Collabora cURL error 60: SSL certificate problem: self signed certificate in certificate chain


#1

Hello!
I've installed ownCloud 9.1.2.

My web interface https://owncloud.mydomain.com works fine.

Then I've installed Collabora Online app from repository and Collabora docker image to the same server.
Collabora docker image instruction here
https://nextcloud.com/collaboraonline/

When I am trying to open Office in APP section in ownCloud I see this error

Collabora Online: Сертифікат SSL не встановлено.
Please ask your administrator to add ca-chain.cert.pem to the ca-bundle.crt, for example "cat /etc/loolwsd/ca-chain.cert.pem >> /resources/config/ca-bundle.crt" . The exact error message was: cURL error 60: SSL certificate problem: self signed certificate in certificate chain

I am sure that my bundle file is OK, because the same config file is used in the vhost for https://owncloud.mydomain.com and it works without error.

I've added my bundle-ca to /var/www/owncloud/resources/config/ca-bundle.crt
It doesn't help.

What else can I do?


#2

Moved to the miscellaneous category as this is a 3rdparty docker image not related to ownCloud.

The docker image itself is using a self-signed certificate. That's why you should use an nginx or Apache web server in front of the docker image, providing a valid certificate, as described in the various resources collected here:


#3

I use Apache as a reverse proxy, but the problem is still here.

Maybe the problem is with my reverse proxy? How can I check?


ServerName office.nextcloud.com:443

# SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
SSLEngine on
SSLCertificateFile /path/to/signed_certificate
SSLCertificateChainFile /path/to/intermediate_certificate
SSLCertificateKeyFile /path/to/private/key
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

# Encoded slashes need to be allowed
AllowEncodedSlashes On

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# keep the host
ProxyPreserveHost On

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet

# WOPI discovery URL
ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws

# Admin Console websocket
ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass /lool https://127.0.0.1:9980/lool
ProxyPassReverse /lool https://127.0.0.1:9980/lool


#4

There are tools like sslscan or https://www.ssllabs.com/ssltest/index.html available to help you check your SSL configuration.


#5

My base domain https://owncloud.mydomain.com works fine according to https://www.ssllabs.com/ssltest/index.html.
But I cannot check my reverse proxy domain.


#6

There are other tools available as previously advised:

A search on Google should also give you other tools / resources on how to check your SSL configuration if that reverse proxy is not reachable from the internet.


#7

I have the same error, but I actually use a self-signed certificate via Let's Encrypt.
Do you have any idea how I can configure LOOL to work with that? Official documentation does not support self signed certificates.

EDIT:
Never mind... I thought I had added the LOOL certificate to the ownCloud ca-bundle.crt, but I had not.
I found it in the docker container mounted aufs.
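
The check this thread keeps asking for, as an added example that is not part of the original posts: it builds a constructed private CA and server certificate offline, then verifies the chain against a CA bundle before and after appending the CA, which is the step the error message recommends. All subjects, file names and the helper names (`new_ca`, `new_leaf`, `verify_chain`, `demo`) are assumptions made for the demo.

```shell
#!/bin/sh
# Added demo: all keys, subjects and file names below are constructed.
# It rebuilds the situation in this thread offline: a server certificate issued
# by a private CA, checked against a CA bundle before and after appending that CA.

# new_ca DIR NAME: self-signed root -> DIR/NAME.pem, DIR/NAME.key
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# new_leaf DIR CA HOST: certificate for HOST signed by CA -> DIR/leaf.pem
new_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# verify_chain BUNDLE CHAIN LEAF: print openssl's verdict, return its status.
# CHAIN is what the server sends (untrusted input); only BUNDLE grants trust.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    new_ca "$d" public-ca        # stands in for the CAs already in ca-bundle.crt
    new_ca "$d" loolwsd-ca       # stands in for /etc/loolwsd/ca-chain.cert.pem
    new_leaf "$d" loolwsd-ca office.example.test
    cp "$d/public-ca.pem" "$d/ca-bundle.crt"

    echo "== before: bundle lacks the private CA =="
    verify_chain "$d/ca-bundle.crt" "$d/loolwsd-ca.pem" "$d/leaf.pem"
    before=$?

    cat "$d/loolwsd-ca.pem" >> "$d/ca-bundle.crt"   # the fix from the error text
    echo "== after: private CA appended =="
    verify_chain "$d/ca-bundle.crt" "$d/loolwsd-ca.pem" "$d/leaf.pem"
    after=$?

    rm -rf "$d"
    [ "$before" -ne 0 ] && [ "$after" -eq 0 ]
}

demo
```

Against a real setup, the same `verify_chain` call takes the bundle file that the ownCloud PHP process actually reads and the certificates saved from `openssl s_client -connect <host>:443 -showcerts`. If it fails there while the bundle you edited looks correct, the client is reading a different bundle file.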


#8

How did you solve this?
I've the same problem, using self certificate...


#9

This is an old issue, would you mind opening a new one with full information about your setup?