Make nextcloud/onlyoffice app accept self signed certificates

akrea · May 28, 2020, 4:31pm

Hi

I have nextcloud and onlyoffice dockerized. Both on the same server and behind traefik (2.0) as reverse proxy.

Unfortunately, i cannot get onlyoffice to work via my domain. Yet I can make it accessible in my local network (http:). Again unfortunately, non-SSL connetion of apps are denied by nextcloud. So I created a certificate (selfsigned) and added it to onlyoffice. Again I get it working on https yet I have to add an exception to my browser as self-signed certs are not trusted.

Now when I want to connect to onlyoffice documentserver with onlyoffice app I get

> cURL error 60: SSL certificate problem: self signed certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html))

Is there a was to make nextcloud accept selfigned certs with a docker-compose command (I know there is sudo nextcloud.enable-https self-signed yet I couldn’t find a proper docker-compose command.

Or is there another way?

KarlF12 · May 28, 2020, 4:35pm

It’ll be more trouble to work out each piece of the puzzle accepting a self-signed certificate than it would be to set up Let’s Encrypt.

Each server, container, and client would need it installed as a trusted root certificate

akrea · June 3, 2020, 7:58pm

Thanks.

I have posted my question here then. Let’s see if there is someone who can help…

Reiner_Nippes · June 3, 2020, 10:15pm

that’s probably not the problem.

onlyoffice doesn’t accept the selfsigned cert from nextcloud. you have to set a env variable USE_UNAUTHORIZED_STORAGE=true in docker-compose file of onlyoffice.

github.com

ONLYOFFICE/Docker-DocumentServer/blob/91815ac24ac8ba5e44e201bf700dbefe03e8b258/run-document-server.sh#L32


  SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/tls.crt}
fi
if [[ -z $SSL_KEY_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/onlyoffice.key ]]; then
  SSL_KEY_PATH=${SSL_CERTIFICATES_DIR}/onlyoffice.key
else
  SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/tls.key}
fi
CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certificates.pem}
SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem}
SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}
USE_UNAUTHORIZED_STORAGE=${USE_UNAUTHORIZED_STORAGE:-false}
ONLYOFFICE_HTTPS_HSTS_ENABLED=${ONLYOFFICE_HTTPS_HSTS_ENABLED:-true}
ONLYOFFICE_HTTPS_HSTS_MAXAGE=${ONLYOFFICE_HTTPS_HSTS_MAXAGE:-31536000}
SYSCONF_TEMPLATES_DIR="/app/ds/setup/config"

NGINX_CONFD_PATH="/etc/nginx/conf.d";
NGINX_ONLYOFFICE_PATH="${CONF_DIR}/nginx"
NGINX_ONLYOFFICE_CONF="${NGINX_ONLYOFFICE_PATH}/ds.conf"
NGINX_ONLYOFFICE_EXAMPLE_PATH="${CONF_DIR}-example/nginx"
NGINX_ONLYOFFICE_EXAMPLE_CONF="${NGINX_ONLYOFFICE_EXAMPLE_PATH}/includes/ds-example.conf"

example in an ansible playbook:

github.com

ReinerNippes/nextcloud/blob/508520281b126d62b3a8649fa0c28ab2e56c25f4/roles/onlyoffice/tasks/main.yml#L17


    image: onlyoffice/documentserver
    state: started
    restart: yes
    restart_policy: always
    interactive: true
    tty: yes
    ports:
     - "{{ onlyoffice_ssl_port }}:443"
    env:
      ONLYOFFICE_HTTPS_HSTS_ENABLED: "{% if (tls_certificate_type == 'selfsigned') or tls_certificate_test %}false{% else %}true{% endif %}"
      USE_UNAUTHORIZED_STORAGE: "{% if (tls_certificate_type == 'selfsigned') or tls_certificate_test %}true{% else %}false{% endif %}"
      JWT_ENABLED:  'true'
      JWT_SECRET:   "{{ lookup('password', '{{ credential_store }}/onlyoffice_secret chars=ascii_letters,digits length=32') }}"
    volumes:
    - "{{ tls_certificate_key }}:/var/www/onlyoffice/Data/certs/onlyoffice.key:ro"
    - "{{ tls_certificate_file }}:/var/www/onlyoffice/Data/certs/onlyoffice.crt:ro"
    - "{{ tls_certificate_fullchain }}:/var/www/onlyoffice/Data/certs/ca-certificates.pem:ro"
    - "{{ tls_certificate_directory }}/dhparam.pem:/var/www/onlyoffice/Data/certs/dhparam.pem:ro"

- name: prune container and images
  docker_prune:

akrea · June 4, 2020, 7:37pm

Thanks for the hint! Yet, I have CA working for nextcloud - so presumably USE_UNOTHORIZED_STORAGE is not needed. The problem is on nextclouds side - as far as I can determine.

