Nc 13 + onlyoffice?

Nextcloud version: 13.0.1 stable
Operating system and version: Ubuntu 16.04.4 LTS
Apache or nginx version: nginx 1.10.3
PHP version: 7.2

Hi,

Isn’t it possible to use onlyoffice with nextcloud 13 at the moment?
I’ve installed onlyoffice document server on another machine and it works (I think, at least I can open the website).

I use http://10.0.0.130/ because I have no ssl cert for that; from the outside it’s running through a reverse proxy.
10.0.0.115 is the nextcloud server, also behind the reverse proxy, which is 10.0.0.104 (port 80 and 443 natted to public ip).

server {
        listen 443;
        ssl on;
        ssl_certificate         /etc/nginx/ssl/crt;
        ssl_certificate_key     /etc/nginx/ssl/key;

        server_name             ***.example.org;
     
        location / {
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;
                proxy_set_header        Host $http_host;
                proxy_intercept_errors  on;
                add_header Strict-Transport-Security max-age=15552000;
                proxy_pass http://10.0.0.130;
        }
}

The output of your Nextcloud log in Admin > Logging:

Error	onlyoffice	CommandRequest on check error: Im Dokumentenservice ist ein Fehler aufgetreten: Error while downloading the document file to be converted.

access.log from nextcloud

10.0.0.104 - - [11/Apr/2018:19:41:13 +0200] "PUT /apps/onlyoffice/ajax/settings HTTP/1.0" 200 274 "-" "*useragent*"

access.log from onlyoffice:

10.0.0.115 - - [11/Apr/2018:17:44:53 +0000] "POST /coauthoring/CommandService.ashx HTTP/1.0" 200 31 "-" "-"
10.0.0.130 - - [11/Apr/2018:17:44:53 +0000] "GET /apps/onlyoffice/empty?doc=YWR0bGVUa09OTTNnT3FIYnJNSHJGMWFxK2tBbUNlWXBXbkROMUhZTldKQT0/eyJhY3Rpb24iOiJlbXB0eSJ9 HTTP/1.1" 404 160 "-" "-"
10.0.0.130 - - [11/Apr/2018:17:44:54 +0000] "GET /apps/onlyoffice/empty?doc=YWR0bGVUa09OTTNnT3FIYnJNSHJGMWFxK2tBbUNlWXBXbkROMUhZTldKQT0/eyJhY3Rpb24iOiJlbXB0eSJ9 HTTP/1.1" 404 160 "-" "-"
10.0.0.130 - - [11/Apr/2018:17:44:55 +0000] "GET /apps/onlyoffice/empty?doc=YWR0bGVUa09OTTNnT3FIYnJNSHJGMWFxK2tBbUNlWXBXbkROMUhZTldKQT0/eyJhY3Rpb24iOiJlbXB0eSJ9 HTTP/1.1" 404 160 "-" "-"
10.0.0.115 - - [11/Apr/2018:17:44:57 +0000] "POST /ConvertService.ashx HTTP/1.0" 200 80 "-" "-"

nothing in the error logs

I have no idea right now how to debug that.

You need a cert for both, your inside onlyoffice webserver as well as your reverse proxy. A private cert on the onlyoffice server is okay; the reverse proxy should be equipped with Let's Encrypt.

Onlyoffice works fine with NC13, I am using it without problems.

Do you have selfsigned for your onlyoffice installation too?
For me it still doesn’t work.

I did http by this: https://helpcenter.onlyoffice.com/server/linux/document/switch-to-https.aspx (Switching Document Server v.3.6 to 4.2 to HTTPS)

include /etc/nginx/includes/onlyoffice-http.conf;
## Normal HTTP host
server {
  listen 0.0.0.0:80;
  listen [::]:80 default_server;
  server_name _;
  server_tokens off;
  ## Redirects all traffic to the HTTPS host
  root /nowhere; ## root doesn't have to be a valid path since we are redirecting
  rewrite ^ https://$host$request_uri? permanent;
}
#HTTP host for internal services
server {
  listen 127.0.0.1:80;
  listen [::1]:80;
  server_name localhost;
  server_tokens off;
  include /etc/nginx/includes/onlyoffice-documentserver-common.conf;
  include /etc/nginx/includes/onlyoffice-documentserver-docservice.conf;
}
## HTTPS host
server {
  listen 0.0.0.0:443 ssl;
  listen [::]:443 ssl default_server;
  server_tokens off;
  root /usr/share/nginx/html;
  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl on;
  ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
  ssl_verify_client off;
  #ssl_client_certificate ;
  ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128$"
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache  builtin:1000  shared:SSL:10m;
  ssl_prefer_server_ciphers   on;
  add_header Strict-Transport-Security max-age=31536000;
  # add_header X-Frame-Options SAMEORIGIN;
  add_header X-Content-Type-Options nosniff;
  ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
  ## Replace with your ssl_trusted_certificate. For more info see:
  ## - https://medium.com/devops-programming/4445f4862461
  ## - https://www.ruby-forum.com/topic/4419319
  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
  # ssl_stapling on;
  # ssl_stapling_verify on;
  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  # resolver_timeout 10s;
  ## [Optional] Generate a stronger DHE parameter:
  ##   cd /etc/ssl/certs
  ##   sudo openssl dhparam -out dhparam.pem 4096
  ##
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  include /etc/nginx/includes/onlyoffice-documentserver-*.conf;
}

Now I get an error from nextcloud instantly, there isn’t even a request to the onlyoffice server (according to the access.log)

Error	onlyoffice	CommandRequest on check error: Bad Request oder Timeout Fehlermeldung

access.log from nextcloud:

10.0.0.104 - - [11/Apr/2018:21:11:40 +0200] "PUT /apps/onlyoffice/ajax/settings HTTP/1.0" 200 207 "-" "useragent"

Yes I am using private cert on internal host and Lets Encrypt on my external host URL.

I am also using Apache and so I am not really familiar with NGINX. As far as I can see you are redirecting by rewriting URLs manually? I wouldn’t do this, better use 301 Redirects. Here’s the interesting part in my Reverse Proxy Config in Apache. Due to using a private cert on the inside host it’s important to disable cert checks:

SSLProxyEngine on
ProxyPass / https://192.168.0.170/
ProxyPassReverse / https://192.168.0.170/

SSLEngine on
SSLProxyVerify none 
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

Hope it helps!

That rewrite is just to force https.

for example if you try to open http://sub.example.org/randomdir/site.php it rewrites it to https://sub.example.org/randomdir/site.php.

But as I don’t even try to open it via http, this virtualhost is not even necessary.

So do I understand this correctly, you replaced nginx, which comes with onlyoffice by default, with apache?
Or did you install onlyoffice a different way?

What is strange: the webserver doesn’t even get accessed by the nextcloud installation.
well, kind of it does get accessed…

tcpdump:

19:16:31.775698 IP 10.0.0.115.58560 > 10.0.0.130.443: Flags [S], seq 2667717775, win 29200, options [mss 1460,sackOK,TS val 1712473613 ecr 0,nop,wscale 7], length 0
19:16:31.775771 IP 10.0.0.130.443 > 10.0.0.115.58560: Flags [S.], seq 2692322618, ack 2667717776, win 28960, options [mss 1460,sackOK,TS val 451347376 ecr 1712473613,nop,wscale 7], length 0
19:16:31.775798 IP 10.0.0.115.58560 > 10.0.0.130.443: Flags [.], ack 1, win 229, options [nop,nop,TS val 1712473613 ecr 451347376], length 0
19:16:31.778157 IP 10.0.0.115.58560 > 10.0.0.130.443: Flags [P.], seq 1:518, ack 1, win 229, options [nop,nop,TS val 1712473615 ecr 451347376], length 517
19:16:31.778205 IP 10.0.0.130.443 > 10.0.0.115.58560: Flags [.], ack 518, win 235, options [nop,nop,TS val 451347378 ecr 1712473615], length 0
19:16:31.779866 IP 10.0.0.130.443 > 10.0.0.115.58560: Flags [P.], seq 1:1336, ack 518, win 235, options [nop,nop,TS val 451347380 ecr 1712473615], length 1335
19:16:31.780143 IP 10.0.0.115.58560 > 10.0.0.130.443: Flags [.], ack 1336, win 251, options [nop,nop,TS val 1712473617 ecr 451347380], length 0
19:16:31.790766 IP 10.0.0.115.58560 > 10.0.0.130.443: Flags [P.], seq 518:525, ack 1336, win 251, options [nop,nop,TS val 1712473628 ecr 451347380], length 7
19:16:31.791663 IP 10.0.0.130.443 > 10.0.0.115.58560: Flags [F.], seq 1336, ack 525, win 235, options [nop,nop,TS val 451347392 ecr 1712473628], length 0
19:16:31.793098 IP 10.0.0.115.58560 > 10.0.0.130.443: Flags [R.], seq 525, ack 1337, win 251, options [nop,nop,TS val 1712473630 ecr 451347392], length 0

but access.log is empty.

The only thing I can imagine right now is that nextcloud refuses to connect to the onlyoffice server.
Is there any way to see a log of what nextcloud tries to do?

Edit: ahhhh

Error	onlyoffice	CommandRequest on check error: Bad Request oder Timeout Fehlermeldung	2018-04-12T21:32:43+0200
Error	PHP	file_get_contents(https://10.0.0.130/coauthoring/CommandService.ashx): failed to open stream: operation failed at /var/www/nextcloud/apps/onlyoffice/lib/documentservice.php#351	2018-04-12T21:32:43+0200
Error	PHP	file_get_contents(): Failed to enable crypto at /var/www/nextcloud/apps/onlyoffice/lib/documentservice.php#351	2018-04-12T21:32:43+0200
Error	PHP	file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /var/www/nextcloud/apps/onlyoffice/lib/documentservice.php#351

Edit 2: as it is a clear ssl error, I used my wildcard cert for onlyoffice and added onlyoffice.example.org as 10.0.0.130 in my nextcloud’s /etc/hosts

So far so good, but now I’m at the error from the beginning again, so I guess ssl is not required for the internal access.

Error	onlyoffice	CommandRequest on check error: Im Dokumentenservice ist ein Fehler aufgetreten: Error while downloading the document file to be converted.	2018-04-12T21:39:47+0200

Now I’m quite stumped.
I guess I’ll try onlyoffice with docker.

oh no no no, this is a misunderstanding. Only my Reverse Proxy is an Apache. The Onlyoffice Host is as recommended by OnlyOffice an NGINX.

And yes, redirection from http to https shouldn’t be done with rewriting. It should be permanently redirected with 301, but this is another problem.

Your problem is not related to Nextcloud, there is a server configuration problem I am locating somewhere on your Reverse Proxy or between your OO Host and Reverse Proxy.

To be sure that it’s not a proxy issue I’ve set up two VMs in my local network. (without proxy etc.)

1x ubuntu 16.04 with nextcloud via snap
1x ubuntu 16.04 with onlyoffice documentserver via docker (docker run -i -t -d -p 80:80 onlyoffice/documentserver)

still the same behaviour.

Error while downloading the document file to be converted.

Well, I didn’t use https on both, but when both are http it should work, or not?

as far as I know, OO only works with https properly

seems like selfsigned does not work.

I did this: https://github.com/ONLYOFFICE/Docker-DocumentServer#running-onlyoffice-document-server-using-https
-> doesn’t work

replaced the certs with my real cert and added the ip as onlyoffice.example.org into /etc/hosts
-> works

seems like selfsigned does not work.

Can’t confirm this, I am using self-signed certs on my inside OO host.

Hi, I faced the same “error while downloading the document file to be converted” after updating OO from 5.0 to the new 5.1 version.

Finally, my case is resolved. It was a self-signed certificate issue, exactly. With OO 5.0.x installed and the rootCA in /usr/share/ca-certificates/extra/, everything worked fine and curl https://nextcloud.local was clean. But after the upgrade to OnlyOffice 5.1 I faced “error while downloading the document file to be converted”.
When I looked at /var/log/onlyoffice/documentserver/converter/out.log I saw:

[ERROR] nodeJS - error downloadFile:url=https://nextcloud.local/apps/onlyoffice/empty?doc=cklIWFVDSXFpUCttL0U3ZDg2NzJmcXNFRkZWekdWajMyNUowNzBQTldOST0/eyJhY3Rpb24iOiJlbXB0eSJ9;attempt=1;code:UNABLE_TO_VERIFY_LEAF_SIGNATURE;connect:undefined;(id=conv_check_2095600374_docx)
Error: unable to verify the first certificate

After a lot of experiments and attempts, I realised two necessary things for my case:

  • Web-server certificate for Nextcloud must contain the full chain. My certificate was signed by SubCA.
  • I had to run Node.js with additional key NODE_EXTRA_CA_CERTS=/etc/ssl/certs/mycorpRCA.pem. I suppose it must be added only to /etc/onlyoffice/documentserver/supervisor/onlyoffice-documentserver-converter.conf, but I added it to each *.conf in that directory, for sure. Please note, adding NODE_TLS_REJECT_UNAUTHORIZED=0 instead wasn’t helpful for me.

I hope it would be helpful for someone.

Thanks, that worked for me also! :slight_smile:

sudo docker run -i -t -d -p 444:443 \
    -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data  onlyoffice/documentserver
  1. Copied my Letsencrypt private key to /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
  2. Copied my Letsencrypt certificate to /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
  3. Added private IP address and my public URL to /etc/hosts
  4. Added additional port forwarding on my Internet router for port 444

Great! :+1:

Oh my god, finally found the real error… :frowning:
In the 3rd setting you have to enter the domain from the nextcloud instance itself… :sweat_smile:

works…
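
An added example, not part of any post above: a small Python triage over the log lines quoted in this thread. It separates the two TLS verification directions (Nextcloud verifying the Document Server, and the Document Server verifying Nextcloud) and flags the case from the first post where the Document Server requests the Nextcloud callback path from itself, which points at the Nextcloud address setting mentioned in the last post. Function names are made up here, and the doc= token in the sample lines is shortened.

```python
import re

# Combined-log-format line: client IP, method, path, status.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Error strings quoted in the thread -> (side doing the verification, finding).
TLS_SIGNATURES = {
    "tls_process_server_certificate:certificate verify failed":
        ("nextcloud", "PHP/OpenSSL on Nextcloud does not trust the Document Server cert"),
    "UNABLE_TO_VERIFY_LEAF_SIGNATURE":
        ("documentserver", "Node.js on the Document Server cannot chain the Nextcloud cert"),
}


def triage_tls(log_line):
    """Return (verifying_side, finding) for a known TLS error line, else None."""
    for needle, verdict in TLS_SIGNATURES.items():
        if needle in log_line:
            return verdict
    return None


def self_fetches(access_lines, docserver_ips):
    """Find Nextcloud callback URLs that the Document Server requested from itself.

    A hit means the download URL given to the converter resolves to the
    Document Server, so the Nextcloud address in the connector settings is wrong.
    """
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not an access-log line
        ip, method, path, status = m.groups()
        if ip in docserver_ips and path.startswith("/apps/onlyoffice/"):
            hits.append((method, path.split("?", 1)[0], int(status)))
    return hits


# Sample input: Document Server access.log lines from the first post (doc= token shortened).
DOCSERVER_ACCESS = [
    '10.0.0.115 - - [11/Apr/2018:17:44:53 +0000] "POST /coauthoring/CommandService.ashx HTTP/1.0" 200 31 "-" "-"',
    '10.0.0.130 - - [11/Apr/2018:17:44:53 +0000] "GET /apps/onlyoffice/empty?doc=TOKEN HTTP/1.1" 404 160 "-" "-"',
    '10.0.0.115 - - [11/Apr/2018:17:44:57 +0000] "POST /ConvertService.ashx HTTP/1.0" 200 80 "-" "-"',
]
PHP_ERROR = ("file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: "
             "error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed")

if __name__ == "__main__":
    print(self_fetches(DOCSERVER_ACCESS, {"10.0.0.130"}))
    print(triage_tls(PHP_ERROR))
```

A "nextcloud" verdict is fixed on the Nextcloud host's trust store; a "documentserver" verdict is fixed on the Document Server side (full chain on Nextcloud, or NODE_EXTRA_CA_CERTS as described above).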