Collabora cURL error 60: SSL certificate problem: self signed certificate in certificate chain

koval · December 1, 2016, 3:06pm

Hello!
I’ve installed ownCLoud 9.1.2

My web interface https://owncloud.mydomain.com works fine.

Then I’ve installed Collabora Online app from repository and Collabora docker image to the same server.
Collabora docker image instruction here

When I am trying to open Office in APP section in ownCloud I see this error

Collabora Online: Сертифікат SSL не встановлено.
Please ask your administrator to add ca-chain.cert.pem to the ca-bundle.crt, for example "cat /etc/loolwsd/ca-chain.cert.pem >> /resources/config/ca-bundle.crt" . The exact error message was: cURL error 60: SSL certificate problem: self signed certificate in certificate chain

I am sure that my bundle file is ok, because the same config file in vhost for https://owncloud.mydomain.com and it’s work without error.

I’ve added my bundle-ca to /var/www/owncloud/resources/config/ca-bundle.crt
It doesn’t help.

What else can i do ?

anon30676603 · December 1, 2016, 3:56pm

Moved to the miscellaneous category as this is a 3rdparty docker image not related to ownCloud.

The docker image itself is using a self-signed certificate. Thats why you should use a nginx or apache webserver in front of the docker image providing a valid certificate like described in various resources collected here:

koval · December 1, 2016, 4:05pm

I use Apache as reversed proxy, but problem still here.

Maybe problem with my reverse proxy? How can I check ?

<VirtualHost *:443>
ServerName office.nextcloud.com:443

SSL configuration, you may want to take the easy route instead and use Lets Encrypt!

SSLEngine on
SSLCertificateFile /path/to/signed_certificate
SSLCertificateChainFile /path/to/intermediate_certificate
SSLCertificateKeyFile /path/to/private/key
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

Encoded slashes need to be allowed

AllowEncodedSlashes On

Container uses a unique non-signed certificate

SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

keep the host

ProxyPreserveHost On

static html, js, images, etc. served from loolwsd

loleaflet is the client part of LibreOffice Online

ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet

WOPI discovery URL

ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery

Main websocket

ProxyPassMatch “/lool/(.*)/ws$” wss://127.0.0.1:9980/lool/$1/ws

Admin Console websocket

ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws

Download as, Fullscreen presentation and Image upload operations

ProxyPass /lool https://127.0.0.1:9980/lool
ProxyPassReverse /lool https://127.0.0.1:9980/lool

anon30676603 · December 1, 2016, 4:12pm

There are tools like sslscan or SSL Server Test (Powered by Qualys SSL Labs) available helping you to check your ssl configuration.

koval · December 1, 2016, 4:26pm

My based domain https://owncloud.mydomain.com according to SSL Server Test (Powered by Qualys SSL Labs) works fine.
But I cannot check my reverse proxy domain.

anon30676603 · December 1, 2016, 4:32pm

There are other tools available as previously advised:

A search on google should give you also other tools / resources how to check your SSL configuration if that reverse proxy is not reachable from the internet.

hubearth · January 23, 2017, 6:42am

I have the same error, but I actually use a self signed certificate via Let’s Encrypt.
Do you have any idea how I can configure LOOL to work with that? Official documentation does not support self signed certificates.

EDIT:
Nevermind… I thought I’ve added LOOL certificate to owncloud ca-bundel.crt, but did not.
I found it in the docker container mounted aufs.

soda · March 22, 2018, 10:27am

How did you solve this?
I’ve the same problem, using self certificate…

dmitry · March 22, 2018, 2:30pm

This is an old issue, would you mind opening a new one with full information about your setup?