Reiner_Nippes · June 4, 2020, 8:31pm

did you disable hsts as well? ONLYOFFICE_HTTPS_HSTS_ENABLED: false

since you run both container on the same host why do you want to use tls anyway?

in my playbook i start the onlyoffice container without any special config:

github.com

ReinerNippes/nextcloud_on_docker/blob/7ec897748adc092afecd3c97f262c22b7045479a/roles/docker_container/tasks/onlyoffice.yml#L5


---
# tasks file to start onlyoffice container

- name: "{{ 'Create' if (state is undefined or 'absent' not in state) else 'Terminate' }} the onlyoffice container"
  docker_container:
    name:           'onlyoffice_documentserver'
    image:          'onlyoffice/documentserver:{{ docker_onlyoffice_image | default("latest") }}'
    restart_policy: 'always'
    networks:
     - name:        'backend'
    networks_cli_compatible: true
    labels:
        com.centurylinklabs.watchtower.enable:            "true"
    state:          '{{ state | default("started") }}'

nginx conf:

github.com

ReinerNippes/nextcloud_on_docker/blob/7ec897748adc092afecd3c97f262c22b7045479a/roles/docker_container/templates/nginx.conf.j2#L109


            proxy_set_header Connection "upgrade";
        }

        location ^~ /hosting/capabilities {
            proxy_pass https://collabora_online:9980;
            proxy_set_header Host $http_host;
        }
{% endif %}

{% if (online_office == 'onlyoffice') and (ansible_architecture == 'x86_64') %}
        location ~* ^/ds-vpath/ {
                rewrite /ds-vpath/(.*) /$1  break;
                proxy_pass http://onlyoffice_documentserver;
                proxy_redirect     off;

                client_max_body_size 100m;

                proxy_http_version 1.1;

                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;

and i hope you read how the nextcloud config is done:

github.com

ReinerNippes/nextcloud_on_docker/blob/7ec897748adc092afecd3c97f262c22b7045479a/roles/nextcloud_config/tasks/configure_onlyoffice.yml#L13


- name: install onlyoffice app
  shell: '{{ docker_occ_cmd }} app:install onlyoffice'
  args:
    creates: '{{ nextcloud_www_dir }}/apps/onlyoffice'
  register: install_onlyoffice_app
  
- name: enable onlyoffice app
  shell: '{{ docker_occ_cmd }} app:enable onlyoffice'
  when: install_onlyoffice_app is changed

- name: setup onlyoffice app
  shell: '{{ docker_occ_cmd }} --no-warnings config:system:set onlyoffice {{ item }}'
  loop:
    - 'DocumentServerUrl --value="/ds-vpath/"'
    - 'DocumentServerInternalUrl --value="http://onlyoffice_documentserver/"'
    - 'StorageUrl --value="http://nginx/"'
  when: install_onlyoffice_app is changed

akrea · June 5, 2020, 12:04pm

oh, I do not want to use tls at all! I just couldn’t figure out how to:

Use the 80 port with nextcloud - as nextcloud demands a SSL connection… If you can help with that I am all ears!!!
Since non-SSL is not allowed, I tried it with a selfsigned cert to use port 443. Which again - is not accepted by nextcloud.
So I got to the third option which isn’t working either: Use my default traefik 2.0 and letsencrypt setup to access onlyoffice-documentserver “from outside” (onlyoffice.mydomain.com) - getting a 504 timeout error every time I try to access it.

As you see I’ve come some way to get it working to no avail so far. If you can provide a solution to make the non-encrypted version working I would be delighted!

Thank you!

