[Solved] Collabora & nextcloud on seperate host (ubuntu & pi)

Hello,

since i can’t run collabora on my pi (which runs nextcloud),i installed it on my an another host, an ubuntu 16.04 pc of my internal network.
Now, how can i adapt the official instructions for linking Nexcloud & Collabora (yes i’m a newbie!)?
thanks,

Eric

You’ll need two domains with valid SSL certs.

I’ll suggest that you install your docker container on a VPS and you use that for your nextcloud instance in your network.

Thanks Ark74,

first point, i didn’t succeed to obtain a SSL certificate for my collabora dedicated domain, because it has the same IP address as the nextcloud domain (both free domain with no-ip). Is there a way to get a single SSL certificate for two domains on the same IP adress, or any trick to deal with this problem?

Second point, would you know a tuto to install a docker container on a vps (i never made this)?
thanks a lot for your helpp,

Eric

It is possible to get several SSL certs for the same IP.
It’s how it is usually done to run the Nextcloud and CODE on the same machine, they have the same IP but no the same domain.
You can read it on the page: https://nextcloud.com/collaboraonline/

Instead of using lets encrypt you might wanna use cerbot standalone that way you might bypass the restriction you find.

For the second point, it’s fairly easy to install the code docker on a VPS, you’ll find several online.
Some pointers:

  • Stick to AUFS
  • Use Apache2 as the proxy server
    Some people find nginx hard to use
  • Have patience and fun, you’ll need it.
    You can contact me if you get stuck pretty bad.

Cheers!

Well, you’re right, i have to be patient!

For the certification with certbot standalone, i installed it, and then tried to run a certbot-auto standalone command but it returned an unknown command.
./path/to/certbot-auto certonly --standalone -d example.com -d www.example.com
Thus i tried to use the command “locate” with “certbot” and found nothing either.
Hummm…any idea?
Thanks,

Eric

try with root or sudo:

service apache2 stop    
cd /etc
git clone https://github.com/certbot/certbot.git
cd /etc/certbot
./letsencrypt-auto certonly --agree-tos --standalone -d office.mydomain.com
service apache2 start

Tell me how it goes

Well the command is correctly running but i leads to the same result, referring to the first domain for which i obtained a Letsencrypt certificate.
" Domain: mlydesk.hopto.org
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested
20a0cfc0013b8931c8c7a20d7f2601de.ee075483752a74e51538fd934d448515.acme.invalid
from 87.89.70.232:443. Received 2 certificate(s), first certificate
had names “mlynuage.hopto.org

…the fog goes deeper for me :wink:

ok,

  1. did you changed previous certs on the apache config file or are they running old certs?
  2. Run the certs one by one. Don’t try to generate them at the same time.

Check that.

Thanks,

  1. I currently have one certificate running on the apache server of my pi for the nextcloud domain (mlynuage.hopto.org). My /etc/letsencrypt/live on pi mentions this certificate on the date of 19 february 2017.

  2. My last command only tried to generate a certificate for the second domain (mlydesk.hopto.org) dedicated to collabora running on an other pc with ubuntu 16.04.

Oh i see!!!
You need to stop the apache on the pi when you try to generate the cert on the other machine.

The line [quote=“Ark74, post:6, topic:9692”]
service apache2 stop
[/quote]
Works only when both are on the same machine.

So stop apache on the pi, then stop apache on the 2nd pc for collabora, issue the cert for the 2nd pc, finally restart both apaches with the new configuration, they should work.

In progress…but

“So stop apache on the pi, then stop apache on the 2nd pc for collabora,” : done
"issue the cert for the 2nd pc" : done by, "/etc/certbot# ./letsencrypt-auto certonly --agree-tos --standalone -d mlydesk.hopto.org"
It created the certificate but could not connect to the server to verify the domain : “
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mlydesk.hopto.org
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mlydesk.hopto.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 87.89.70.232:443 for TLS-SNI-01 challenge”

Edit I have a port forward rule that redirect 443 to my pi (for nextcloud), may be it is the reason why…?

