Nextcloud not able to open documents using the Onlyoffice document viewer/editor

ChristopherMag

@nebulon I have gone through the same steps above and they worked fine, with and without the disable certificate verification checkbox checked as your demo system gets valid SSL certs.

Our internal cloudron is not able to be publicly accessible and so we use our own root ca with a wild card cert for cloudron apps that we have loaded into the root trust stores of our client computers and phones.

It sounds like either we need to be on cloudron 7.5 instead of 7.4.3 or there is something that is now no longer working with locally managed certificates, even though we have the insecure option checked and the error message is different when it is blocked due to ssl certificate issues.

Here is the error our current instance gets when the disable certificate verification checkbox is unchecked Error when trying to connect (cURL error 60: SSL certificate problem: unable to get local issuer certificate.

Nothing shows up in the logs section of the nextcloud and onlyoffice cloudron apps that appears to be collrelated, is there other log locations I can check to try and see additional logs that might be generated when we try to save the setting and get the error Error when trying to connect (Error occurred in the document service: Error while downloading the document file to be converted.) (version 7.3.3.49)?

nebulon

ahm the external reachability might be the issue. Both the browser (basically nextcloud UI) as well as the Nextcloud backend have to be able to reach the office app by domain. Depending on your router this may or may not work then if things are not publicly reachable.

ChristopherMag

@nebulon All dns requests for any host in the subdomain of cloudron.ourtopdomain.com all return the same ip address.
There is a feature of our DNS provider that basically allowed us to setup *.cloudron.ourtopdomain.com so that even requests for hosts we have never done anything specific to setup records for will respond with the same ip address as everything is hosted on one server.

If DNS reachability was a problem in general I wouldn't have expected it to work for 8 months and also wouldn't expect that it would be able to give error messages that are different than the one that you receive when nextcloud can't reach the onlyoffice host via dns resolution.

If I mess up the hostname intentionally we get the error Error when trying to connect (cURL error 6: Could not resolve host: testonlyoffice.cloudron.wrongrootdomain.com which is not the error Error when trying to connect (Error occurred in the document service: Error while downloading the document file to be converted.) (version 7.3.3.49) we get when the domain name is corrected.

The document service would need to be reachable to receive an error message from it about it having trouble downloading the document to be converted.

In this case maybe it is Onlyoffice that is having trouble reaching out to nextcloud to pull the document that nextcloud requested Onlyoffice open.

if I run dig testnextcloud.cloudron.ourtopdomain.com from the terminal of the testonlyoffice cloudron app it returns an A record with the correct ip address so dns reachability doesn't seem like the issue.

imc67

I'm on 7.5 and since the NC update to 27.0.1 the OnlyOffice integration gets stuck with:

Fout bij het verbinden (Er is een fout opgetreden in de documentservice: Error while downloading the document file to be converted.) (versie 7.3.3.49)

This error is shown while trying to save the settings in NC regarding OnlyOffice. I tried all the suggestions here but it still doesn't work.

girish

@imc67 do you also have any special setup you can think of? cloudflare/custom certs/reverse proxy in front etc?

imc67

@girish OUCH! My fault, after installation and all the updates I switched on Cloudflare DNS proxy because I’ve set up there “country whitelist”. I just switched proxy off and it works!

How can I use Cloudflare proxy in this setup or even better would be to have on Cloudron per app geo blocking

girish

Interesting. I wonder why the proxy matters.

@imc67 Did you have to turn off the proxy for both apps or just onlyoffice?

imc67

@imc67 @girish strange! On another Cloudron (not on 7.5) NC and OO are both proxied and there it works!

I switched on both proxies and now I get another error:

Fout bij het verbinden (Client error: `GET https://oo.xxx.x/healthcheck` resulted in a `403 Forbidden` response:

girish

I wonder if Cloudflare is blocking requests? Do you have some security or WAF stuff also enabled in Cloudflare as part of the proxying?

imc67

@girish yes, the only WAF rule I use is “block everything except NL + DE + AU” and I only proxy some subdomains where there might be sensitive information.

girish

@imc67 Is there something in Cloudflare "logs" (if there is such a thing) as to why the healthcheck request was blocked? I wonder if Cloudflare is throwing some captcha or something and the server/browser request cannot handle this (since this is an API call)?

imc67

GOT IT! I recently moved my Cloudron from a Netcup VPS to a Netcup RS, it got a new IP. Just seconds ago (I didn’t saw you latest comment but it was the same direction) I discovered by the Cloudflare WAF logs that according to Cloudflare this IP is not in Germany (DE) but in the UK! Therefore all proxied domains where blocked by their own server! Bizar!

