one and it worked fine.
Than you