Oh!!! Man i must be tired or something, and these things are slipping away.
I’m almost sure you have your router has open the 443 routing to your PI, not for the 2nd PC.
let’s say you open port 443 for 192.168.0.5 (which is the pi), and you have apache stop on both machines, but Let’sEncrypt won’t be able to call the 2nd PC (let’s say 192.168.0.7) since you have port 443 routed to the (192.168.0.5, the Pi).

So its kind of a messy.
That’s why i would recommend the VPS.

Please, with both apaches stop, route port 443 on your router to the 2nd PC (192.168.0.7) then try again.
It finally should work. But you might see the problem there even when certs are well set.

You’re totally right. We understood it at the same time and now it works

My beth if you wanna keep using the same network is.

Install everything on the second PC.
Both Nextcloud and Collabora, that’s it. :wink:

The Pi might be low power consumption but you face architect issues there.

Sure, you’re right, but the pc with collabora is not permanently running, contrary to the pi.
So if i would succeed in linking now collabora and nextcloud with the current config it would be great.

I found this tuto, do you thinks it could work in my case?

AFAIK, CODE docker container won’t run on the PI, according to many other users that have tried before you.

You’ll need an amd64/x86 architecture to run it. That’s what i mean with:

The Pi might be low power consumption but you face architect issues there.

Ok. I won’t use collabora.
Hum, little trouble going back to the normal situation, i can’t access to nextcloud.
Running netstat shows that the apache to server is not running after reboot.
“Failed to start apache.service: Unit apache.service failed to load: No such file or directory.”

Edit :sob:
systemctl status apache2.service
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled)
Active: failed (Result: exit-code) since dim. 2017-03-05 22:28:24 CET; 39s ago
Process: 8995 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)

Hello @arbras
For What I read, here’s a visualisation of what you want:

-------------------------------------- Internet
               V
     [       Noip       ] (DynDNS)
     [ mlydesk.hopto.org]
               | (SSL link)
---------------V--------------------- Your Network
        [ ISP's router] (NAT: 80|443 to host1)
     __________|__________
     V                   V
[Host1-Rpi]        [host2-Ubuntu]
[ Apache2 ]-proxy->[   Docker   ]
[Nextcloud]        [ Collabora  ]

###1 Requirements

  1. One domain for nextcloud (ref by DOM1) ( like mlydesk.hopto.org)
  • One domain for collabora (ref by DOM2)( like office.mlydesk.hopto.org ) ==> you must check if NOIP allows you to add subdomains per host/domain or declare a new domain for the same host.
  • Certificate(s) for DOM1 & DOM 2 ( 1 per domain or one for both ) - preferably signed by an authority ===> Check if Noip provides you let’sencrypt certificates
  • Static IP for host1 & host2
  • Properly configured Network address translation (NAT) on your ISP router: port 80 (http) &/or port 443 (https) translated to host1 (you can skip port 80 if you intend to use ONLY https)
  • A working Apache2 service (following your last port, you may need to check the logs in /var/logs/apache2 or run journalctl -u apache2.service)

###2 Configuration overview:

  1. Follow Nextcloud installation instructions. Assign certificate for DOM1 in the apache configuration.
  • Follow Collabora tutorial on the nextcloud website:
  • create the docker with docker run -t -d -p 9980:9980 -e 'domain=DOM1' --restart always --cap-add MKNOD collabora/code (replace DOM1 obviously, and escape each dots with \\) - note that I have purposely removed 127.0.0.1 from the command for the docker host to listen on every ethernet on port 9980
  • Replace the example domain (office.nextcloud.com) by DOM2 in the apache proxy configuration
  • Assign the certificate for DOM2 in the apache proxy configuration.
  • In the apache proxy configuration, replace ALL the proxy target (127.0.0.1) by your host2’s ip: https://127.0.0.1:9980 become https://yourhost2IP:9980
  • Restart apache2
  • Install the collabora app in your nextcloud and configure it in the admin panel with ‘https://DOM2
  • Enjoy ! :nerd:

