Nextcloud can't connect to Collabora

Shai

@nebulon thanks for sticking with me on this one.

• green lock on all browsers on both nextcloud.mydomain.tech and collabora.mydomain.tech
• I renewed all certs twice
  • First time it essentially ran a check but didn't change anything because it saw the certs were fine.
  • Second time I changed the cert type from LetsEncrypt wildcard to LetsEncrypt prod. This time it created new certs.
• I ran the curl to Collabora after each time that I renewed the certs. No change, exact same messages.

Some more data from my troubleshooting

I removed all the gazillion certs that were in /etc/ssl/certs and also deleted all lines in /etc/ssl/certs/ca-certificates.crt in advance of renewing my domain certs in the Cloudron domains admin page. Those actions had absolutely no effect on anything. Green lock still appeared on all my Cloudron sites and Nextcloud still couldn't contact Cloudron server.

find / -iname "*letsencrypt*" returned zero rows

Some wild ideas to just toss out there:

• Are there ever cert issues related to new TLDs like the .tech domains that I am using?
• I've got two Nextcloud instances on the same Cloudron. (I've only been trying to connect 1 instance to Collabora.)

Again, I appreciate you sticking in there with me on this one. Any ideas on what I could try next?

nebulon

@shai not sure what the issue could be but, you could send a mail to support@cloudron.io with the exact domain names, if you don't want to disclose them, maybe we can get some clue from the certs then.

If you have other domains which are non .tech maybe you could test installing collabora on those and check if this really is some tld issue, just to be able to rule out some concerns about that.

girish

We got this sorted out on support@ . The issue was @Shai 's router does not actually support hairpinning. Because of this, he has added manual DNS server entries in the router to point to the internal Cloudron IP.

The fix is to to tell Cloudron also to remove to internal Cloudron IP for the apps. This was achieved by adding a local-zone as per https://docs.cloudron.io/networking/#internal-dns-server

Shai

@girish Thanks so much for the great service! I'm a happy customer.

staypath

@girish Similar problem here with a new Cloudron installation on a dedicated server with a public IPv4. The Nextcloud container cannot access the host's external IP (loopback issue?), thus it cannot reach the Collabora container by DNS name. I do not have access to update any routing settings external to my host server. Is there a similar internal DNS trick with Unbound I could try? Thanks!

Curl from within my Nextcloud container works with external hosts...

root@1971ddba-1e76-495e-b0f7-40ab4a544caf:/app/code# curl -v yahoo.com
* Rebuilt URL to: yahoo.com/
*   Trying 98.137.11.164...
* TCP_NODELAY set
* Connected to yahoo.com (98.137.11.164) port 80 (#0)
> GET / HTTP/1.1
> Host: yahoo.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Date: Wed, 03 Feb 2021 21:33:41 GMT
< Connection: keep-alive
< Server: ATS
< Cache-Control: no-store, no-cache
< Content-Type: text/html
< Content-Language: en
< X-Frame-Options: SAMEORIGIN
< Location: https://yahoo.com/
< Content-Length: 8
< 
* Connection #0 to host yahoo.com left intact

But not when trying to connect to my Collabora container:

root@1971ddba-1e76-495e-b0f7-40ab4a544caf:/app/code# curl -v collab.mydomain.com
* Rebuilt URL to: collab.mydomain.com/
*   Trying 131.xxx.xxx.xxx...
* TCP_NODELAY set

girish

@staypath Can you check if the unbound server is running OK? Services -> unbound (this is our DNS server). Does anything change if you restart it?

staypath

@girish Thanks for the response! Restart of Unbound had no effect. Actually, the problem seems to be independent of DNS. I also cannot complete a curl request directly to the external IP of my host machine from inside the Nextcloud container. I can, however, complete a curl request from the host itself to the host's external IP. The problem only occurs when traffic originates from inside a container.

girish

@staypath That's indeed strange that the container cannot ping the host IP. Is there anything unique about your setup we should know or is it the equivalent of a server with a public IP? Is there some special virtualization/networking going on?

staypath

@girish I ran some tcpdump sessions. When the container pings the public IPv4 of the host, the host responds to the ICMP packet, but it is responding to the private IP of the container (172.18.0.x). The packet doesn't seem to know how to get back to the container from the host.

staypath

@staypath I'd like to ask - besides Nextcloud and Collabora/OnlyOffice, what Cloudron apps depend on being able to reach other apps on the same host?

girish

@staypath Most apps don't. The only case I can think of on top of my head is if you had webooks when one app is calling the other. Say you setup GitLab notifications to rocket.chat but those are not configured out of the box. So, you will see the issue and they won't be failing transparently.

girish

@staypath said in Nextcloud can't connect to Collabora:

When the container pings the public IPv4 of the host, the host responds to the ICMP packet, but it is responding to the private IP of the container (172.18.0.x). The packet doesn't seem to know how to get back to the container from the host.

If you happen to have another server, can you test this with a normal ubuntu and docker installation ? i.e just create server, install docker. Then from a container try to ping public IP.

FWIW, this works out of the box in all the VPS servers.

staypath

@girish Thank you for the recommendation. I have tried on another bare metal server running Docker and I am able to access the external host IP from the Docker container. This is clearly a network issue with the host where I have Cloudron installed.

jdaviescoates

I just tried installing Collabora and hit this exact same issue.

This issue is marked as solved, but I'm not sure why as it doesn't appear to be actually solved.

nebulon

@jdaviescoates actually so far reinstallation of collabora and resetting the app in nextcloud mostly solved this. It is however quite unclear still why this happens.

jdaviescoates

@nebulon I note the setting says:

URL (and Port) of Collabora Online-server

I wonder if we need to specify a port too?

jdaviescoates

Although I think in my case perhaps it's just because I've already connected Netxtcloud to OnlyOffice! I'm not sure it's actually possible to use both alongside eachother.

jdaviescoates

@jdaviescoates said in Nextcloud can't connect to Collabora:

Although I think in my case perhaps it's just because I've already connected Netxtcloud to OnlyOffice!

Nope, that's not it. I just tried it with a Nextcloud that doesn't have OnlyOffice set-up and that couldn't connect either.

I'm not sure it's actually possible to use both alongside eachother.

Sounds like perhaps it is possible https://help.nextcloud.com/t/install-both-onlyoffice-and-collabora/76180/3

jdaviescoates

OK, so actually the solution was maddeningly simple

You mustn't put a trailing slash because then it's not a FQDN

You have to put

collabora.domain.coop
or
https://collabora.domain.coop

NOT

collabora.domain.coop/
nor
https://collabora.domain.coop/

Then it works fine!

(And it is possible to have both OnlyOffice and Collabora installs. My files still default to opening in OnlyOffice but I've now got an extra Edit with Collabora Online Development Edition option in the 3 little dots menu for files)

@nebulon I guess something about trailing slashes could be added to the docs?

girish

@jdaviescoates Oh good catch. I much prefer fixing the app itself than docs which nobody reads cc @nebulon