Ownership of updated certificates for Nextcloud office

Hi,

I have problems with the LetsEncrypt certificates used by my own Collabora server. The only way I can make them work is to do the following every 2 months after the update:

  1. copy the most recent *.pem files from /etc/letsencrypt/archive// to /etc/coolwsd/certs/
  2. rename the files like so: privkey[0-9].pem to privkey.pem
  3. change the ownership of the *.pem files to cool

I was hoping to write into coolwsd.xml just the path to the files located in /etc/letsencrypt/live// and that would be transparent to every update. But no go.
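The three manual steps in the post above can be run automatically after each renewal from a certbot deploy hook; the script below is an added example, not part of the original post or of Collabora's packaging. It copies from the live/ directory that certbot passes in RENEWED_LINEAGE, whose fixed-name symlinks make the rename step unnecessary. The hook file name, the file set (privkey.pem, cert.pem, chain.pem) and the coolwsd service name are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook for a Collabora (coolwsd) host.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/coolwsd-certs.sh
set -eu

# Copy the renewed files from a certbot "live" directory into the directory
# coolwsd reads, owned by the service account.
# Args: <live-dir> <dest-dir> <owner> <group>
install_cool_certs() {
    src=$1 dest=$2 owner=$3 group=$4

    # Refuse to touch the destination unless the full set is present.
    for f in privkey.pem cert.pem chain.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done

    mkdir -p "$dest"
    for f in privkey.pem cert.pem chain.pem; do
        # Private key: owner-only. Certificates are public: world-readable.
        if [ "$f" = privkey.pem ]; then mode=0600; else mode=0644; fi
        # install(1) follows the live/ symlink and sets mode and owner in one
        # step; the rename then swaps the file in atomically.
        install -m "$mode" -o "$owner" -g "$group" "$src/$f" "$dest/.$f.new"
        mv -f "$dest/.$f.new" "$dest/$f"
    done
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>) to
# deploy hooks, so this part only runs after a successful renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cool_certs "$RENEWED_LINEAGE" /etc/coolwsd/certs cool cool
    # Assumption: the service unit is named coolwsd.
    systemctl restart coolwsd
fi
```

The private key stays readable only by cool, and /etc/letsencrypt itself keeps its root-only permissions.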

Hello @falko, you started a topic in support category.

Unfortunately you ignored the template and a lot of information to help you is missing.

Please add all necessary information like Nextcloud version, webserver type and version, os version, related log file content.

Without additional information the community members cannot help you.

It sounds like your question relates to CODE itself - in this case you had better ask in the Collabora Forum. You could also use a reverse proxy with integrated support for automatic certificate renewal, like caddy or traefik (101: reverse proxy).

Regards,
wwe

Sorry here’s the systeminfo data:

Operating system: Linux 5.15.0-122-generic #132-Ubuntu SMP Thu Aug 29 13:45:52 UTC 2024 x86_64

Webserver: Apache/2.4.52 (Ubuntu) (fpm-fcgi)

Database: mysql 10.6.18

PHP version: 8.3.12

Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, random, Reflection, SPL, session, standard, sodium, cgi-fcgi, mysqlnd, PDO, xml, apcu, bcmath, bz2, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, intl, exif, mysqli, pdo_mysql, Phar, posix, readline, redis, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, zip, Zend OPcache

Nextcloud version: 30.0.0 - 30.0.0.14

and errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors.

,“remoteAddr”:“”,“user”:“–”,“app”:“richdocuments”,“method”:“”,“url”:“–”,“message”:“Failed to fetch capabilities: cURL error 60: SSL certificate problem: certificate has expired (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://collabora.svenmojpes.xyz:9980/hosting/capabilities”, …

It looks like your certificate for https://collabora.svenmojpes.xyz:9980/hosting/capabilities is not valid anymore - check your webserver/reverse proxy settings and logs.

Indeed!

The log says: Client error: POST https://collabora.svenmojpes.xyz:9980/cool/extract-document-structure?limit=content-control resulted in a 403 Forbidden response

For me this is a total nightmare that increasingly frequently makes me think of abandoning self-hosted NC, mostly due to my ignorance of concepts like webserver, apache, reverse proxy and the like.

Self-hosting of complex applications requires a lot of technical know-how and continuous effort (101: Self-hosting information for beginners). If you are not willing to spend your time and don’t enjoy the technology itself, it is definitely the better choice to use a managed variant.