###Notes:

  1. It doesnt matter to use the same certificate in 2 configuration files as long as the certificate is signed for the appropriated domains
  2. You are REALLY dependant of the quality of your ISP router:
  • In some bad quality routers, the OS fails to NAT a connexion to it-self (using collabora & nextcloud from inside) . What i mean here is that your Router will be used every time to access your nextcloud & collabora website, even when you are inside your private network, if you use DOM1 to access your nextcloud. Because it the public IP that is resolved by DNS. If it failed to NAT, you may have to use a different Domain only available inside your private network (but this requires more configuration in apache2 ) OR you override the DNS to point DOM1 & DOM2 to Host1 in every desktop or in your router (if you can).
  • …unless you have your custom router.

I’m available if you have questions :wink:
Regards,
Aal.

Thanks for your advices, i’ll try it!

Well, i think i have met all the requirements, but maybe not configured correctly :wink:
when i run ‘https://DOM2’ i have the default apache2 page. Before this i have warning concerning the certificate, that are installed standalone as mentionned above.
Any Idea?

Here is my vhost config file in /etc/apache2/sites-available

VirtualHost *:443>
ServerName mlydesk.hopto.org:443

                    # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
                    SSLEngine on
                    SSLCertificateFile /etc/letsencrypt/live/mlydesk.hopto.org/cert.pem
                    SSLCertificateChainFile /etc/letsencrypt/live/mlydesk.hopto.org/chain.pem
                    SSLCertificateKeyFile /etc/letsencrypt/live/mlydesk.hopto.org/privkey.pem
                    SSLProtocol             all -SSLv2 -SSLv3
                    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-S$
                    SSLHonorCipherOrder     on

                    # Encoded slashes need to be allowed
                    AllowEncodedSlashes NoDecode

                    # Container uses a unique non-signed certificate
                    SSLProxyEngine On
                    SSLProxyVerify None
                    SSLProxyCheckPeerCN Off
                    SSLProxyCheckPeerName Off

                    # keep the host
                    ProxyPreserveHost On

                    # static html, js, images, etc. served from loolwsd
                    # loleaflet is the client part of LibreOffice Online
                    ProxyPass           /loleaflet https://192.168.1.55:9980/loleaflet retry=0
                    ProxyPassReverse    /loleaflet https://192.168.1.55:9980/loleaflet

                    # WOPI discovery URL
                    ProxyPass           /hosting/discovery https://192.168.1.55:9980/hosting/discovery retry=0
                    ProxyPassReverse    /hosting/discovery https://192.168.1.55:9980/hosting/discovery

                    # Main websocket
                    ProxyPassMatch "/lool/(.*)/ws$" wss://192.168.1.55:9980/lool/$1/ws nocanon

                    # Admin Console websocket
                    ProxyPass   /lool/adminws wss://192.168.1.55:9980/lool/adminws

keep the host

                    ProxyPreserveHost On

                    # static html, js, images, etc. served from loolwsd
                    # loleaflet is the client part of LibreOffice Online
                    ProxyPass           /loleaflet https://192.168.1.55:9980/loleaflet retry=0
                    ProxyPassReverse    /loleaflet https://192.168.1.55:9980/loleaflet

                    # WOPI discovery URL
                    ProxyPass           /hosting/discovery https://192.168.1.55:9980/hosting/discovery retry=0
                    ProxyPassReverse    /hosting/discovery https://192.168.1.55:9980/hosting/discovery

                    # Main websocket
                    ProxyPassMatch "/lool/(.*)/ws$" wss://192.168.1.55:9980/lool/$1/ws nocanon

                    # Admin Console websocket
                    ProxyPass   /lool/adminws wss://192.168.1.55:9980/lool/adminws

                    # Download as, Fullscreen presentation and Image upload operations
                    ProxyPass           /lool https://192.168.1.55:9980/lool
                    ProxyPassReverse    /lool https://192.168.1.55:9980/lool
                    </VirtualHost>