UNAUTHORIZED WOPI HOST using "Share Link" on any files/folders connected via the "External Storage Support" App

UNAUTHORIZED WOPI HOST using “Share Link” on any files/folders connected via the “External Storage Support” App


Nextcloud version (eg, 10.0.2): 12.0.0
Operating system and version (eg, Ubuntu 16.04): Ubuntu 16.04.02
Apache or nginx version (eg, Apache 2.4.25): 2.4.18
PHP version (eg, 5.6): 7.0.18
Is this the first time you’ve seen this error?: No

Can you reliably replicate it? (If so, please outline steps): Yes

The issue you are facing:
Using the “Share Link” option for any files or folders using the “External Storage Support” app does not work. The “Share Link” option will generate a link, but when any user attempts to access that link from any location, they see the collabora interface starting up but then receive the error/whitebox:

“Unauthorized WOPI host. Please try again later and report to your administrator if the issue persists.”

If I use the “share link” option on a file or folder that is NOT using the external storage app (Ex. the user’s main folder), I am able to access that share link from any location with no issue.

The issue isn’t really related to shares or mounts either. I created a folder /home/test and gave www-data ownership of it. I then used the External Storage Support app to add /home/test as local storage. Everything is fine when logged in as I am able to edit the file and other logged in users see the live editing. But if I try to use the “share link” option, the error I get when trying to access that shared link is like above, “Unauthorized WOPI host…”

I have tried installations of Nextcloud 11.04 and 12.0.0.29. I have tried the collabora install via the quick tutorial on the main collabora page as well as the collabora.sh script via https://github.com/nextcloud/vm/blob/master/apps/collabora.sh

The permissions on the share I am pointing to is “Full Control” for a specific user on a Server 2008 R2 share.

I have tried to mount the share in fstab with:
//myshare-hostname.com/Digital /mnt/digital cifs gid=33,dir_mode=0770,uid=www-data,sec=ntlm,credentials=/home/it/.smbcredentials,iocharset=utf8,file_mode=0770,vers=2.0 0 0

I have tried file_mode 0777 so even “Other” can open and edit everything in the folder.

No matter what I do, sharing a local file/folder in the user folder works perfectly. Sharing a file/folder from a mount either via fstab or completely via External Storage Support app failed with the “Unauthorized WOPI Host”

I have also tried removing the docker image, and trying different hostnames with escaped info such as either two backslashes or one.

docker run -t -d -p 127.0.0.1:9980:9980 -e ‘domain=digitalfile\.mydomain\.com’ --restart always --cap-add MKNOD collabora/code
docker run -t -d -p 127.0.0.1:9980:9980 -e ‘domain=digitalfile.mydomain.com’ --restart always --cap-add MKNOD collabora/code

The output of your Nextcloud log in Admin > Logging:

Error files Backends provided no user object for 2017-05-31T09:49:27-0500
Error files Backends provided no user object for 2017-05-31T09:45:08-0500
Error files Backends provided no user object for 2017-05-31T09:30:55-0500
Error files Backends provided no user object for 2017-05-31T08:58:16-0500
Error files Backends provided no user object for 2017-05-31T08:57:05-0500
Error files Backends provided no user object for 2017-05-31T08:48:36-0500
Error files Backends provided no user object for 2017-05-31T08:48:00-0500

