Nextcloud not able to open documents using the Onlyoffice document viewer/editor
-
@girish said in Nextcloud not able to open documents using the Onlyoffice document viewer/editor:
Are you able to reproduce this in our demo maybe ? https://my.demo.cloudron.io (username/password: cloudron)
@ChristopherMag just to rule out some internal / network related issues, can you quickly try this on the demo?
-
@girish When I navigate to that site and enter the username and password as
cloudron
it takes be back to the username and password login form and doesn't seem to login. -
@nebulon I have gone through the same steps above and they worked fine, with and without the disable certificate verification checkbox checked as your demo system gets valid SSL certs.
Our internal cloudron is not able to be publicly accessible and so we use our own root ca with a wild card cert for cloudron apps that we have loaded into the root trust stores of our client computers and phones.
It sounds like either we need to be on cloudron 7.5 instead of 7.4.3 or there is something that is now no longer working with locally managed certificates, even though we have the insecure option checked and the error message is different when it is blocked due to ssl certificate issues.
Here is the error our current instance gets when the disable certificate verification checkbox is unchecked
Error when trying to connect (cURL error 60: SSL certificate problem: unable to get local issuer certificate
.Nothing shows up in the logs section of the nextcloud and onlyoffice cloudron apps that appears to be collrelated, is there other log locations I can check to try and see additional logs that might be generated when we try to save the setting and get the error
Error when trying to connect (Error occurred in the document service: Error while downloading the document file to be converted.) (version 7.3.3.49)
? -
ahm the external reachability might be the issue. Both the browser (basically nextcloud UI) as well as the Nextcloud backend have to be able to reach the office app by domain. Depending on your router this may or may not work then if things are not publicly reachable.
-
@nebulon All dns requests for any host in the subdomain of cloudron.ourtopdomain.com all return the same ip address.
There is a feature of our DNS provider that basically allowed us to setup *.cloudron.ourtopdomain.com so that even requests for hosts we have never done anything specific to setup records for will respond with the same ip address as everything is hosted on one server.If DNS reachability was a problem in general I wouldn't have expected it to work for 8 months and also wouldn't expect that it would be able to give error messages that are different than the one that you receive when nextcloud can't reach the onlyoffice host via dns resolution.
If I mess up the hostname intentionally we get the error
Error when trying to connect (cURL error 6: Could not resolve host: testonlyoffice.cloudron.wrongrootdomain.com
which is not the errorError when trying to connect (Error occurred in the document service: Error while downloading the document file to be converted.) (version 7.3.3.49)
we get when the domain name is corrected.The document service would need to be reachable to receive an error message from it about it having trouble downloading the document to be converted.
In this case maybe it is Onlyoffice that is having trouble reaching out to nextcloud to pull the document that nextcloud requested Onlyoffice open.
if I run
dig testnextcloud.cloudron.ourtopdomain.com
from the terminal of the testonlyoffice cloudron app it returns an A record with the correct ip address so dns reachability doesn't seem like the issue. -
I'm on 7.5 and since the NC update to 27.0.1 the OnlyOffice integration gets stuck with:
Fout bij het verbinden (Er is een fout opgetreden in de documentservice: Error while downloading the document file to be converted.) (versie 7.3.3.49)
This error is shown while trying to save the settings in NC regarding OnlyOffice. I tried all the suggestions here but it still doesn't work.
-
@girish OUCH! My fault, after installation and all the updates I switched on Cloudflare DNS proxy because I’ve set up there “country whitelist”. I just switched proxy off and it works!
How can I use Cloudflare proxy in this setup or even better would be to have on Cloudron per app geo blocking
-
-
@imc67 Is there something in Cloudflare "logs" (if there is such a thing) as to why the healthcheck request was blocked? I wonder if Cloudflare is throwing some captcha or something and the server/browser request cannot handle this (since this is an API call)?
-
GOT IT! I recently moved my Cloudron from a Netcup VPS to a Netcup RS, it got a new IP. Just seconds ago (I didn’t saw you latest comment but it was the same direction) I discovered by the Cloudflare WAF logs that according to Cloudflare this IP is not in Germany (DE) but in the UK! Therefore all proxied domains where blocked by their own server! Bizar!
-
@girish I have emailed support on Tuesday as requested.
What would be my next step to get assistance in determining what is causing the issue we are seeing?
Happy to perform any additional troubleshooting steps, seems like possibly doing a packet capture from the nextcloud and onlyoffice containers on the Demo system where this works and on a system where it doesn't work would at least provide us the ability to pinpoint the differences between the failure and success states.
-
OK, I tested this a bit.
Installed nextcloud with a proper cert
- Installed the onlyoffice app inside nextcloud.
- With the "Demo server" setting, it says "you are using demo server" warning when opening files.
- Installed onlyoffice app in cloudron with proper cert
- With bad server name, the error is
Error when trying to connect (cURL error 6: Could not resolve host: xxx
- With bad password, the error is
Error when trying to connect (Error occurred in the document service: Invalid token)
- With good hostname and password, it says
Settings have been successfully updated
- With bad server name, the error is
Installed nextcloud with self signed cert
- Used the demo server.
- When you open files, they just download and editor does not open. Meaning it's not working.
- Configured with onlyoffice app in Cloudron with proper cert
- Settings don't save at all -
Error when trying to connect (Error occurred in the document service: Error while downloading the document file to be converted.)
- Settings don't save at all -
Installed nextcloud with propert cert again
- Install onlyoffice in cloudron with self-signed cert
- Without
Disable certificate verification
, error isError when trying to connect (cURL error 60: SSL certificate problem: unable to get local issuer certificate
- When
Disable certificate verification
is checked, settings save and documents open.
So, to conclude: when nextcloud has self-signed certs, onlyoffice integration does not work.
-
I found the magic incantation here - https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/4ae34b4d02822f68d661cca629083e1381d83612/run-document-server.sh#L340
You have to add below under services.CoAuthoring and restart the app:
"requestDefaults": { "rejectUnauthorized": false },
@ChristopherMag please try the above
-
@girish That worked, thank you! My old onlyoffice app is still broken but with this setting I was able to make a new onlyoffice app install work as expected.
I apologize as after you found this I searched the forum for
requestDefaults
and found that I had put in this feature request that would help resolve issues like these and in the request I mentioned an equivelant step of addingservices.CoAuthoring.requestDefaults.rejectUnauthorized=false
in the/etc/onlyoffice/documentserver/defaults.json
file to accomplish the same thing.I still don't know why the original onlyoffice app stopped working but I was missing this step in my documentation to build a new one and just making a new one would have resolved the issue if I hadn't lost track of this step being needed.
Thank you for your help and if there is any way we can bump up the priority of the other feature request it would help eliminate issues like this from occurring in the first place as custom root-ca certs would be implicitly trusted inside each container.