Libreoffice Nextcloud - Access Forbidden Issue

This is what I think happened.

1. it only accepts port 443, so you link has to be in this format: https://office.foo.com (even though in description it says “URL (and port)” – it’s a lie, it won’t work on a custom port, will throw this " access forbidden" error.
2. Try entering some other, wrong, address there. For example http://office.nextcloud.com then apply, then fix it back to your, correct, address.

hopefully it’ll help. Other than that I had the same problem on NC11 but I fixed it by rolling back to NC10, then updating to NC10.0.2 then NC11 and it sort of worked.

No dice for me… other than the fact that I didn’t roll back to 10 then back to 11 as backing up my NC takes quite awhile (the data folder specifically, not that you NEED to do this when it’s in a different location than the www HC folder, but I have way too important of stuff in there to not do so). I did however delete the Collabora container and redo all of that, to no avail such is life I guess, if I get the energy over the long weekend I may do that, was just really hoping not to, especially since this should really work as-is.

If I do get the energy than more than likely I’ll actually review all of the code to see what’s happening so it can be fixed for good and for everyone, there’s no reason why reverting back then up again should be the answer.

Edit: forgot to say thanks for the info depawlur

Edit 2: is anyone having this trouble that doesn’t have Strict Transport Security enabled? I always have mine on, and I’m now wondering if that’s the issue, which I will also test when I have time to change settings

I had/have my Strict Transport Security ON since day one.

Below is the log of when I had access forbidden, office.nextcloud.com was my correct address though.

/var/www/files.nexcloud.com/3rdparty/guzzlehttp/guzzle/src/RequestFsm.php - line 103: GuzzleHttp\Exception\RequestException wrapException(Object(GuzzleHttp\Message\Request), Object(GuzzleHttp\Ring\Exception\ConnectException))
/var/www/files.nexcloud.com/3rdparty/guzzlehttp/guzzle/src/RequestFsm.php - line 132: GuzzleHttp\RequestFsm->__invoke(Object(GuzzleHttp\Transaction))
/var/www/files.nexcloud.com/3rdparty/react/promise/src/FulfilledPromise.php - line 25: GuzzleHttp\RequestFsm->GuzzleHttp\{closure}(Array)
/var/www/files.nexcloud.com/3rdparty/guzzlehttp/ringphp/src/Future/CompletedFutureValue.php - line 55: React\Promise\FulfilledPromise->then(Object(Closure), NULL, NULL)
/var/www/files.nexcloud.com/3rdparty/guzzlehttp/guzzle/src/Message/FutureResponse.php - line 43: GuzzleHttp\Ring\Future\CompletedFutureValue->then(Object(Closure), NULL, NULL)
/var/www/files.nexcloud.com/3rdparty/guzzlehttp/guzzle/src/RequestFsm.php - line 134: GuzzleHttp\Message\FutureResponse proxy(Object(GuzzleHttp\Ring\Future\CompletedFutureArray), Object(Closure))
/var/www/files.nexcloud.com/3rdparty/guzzlehttp/guzzle/src/Client.php - line 165: GuzzleHttp\RequestFsm->__invoke(Object(GuzzleHttp\Transaction))
/var/www/files.nexcloud.com/3rdparty/guzzlehttp/guzzle/src/Client.php - line 125: GuzzleHttp\Client->send(Object(GuzzleHttp\Message\Request))
/var/www/files.nexcloud.com/lib/private/Http/Client/Client.php - line 137: GuzzleHttp\Client->get('https //office....', Array)
/var/www/files.nexcloud.com/apps/richdocuments/lib/WOPI/DiscoveryManager.php - line 84: OC\Http\Client\Client->get('https //office....')
/var/www/files.nexcloud.com/apps/richdocuments/lib/WOPI/Parser.php - line 41: OCA\Richdocuments\WOPI\DiscoveryManager->get()
/var/www/files.nexcloud.com/apps/richdocuments/lib/Controller/DocumentController.php - line 233: OCA\Richdocuments\WOPI\Parser->getUrlSrc('application/vnd...')
[internal function] OCA\Richdocuments\Controller\DocumentController->create('application/vnd...', '\xD0\xB2\xD1\x84\xD1\x8B\xD0\xB2\xD1\x8B\xD1\x84\xD0\xB2\xD1...', '/')
/var/www/files.nexcloud.com/lib/private/AppFramework/Http/Dispatcher.php - line 160: call_user_func_array(Array, Array)
/var/www/files.nexcloud.com/lib/private/AppFramework/Http/Dispatcher.php - line 90: OC\AppFramework\Http\Dispatcher->executeController(Object(OCA\Richdocuments\Controller\DocumentController), 'create')
/var/www/files.nexcloud.com/lib/private/AppFramework/App.php - line 114: OC\AppFramework\Http\Dispatcher->dispatch(Object(OCA\Richdocuments\Controller\DocumentController), 'create')
/var/www/files.nexcloud.com/lib/private/AppFramework/Routing/RouteActionHandler.php - line 47: OC\AppFramework\App main('OCA\\Richdocumen...', 'create', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
[internal function] OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
/var/www/files.nexcloud.com/lib/private/Route/Router.php - line 299: call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
/var/www/files.nexcloud.com/lib/base.php - line 1010: OC\Route\Router->match('/apps/richdocum...')
/var/www/files.nexcloud.com/index.php - line 40: OC handleRequest()
{main}

What is the

output of sudo docker ps -a

Output of sudo journalctl -u docker

Output of sudo systemctl status docker
Or sudo service docker status

I am using my own CA certificates and was having the same problem with the “Access Forbidden” message. I was able to get it working by adding my root CA certificate to the following file:

nextcloud/resources/config/ca-bundle.crt

You have to add the CA cert manually to ownCloud trusted cert storage:

cat ca-chain.cert.pem >> owncloud/resources/config/ca-bundle.crt

Reference: https://github.com/owncloud/richdocuments

I hope this fix works for others.

