NextCloud with Collabora over SSL

Rajstopy

Dabbler
Joined
Dec 27, 2020
Messages
25
Dear all,

I'm desperately trying to configure NextCloud with a Docker instance of Collabora over SSL. I've spent hours, not to say days, but now I guess I need some help because I'm really struggling :smile:

This is my configuration :

NextCloud is installed on TrueNAS as a plugin.
Collabora runs in a virtual machine (Debian 10), also hosted on TrueNAS.

In NextCloud parameters / Collabora Online, when I check the tick box telling it not to verify the SSL certificate, everything works well.

BUT, I just want to be able to use SSL... When the check box is not checked, I get an error saying the Collabora server was not found...

I use my own CA; the CA certificates and server certificates have been installed. When logged on to my NextCloud server (dohelper is my Collabora server), I get the following outputs:

    openssl s_client -connect dohelper.test.net:443
    [...]
        Start Time: 1615206777
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: yes
    [...]

    curl -i --verbose https://dohelper.test.net
    [...]
    * SSL certificate verify ok.
    [...]

Collabora is running behind a reverse proxy:

Compose file:

    services:
      code:
        ports:
          - '127.0.0.1:9980:9980'
        container_name: collabora-code
        environment:
          - domain=cloud\.test\.net
          - server_name=dohelper\.test\.net
          - username=admin
          - password=secret
          - 'extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:net.post_allow.host[0]=::ffff:172\.[0-9\.]+ --o:storage.wopi.host[0]=::ffff:172\.[0-9\.]+'
        cap_add:
          - MKNOD
        restart: always
        image: collabora/code
      reverse-proxy:
        depends_on:
          - code
        image: nginx
        volumes:
          - /mnt/docker/collabora/nginx/etc/nginx.conf:/etc/nginx/nginx.conf
          - /mnt/docker/collabora/nginx/conf.d:/etc/nginx/conf.d
          - /etc/ssl/private:/etc/ssl/private
        ports:
          - '80:80'
          - '443:443'

Nginx config file:

    server {
        listen 443 ssl http2;
        server_name dohelper.test.net;

        ssl_certificate /etc/ssl/private/dohelper.crt;
        ssl_certificate_key /etc/ssl/private/dohelper.key;

        # static files
        location ^~ /loleaflet {
            proxy_pass http://collabora-code:9980;
            proxy_set_header Host $http_host;
        }

        # WOPI discovery URL
        location ^~ /hosting/discovery {
            proxy_pass http://collabora-code:9980;
            proxy_set_header Host $http_host;
        }

        # Capabilities
        location ^~ /hosting/capabilities {
            proxy_pass http://collabora-code:9980;
            proxy_set_header Host $http_host;
        }

        # main websocket
        location ~ ^/lool/(.*)/ws$ {
            proxy_pass http://collabora-code:9980;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $http_host;
            proxy_read_timeout 36000s;
        }

        # download, presentation and image upload
        location ~ ^/lool {
            proxy_pass http://collabora-code:9980;
            proxy_set_header Host $http_host;
        }

        # Admin Console websocket
        location ^~ /lool/adminws {
            proxy_pass http://collabora-code:9980;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $http_host;
            proxy_read_timeout 36000s;
        }
    }

What the hell am I missing?
I don't understand why curl & openssl succeed, whereas NextCloud does not....

Is there any log file I could look into, in order to find why this connection doesn't succeed?

Any help would be much appreciated!
 

Rajstopy

My two cents feeling: it seems the SSL connection is established, but the certificate cannot be verified. Does it perhaps mean the root CA cannot be found by NextCloud? In that case, I don't know why Curl for instance is able to locate it...
 

Rajstopy

Sometimes, it is worth writing down the question :smile: I've been able to solve the issue!

As I wrote before, NextCloud was not able to locate the root CA, because I installed it into the wrong place.

In NextCloud, there is a file rootcerts.crt located under /usr/local/www/nextcloud/data/files_external

You just need to place your root CA at the very end of the file, followed by service nginx restart and that's all.

Hope this post may save some time for others :wink:
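
The mismatch described in this thread (curl and openssl verify the certificate, NextCloud does not) can be reproduced offline. This is an added example, not part of the original posts: it builds a throwaway private CA and server certificate in a temp directory, and the bundle names, the "Constructed ..." subjects and the local rootcerts.crt are stand-ins assumed for illustration.

```shell
#!/bin/sh
# Constructed demo: every key and certificate is throwaway test data
# generated into a temp directory; no real NextCloud file is touched.
WORK=$(mktemp -d)

# Create a self-signed CA: $1 = file basename, $2 = subject CN.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a certificate for dohelper.test.net signed by the private CA.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dohelper.test.net" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/server.csr" -days 1 \
        -CA "$WORK/private-ca.crt" -CAkey "$WORK/private-ca.key" \
        -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
}

# Succeeds only if the server certificate chains to a CA in bundle $1.
verifies_against() {
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Append CA certificate $2 to the end of bundle $1 (no-op if already trusted).
trust_ca() {
    verifies_against "$1" || cat "$2" >> "$1"
}

make_ca public-ca "Constructed Public Root"
make_ca private-ca "Constructed Private Root"
make_server_cert

# Stand-in for the OS trust store that curl/openssl use: private CA installed.
cat "$WORK/public-ca.crt" "$WORK/private-ca.crt" > "$WORK/system-bundle.pem"
# Stand-in for the application's own rootcerts.crt: private CA missing.
cp "$WORK/public-ca.crt" "$WORK/rootcerts.crt"

for b in system-bundle.pem rootcerts.crt; do
    if verifies_against "$WORK/$b"; then echo "$b: verify ok"
    else echo "$b: verify FAILED"; fi
done

# The fix from the last post: root CA appended at the end of the bundle.
trust_ca "$WORK/rootcerts.crt" "$WORK/private-ca.crt"
if verifies_against "$WORK/rootcerts.crt"; then
    echo "rootcerts.crt after append: verify ok"
fi
```

On a live system the same comparison can be made by passing the application's bundle to `openssl s_client` with `-CAfile`, so the check uses the file NextCloud reads rather than the OS store.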
 