Nexcloud & collabora in docker container (solved)

Raffi_Alexanian · November 15, 2024, 12:16pm

Hello there.
I have a fully functionnal NC instance running on docker.
I have a fully functionnal collabora office connected to nextcloud.
I have a fully functionnal swag container that connects domains to my locals ip that are all accessible via 443 ports.

I can edit documents when I connect from nexcloud.mydomain.com (amazing !), But when I try to connect from my local IP (192.168.X.X (added to wopi host from docker compose (aliasgroup1) NOT FROM THE NEXTCLOUD ADMINISTRATION ! ! (that swipes all wopi hosts…))), then I get the ssl error in collabora logs
20C0F2917F000000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
| net/Socket.cpp:651
As far as I understood, collabora is not ok that I try to connect from a self-signed ssl adress (local nexcloud).

So the question is :
Is there a way to disable the collabora ssl certificate verification when I log from my local Nextcloud adress ?

Thanks a lot !

wwe · November 15, 2024, 12:19pm

this is an expected behavior as TLS certificates are issued for a domain and not for an IP address. For this reason direct connection to an IP address always trigger TLS error. and TLS is required for WOPI protocol.

If you want avoid internet loop you need so called 101: Split-Brain DNS (split-horizon)

Raffi_Alexanian · November 16, 2024, 12:02pm

Goood !
Thank you very much. Well, that sounds tricky. The last diagram in your (amazing) article is not very clear… Anyway. I added a DNS rule in my AdGuardHome (in the filters menu—not in the DNS menu!) that redirects nextcloud.mydomain.com to 192.168.X.X. However, the certificate is still self-signed, and Collabora won’t open.
The the new question is :
Should I add a rule in the SWAG container as well? Or should I redirect this address to my SWAG container? At this point, I’m a bit lost!

Thank you very much.

Raffi_Alexanian · November 16, 2024, 12:23pm

Sorry, the answer was : Of course the Swag addess.
Here are my rules in AdGuard
192.168.X.Y (swag adress) nextcloud.mydomain.com
192.168.X.Y (same swag address) collabora.mydomain.com
Swag makes it’s own kitchen (relatively to the address witch request is comming from) and it seems to work.
I disconnected internet, to be sure, and I could access my nexcloud entering the nexcloud.mydomain.com. However, Collabora doesn’t seems to open out-line… (I’ll try later on).
Thank you much for your answer wwe, you’re amazing !