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php $CONFIG = array ( 'instanceid' => 'ocqoowv5yrwv', 'passwordsalt' => 'oycJMmsh3456j3R+Veu8KVjS', 'secret' => 'kADb5A8fqdqewfFlt2j8//Nq4KWYjDEY2NRITGNJ57rupFI0UYO4hyte', 'trusted_domains' => array ( 0 => 'digitalfile.mydomain.com', ), 'datadirectory' => '/var/www/nextcloud-data/', 'overwrite.cli.url' => 'http://digitalfile.mydomain.com', 'dbtype' => 'mysql', 'version' => '12.0.0.29', 'dbname' => 'nextcloud', 'dbhost' => 'localhost', 'dbport' => '', 'dbtableprefix' => 'oc_', 'dbuser' => 'nextclouduser', 'dbpassword' => 'my-db-password', 'installed' => true, The output of my docker logs wsd-00026-00040 14:44:54.863540 [ docbroker_002 ] ERR Socket #19 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255 wsd-00026-00040 14:44:54.863652 [ docbroker_002 ] ERR Socket #19 SSL BIO error: error:140D00CF:SSL routines:SSL_write:protocol is shutdown (errno: Success)| ./net/SslSocket.hpp:273 wsd-00026-00040 14:44:54.863722 [ docbroker_002 ] WRN ToClient-0004: Exception while closing socket for docKey [digitalfile.my-domain.com:443/index.php/apps/richdocuments/wopi/files/148_ocqoowv5yrwv]: error:140D00CF:SSL routines:SSL_write:protocol is shutdown| wsd/ClientSession.cpp:805 wsd-00026-00027 14:44:54.870671 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_002], started: true, finished: true| ./net/Socket.hpp:507 wsd-00026-00027 14:44:54.870722 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_002], started: true, finished: true| ./net/Socket.hpp:507 wsd-00026-00027 14:44:54.870792 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_002], started: false, finished: true| ./net/Socket.hpp:507 wsd-00026-00027 14:44:54.870839 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_002], started: false, finished: true| ./net/Socket.hpp:507 wsd-00026-00034 14:45:07.758268 [ websrv_poll ] WRN WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:317 wsd-00026-00050 14:45:08.026504 [ docbroker_003 ] ERR WOPI::CheckFileInfo failed and no JSON payload returned. Access denied.| wsd/Storage.cpp:496 wsd-00026-00050 14:45:08.026611 [ docbroker_003 ] ERR Error while handling loading : Access denied.| wsd/LOOLWSD.cpp:2113 wsd-00026-00050 14:45:08.027202 [ docbroker_003 ] WRN Attempted ping on non-upgraded websocket!| ./net/WebSocketHandler.hpp:285 wsd-00026-00050 14:45:08.041700 [ docbroker_003 ] WRN Child session [000a] not found to forward message: load url=https://digitalfile.my-domain.com/index.php/apps/richdocuments/wopi/files/141_ocqoowv5yrwv?access_token=NQyZu0yiZTYdOVlNkva21khvR1Ut5Xgb&access_token_ttl=0&permission=edit readonly=0 lang=en| wsd/DocumentBroker.cpp:1272 wsd-00026-00050 14:45:08.042720 [ docbroker_003 ] ERR Socket #15 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255 wsd-00026-00050 14:45:08.042818 [ docbroker_003 ] ERR Socket #15 SSL BIO error: error:140D00CF:SSL routines:SSL_write:protocol is shutdown (errno: Success)| ./net/SslSocket.hpp:273 wsd-00026-00050 14:45:08.042939 [ docbroker_003 ] WRN ToClient-000a: Exception while closing socket for docKey [digitalfile.my-domain.com:443/index.php/apps/richdocuments/wopi/files/141_ocqoowv5yrwv]: error:140D00CF:SSL routines:SSL_write:protocol is shutdown| wsd/ClientSession.cpp:805 wsd-00026-00027 14:45:08.043590 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_003], started: true, finished: true| ./net/Socket.hpp:507 wsd-00026-00027 14:45:08.043669 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_003], started: true, finished: true| ./net/Socket.hpp:507 wsd-00026-00027 14:45:08.043744 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_003], started: false, finished: true| ./net/Socket.hpp:507 wsd-00026-00027 14:45:08.043842 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_003], started: false, finished: true| ./net/Socket.hpp:507 wsd-00026-00034 14:49:27.251957 [ websrv_poll ] WRN WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:317 wsd-00026-00054 14:49:27.560354 [ docbroker_004 ] ERR WOPI::CheckFileInfo failed and no JSON payload returned. Access denied.