Disable PTR Check on connection from a shared webhost

Hi,
I am using onlyoffice with my server fine but I want to share the instance with a friend who is using a shared webhost and it fails with:

 [2020-08-10T14:36:04.611] [ERROR] nodeJS - error downloadFile:url=https://cloud.DOMAIN.tl/index.php/apps/onlyoffice/empty?doc=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhY3Rpb24iOiJlbXB0eSJ9.KJnTLLg8ipSHihTzTytdrLV7gr7v3rv6LbmgemHmAao;attempt=1;code:ERR_TLS_CERT_ALTNAME_INVALID;connect:null;(id=conv_check_768309155_docx)
Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: cloud.DOMAIN.tl. is not in the cert's altnames: DNS:*.hoster.com, DNS:hoster.com
    at Object.checkServerIdentity (tls.js:239:17)
    at TLSSocket.onConnectSecure (_tls_wrap.js:1068:27)
    at TLSSocket.emit (events.js:198:13)
    at TLSSocket._finishInit (_tls_wrap.js:636:8)

As onlyoffice authenticates with the Token, the PTR check should not be necessary as in collabora.
So is there a way to disable this feature?

You mention a reverse DNS lookup, but from the error, it appears the issue is a certificate name mismatch. I don’t see any mention of a PTR record lookup.

Yes, the mismatch is that the IP address is reporting back a different domain than the server transmits in the first place. As you can’t change that on a shared webhost, I want to turn off that check.

I don’t think that’s what’s happening based on the error you posted. The error says the name typed in the address bar doesn’t match the name on the certificate. PTR records aren’t used in such a check.

What you need is the other domain added to the certificate’s subject alternate names, or access it with the name that’s already on it.

So how is onlyoffice getting the information to the hoster-server cert then? Is the server sending itself the other cert like a client certificate?
The cloud.domain.tl is a valid Let's Encrypt cert if you open the URL.

The server presents the certificate when a TLS connection is made.

The error indicates two things:

  • The certificate presented is valid for hoster.com and any of its subdomains (wildcard)
  • The SNI sent to the server (URL used to access it) was of the domain cloud.DOMAIN.tl

The certificate is not valid for cloud.DOMAIN.tl. You would need to access the server using hoster.com or a subdomain thereof in order for this certificate to be valid for it.
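The name check described above can be reproduced offline with Node's own `tls.checkServerIdentity`. This is an added example, not code from the thread or from ONLYOFFICE; the certificate object is constructed from the altnames in the posted error, and `checkName`, `presentedCert` and `sharedHostCert` are hypothetical names.

```javascript
const tls = require('node:tls');

// Constructed sample: the fields of a peer certificate that the hostname
// check reads, filled in from the altnames quoted in the error message.
const sharedHostCert = {
  subject: { CN: 'hoster.com' },
  subjectaltname: 'DNS:*.hoster.com, DNS:hoster.com',
};

// Run the same hostname-vs-SAN comparison Node performs after the handshake.
// Returns null when the name is covered, otherwise the error code and message.
// No DNS lookup (forward or PTR) is involved at any point.
function checkName(hostname, cert) {
  const err = tls.checkServerIdentity(hostname, cert);
  return err ? { code: err.code, message: err.message } : null;
}

// Diagnostic for a live server: report which certificate it presents for a
// given SNI value. Verification is switched off here only so a mismatching
// certificate can be read and compared; no application data is sent.
function presentedCert(host, servername, port = 443) {
  return new Promise((resolve, reject) => {
    const opts = { host, port, servername, rejectUnauthorized: false };
    const socket = tls.connect(opts, () => {
      const cert = socket.getPeerCertificate();
      socket.end();
      resolve({
        sni: servername,
        san: cert.subjectaltname,
        nameError: checkName(servername || host, cert),
      });
    });
    socket.on('error', reject);
  });
}

// Offline run against the constructed certificate.
for (const name of ['cloud.DOMAIN.tl', 'www.hoster.com', 'hoster.com', 'a.b.hoster.com']) {
  console.log(name, checkName(name, sharedHostCert) ?? 'ok');
}
```

Calling `presentedCert('cloud.DOMAIN.tl', 'cloud.DOMAIN.tl')` from the document server host shows whether the web host answers that SNI with the Let's Encrypt certificate or with its default `hoster.com` one.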

The question is if that is even possible in the context.
The flow of onlyoffice is?:
If I set the document server in the nextcloud URL,
nextcloud is sending to the onlyoffice server the link with the file to get,
onlyoffice is connecting to the server first without? SNI and is getting the wrong default certificate and does not attempt to do a SNI anymore, to get to the correct cert?

Node.js supports disabling that check.

Can I do that in onlyoffice too?