Nextcloud Collabora CODE SSL issue. Failed to verify the certificate

Good day!
I’m almost ready but got stuck with an issue I’ve been fighting with for the last 2 days. As I understand it, the problem is that Collabora can’t verify the Nextcloud SSL certificate. The browser is not showing any SSL issues when opening Nextcloud. Any help is appreciated.

Collabora is running, Nextcloud accepted the server address incl. certificate check. Both Nextcloud and Collabora are using different subdomains and Letsencrypt certificates.

The certificates are copied to and the permit is set with chown -R lool:www-data

After I try to open a document, I see the following in systemctl status loolwsd:

WRN  Failed to verify the certificate of [cloud.XXX.net]| ./net/SslSocket.hpp:196
ERR  Socket #32 SSL BIO error: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown (0: Success)| ./net/SslSocket.hpp:330
ERR  Error while handling poll for socket #32 in HttpSynReqPoll: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown| net/Socket.cpp:423
ERR  WOPI::GetFile [https://cloud.XXX.net/index.php/apps/richdocuments/wopi/files/1249_ocfhv9kwyxj6/contents?access_token=&access_token_ttl=0] failed with Status >
ERR  Cannot download document from WOPI storage uri [https://cloud.XXX.net/index.php/apps/richdocuments/wopi/files/1249_ocfhv9kwyxj6/contents?access_token=&access>
ERR  Failed to load: file://, error: Unsupported URL <file://>: "type detection failed"| kit/Kit.cpp:1316
ERR  error: cmd=load kind=faileddocloading| ./common/Session.hpp:136
WRN  Document load failed: faileddocloading| wsd/ClientSession.cpp:1480
ERR  Failed to get LoKitDocument instance for [file://].| kit/ChildSession.cpp:684
WRN  Ignoring attempted read from 24| ./net/Socket.hpp:1021

Nextcloud log is showing the following PHP error:

Error: Trying to access array offset on the value of type null at /var/www/nextcloud/apps/richdocuments/lib/WOPI/DiscoveryManager.php#125

0. /var/www/nextcloud/apps/richdocuments/lib/WOPI/DiscoveryManager.php - line 125:OC\Log\ErrorHandler::onError()
1. /var/www/nextcloud/apps/richdocuments/lib/WOPI/DiscoveryManager.php - line 80:OCA\Richdocuments\WOPI\DiscoveryManager->isProxyStarting()
2. /var/www/nextcloud/apps/richdocuments/lib/WOPI/DiscoveryManager.php - line 56:OCA\Richdocuments\WOPI\DiscoveryManager->fetchFromRemote()
3. /var/www/nextcloud/apps/richdocuments/lib/WOPI/Parser.php - line 41:OCA\Richdocuments\WOPI\DiscoveryManager->get()
4. /var/www/nextcloud/apps/richdocuments/lib/Controller/SettingsController.php - line 176:OCA\Richdocuments\WOPI\Parser->getUrlSrc()
5. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 217:OCA\Richdocuments\Controller\SettingsController->setSettings()
6. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 126:OC\AppFramework\Http\Dispatcher->executeController()
7. /var/www/nextcloud/lib/private/AppFramework/App.php - line 156:OC\AppFramework\Http\Dispatcher->dispatch()
8. /var/www/nextcloud/lib/private/Route/Router.php - line 301:OC\AppFramework\App::main()
9. /var/www/nextcloud/lib/base.php - line 1000:OC\Route\Router->match()
10. /var/www/nextcloud/index.php - line 36:OC::handleRequest()

Here is the WOPI part of nano /etc/loolwsd/loolwsd.xml

    <wopi allow="true" desc="Allow/deny wopi storage. Mutually exclusive with webdav.">
        <host allow="true">office.XXX.net</host>
        <host allow="true">cloud.XXX.net</host>
        <host allow="true" desc="Regex pattern of hostname to allow or deny.">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host allow="true" desc="Regex pattern of hostname to allow or deny.">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host allow="true" desc="Regex pattern of hostname to allow or deny.">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host allow="true" desc="Regex pattern of hostname to allow or deny.">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host allow="true" desc="Regex pattern of hostname to allow or deny.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host allow="true" desc="Regex pattern of hostname to allow or deny.">[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host allow="false" desc="Regex pattern of hostname to allow or deny.">192\.168\.1\.1</host>
        <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
        <reuse_cookies default="false" desc="When enabled, cookies from the browser will be captured and set on WOPI requests." type="bool">false</reuse_cookies>
        <locking desc="Locking settings">
            <refresh default="900" desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int">900</refresh>
        </locking>
    </wopi>

…and the SSL part:

    <ssl desc="SSL settings">
            <enable default="true" desc="Controls whether SSL encryption between browser and loolwsd is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." type="bool">true</enable>
            <termination default="true" desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool">false</termination>
            <cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/fullchain.pem</cert_file_path>
            <key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/privkey.pem</key_file_path>
            <ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/cert.pem</ca_file_path>
            <cipher_list default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" desc="List of OpenSSL ciphers to accept"/>
            <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
                    <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
                    <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"/>
                    <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
                            <pin/>
                    </pins>
            </hpkp>
    </ssl>

Nginx configuration nano /etc/nginx/sites-enabled/office.XXX.net is:

server {
    listen 4443 ssl http2;
    listen [::]:4443 ssl http2;

    # modify these three lines with your own domain:
    server_name office.XXX.net;
    ssl_certificate /etc/letsencrypt/live/office.XXX.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.XXX.net/privkey.pem;
    ##########
    ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
    # static files
    location ^~ /loleaflet {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
}
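An audit of the `<wopi>` host list posted above, added here as an example and not part of the original post or of Collabora's code. It assumes each entry must match the whole host name case-insensitively and that a deny match overrides an allow match; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Host entries copied from the <wopi> block in the post (desc attributes dropped).
WOPI_XML = r"""
<wopi allow="true">
  <host allow="true">office.XXX.net</host>
  <host allow="true">cloud.XXX.net</host>
  <host allow="true">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
  <host allow="true">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
  <host allow="true">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
  <host allow="true">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
  <host allow="true">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
  <host allow="true">[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
  <host allow="false">192\.168\.1\.1</host>
</wopi>
"""

def load_rules(xml_text):
    """Return (allow_patterns, deny_patterns) from a <wopi> element."""
    allow, deny = [], []
    for host in ET.fromstring(xml_text).iter("host"):
        (allow if host.get("allow") == "true" else deny).append(host.text.strip())
    return allow, deny

def _hit(patterns, subject):
    # Assumption: each entry must match the whole host, case-insensitively.
    return [p for p in patterns if re.fullmatch(p, subject, re.IGNORECASE)]

def is_allowed(rules, subject):
    # Assumption: a deny match overrides any allow match.
    allow, deny = rules
    return bool(_hit(allow, subject)) and not _hit(deny, subject)

def overbroad_allows(rules, probes=("203.0.113.7", "198.51.100.20")):
    """Allow patterns that admit addresses outside the private ranges.

    The probes are RFC 5737 documentation addresses, used as stand-ins
    for arbitrary public hosts.
    """
    allow, _ = rules
    return sorted({p for probe in probes for p in _hit(allow, probe)})

if __name__ == "__main__":
    rules = load_rules(WOPI_XML)
    for host in ("cloud.XXX.net", "10.0.0.5", "192.168.1.1", "203.0.113.7"):
        print(f"{host:15} allowed={is_allowed(rules, host)}")
    print("over-broad:", overbroad_allows(rules))
```

The generic four-octet entry is the one that admits the public probe addresses; with it removed, the two named hosts and the private ranges still pass.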

Perhaps you can find the error by searching for

Failed to load: file://, error: Unsupported URL <file://>: "type detection failed"| kit/Kit.cpp:1316

or the short version

Kit.cpp:1316

Collabora stopped working on two of my instances, failed to load document - #7 by harley-peter

Collabora 6.4.10.x does not work with Nextcloud when NC is behind HAProxy 2.x · Issue #3199 · CollaboraOnline/online · GitHub

Please post more details of your architecture.

??? Why not www-data:www-data?


Hi. Thank you for the fast reply. I set the lool:www-data during some investigations for some other issue.

Indeed, the status of loolwsd is similar, just have an additional error with the certificate of the nextcloud domain so I think it makes sense to clarify this.

You need the same user for your webserver (mostly www-data) and your nextcloud installation.


changed, but no reaction

Sorry, here is my config:
Nextcloud 22.1.1
Nginx 1.18.0-0
Linux Mint 20.1
Collabora CODE 6.4.10-10

Collabora CODE was just updated to 6.4.11-3 but no change :(

I think Linux Mint 20.1 is perhaps not the best selection for Nextcloud.
The packages can differ from e.g. Ubuntu 20.04 LTS or Debian Buster / Bullseye

ulyssa - Linux Mint (Linux Mint 20.1)
Ubuntu – Package Search Results -- focal (Ubuntu 20.04 LTS)

https://packages.debian.org/search?keywords=buster (Debian Buster)
https://packages.debian.org/stable (Debian Bullseye)

I solved the issue. I just had to add cloud.xxx.net to the hosts. Maybe additionally the update of Collabora CODE did it…

Hello All,

I use Ubuntu 20.04 and nextcloud-22.2.3.

I have installed nextcloud without any problem, now I am working on Collabora without docker on ubuntu 20.04. When I try to install loolwsd I get the following error:

Package loolwsd is not available but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However, the following packages replace it:
coolwsd

E: Package ‘loolwsd’ has no installation candidate

I have installed coolwsd and done the proxy settings as in the link, but couldn’t connect to Collabora.
https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html

Is there a way to use loolwsd in Ubuntu 20.04 without Docker? Or what are your suggestions?
Thanks

Did you add the second subdomain for Collabora? And where exactly?

I found the solution of my problem :)

https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html

Because I used coolwsd instead of loolwsd since the beginning, this part shouldn’t be in proxy settings

Compatibility with integrations that use the /lool/convert-to endpoint

ProxyPass /lool https://127.0.0.1:9980/cool
ProxyPassReverse /lool https://127.0.0.1:9980/cool