WOW!! For me the Access Forbidden is SOLVED!

@pmyork you are a great man! Your post has definitively solved my problem!!
I look for a solution from 1 week

1. I have installed nextcloud 11 into my home server openmediavault
2. I follow the official installation tutorial and a nginx conf guide
3. I use differents ports for my server, not standard ports 80 and 443 (port forward from my home router)
4. the collabora docker seems to be ok, it responds correctly from a browser, example: https://mynextcloud.exampl.com//hosting/discovery
5. installed and configured collabora plugin with my non standard https port
6. the collabora plugin it’s ok, I created a .odt file from button menu +
7. when I start to open the .odt document from nextcloud, I have an Access Forbidden (Accesso Negato) message, nothing appears into docker logs or nginx logs or nextcloud logs, apparently no errors…
8. now adding my selfsigned opemediavault.crt into nextcloud/resources/config/ca-bundle.crt I’m able to edit the .odt doc from nextcloud

@pmyork Thanx a lot for have shared your solution!

You’re welcome! I’m so glad to hear it worked for you. I hope the post helps many others as well.

Hi there !
It seems I had the same problem about “forbidden access”… But i can’t make it work .

About this file you put in the nextcloud/resources/config/ , i tried to put all the files i’ve created with let’sencrypt, but neither of them work. (cert.pem, chain.pem, fullchain.pem, privkey.pem).

Or maybe it’s the nextcloud’s certificat i have to put here ?

Finally, all i can see now is an apache server error :
Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request.

Am I wrong somewhere ?

ho… and I can see my nextcloud apache logs :
[Sat Jan 07 20:35:29.011442 2017] [fastcgi:error] [pid 11693] [client x.x.x.x:51948] FastCGI: incomplete headers (0 bytes) received from server "/usr/lib/cgi-bin/php5-fcgi"

and this in my collaboraonline apache logs :
[Sat Jan 07 20:29:52.164186 2017] [proxy_http:error] [pid 10403] (103)Software caused connection abort: [client 5.196.95.235:58851] AH01102: error reading status line from remote server 127.0.0.1:9980 [Sat Jan 07 20:29:52.164499 2017] [proxy:error] [pid 10403] [client 5.196.95.235:58851] AH00898: Error reading from remote server returned by /hosting/discovery

Edit: sorry, I forgot to speak english

Hi,

I had the same problem next to update from Nextcloud 11 to 11.0.1. I solved it like that:

1. Kill the docker container of collabora
2. Restart it with the command from the official doc
3. Restart apache (service apache2 restart)
4. Login and logout from Nextcloud

And then all works for me

Hope I have help someones !

Floréal

Awesome solution. I totally understood everything!

Hi,

I use a selfsigned crt and for me is not sufficient.
The nextcloud update has installed a new file nextcloud/resources/config/ca-bundle.crt.
I solved re-adding my selfsigned opemediavault.crt into nextcloud/resources/config/ca-bundle.crt

I hope this help someone

Ciao

I just got the trouble,too.Have you sovle it?

for me, this is the solution:
solution

I had the same issue and solution was adding “127.0.0.1 office.mydomain.com” to hosts file.
Then i had problem with "Well, this is embarrassing, we cannot connect to your document. Please try again."
And i changed docker start command to this “docker run --add-host=“cloud.mydomain.com:172.20.20.3” -t -d -p 127.0.0.1:9980:9980 -e ‘domain=cloud\.mydomain\.com’ --restart always --cap-add MKNOD collabora/code”.
And all my troubles has gone =)

I have tried all of the solutions here and cannot get this working. I am using a Let’s Encrypt cert.
I imported the cert into the ca-bundle.crt for Nextcloud. I even tried to import using occ:
sudo -u apache php occ security:certificates:import /usr/share/nextcloud/resources/config/ca-bundle.crt (just in case?) and I also tried @Brabus solution. No joy. Still Access Denied. Any chance there is something else that changed in recent releases?

Hello,
I’m having the same issue, and tried all solutions without success.
As @metalcated, I’m using Let’s Encrypt certificated and I tried
cat /etc/letsencrypt/live/cert.pem >> /nextcloud/resources/config/ca-bundle.crt, with no luck.

Any advice? I really don’t know where to look now.

Thanks

I have tried everything I can think of. I even tried replacing the certs in the container with the ones I generated for the office.domain.com link that is used in Apache. Same issue.

I had the same problem after updating to collabora 2.1. For me the solution was:

sudo docker exec Container-ID sed -i ‘s/collaboraoffice5.1/collaboraoffice5.3/’ start-libreoffice.sh

cheers

curl helped me to lacate the problem. Try in console curl https://office.yourdomain.com and see the answer.

curl returns a 200 without any content. Can you be more specific? No idea how to fix this. Using the Apache proxy vhost config from https://www.collaboraoffice.com/code/