Reiner_Nippes · June 5, 2020, 2:19pm

plain vanilla nextcloud? just ignore the warnings. but nextcloud doesn’t care about tls or not.

why do you want to do this? did you go through my config? nextcloud and onlyoffice are both behind the nginx webserver. both without tls on port 80. (because it’s docker internal traffic.)

if you want to disable traefik redirect from port 80 to 443 just remove the line that looks like this:

github.com

ReinerNippes/nextcloud_on_docker/blob/df85df741716b32eda604dffe35bfb3e3765196a/roles/docker_container/tasks/nginx.yml#L36


  - name: backend
networks_cli_compatible: true
volumes:
  - "{{ nextcloud_nginx_dir }}/nginx.conf:/etc/nginx/nginx.conf"
  - "{{ nextcloud_nginx_dir }}/uploadsize.conf:/etc/nginx/conf.d/uploadsize.conf"
volumes_from:
  - nextcloud
labels:
  traefik.enable:         "true"
  traefik.docker.network: backend
  traefik.http.middlewares.nginx-https.redirectscheme.scheme: "https"
  traefik.http.routers.nginx-http.entrypoints: "web"
  traefik.http.routers.nginx-http.rule: "Host(`{{ nextcloud_server_fqdn }}`)"
  traefik.http.routers.nginx-http.middlewares: "nginx-https@docker"
  traefik.http.routers.nginx.entrypoints: "web-secure"
  traefik.http.routers.nginx.rule: "Host(`{{ nextcloud_server_fqdn }}`)"
  traefik.http.routers.nginx.middlewares: "nginx@docker,nginx-red@docker"
  traefik.http.routers.nginx.tls: "true"
  traefik.http.routers.nginx.tls.options: "TLSOptionsDefault@file"
  traefik.http.routers.nginx.tls.certresolver: "certificatesResolverDefault"
  traefik.http.middlewares.nginx.headers.referrerPolicy: "no-referrer"

Reiner_Nippes · June 5, 2020, 3:59pm

btw: that’s where i copied my settings.

akrea · June 26, 2020, 8:49pm

Hi Reiner

Thanks for your help.

I first had to figure out what an Ansible is. While I am sure, this is a very helpful - for me right now not an option - too little time to learn new stuff with two little kiddies at home for the next two years…

Some additional research brought me one step closer to the solution from https://github.com/ONLYOFFICE/onlyoffice-nextcloud#known-issues check the last point. Follow the instructions on the last issue and tataaaaa. Nextcloud is willing to connect yet throws another errormessage at me:

Fehler beim Anschließen (Im Dokumentenservice ist ein Fehler aufgetreten: Error while downloading the document file to be converted.) (version 5.5)

Any ideas on that one?

Further info:
In the onlyoffice app on nextcloud I tried pointing documentserver to the local ssl port of nextcloud as well as the nexcloud.mydomain.com adress. Since at least the later one is signed with certs traefik gets via let’s encrypt. Hence this should not be an issue. Am I right?

My certs are issued to *.mydomain.com and not to every single subdomain - is that a problem for onlyoffice?

BTW: ONLYOFFICE_HTTPS_HSTS_ENABLED=false is set now in docker-compose.

I’ll keep looking and update the thread if I find something. If you can provide some insights I would very much appreciate it.

akrea · June 28, 2020, 8:24pm

Update: I managed to get it working - a simple typo prevented proper working.

YET NEXT PROBLEM: When I want to edit a document it only works when I first add an exception to the browser for my documentserver, due to self signed certs. I can connect and change settings with any browser and from everywhere. Error message was: ONLYOFFICE not reachable. Contact admin

Hence, no one but myself can edit documents as one needs to be within my LAN to be able to access documentserver-IP and add that exception.

Any idea how to somehow mask the different containers for borwsers so that the browser assumes everything is coming form nextcloud?

Btw. I also tried to use the nextcloud internal document_community (server) app - with exactly the same error message. Of course after pointing the onlyoffice app to the internal server app…

akrea · June 28, 2020, 9:06pm

Woohoooooooooo I made it - across the board! Here is my working environment. I will summarize everything I know below for others to check. I don’t know if all set parameter/variable are necessary (made a remark when unsure).

Software used
As of today I use the latest

UbuntuServer 18.04
docker
docker-compose
nextcloud image for docker
onlyoffice image for docker
traefik 2.0 image for docker

Design/Goal
Nextcloud and Onlyoffice document server in seperate containers on the same host system. Make Nextcloud use Onlyoffice document server from the seperate container. I will not go into the detail of the problem as it is described above. In essence: get an CA certificate for onlyoffice.

