SSL routines:ssl3_get_record:wrong version number

I’m not sure where to begin but I’ll describe setup

internet — reverse proxy (apache) (nextcloud runs here) ----SSL encrypted proxy—>internal reverse proxy with apache/docker collabora running on same machine.

So basically in my setup I have two reverse proxies – (2 instances of apache running on two separate machines). On internal machine the docker container running collabora is installed.

Both reverse proxies have FQDN with lets encrypt certs. I’ve verified I can present SSL encrypted webpages to the internet from the internal reverse proxy so I believe encrypted tunnels are setup appropriately up to the reverse proxy.

I’m starting collabora with the following:

sudo docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --sysctl net.ipv6.conf.default.disable_ipv6=1 -t -d -p 127.0.0.1:9980:9980 -e 'domain=office\\.gohilton\\.com' --name="jax" -e "username=admin" -e "password=dockercol" -e extra_params='--o:ssl.enable=false --o:ssl.termination=true' --restart always --cap-add MKNOD collabora/code:latest

My relevant apache configuration on the internal apache server is the following:

  > SSLEngine On
>   SSLCertificateFile /etc/letsencrypt/live/xxx .com/fullchain.pem
>   SSLCertificateKeyFile /etc/letsencrypt/live/xxxx.com/privkey.pem
>   ##Include /etc/letsencrypt/options-ssl-apache.conf
> 
>   SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
>   SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA
> -CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
> 384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
>   SSLHonorCipherOrder     on
>   SSLCompression          off
>   SSLSessionTickets       off
>   SSLOptions              +StrictRequire
> 
>   <IfModule mod_headers.c>
>          # HSTS (mod_headers is required) (15768000 seconds = 6 months)
>          Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
>    </IfModule>
> 
>   # Encoded slashes need to be allowed
>   AllowEncodedSlashes NoDecode
> 
>   # Container uses a unique non-signed certificate
>   SSLProxyEngine On
>   SSLProxyVerify None
>   SSLProxyCheckPeerCN Off
>   SSLProxyCheckPeerName Off
> 
>   # keep the host
>   ProxyPreserveHost On
> 
>   # static html, js, images, etc. served from loolwsd
>   # loleaflet is the client part of LibreOffice Online
>   ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
>   ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet
> 
>   # WOPI discovery URL
>   ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
>   ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery
> 
>   # Capabilities
>   ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
>   ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
> 
>   # Main websocket
>   ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
> 
>   # Admin Console websocket
>   ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws
> 
>   # Download as, Fullscreen presentation and Image upload operations
>   ProxyPass /lool https://127.0.0.1:9980/lool
>   ProxyPassReverse /lool https://127.0.0.1:9980/lool

I believe I’m having problems with SSL certs since in testing the docker collabora installation – I can get the scroll bars and menu bars to display when accessing it from nextcloud – but no documents will display.

I don’t necessarily need to have collabora do any SSL management since its running on the same machine as the reverse proxy however I believe by default it is doing SSL???

While on the reverse proxy I’ve tried this to debug my installation:

# curl https://127.0.0.1:9980/lolleaflet/dist/admin/admin.html
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

I’m not sure where to go with this one however it seems like an SSL problem with the docker container itself and possibly the certificate its trying to push out.

I’m open to ideas at this point since I’m kind of stuck.

You should disable SSL Controls ( Config Line starts with “Controls wheter SSL encryption …” in /etc/loolwsd/loolwsd.xml ) to “false” in case is set to “true” by default.

@ralfi

Thanks - that actually helped turning off SSL capabilities since SSL was handled in my situation with the reverse proxy.