Make nextcloud/onlyoffice app accept self signed certificates

Hi

I have nextcloud and onlyoffice dockerized. Both on the same server and behind traefik (2.0) as reverse proxy.

Unfortunately, I cannot get onlyoffice to work via my domain. Yet I can make it accessible in my local network (http:). Again unfortunately, non-SSL connections of apps are denied by nextcloud. So I created a certificate (self-signed) and added it to onlyoffice. Again I get it working on https, yet I have to add an exception to my browser as self-signed certs are not trusted.

Now when I want to connect to onlyoffice documentserver with onlyoffice app I get

> cURL error 60: SSL certificate problem: self signed certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html))

Is there a way to make nextcloud accept self-signed certs with a docker-compose command? (I know there is sudo nextcloud.enable-https self-signed, yet I couldn’t find a proper docker-compose command.)

Or is there another way?

It’ll be more trouble to work out each piece of the puzzle accepting a self-signed certificate than it would be to set up Let’s Encrypt.

Each server, container, and client would need it installed as a trusted root certificate


Thanks.

I have posted my question here then. Let’s see if there is someone who can help…

that’s probably not the problem.

onlyoffice doesn’t accept the self-signed cert from nextcloud. you have to set an env variable USE_UNAUTHORIZED_STORAGE=true in the docker-compose file of onlyoffice.

example in an ansible playbook:

Thanks for the hint! Yet, I have a CA working for nextcloud - so presumably USE_UNAUTHORIZED_STORAGE is not needed. The problem is on Nextcloud’s side - as far as I can determine.

did you disable hsts as well? ONLYOFFICE_HTTPS_HSTS_ENABLED: false


since you run both containers on the same host, why do you want to use tls anyway?

in my playbook i start the onlyoffice container without any special config:

nginx conf:

and i hope you read how the nextcloud config is done:

oh, I do not want to use tls at all! I just couldn’t figure out how to:

  1. Use port 80 with nextcloud - as nextcloud demands an SSL connection… If you can help with that I am all ears!!!
  2. Since non-SSL is not allowed, I tried it with a selfsigned cert to use port 443. Which again - is not accepted by nextcloud.
  3. So I got to the third option which isn’t working either: Use my default traefik 2.0 and letsencrypt setup to access onlyoffice-documentserver “from outside” (onlyoffice.mydomain.com) - getting a 504 timeout error every time I try to access it.

As you see I’ve come some way to get it working to no avail so far. If you can provide a solution to make the non-encrypted version working I would be delighted! :smiley:

Thank you!

plain vanilla nextcloud? just ignore the warnings. but nextcloud doesn’t care about tls or not.

why do you want to do this? did you go through my config? nextcloud and onlyoffice are both behind the nginx webserver. both without tls on port 80. (because it’s docker internal traffic.)

if you want to disable traefik redirect from port 80 to 443 just remove the line that looks like this:

btw: that’s where i copied my settings.

Hi Reiner

Thanks for your help.

I first had to figure out what Ansible is. While I am sure this is very helpful, for me right now it is not an option - too little time to learn new stuff with two little kiddies at home for the next two years…

Some additional research brought me one step closer to the solution: https://github.com/ONLYOFFICE/onlyoffice-nextcloud#known-issues - check the last point. Follow the instructions on the last issue and tataaaaa. Nextcloud is willing to connect yet throws another error message at me:

Fehler beim Anschließen (Im Dokumentenservice ist ein Fehler aufgetreten: Error while downloading the document file to be converted.) (version 5.5)

Any ideas on that one?

Further info:
In the onlyoffice app on nextcloud I tried pointing documentserver to the local ssl port of nextcloud as well as the nextcloud.mydomain.com address. At least the latter one is signed with certs traefik gets via Let’s Encrypt, hence this should not be an issue. Am I right?

My certs are issued to *.mydomain.com and not to every single subdomain - is that a problem for onlyoffice?

BTW: ONLYOFFICE_HTTPS_HSTS_ENABLED=false is set now in docker-compose.

I’ll keep looking and update the thread if I find something. If you can provide some insights I would very much appreciate it.

Update: I managed to get it working - a simple typo prevented proper working.

YET NEXT PROBLEM: When I want to edit a document it only works when I first add an exception to the browser for my documentserver, due to self signed certs. I can connect and change settings with any browser and from everywhere. :thinking: Error message was: ONLYOFFICE not reachable. Contact admin

Hence, no one but myself can edit documents as one needs to be within my LAN to be able to access documentserver-IP and add that exception.

Any idea how to somehow mask the different containers for browsers so that the browser assumes everything is coming from nextcloud?

Btw. I also tried to use the nextcloud internal document_community (server) app - with exactly the same error message. Of course after pointing the onlyoffice app to the internal server app… :astonished:

Woohoooooooooo I made it - across the board! Here is my working environment. I will summarize everything I know below for others to check. I don’t know if all the set parameters/variables are necessary (I made a remark when unsure).

Software used
As of today I use the latest

  • Ubuntu Server 18.04
  • docker
  • docker-compose
  • nextcloud image for docker
  • onlyoffice image for docker
  • traefik 2.0 image for docker

Design/Goal
Nextcloud and Onlyoffice document server in separate containers on the same host system. Make Nextcloud use the Onlyoffice document server from the separate container. I will not go into the details of the problem as it is described above. In essence: get a CA certificate for onlyoffice.

Solution
Get the certificate: As for some reason onlyoffice cannot directly use the letsencrypt certificates which traefik is pulling (*.mydomain.com), I manually created an onlyoffice.pem file from the traefik acme.json file (to be found in the acme folder in the traefik container). Put it in the right folder in the onlyoffice container and ready you are.

docker-compose.yml snippets (except for traefik)

  nextcloud:
    image: linuxserver/nextcloud
    container_name: nextcloud
    hostname: nextcloud
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - TZ=${TZ}
    volumes:
      - $USERDIR/nextcloud/config:/config
      - $USERDIR/nextcloud/data:/data
      - $USERDIR/Docs:/var/hda/files/Docs
      - $USERDIR/Pictures:/var/hda/files/Pictures
      - $USERDIR/Music:/var/hda/files/Music
    networks:
      - default
      - t2_proxy
    ports:
      # quoted so YAML does not read "8443:443"-style values as a number; for LAN use only
      - "$NEXTCLOUD_PORTS:443"
    depends_on:
      - "mariadb"
    labels:
      - "traefik.enable=true"
      ## TCP Routers
      - "traefik.tcp.routers.nextcloud-tcp.entrypoints=https"
      - "traefik.tcp.routers.nextcloud-tcp.rule=HostSNI(`nextcloud.$DOMAINNAME`)"
      - "traefik.tcp.routers.nextcloud-tcp.tls=true"
      - "traefik.tcp.routers.nextcloud-tcp.tls.passthrough=true"
      ## TCP Services
      - "traefik.tcp.routers.nextcloud-tcp.service=nextcloud-tcp-svc"
      - "traefik.tcp.services.nextcloud-tcp-svc.loadbalancer.server.port=443"
    restart: unless-stopped

  .....

  onlyoffice-documentserver:
    container_name: onlyoffice-documentserver
    image: onlyoffice/documentserver
    environment:
      - TZ=${TZ}
      - FORCE_SSL=true
      - CERT_FOLDER=/certs/
      # Comment the strings below to disable the JSON Web Token validation.
      - JWT_ENABLED=true
      - JWT_SECRET=${PW3}
      - JWT_HEADER=Authorization
      - JWT_IN_BODY=true
    stdin_open: true
    tty: true
    networks:
      - default
      - t2_proxy
    restart: always
    volumes:
      # the certificate built from traefik's acme.json (a bind mount, so it belongs
      # under volumes, not environment)
      - /app/onlyoffice/DocumentServer/data/certs/onlyoffice.pem:/certs/cert1.pem
      - $USERDIR/onlyoffice/data:/var/www/onlyoffice/Data/
      - $USERDIR/onlyoffice/data/certs:/var/www/onlyoffice/Data/onlyoffice/documentserver
      - $USERDIR/onlyoffice/log:/var/log/onlyoffice
      - $USERDIR/onlyoffice/cache:/var/lib/onlyoffice/documentserver/App_Data/cache/files
      - $USERDIR/onlyoffice/example:/var/www/onlyoffice/documentserver-example/public/files
      - $USERDIR/onlyoffice/fonts:/usr/share/fonts
    labels:
      - "traefik.enable=true"
      ## TCP Routers
      - "traefik.tcp.routers.onlyoffice-tcp.entrypoints=https"
      - "traefik.tcp.routers.onlyoffice-tcp.rule=HostSNI(`onlyoffice.$DOMAINNAME`)"
      - "traefik.tcp.routers.onlyoffice-tcp.tls=true"
      - "traefik.tcp.routers.onlyoffice-tcp.tls.passthrough=true"
      ## TCP Services
      - "traefik.tcp.routers.onlyoffice-tcp.service=onlyoffice-tcp-svc"
      - "traefik.tcp.services.onlyoffice-tcp-svc.loadbalancer.server.port=443"

With that you basically have the two containers working the right way. Now to the NC config.php:

  <?php
  $CONFIG = array (
    'memcache.local' => '\\OC\\Memcache\\APCu',
    'datadirectory' => '/data',
    'instanceid' => 'sensitive Data',
    'passwordsalt' => 'sensitive Data',
    'secret' => 'sensitive Data',
    'trusted_domains' => array (
      0 => 'XXX.XXX.XXX.XXX:YYYY',
      1 => 'nextcloud.mydomain.com',
      2 => 'onlyoffice.mydomain.com', # not sure if this line is needed
    ),
    'overwrite.cli.url' => 'https://nextcloud.mydomain.com', # not sure if this line is needed
    # ..... non-relevant content for this problem
  );

Again thanks to everybody who is helping out with this stuff!
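The manual step from the solution above, pulling the *.mydomain.com certificate and key out of traefik’s acme.json to build the onlyoffice certificate file, as an added example (not code from the thread or from either project). It assumes the Traefik 2.x acme.json layout, uses a constructed sample in place of the real file, and the output file names onlyoffice.crt / onlyoffice.key are my assumption (the post used onlyoffice.pem); it also answers the wildcard question raised earlier, since the matcher shows which hostnames *.mydomain.com covers.

```python
import base64
import json
import os
from typing import Optional, Tuple


def _covers(pattern: str, host: str) -> bool:
    """Does a certificate name cover host? A wildcard matches exactly one label:
    *.mydomain.com covers onlyoffice.mydomain.com, not mydomain.com or a.b.mydomain.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def extract_cert(acme_json: str, host: str) -> Optional[Tuple[str, str]]:
    """Return (certificate_pem, key_pem) of the first certificate, in any resolver,
    whose main name or SANs cover host; None if nothing does. Traefik 2.x keeps
    each cert/key as base64-encoded PEM in <resolver>.Certificates[].certificate/.key."""
    for resolver in json.loads(acme_json).values():
        for entry in resolver.get("Certificates") or []:
            names = [entry["domain"]["main"]] + list(entry["domain"].get("sans") or [])
            if any(_covers(n, host) for n in names):
                return (base64.b64decode(entry["certificate"]).decode(),
                        base64.b64decode(entry["key"]).decode())
    return None


# Constructed sample acme.json: the PEM bodies are placeholders, not real key material.
FAKE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
FAKE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"
SAMPLE_ACME_JSON = json.dumps({"le": {"Certificates": [{
    "domain": {"main": "*.mydomain.com", "sans": ["mydomain.com"]},
    "certificate": base64.b64encode(FAKE_CERT_PEM.encode()).decode(),
    "key": base64.b64encode(FAKE_KEY_PEM.encode()).decode(),
}]}})

if __name__ == "__main__":
    found = extract_cert(SAMPLE_ACME_JSON, "onlyoffice.mydomain.com")
    if found is None:
        raise SystemExit("no certificate in acme.json covers that host")
    cert_pem, key_pem = found
    with open("onlyoffice.crt", "w") as f:  # output file names are assumptions
        f.write(cert_pem)
    # The private key must not be world-readable: create it with mode 0600.
    fd = os.open("onlyoffice.key", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with open(fd, "w") as f:
        f.write(key_pem)
```

Against the real file, read acme.json from the traefik acme folder and pass its contents to extract_cert; the key file it writes is as sensitive as the acme.json itself.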


@akrea Hello, I’ve encountered the same need. I managed to make onlyoffice work in another way, but that’s not the subject I’m bringing up.

I’m trying to set up nextcloud; I had the exact same traefik labels as you. My issue is that Nextcloud is providing the self-signed certificate and my browser is complaining about that. Due to passthrough=true, the LE certificate managed by traefik is not used.
Did you have the same issue and managed to solve it?