Onlyoffice document server integration issue

Hello,
I’ve installed on the same VM in my intranet both Nextcloud 15 and Onlyoffice Document Server using the following tutorials: https://www.howtoforge.com/tutorial/how-to-install-nextcloud-with-nginx-and-php-fpm-on-centos-7/ and https://helpcenter.onlyoffice.com/server/linux/document/linux-installation-centos.aspx. As you can see through the attached images I can access both the applications with HTTP connection via http://nextcloud.xxx.it and http://onlyoffice.xxx.it.

nextcloud

onlyoffice

I’d like to integrate Onlyoffice in Nextcloud, so I activated the app as NC administrator, but when I set http://onlyoffice.xxx.it as “Document Editing Service address” I get the error “Error when trying to connect (Bad Request or timeout error)”.

Can anybody help me?

FYI both servers should have a valid certificate e.g. Let’s Encrypt

Doesn’t it work with HTTP only? :roll_eyes:

Nope, but you can use Let’s Encrypt certbot to get a certificate and, as you are already using it, use Nginx to proxy HTTPS.

How can I use Let’s Encrypt certbot to get a certificate for a subdomain on an intranet, not accessible from internet?

Use DNS to verify your subdomain

Can I refer to this guide for nginx, instead of apache?

I’ve just tried to create the certificates for my subdomains, but they didn’t work because the DNS doesn’t point to a public IP address, the subdomains can only be accessed in the intranet

Either temporarily point it at a public IP (you can remove the A record, once verified)

or

generate and self-sign a certificate, following for example this guide. There are plenty of howtos. You will have to add an exception when loading the page the first time, when you get a warning that the certificate should not be trusted.

I applied what is reported in that guide, but when I executed the command nginx -t, the following error was returned:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/nextcloud.key") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/private/nextcloud.key','r') error:20074002:BIO routines:FILE_CTRL:system lib error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed

I’ve checked that the file /etc/ssl/private/nextcloud.key exists.

I don’t know how to fix it :disappointed_relieved:

I used the following commands:

mkdir -p /etc/nginx/cert/
openssl req -new -x509 -days 365 -nodes -out /etc/nginx/cert/nextcloud.crt -keyout /etc/nginx/cert/nextcloud.key
chmod 700 /etc/nginx/cert
chmod 600 /etc/nginx/cert/*

Then I configured Nextcloud Virtual Host in Nginx as follows:

upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
}
 
server {
    listen 80;
    server_name nextcloud.xxx.it;
    # enforce https
    return 301 https://$server_name$request_uri;
}
 
server {
    listen 443 ssl;
    server_name nextcloud.xxx.it;
 
    ssl_certificate /etc/nginx/cert/nextcloud.crt;
    ssl_certificate_key /etc/nginx/cert/nextcloud.key;
 
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
 
    # Path to the root of your installation
    root /usr/share/nginx/html/nextcloud/;
 
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
 
    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;
 
    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }
 
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
 
    # Disable gzip to avoid the removal of the ETag header
    gzip off;
 
    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
 
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;
 
    location / {
        rewrite ^ /index.php$uri;
    }
 
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
 
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
 
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
 
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }
 
    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

After that:

nginx -t
systemctl restart nginx

My NC works fine on (not trusted) HTTPS :grin::grin::grin:

I tried what is reported at the end of the howto you suggested, but nothing changes.
The command I executed was:

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n "nextcloud.xxx.it" -i /etc/nginx/cert/nextcloud.crt

The last step!!! Please help me…

You should have a separate subdomain, certificate and nginx.vhost conf files for nc and onlyoffice

for example in /etc/nginx/sites-available/:
nextcloud.conf with cert for nextcloud.xxxx.it
onlyoffice.conf with cert for onlyoffice.xxxx.it

I have:

  • nextcloud.conf and onlyoffice-documentserver.conf in /etc/nginx/conf.d
  • nextcloud.crt and onlyoffice.crt in /etc/nginx/cert
  • nginx.conf in /etc/nginx/

What’s wrong?

It seems Nginx is looking for the key file somewhere else.
Adjust the path in the config file or create a symbolic link to it.
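
The check suggested in the reply above, as an added example that is not part of the thread: it lists every certificate and key path the nginx config files reference and flags the ones that cannot be opened, then checks that a key belongs to its certificate and that the certificate covers the vhost's hostname (relevant once Nextcloud and Onlyoffice each have their own pair). The function names are hypothetical; it assumes unquoted paths in the directives and an openssl binary that supports `x509 -checkhost`.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.
# Usage with the conf locations named in the thread, run as root:
#   check_tls_files /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf

# Print "<conf> <directive> <path>" for each active ssl_certificate or
# ssl_certificate_key directive. Commented-out lines are skipped.
# Assumes unquoted paths without spaces.
list_tls_files() {
    awk '$1 ~ /^ssl_certificate(_key)?$/ {
        p = $2; sub(/;.*$/, "", p); print FILENAME, $1, p
    }' "$@"
}

# Report every referenced file as OK or MISSING; return 1 if any is missing.
check_tls_files() {
    rc=0
    refs=$(list_tls_files "$@")
    while read -r conf directive path; do
        [ -n "$path" ] || continue
        if [ -r "$path" ]; then
            echo "OK      $conf: $directive $path"
        else
            echo "MISSING $conf: $directive $path"
            rc=1
        fi
    done <<EOF
$refs
EOF
    return "$rc"
}

# Return 0 when the private key ($2) holds the same public key as the
# certificate ($1), i.e. the pair in a vhost was not mixed up.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate ($1) is valid for the hostname ($2).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
```

A `MISSING` line names the conf file that still points at the old location, which is the file to edit or the path to symlink.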

I have now both NC and Onlyoffice working on untrusted HTTPS connections.

I applied the following commands, as reported at the end of the howto, in order to make them trusted:

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n "nextcloud.xxx.it" -i /etc/nginx/cert/nextcloud.crt

certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n "onlyoffice.xxx.it" -i /etc/nginx/cert/onlyoffice.crt

but nothing changes.

What’s wrong?