Solution
Get the certificate: As for some reason onlyoffice cannot directly use letsencrypt certificates, which traefik is pulling (*.mydomain.com). I manually created a onlyoffice.pem file from the traefik acme.json file (to be found in the acme-folder in traefik container). Put it in the right folder in the onlyoffice container and ready you are.

docker-compose.yml sinppets (except for traefik)

nextcloud:
    image: linuxserver/nextcloud
    container_name: nextcloud
    hostname: nextcloud
    environment:
        - PUID=$PUID8
        - PGID=$PGID
        - TZ=${TZ}
    volumes:
        - $USERDIR/nextcloud/config:/config
        - $USERDIR/nextcloud/data:/data
        - $USERDIR/Docs:/var/hda/files/Docs
        - $USERDIR/Pictures:/var/hda/files/Pictures
        - $USERDIR/Music:/var/hda/files/Music
    networks:
        - default
        - t2_proxy
    ports:
        - $NEXTCLOUD_PORTS:443 #for LAN use only            
    depends_on:
        - "mariadb"
    labels:
        - "traefik.enable=true"
        ## TCP Routers
        - "traefik.tcp.routers.nextcloud-tcp.entrypoints=https"
        - "traefik.tcp.routers.nextcloud-tcp.rule=HostSNI(`nextcloud.$DOMAINNAME`)"
        - "traefik.tcp.routers.nextcloud-tcp.tls=true"
        - "traefik.tcp.routers.nextcloud-tcp.tls.passthrough=true"
        ## TCP Services
        - "traefik.tcp.routers.nextcloud-tcp.service=nextcloud-tcp-svc"
        - "traefik.tcp.services.nextcloud-tcp-svc.loadbalancer.server.port=443"
    restart: unless-stopped

   .....


  onlyoffice-documentserver:
    container_name: onlyoffice-documentserver
    image: onlyoffice/documentserver
    environment:
      - TZ=${TZ}
      - FORCE_SSL=true
      - CERT_FOLDER=/certs/
      - /app/onlyoffice/DocumentServer/data/certs/onlyoffice.pem:/certs/cert1.pem
      # Comment strings below to disable the JSON Web Token validation.
      - JWT_ENABLED=true
      - JWT_SECRET=${PW3}
      - JWT_HEADER=Authorization
      - JWT_IN_BODY=true
    stdin_open: true 
    tty: true
    networks:
        - default
        - t2_proxy
    restart: always
    volumes:
       - $USERDIR/onlyoffice/data:/var/www/onlyoffice/Data/
       - $USERDIR/onlyoffice/data/certs:/var/www/onlyoffice/Data/onlyoffice/documentserver
       - $USERDIR/onlyoffice/log:/var/log/onlyoffice
       - $USERDIR/onlyoffice/cache:/var/lib/onlyoffice/documentserver/App_Data/cache/files
       - $USERDIR/onlyoffice/example:/var/www/onlyoffice/documentserver-example/public/files
       - $USERDIR/onlyoffice/fonts:/usr/share/fonts
    labels:
       - "traefik.enable=true"
       ## TCP Routers
       - "traefik.tcp.routers.onlyoffice-tcp.entrypoints=https"
       - "traefik.tcp.routers.onlyoffice-tcp.rule=HostSNI(`onlyoffice.$DOMAINNAME`)"
       - "traefik.tcp.routers.onlyoffice-tcp.tls=true"
       - "traefik.tcp.routers.onlyoffice-tcp.tls.passthrough=true"
       ## TCP Services
       - "traefik.tcp.routers.onlyoffice-tcp.service=onlyoffice-tcp-svc"
       - "traefik.tcp.services.onlyoffice-tcp-svc.loadbalancer.server.port=443"

With that you basically have the two containers working the right way. Now to the NC
config.php

 <?php
 $CONFIG = array (
    'memcache.local' => '\\OC\\Memcache\\APCu',
    'datadirectory' => '/data',
    'instanceid' => 'sensitive Data',
    'passwordsalt' => 'sensitive Data',
    'secret' => 'sensitive Data',
    'trusted_domains' => 
    array (
      0 => 'XXX.XXX.XXX.XXX:YYYY',
      1 => 'nextcloud.mydomain.com',
      2 => 'onlyoffice.mydomain.com', #not sure if this line is needed
    ),
    'overwrite.cli.url' => 'https://nextcloud.mydomain.com', #not sure if this line is needed
    ..... #non relevant content for this problem 
  );

Again thanks to everybody who is helping out with this stuff!

ImperiumMaster · August 5, 2020, 8:05pm

@akrea Hello, I’ve encountered the same need. I managed to make onlyoffice works with another way, but that’s not the subject I bring back.

I’m trying to setup nextcloud, I had the exact same traefik labels as you. My issue is that I Nextcloud is proving the self-signed certificate and my browser is complaining about that. Due to passthrough=true, the LE certificate managed by traefik is not used.
Did you have the same issue and managed to solve it?