Good day!
I’m almost ready but got stuck with an issue I’ve been fighting with for the last 2 days. As I understand it, the problem is that Collabora can’t verify the Nextcloud SSL certificate. The browser is not showing any SSL issues when opening Nextcloud. Any help is appreciated.
Collabora is running, and Nextcloud accepted the server address, including the certificate check. Both Nextcloud and Collabora use different subdomains and Let’s Encrypt certificates.
The certificates are copied to and the permissions are set with chown -R lool:www-data
After I try to open a document, I see the following in systemctl status loolwsd:
WRN Failed to verify the certificate of [cloud.XXX.net]| ./net/SslSocket.hpp:196
ERR Socket #32 SSL BIO error: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown (0: Success)| ./net/SslSocket.hpp:330
ERR Error while handling poll for socket #32 in HttpSynReqPoll: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown| net/Socket.cpp:423
ERR WOPI::GetFile [https://cloud.XXX.net/index.php/apps/richdocuments/wopi/files/1249_ocfhv9kwyxj6/contents?access_token=&access_token_ttl=0] failed with Status >
ERR Cannot download document from WOPI storage uri [https://cloud.XXX.net/index.php/apps/richdocuments/wopi/files/1249_ocfhv9kwyxj6/contents?access_token=&access>
ERR Failed to load: file://, error: Unsupported URL <file://>: "type detection failed"| kit/Kit.cpp:1316
ERR error: cmd=load kind=faileddocloading| ./common/Session.hpp:136
WRN Document load failed: faileddocloading| wsd/ClientSession.cpp:1480
ERR Failed to get LoKitDocument instance for [file://].| kit/ChildSession.cpp:684
WRN Ignoring attempted read from 24| ./net/Socket.hpp:1021
The Nextcloud log shows the following PHP error:
Error: Trying to access array offset on the value of type null at /var/www/nextcloud/apps/richdocuments/lib/WOPI/DiscoveryManager.php#125
0. /var/www/nextcloud/apps/richdocuments/lib/WOPI/DiscoveryManager.php - line 125:OC\Log\ErrorHandler::onError()
1. /var/www/nextcloud/apps/richdocuments/lib/WOPI/DiscoveryManager.php - line 80:OCA\Richdocuments\WOPI\DiscoveryManager->isProxyStarting()
2. /var/www/nextcloud/apps/richdocuments/lib/WOPI/DiscoveryManager.php - line 56:OCA\Richdocuments\WOPI\DiscoveryManager->fetchFromRemote()
3. /var/www/nextcloud/apps/richdocuments/lib/WOPI/Parser.php - line 41:OCA\Richdocuments\WOPI\DiscoveryManager->get()
4. /var/www/nextcloud/apps/richdocuments/lib/Controller/SettingsController.php - line 176:OCA\Richdocuments\WOPI\Parser->getUrlSrc()
5. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 217:OCA\Richdocuments\Controller\SettingsController->setSettings()
6. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 126:OC\AppFramework\Http\Dispatcher->executeController()
7. /var/www/nextcloud/lib/private/AppFramework/App.php - line 156:OC\AppFramework\Http\Dispatcher->dispatch()
8. /var/www/nextcloud/lib/private/Route/Router.php - line 301:OC\AppFramework\App::main()
9. /var/www/nextcloud/lib/base.php - line 1000:OC\Route\Router->match()
10. /var/www/nextcloud/index.php - line 36:OC::handleRequest()
Here is the WOPI part of /etc/loolwsd/loolwsd.xml:
<wopi allow="true" desc="Allow/deny wopi storage. Mutually exclusive with webdav.">
    <host allow="true">office.XXX.net</host>
    <host allow="true">cloud.XXX.net</host>
    <host allow="true" desc="Regex pattern of hostname to allow or deny.">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host allow="true" desc="Regex pattern of hostname to allow or deny.">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host allow="true" desc="Regex pattern of hostname to allow or deny.">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host allow="true" desc="Regex pattern of hostname to allow or deny.">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host allow="true" desc="Regex pattern of hostname to allow or deny.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host allow="true" desc="Regex pattern of hostname to allow or deny.">[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host allow="false" desc="Regex pattern of hostname to allow or deny.">192\.168\.1\.1</host>
    <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
    <reuse_cookies default="false" desc="When enabled, cookies from the browser will be captured and set on WOPI requests." type="bool">false</reuse_cookies>
    <locking desc="Locking settings">
        <refresh default="900" desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int">900</refresh>
    </locking>
</wopi>
…and the SSL part:
<ssl desc="SSL settings">
    <enable default="true" desc="Controls whether SSL encryption between browser and loolwsd is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." type="bool">true</enable>
    <termination default="true" desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool">false</termination>
    <cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/fullchain.pem</cert_file_path>
    <key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/privkey.pem</key_file_path>
    <ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/cert.pem</ca_file_path>
    <cipher_list default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" desc="List of OpenSSL ciphers to accept"/>
    <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
        <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
        <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"/>
        <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
            <pin/>
        </pins>
    </hpkp>
</ssl>
The Nginx configuration /etc/nginx/sites-enabled/office.XXX.net is:
server {
    listen 4443 ssl http2;
    listen [::]:4443 ssl http2;
    # modify these three lines with your own domain:
    server_name office.XXX.net;
    ssl_certificate /etc/letsencrypt/live/office.XXX.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.XXX.net/privkey.pem;
    ##########
    ssl_ecdh_curve secp521r1:secp384r1:prime256v1;

    # static files
    location ^~ /loleaflet {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
}
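A small diagnostic for the two things the post's logs and config touch, added here as an example and not part of the original post or of Collabora/Nextcloud: it parses loolwsd log lines in the "LEVEL message| source:line" shape shown above to pull out the hosts whose certificate could not be verified, matches a host against the <wopi> host patterns (assuming, as the desc attributes say, that every <host> entry is a regex and that a matching allow="false" entry overrides allow="true" entries), and performs a TLS handshake against the OS trust store, which is what an OpenSSL-based client such as loolwsd consults rather than the browser's own store. The sample log and XML fragment are constructed; tls_verify_error needs network access and is the one function not exercised offline.

```python
import re
import socket
import ssl
import xml.etree.ElementTree as ET

# Constructed loolwsd log sample in the "LEVEL message| source:line" shape shown in the post.
SAMPLE_LOG = """\
WRN Failed to verify the certificate of [cloud.XXX.net]| ./net/SslSocket.hpp:196
ERR Socket #32 SSL BIO error: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown (0: Success)| ./net/SslSocket.hpp:330
WRN Document load failed: faileddocloading| wsd/ClientSession.cpp:1480
"""
# Constructed <wopi> fragment modelled on the post's loolwsd.xml; every <host> entry is a regex.
SAMPLE_WOPI_XML = """<wopi allow="true">
<host allow="true">cloud.XXX.net</host>
<host allow="true">192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3}</host>
<host allow="false">192\\.168\\.1\\.1</host>
</wopi>"""
LOG_RE = re.compile(r"^(?P<level>WRN|ERR|INF|DBG)\s+(?P<msg>.*?)\|\s*(?P<src>\S+)$")
VERIFY_RE = re.compile(r"Failed to verify the certificate of \[(?P<host>[^\]]+)\]")

def parse_log(text):
    """(level, message, source) tuples for lines in loolwsd's log shape; other lines are skipped."""
    recs = [LOG_RE.match(line.strip()) for line in text.splitlines()]
    return [(m["level"], m["msg"], m["src"]) for m in recs if m]

def unverified_hosts(text):
    """WOPI hosts whose certificate loolwsd could not verify, in log order, without duplicates."""
    hosts = []
    for _lvl, msg, _src in parse_log(text):
        m = VERIFY_RE.search(msg)
        if m and m["host"] not in hosts:
            hosts.append(m["host"])
    return hosts

def wopi_host_allowed(xml_text, host):
    """Match host against the <wopi> patterns; assumed rule: a matching deny entry overrides allow entries."""
    root = ET.fromstring(xml_text)
    rules = [(h.get("allow") == "true", h.text.strip()) for h in root.findall("host") if h.text]
    if root.get("allow") != "true" or any(not ok and re.fullmatch(p, host) for ok, p in rules):
        return False
    return any(ok and re.fullmatch(p, host) for ok, p in rules)

def tls_verify_error(host, port=443, timeout=5.0):
    """Handshake using the OS trust store (as OpenSSL clients do); None when the chain verifies, else the error."""
    ctx = ssl.create_default_context()  # enables hostname check and chain validation
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, ctx.wrap_socket(raw, server_hostname=host):
            return None
    except (ssl.SSLError, OSError) as exc:
        return str(exc)  # e.g. "certificate verify failed: unable to get local issuer certificate"
```

Note that an unescaped dot in a hostname entry such as cloud.XXX.net is a regex wildcard, so that pattern also matches names like cloudXXXXXnet; escaping the dots keeps the allow list as tight as intended.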