| wsd/Storage.cpp:496 wsd-00026-00054 14:49:27.560465 [ docbroker_004 ] ERR Error while handling loading : Access denied.| wsd/LOOLWSD.cpp:2113 wsd-00026-00054 14:49:27.561156 [ docbroker_004 ] WRN Attempted ping on non-upgraded websocket!| ./net/WebSocketHandler.hpp:285 wsd-00026-00054 14:49:27.584129 [ docbroker_004 ] WRN Child session [000d] not found to forward message: load url=https://my-domain.robbinskersten.com/index.php/apps/richdocuments/wopi/files/141_ocqoowv5yrwv?access_token=8xvjj9MLlpPD2OityIV1rxOIxpJRnlGO&access_token_ttl=0&permission=edit readonly=0 lang=en| wsd/DocumentBroker.cpp:1272 wsd-00026-00054 14:49:27.598355 [ docbroker_004 ] ERR Socket #19 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255 wsd-00026-00054 14:49:27.599102 [ docbroker_004 ] ERR Socket #19 SSL BIO error: error:140D00CF:SSL routines:SSL_write:protocol is shutdown (errno: Success)| ./net/SslSocket.hpp:273 wsd-00026-00054 14:49:27.599619 [ docbroker_004 ] WRN ToClient-000d: Exception while closing socket for docKey [digitalfile.my-domain.com:443/index.php/apps/richdocuments/wopi/files/141_ocqoowv5yrwv]: error:140D00CF:SSL routines:SSL_write:protocol is shutdown| wsd/ClientSession.cpp:805 wsd-00026-00027 14:49:27.600020 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_004], started: true, finished: true| ./net/Socket.hpp:507 wsd-00026-00027 14:49:27.600214 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_004], started: true, finished: true| ./net/Socket.hpp:507 wsd-00026-00027 14:49:27.600320 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_004], started: false, finished: true| ./net/Socket.hpp:507 wsd-00026-00027 14:49:27.600407 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_004], started: false, finished: true| ./net/Socket.hpp:507 wsd-00026-00034 14:53:24.453986 [ websrv_poll ] WRN WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:317 wsd-00026-00058 14:53:24.705373 [ docbroker_005 ] ERR WOPI::CheckFileInfo failed and no JSON payload returned. Access denied.| wsd/Storage.cpp:496 wsd-00026-00058 14:53:24.705506 [ docbroker_005 ] ERR Error while handling loading : Access denied.| wsd/LOOLWSD.cpp:2113 wsd-00026-00058 14:53:24.708928 [ docbroker_005 ] ERR #15: Wrote outgoing data -1 bytes. (errno: Broken pipe)| ./net/Socket.hpp:909 wsd-00026-00058 14:53:24.709122 [ docbroker_005 ] WRN Attempted ping on non-upgraded websocket!| ./net/WebSocketHandler.hpp:285 wsd-00026-00058 14:53:24.709688 [ docbroker_005 ] ERR #15: Wrote outgoing data -1 bytes. (errno: Broken pipe)| ./net/Socket.hpp:909 wsd-00026-00058 14:53:24.709830 [ docbroker_005 ] WRN Child session [000f] not found to forward message: load url=https://digitalfile.my-domain.com/index.php/apps/richdocuments/wopi/files/141_ocqoowv5yrwv?access_token=m5cmCGZzXJ3SnpDjmWoAsUAY5WRoWCFz&access_token_ttl=0&permission=edit readonly=0 lang=en| wsd/DocumentBroker.cpp:1272 wsd-00026-00058 14:53:24.723520 [ docbroker_005 ] ERR Socket #19 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255 wsd-00026-00058 14:53:24.723720 [ docbroker_005 ] ERR Socket #19 SSL BIO error: error:140D00CF:SSL routines:SSL_write:protocol is shutdown (errno: Success)| ./net/SslSocket.hpp:273 wsd-00026-00058 14:53:24.723835 [ docbroker_005 ] WRN ToClient-000f: Exception while closing socket for docKey [digitalfile.my-domain.com:443/index.php/apps/richdocuments/wopi/files/141_ocqoowv5yrwv]: error:140D00CF:SSL routines:SSL_write:protocol is shutdown| wsd/ClientSession.cpp:805 wsd-00026-00027 14:53:24.724025 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_005], started: true, finished: true| ./net/Socket.hpp:507 wsd-00026-00027 14:53:24.724270 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_005], started: true, finished: true| ./net/Socket.hpp:507 wsd-00026-00027 14:53:24.724429 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_005], started: false, finished: true| ./net/Socket.hpp:507 wsd-00026-00027 14:53:24.724467 [ prisoner_poll ] WRN Waking up dead poll thread [docbroker_005], started: false, finished: true| ./net/Socket.hpp:507

