WSS connection error of OnlyOffice

zoo3 · November 11, 2019, 2:17am

I’m using Docker version trying to validate OnlyOffice. And it basically works.
When I start OnlyOffice from NC and look at the console log of the web browser, wss error always occurs when OnlyOffice starts.

WebSocket connection to ‘wss://onlyoffice.MYSERVER/5.4.1-39//doc/AAA/BBB/CCC/DDD/websocket’ failed: Error during WebSocket handshake: Unexpected response code: 400

AAA, BBB, and CCC above are usually random serial numbers. DDD is 4z3ysqvp or SpellCheck.

I’m looking for this cause, but I don’t know anymore.
I can connect to http://onlyoffice.myserver and https://onlyoffice.myserver with a web browser. However, I can’t connect with an IP address. https://IP-ADDRESS:443
Is it natural that I can’t connect to SSL with an IP address because I haven’t obtained a certificate? I create a self-certification in Docker.

What is the cause of the connection error in wss?

I also checked the post below.

I’m different from that person and the 503 Bad Error does not occur.

curl https://onlyoffice.yourdomain.tld/welcome
curl https://onlyoffice.yourdomain.tld/healthcheck

The curl command in the above post does not generate an error.
1 reslult:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Redirecting</title>
</head>
<body>
<pre>Redirecting to <a href="/welcome/">/welcome/</a></pre>
</body>

2 result:

true

I have also inserted the following into config.php of Nextcloud:

 ‘onlyoffice’ =>
array (
‘verify_peer_off’ => TRUE,
),

How can I solve the WSS error?

The reason I’m considering OnlyOffice is because Collabora can’t input Japanese on a smartphone. This gets worse every time Collabora is updated. OnlyOffice can’t be used with the mobile Nextcloud application, so I would like to expect Collabora.

Nextcloud 17.0.1, CentOS 7.7, Docker 19.03.4, OnlyOffice app 3.0.2

zoo3 · November 13, 2019, 2:58pm

I wrote an nginx proxy as follows: However, the WSS error is not resolved. If not, what else should I doubt?

	location / {
		proxy_pass http://localhost:8880;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

	location ~ /websocket$ {
		proxy_pass http://localhost:8880;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
	}

Reiner_Nippes · November 13, 2019, 6:35pm

yes. because the certificate is valid only for the fqdn aka common-name you gave it. the certificates is saying: “i’m onlyoffice.yourdomain.tld” it is not saying “i’m 10.10.10.10”

but the real problem is if you are using self signed certificates onlyoffice doesn’t trust nextcloud server. (if the nextcloud server has also selfsigned certs.)

the following should not work in your case:

normally with selfsigned certificates you would have to add --insecure to curl.

to setup onlyoffice with selfsigned certificates (is a bad idea, use letsencrypt) you have to follows this thread:

github.com/ONLYOFFICE/Docker-DocumentServer

"Download failed" after upgrade to onlyoffice - unable to verify the first certificate

opened 03:22PM - 10 Apr 18 UTC

closed 12:48PM - 10 Jul 19 UTC

thomass4t

I upgraded to the current community- and document-server 9.6.1.627 Community-Se…rver runs with self-signed SSL certificate Document-Server runs with plain http After restart of the two docker containers, I get an error message when opening any kind of document. The error message merely shows "Download failed". I discovered the underlying error within the logfile /app/onlyoffice/DocumentServer/logs/documentserver/converter/out.log Whenever I open a document, an error shows up in this logfile: [2018-04-10 14:17:05.216] [ERROR] nodeJS - error downloadFile:url=https://onlyoffice/products/files/httphandlers/filehandler.ashx?action=stream&fileid=4&version=6&stream_auth=xxx;attempt=3;code:UNABLE_TO_VERIFY_LEAF_SIGNATURE;connect:undefined;(id=PryKqIixHZSmYe_LEsQ_) **Error: unable to verify the first certificate** at Error (native) at TLSSocket.<anonymous> (_tls_wrap.js:1092:38) at emitNone (events.js:86:13) at TLSSocket.emit (events.js:185:7) at TLSSocket._finishInit (_tls_wrap.js:609:8) at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:439:38) The document-Server seems to download something from the community-server and fails because it doesn't know the CA of the self-signed certificate. How can I add my self-signed certificate or my CA to the document-server? My CA must be injected to Node-JS service. (Adding it to /etc/ssl/certs didn't work and also setting the docker-env NODE_TLS_REJECT_UNAUTHORIZED=0 didn't help either) Thanks for any suggestions, Thomas

problem with docker, if just login to the container and do as described above that change will be gone with the next update.

i created a pull request for onlyoffice to fix this.

github.com

ReinerNippes/Docker-DocumentServer/blob/d067050bc388a7a7ce06c8e33123959357c040e6/run-document-server.sh#L289


      
            if [ -f "${CA_CERTIFICATES_PATH}" ]; then
              sed '/ssl_verify_client/a '"ssl_client_certificate ${CA_CERTIFICATES_PATH}"';' -i ${NGINX_ONLYOFFICE_CONF}
            fi
          
            if [ "${ONLYOFFICE_HTTPS_HSTS_ENABLED}" == "true" ]; then
              sed 's,\(max-age=\).*\(;\)$,'"\1${ONLYOFFICE_HTTPS_HSTS_MAXAGE}\2"',' -i ${NGINX_ONLYOFFICE_CONF}
            else
              sed '/max-age=/d' -i ${NGINX_ONLYOFFICE_CONF}
            fi
          
            if [ "${SSL_SELFSIGNED_CERTIFICATE}" == "true" ]; then
              ${JSON} -I -e "if(this.services.CoAuthoring.requestDefaults===undefined)this.services.CoAuthoring.requestDefaults={}"
              ${JSON} -I -e "if(this.services.CoAuthoring.requestDefaults.rejectUnauthorized===undefined)this.services.CoAuthoring.requestDefaults.rejectUnauthorized=false"
            fi
          else
            ln -sf ${NGINX_ONLYOFFICE_PATH}/ds.conf.tmpl ${NGINX_ONLYOFFICE_CONF}
          fi
          
          # check if ipv6 supported otherwise remove it from nginx config
          if [ ! -f /proc/net/if_inet6 ]; then
            sed '/listen\s\+\[::[0-9]*\].\+/d' -i $NGINX_ONLYOFFICE_CONF

since it is not merged by onlyoffice with this fork you can build your own onlyoffice container right now. but you wouldn’t get any updates also. or you have to build a new image yourself.

another idea is to use the following dockerfile. but i’m not sure if you would get updates with this method.

FROM onlyoffice/documentserver 
 
COPY run-document-server.sh /app/onlyoffice/run-document-server.sh 
 
EXPOSE 80 443 
 
VOLUME /var/log/onlyoffice /var/lib/onlyoffice /var/www/onlyoffice/Data /var/lib/postgresql /usr/share/fonts/truetype/custom 
 
ENTRYPOINT /app/onlyoffice/run-document-server.sh

plus: you have to download the file run-document-server.sh from my patch and set -e SSL_SELFSIGNED_CERTIFICATE=true during docker run ...

zoo3 · November 14, 2019, 1:05am

Thanks.

I was advised that I don’t need a self-signed certificate in Docker because my site is SSL-enabled with Let’s Encrypt. I’m currently working on the container ignoring the self-signed certificate entry in the OnlyOffice manual. The result was exactly the same as before.

In that state, adjusting the proxy syntax below doesn’t change it either. It doesn’t get better or worse.

I will try your self-signed certificate later.

Reiner_Nippes · November 14, 2019, 11:19am

sorry. for the misunderstanding. if you have letsencrypt certificates use them.

you won’t solve your problem with selfsigned certificates.

if it would help you have a look at my two ansible playbooks to setup nextcloud.

both setup nextcloud and onlyoffice with letsencrypt certifcates.

but don’t use them on your existing installation. that would break your setup.

get a new server (cloud, virtual box, …) and follow the readme.

either you move your nextcloud data to the new machine or you examine the config and find out what is wrong with your setup.

and

zoo3 · November 15, 2019, 1:06am

Is there a possibility that Nextcloud’s OnlyOffice application is the cause?

I had a similar Websocket problem when I introduced Mattermost. I was able to eliminate it by disabling CORS. Does Nextcloud have settings related to CORS?