ChristopherMag

@girish I have emailed support on Tuesday as requested.

What would be my next step to get assistance in determining what is causing the issue we are seeing?

Happy to perform any additional troubleshooting steps, seems like possibly doing a packet capture from the nextcloud and onlyoffice containers on the Demo system where this works and on a system where it doesn't work would at least provide us the ability to pinpoint the differences between the failure and success states.

girish

@ChristopherMag I replied a couple of days ago, but was waiting for your reply. Did it end up in spam or something?

girish

OK, I tested this a bit.

Installed nextcloud with a proper cert

• Installed the onlyoffice app inside nextcloud.
• With the "Demo server" setting, it says "you are using demo server" warning when opening files.
• Installed onlyoffice app in cloudron with proper cert
  • With bad server name, the error is Error when trying to connect (cURL error 6: Could not resolve host: xxx
  • With bad password, the error is Error when trying to connect (Error occurred in the document service: Invalid token)
  • With good hostname and password, it says Settings have been successfully updated

Installed nextcloud with self signed cert

• Used the demo server.
• When you open files, they just download and editor does not open. Meaning it's not working.
• Configured with onlyoffice app in Cloudron with proper cert
  • Settings don't save at all - Error when trying to connect (Error occurred in the document service: Error while downloading the document file to be converted.)

Installed nextcloud with propert cert again

• Install onlyoffice in cloudron with self-signed cert
• Without Disable certificate verification , error is Error when trying to connect (cURL error 60: SSL certificate problem: unable to get local issuer certificate
• When Disable certificate verification is checked, settings save and documents open.

So, to conclude: when nextcloud has self-signed certs, onlyoffice integration does not work.

girish

I found the magic incantation here - https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/4ae34b4d02822f68d661cca629083e1381d83612/run-document-server.sh#L340

You have to add below under services.CoAuthoring and restart the app:

      "requestDefaults": {
        "rejectUnauthorized": false
      },

@ChristopherMag please try the above

ChristopherMag

@girish That worked, thank you! My old onlyoffice app is still broken but with this setting I was able to make a new onlyoffice app install work as expected.

I apologize as after you found this I searched the forum for requestDefaults and found that I had put in this feature request that would help resolve issues like these and in the request I mentioned an equivelant step of adding services.CoAuthoring.requestDefaults.rejectUnauthorized=false in the /etc/onlyoffice/documentserver/defaults.json file to accomplish the same thing.

I still don't know why the original onlyoffice app stopped working but I was missing this step in my documentation to build a new one and just making a new one would have resolved the issue if I hadn't lost track of this step being needed.

Thank you for your help and if there is any way we can bump up the priority of the other feature request it would help eliminate issues like this from occurring in the first place as custom root-ca certs would be implicitly trusted inside each container.

girish

@ChristopherMag said in Nextcloud not able to open documents using the Onlyoffice document viewer/editor:

if there is any way we can bump up the priority of the other feature request

sorry, I lost track. What is this other feature request?

ChristopherMag

@girish Sorry, I hyper linked it but maybe that didn't work right, it is this one: https://forum.cloudron.io/topic/6381/if-the-custom-certificate-option-is-chosen-please-map-a-path-to-the-public-keys-into-each-container-s-ca-certificates-or-equivalent

Esentially if cloudron domain is set to manual such that it is bieng provided a certificate and a key, at minimum, all apps that are loaded under that same domain should trust that certificate such that if you have cross app https connections, those connections will be trusted for all apps within that same domain at minimum.

One might make an arguement for wanting to trust certs accross cloudron app domains but at least making everything within a single app domain trust each other would be a huge help and prevent a lot of issues we have hit when using apps that then need to communicate with other apps.

ChristopherMag

In case any one else is looking through this thread later, the best path forward in our case was to start using DigitalOcean's free DNS service and then change the domain configuration in cloudron from manual to DigitalOcean.

Our cloudron apps are hosted under a subdomain of the top level domain so we needed to setup both the top level domain and the subdomain in digital ocean with name server records for the subdomain defined at the top level domain. We also needed to change our domain registrar's setup so that they would point to DigitalOcean's name servers as authoritative for the domain.

All of this worked and has resulted in us being able to have a cloudron instance that is not reachable from the public internet in any way but is still able to use Let's Encrypt certificates for everything via cloudron's automatic certificate management.

If you go down this path please be sure to get things setup, change the domains configuration, sync dns, renew certificates, and reboot the cloudron server and if things are configured properly you should be able to see that the certificates being used switch from your manually loaded certificate to the Let's Encrypt certificate.

Ultimately this results in https connections between apps, like nextcloud and onlyoffice, working by default without work around needed to bypass certificate verification.