I have just found an additional piece of the puzzle…

Steps:

  1. I have mounted the share directly in the /var/www/nextcloud-data/admin/files directory (//server/share mounted to /var/www/nextcloud-data/admin/files/testing)
  2. When I logged into nextcloud I could not see the “testing” folder even though it shows fine when I list the directory via cli
  3. I tried to add a folder and named it “testing”. It gave me an error “Could not create folder “testing” because it already exists”
  4. After I received the error, it refreshed the page and I could then see the “testing” folder.
  5. I browsed to it, and selected my testspreadsheet.ods share option, select “share link”, enabled editing.
  6. I copied that link to another pc and it was able to open and edit the files with absolutely no issue.

This is the exact behavior expected but I had to jump through significant hoops to do that. Now I’m not sure if I can mount to the skeleton directory so it will appear for all new users or if we can find out what the issue is so I don’t have to ghetto-rig this implementation.

Any ideas?

Ghetto-rigging has been implemented and works.

Until Nextcloud/Collabora support can figure this out, here is the solution

Mount the smb/cifs windows share in fstab to mount to the skeleton location.

  1. I removed all files and folders from the skeleton location (previously because I did not want all users to have the Documents/Photos folders or any of the files included as default)
  2. Created a folder named “Share”. The full path is /var/www/nextcloud/core/skeleton/share
  3. Mounted the share in fstab with the following line:
    //Server-Host-Name/Share /var/www/nextcloud/core/skeleton/share cifs gid=www-data,dir_mode=0755,uid=www-data,sec=ntlm,credentials=/home/it/.smbcredentials,iocharset=utf8,file_mode=0755,vers=2.0 0 0
  4. Once I mount (mount -a), and then I add a new test user.
  5. When the new user logs in they see the “Share” folder. They can then “Share Link” and I see the expected behavior which is I can bring up that share link on any computer and start live editing the file with other.

NO UNAUTHORIZED WOPI HOST error!!!

This is only the first step into getting everything up and running so I will report any issues or “gotchas” as I run into them.

It would be nice if Collabora/Nextcloud support could let me know what is wrong with the External Storage Support app implementation .

I spoke way too soon. This ghetto-riggin option to put the mount in the skeleton directory only copies what is in the mount to the new user folder. Once the new user is created, the files listed are a copy of the share folder and not the real share folder. Ugggg

So back to square 1 I guess.

It’s me again! I feel like I am talking to myself here but I figured I would give everyone an update

So the ghetto rigging will work, but I will have to mount the share directly into the user folder. This requires me to have 1 line per user in my fstab. This is going to be very messy and very problematic to admin but at least it works.

Basically I am mounting via fstab for each user:
//Server-Host-Name/Share /var/www/nextcloud-data/user1/files/share cifs gid=www-data,dir_mode=0755,uid=www-data,sec=ntlm,credentials=/home/it/.smbcredentials,iocharset=utf8,file_mode=0755,vers=2.0 0 0

//Server-Host-Name/Share /var/www/nextcloud-data/user2/files/share cifs gid=www-data,dir_mode=0755,uid=www-data,sec=ntlm,credentials=/home/it/.smbcredentials,iocharset=utf8,file_mode=0755,vers=2.0 0 0

//Server-Host-Name/Share /var/www/nextcloud-data/user3/files/share cifs gid=www-data,dir_mode=0755,uid=www-data,sec=ntlm,credentials=/home/it/.smbcredentials,iocharset=utf8,file_mode=0755,vers=2.0 0 0

Definitely do not want to pay for this as a long term option. My company is certainly wiling to pay support fees but I need to get this solution to a manageable state and not this “mount a dir manually for each user” solution.

Additionally, has anyone had success sharing a link and having a guest user open that link and edit a file in the “ONLYOFFICE” application for Nextcloud? Is that better or more stable than Collabora?

I am probably speaking to myself here but figured I would keep people informed. Even if one person gets help with this it is worth it.

So far I have tried a completely different install. Version 12 nextcloud but this time I set my data directory as a mount location (in this case /media/share). I set www-data:www-data as owner and chmod 777 for testing.

Now when I try to live edit a file in my user folder, it gives me the Unauthorized WOPI host error. So I guess this method completely breaks Nextcloud/Collabora.

Any ideas Collabora support?

I have just opened up a bug/issue with the richdocuments github.

Everything is now resolved. Patch was written for /var/www/nextcloud/apps/richdocuments/lib/TokenManager.php

My post is here:

The github fix is posted here: