0

Hello! I am having the damnedest time with this. I want to get it finished so I can start writing an inspirational book for people and other brain injury survivors here and there when I have time. I have a brain injury with short-term memory loss (like Dory from Finding Nemo) from a near-fatal car accident in 2007 and have recovered extremely well. I don't want to use Google Drive or other cloud solutions owned by other companies because any information uploaded to something like Google Drive belongs to Google and they can redistribute as they please. Anyways, I digress.

I installed Nextcloud 12 on Apache, and it works great! I'd like to do live document editing for reasons above. Following instructions at Collabora CODE Documentation. I am using the Docker CODE image (collabora/code). I start the image with the code below as explained in documentation. I have Apache running without error, at least no obvious ones that I have seen. I haven't combed through the logs, just looked for new ones when performing an action in Nextcloud. I have the Collabora Online app installed, and set the Collabora Online server under Admin to https://127.0.0.1:9980. When I go to Files and try to open a new, previously created yesterday, blank .odt document it gives me an error, shown in the block below.

The 9980 port IS open. SELinux is on as well but I'd like to keep it on. I have tried many things over the past week or two here and there when I had time. I don't recall everything I have done but I know I have tried to make a custom Docker file to copy over the old certs used with my website's "Let's Encrypt" cert. I do not recall if I then passed in the right env variable to prevent creating the self-signed cert and using the one on the filesystem, does anyone know the steps to do this? I reverted this back to using the self-signed cert because so many tutorials available use the self-signed cert without issue. So maybe it is my special setup? With the cert manipulations I have tried, I have tested against https://127.0.0.1:8890 with curl. I have run into cURL error 35 Encountered end of file, and cURL error 60 Peer's certificate has been marked as untrusted.

Does anyone know how I could use my own Let's Encrypt certificate from my website in the container successfully for the loolwsd service running inside it? Please let me know if I neglected to mention anything! Thank you very much for reading, and for your help!

khamil8686

On the webpage

Internal Server Error

The server encountered an internal error and was unable to complete your request.

Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.

More details can be found in the server log.

Technical details

    Remote Address: 167.142.215.1
    Request ID: WVOhwIY0d9yPqqbVbYLBaQAAAAI

Apache log message (same thing repeated several times)
[Thu Jun 29 07:09:25.542925 2017] [authz_core:error] [pid 23408] [client 167.142.215.1:14850] AH01630: client denied by server configuration: /var/www/nextcloud/data/.ocdata

In the nextcloud log
{"reqId":"WVOhwIY0d9yPqqbVbYLBaQAAAAI","level":3,"time":"2017-06-28T12:32:00+00:00","remoteAddr":"167.142.215.1","user":"khamil8686","app":"richdocuments","method":"GET","url":"\/nextcloud\/index.php\/apps\/richdocuments\/index?fileId=641&requesttoken=xRmG6LQ%2BYOl01txmrtMSQ1OlqGsDB81OeVyWM5JAFTg%3D%3Asl3MrI1OI7w6mY1X5IpnJgLs4C9FX4YFEBXeQ6UvInk%3D","message":"Exception: {\"Exception\":\"GuzzleHttp\\\\Exception\\\\RequestException\",\"Message\":\"cURL error 60: Peer's certificate issuer has been marked as not trusted by the user.\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/RequestFsm.php(103): GuzzleHttp\\\\Exception\\\\RequestException::wrapException(Object(GuzzleHttp\\\\Message\\\\Request), Object(GuzzleHttp\\\\Ring\\\\Exception\\\\RingException))\\n#1 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/RequestFsm.php(132): GuzzleHttp\\\\RequestFsm->__invoke(Object(GuzzleHttp\\\\Transaction))\\n#2 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/react\\\/promise\\\/src\\\/FulfilledPromise.php(25): GuzzleHttp\\\\RequestFsm->GuzzleHttp\\\\{closure}(Array)\\n#3 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/ringphp\\\/src\\\/Future\\\/CompletedFutureValue.php(55): React\\\\Promise\\\\FulfilledPromise->then(Object(Closure), NULL, NULL)\\n#4 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/Message\\\/FutureResponse.php(43): GuzzleHttp\\\\Ring\\\\Future\\\\CompletedFutureValue->then(Object(Closure), NULL, NULL)\\n#5 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/RequestFsm.php(134): GuzzleHttp\\\\Message\\\\FutureResponse::proxy(Object(GuzzleHttp\\\\Ring\\\\Future\\\\CompletedFutureArray), Object(Closure))\\n#6 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/Client.php(165): GuzzleHttp\\\\RequestFsm->__invoke(Object(GuzzleHttp\\\\Transaction))\\n#7 
\\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/Client.php(125): GuzzleHttp\\\\Client->send(Object(GuzzleHttp\\\\Message\\\\Request))\\n#8 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/Http\\\/Client\\\/Client.php(138): GuzzleHttp\\\\Client->get('https:\\\/\\\/127.0.0...', Array)\\n#9 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/richdocuments\\\/lib\\\/WOPI\\\/DiscoveryManager.php(84): OC\\\\Http\\\\Client\\\\Client->get('https:\\\/\\\/127.0.0...')\\n#10 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/richdocuments\\\/lib\\\/WOPI\\\/Parser.php(41): OCA\\\\Richdocuments\\\\WOPI\\\\DiscoveryManager->get()\\n#11 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/richdocuments\\\/lib\\\/TokenManager.php(117): OCA\\\\Richdocuments\\\\WOPI\\\\Parser->getUrlSrc('application\\\/vnd...')\\n#12 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/richdocuments\\\/lib\\\/Controller\\\/DocumentController.php(108): OCA\\\\Richdocuments\\\\TokenManager->getToken(*** sensitive parameters replaced ***)\\n#13 [internal function]: OCA\\\\Richdocuments\\\\Controller\\\\DocumentController->index('641')\\n#14 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(160): call_user_func_array(Array, Array)\\n#15 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(90): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OCA\\\\Richdocuments\\\\Controller\\\\DocumentController), 'index')\\n#16 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(114): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OCA\\\\Richdocuments\\\\Controller\\\\DocumentController), 'index')\\n#17 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Routing\\\/RouteActionHandler.php(47): OC\\\\AppFramework\\\\App::main('OCA\\\\\\\\Richdocumen...', 'index', Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer), Array)\\n#18 [internal function]: 
OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke(Array)\\n#19 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/Route\\\/Router.php(299): call_user_func(Object(OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler), Array)\\n#20 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/base.php(1000): OC\\\\Route\\\\Router->match('\\\/apps\\\/richdocum...')\\n#21 \\\/var\\\/www\\\/nextcloud\\\/index.php(40): OC::handleRequest()\\n#22 {main}\",\"File\":\"\\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/Exception\\\/RequestException.php\",\"Line\":51}","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko\/20100101 Firefox\/54.0","version":"12.0.0.29"}

More readable nextcloud log from UI
    /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/RequestFsm.php - line 103: GuzzleHttp\Exception\RequestException wrapException(Object(GuzzleHttp\Message\Request), Object(GuzzleHttp\Ring\Exception\RingException))
    /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/RequestFsm.php - line 132: GuzzleHttp\RequestFsm->__invoke(Object(GuzzleHttp\Transaction))
    /var/www/nextcloud/3rdparty/react/promise/src/FulfilledPromise.php - line 25: GuzzleHttp\RequestFsm->GuzzleHttp\{closure}(Array)
    /var/www/nextcloud/3rdparty/guzzlehttp/ringphp/src/Future/CompletedFutureValue.php - line 55: React\Promise\FulfilledPromise->then(Object(Closure), NULL, NULL)
    /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Message/FutureResponse.php - line 43: GuzzleHttp\Ring\Future\CompletedFutureValue->then(Object(Closure), NULL, NULL)
    /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/RequestFsm.php - line 134: GuzzleHttp\Message\FutureResponse proxy(Object(GuzzleHttp\Ring\Future\CompletedFutureArray), Object(Closure))
    /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php - line 165: GuzzleHttp\RequestFsm->__invoke(Object(GuzzleHttp\Transaction))
    /var/www/nextcloud/3rdparty/guzzlehttp/guzzle/src/Client.php - line 125: GuzzleHttp\Client->send(Object(GuzzleHttp\Message\Request))
    /var/www/nextcloud/lib/private/Http/Client/Client.php - line 138: GuzzleHttp\Client->get('https //127.0.0...', Array)
    /var/www/nextcloud/apps/richdocuments/lib/WOPI/DiscoveryManager.php - line 84: OC\Http\Client\Client->get('https //127.0.0...')
    /var/www/nextcloud/apps/richdocuments/lib/WOPI/Parser.php - line 41: OCA\Richdocuments\WOPI\DiscoveryManager->get()
    /var/www/nextcloud/apps/richdocuments/lib/TokenManager.php - line 117: OCA\Richdocuments\WOPI\Parser->getUrlSrc('application/vnd...')
    /var/www/nextcloud/apps/richdocuments/lib/Controller/DocumentController.php - line 108: OCA\Richdocuments\TokenManager->getToken(*** sensitive parameters replaced ***)
    [internal function] OCA\Richdocuments\Controller\DocumentController->index('641')
    /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 160: call_user_func_array(Array, Array)
    /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 90: OC\AppFramework\Http\Dispatcher->executeController(Object(OCA\Richdocuments\Controller\DocumentController), 'index')
    /var/www/nextcloud/lib/private/AppFramework/App.php - line 114: OC\AppFramework\Http\Dispatcher->dispatch(Object(OCA\Richdocuments\Controller\DocumentController), 'index')
    /var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php - line 47: OC\AppFramework\App main('OCA\\Richdocumen...', 'index', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
    [internal function] OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
    /var/www/nextcloud/lib/private/Route/Router.php - line 299: call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
    /var/www/nextcloud/lib/base.php - line 1000: OC\Route\Router->match('/apps/richdocum...')
    /var/www/nextcloud/index.php - line 40: OC handleRequest()
    {main}

To run the Collabora Online CODE Docker image
docker run -t -d -p 127.0.0.1:9980:9980 \
       -e 'cert_domain=X\.com' \
       -e 'username=admin' \
       -e 'password=password' --restart always --cap-add MKNOD collabora/code

Apache Config - nextcloud.conf & collaboraonlineCODE.conf in conf.d

==> /etc/httpd/conf.d/nextcloud.conf
<Directory /var/www/nextcloud/>
  Options +FollowSymlinks
  AllowOverride All

  <IfModule mod_dav.c>
    Dav off
  </IfModule>

  SetEnv HOME /var/www/nextcloud
  SetEnv HTTP_HOME /var/www/nextcloud
</Directory>

==> /etc/httpd/conf.d/collaboraonlineCODE.conf
<VirtualHost *:443>
  ServerName collabora.X:443

  # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/X-0002/cert.pem
  SSLCertificateChainFile /etc/letsencrypt/live/X.com-0002/chain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/X.com-0002/privkey.pem
  SSLProtocol             all -SSLv2 -SSLv3
  SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  SSLHonorCipherOrder     on

  # Encoded slashes need to be allowed
  AllowEncodedSlashes NoDecode

  # Container uses a unique non-signed certificate
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

  # keep the host
  ProxyPreserveHost On

  # static html, js, images, etc. served from loolwsd
  # loleaflet is the client part of LibreOffice Online
  ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
  ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

  # WOPI discovery URL
  ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

  # Main websocket
  ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

  # Admin Console websocket
  ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

  # Download as, Fullscreen presentation and Image upload operations
  ProxyPass           /lool https://127.0.0.1:9980/lool
  ProxyPassReverse    /lool https://127.0.0.1:9980/lool
</VirtualHost>

5
  • It is now down to "cURL error 60: Peer's certificate issuer has been marked as not trusted by the user.". I am using the self-signed cert that is auto-generated by the Docker container and my Apache instance has my cert on it.
    – Kyle H
    Commented Jun 29, 2017 at 0:44
  • Please attach to your question your apache httpd config, & also the respective lines in the server log (commonly found in /var/log/apache2/).
    – user475162
    Commented Jun 29, 2017 at 0:52
  • I added apache config for nextcloud and collabora online, and added log errors from the ui/log/apache log. Please let me know if you think of anything :)
    – Kyle H
    Commented Jun 29, 2017 at 12:15
  • Why are you using the ports 8890 and 9980?
    – user475162
    Commented Jul 3, 2017 at 18:18
  • Slight dyslexia :) good point though. I will check my config to make sure it's all using the correct ports across the board. Thank you!
    – Kyle H
    Commented Jul 3, 2017 at 22:26

2 Answers

0

One warning ahead: You should definitely NOT use the password password for its admin tool. Even if you do intend to restrict access in some way, it's too easy to make a mistake there and invite malicious parties.

The certificate of the docker container showing up as not trusted is expected behaviour. That autogenerated certificate does not matter though, if you forward your CODE installation via apache, too.

For reasons beyond¹⁾ the simple "I do not want to care about certificates", the recommended setup of CODE, by design, avoids certificate hassle entirely, by asking you to set up CODE on a different domain (with potentially separate certificate) than your Nextcloud installation.

Have your Nextcloud on one (sub) domain, such as www.example.com, and configure an additional entry in your Apache config, such as code.example.com, which forwards requests to 127.0.0.1:9980 (ignoring the certificate, trusting that no malicious user can set up a different service on that port & device combination).

Follow the official guidelines and then put the https://127.0.0.1:9980 URL into the Apache config for code.example.com at (something like) /etc/httpd/conf.d/collaboraonlineCODE.conf and the public domain https://code.example.com of your CODE installation into the Nextcloud configuration at (something like) https://example.com/settings/admin. This ensures you can access CODE the same way as Nextcloud - on any computer, not just the one running the installation.

¹⁾ This way, the Docker container doesn't contain the certificate, which is a rather sane choice considering CODE is by no means reasonably security hardened.

5
  • Oh yeah, I wasn't using password. Just obfuscated it so it wasn't posted on a public forum. :) I appreciate your response. I have my server behind a firewall and I port forward everything by having one IPv4 IP. I do have an IPv6 /64 block of addresses I could use. This way, collabora.X.com would point to a different IP. I wouldn't think this would matter much though? I will post my Apache config in the original question. Thank you
    – Kyle H
    Commented Jun 29, 2017 at 12:01
  • I think my DNS could be an issue here possibly? I have all public services in my network port forwarded through 1 IP address, like above. I use collaboraonline.X.com for a subdomain for the Docker image and I now have it in the hosts file to resolve to 127.0.0.1. I believe this is a step in the right direction, and when I get some more time I can retry some of the mods I have done to try and fix it. You sound pretty knowledgeable about Nextcloud/Collabora, what is your opinion? Thank you again.
    – Kyle H
    Commented Jun 29, 2017 at 13:27
  • In that case, I probably misinterpreted your initial question. Your configs imply you do use the Apache forwarding as recommended. IPs don't matter, since you are expected to use a browser which does proper SNI anyway. You can host the two domains on the same IP and let Apache figure that out.
    – user475162
    Commented Jun 29, 2017 at 14:40
  • Run the Docker container with -e 'domain=example\.com' (not cert_domain, that's irrelevant if you add a proxy anyway) and post the output of curl https://collaboraonline.example.com from the machine you will be accessing the whole thing from. That should answer the question of whether there is something wrong with your certificate setup.
    – user475162
    Commented Jun 29, 2017 at 14:59
  • Thank you for your detailed, helpful post. Unfortunately, I do not have it working yet as it is giving me a weird curl error now. stackoverflow.com/questions/44872711/… (if you could please take a look?) :) Nextcloud can see the Docker image attached to the port, it denies the connection attempt. However, this post was very helpful in teaching me a bit about the circumstances surrounding the issue and I keep coming back to it in my troubleshooting.
    – Kyle H
    Commented Jul 3, 2017 at 13:23
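
The answer's caveat, that the proxy ignores the backend certificate and relies on nothing else being able to listen on that port and device, only holds while every proxied backend is on loopback. As an added example (not from the original post or the Collabora documentation), this Python check lists the TLS backends in a vhost that leave the host while `SSLProxyVerify` is not `require`; the sample config and its 192.0.2.10 backend are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the proxy vhost in the question. The last
# ProxyPass (a backend on another machine) is invented to produce a finding.
SAMPLE_VHOST = """
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
ProxyPass           /lool https://192.0.2.10:9980/lool
"""

# TLS backends named by ProxyPass / ProxyPassMatch (ProxyPassReverse only
# rewrites response headers, so it is skipped).
BACKEND = re.compile(
    r"^[ \t]*ProxyPass(?:Match)?[ \t]+\S+[ \t]+((?:https|wss)://\S+)", re.I | re.M)
DIRECTIVE = re.compile(r"^[ \t]*(SSLProxy\w+)[ \t]+(\S+)", re.I | re.M)


def is_loopback(host):
    """True for localhost and loopback IP literals (127.0.0.0/8, ::1)."""
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name: may resolve off-host


def unverified_remote_backends(conf):
    """List proxied TLS backends that leave the host unauthenticated."""
    settings = {k.lower(): v.lower() for k, v in DIRECTIVE.findall(conf)}
    # Apache only validates the backend chain when SSLProxyVerify is
    # "require"; the directive defaults to "none".
    if settings.get("sslproxyverify") == "require":
        return []
    return [url for url in BACKEND.findall(conf)
            if not is_loopback(urlsplit(url).hostname)]


if __name__ == "__main__":
    for url in unverified_remote_backends(SAMPLE_VHOST):
        print("backend certificate not verified:", url)
```
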
0

Don't use your own cert with Nextcloud. The self-signed special one is just fine. I still don't have it completely up and working, but this error is passed.
