How do I tell OnlyOffice server to use the OwnCloud container hostname instead of the url?

I have OwnCloud running in a container behind haproxy. haproxy terminates ssl. OwnCloud itself seems to work just fine without any additional configuration (at least with the limited testing I’ve performed.)

Now I want to set up OnlyOffice. So I put it in its own container, on the same network as OwnCloud. Once I got everything started I tried to configure OwnCloud via the “ONLYOFFICE Document Service Location…” form. I set the OnlyOffice hostname to the name of the container.

When I try that, a yellow error message pops up and disappears before I can read it, and in my docker logs I see this:

cloud_mysite_onlyoffice    | ==> /var/log/onlyoffice/documentserver/converter/out.log <==
cloud_mysite_onlyoffice    | [2021-04-04T17:47:48.695] [ERROR] nodeJS - error downloadFile:url=http://test.cloud.mysite.blah/apps/onlyoffice/empty?doc=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhY3Rpb24iOiJlbXB0eSJ9.8mnIWnQj8xOcCUQBISpXUN5iL2eOEsZr4y6VsZjWsJw;attempt=1;code:UNABLE_TO_GET_ISSUER_CERT_LOCALLY;connect:null;(id=conv_check_1921902834_docx)
cloud_mysite_onlyoffice    | Error: unable to get local issuer certificate
cloud_mysite_onlyoffice    |     at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
cloud_mysite_onlyoffice    |     at TLSSocket.emit (events.js:198:13)
cloud_mysite_onlyoffice    |     at TLSSocket._finishInit (_tls_wrap.js:636:8)

It looks like the OnlyOffice container is trying to connect to my OwnCloud public url on http. Is that what is happening?

If so, then haproxy is redirecting the request to https. And OnlyOffice either can’t handle the redirect, or is hitting my custom CA cert and can’t verify it. (It’s a test environment, so I have a step-ca instance to make https testing easier.)

Which brings me to the subject of this topic. Is there a way to tell the OnlyOffice container to use the docker hostname instead of the public url?

Specifically with the onlyoffice/documentserver:latest image.

I’d prefer that, to rebuilding the image with my custom ca enabled. Running things as out of the box as possible is usually a good idea.

For the record, here is my docker-compose file. I use environment variables and Ansible to keep track of my containers. (The jury is still out on if it’s really better that way than using Kube or something else…)

version: "3.7"

networks:
  customnetwork:
    external: True

volumes:
  cloud_mysite_db_data:
    external: true
  cloud_mysite_files_data:
    external: true
  cloud_mysite_backup_data:
    external: true
  cloud_mysite_redis_data:
    external: true
  cloud_mysite_onlyoffice_data:
    external: true
  cloud_mysite_onlyoffice_logs:
    external: true

secrets:
  dbhost:
    file: ./secrets/dbhost
  dbname:
    file: ./secrets/dbname
  dbpass:
    file: ./secrets/dbpass
  dbport:
    file: ./secrets/dbport
  dbuser:
    file: ./secrets/dbuser
  dbrootpass:
    file: ./secrets/dbrootpass

services:
  cloud_mysite_owncloud:
    image: owncloud/server:10.7
    container_name: cloud_mysite_owncloud
    restart: always
    env_file:
      - ./secrets/oc_dbhost
      - ./secrets/oc_dbname
      - ./secrets/oc_dbpass
      - ./secrets/oc_dbuser
      - ./secrets/ownadmin
      - ./secrets/ownpass
      - ./secrets/redishost
    environment:
      - OWNCLOUD_DOMAIN=test.cloud.ramblingreagans.com
      - OWNCLOUD_DB_TYPE=mysql
      - OWNCLOUD_MYSQL_UTF8MB4=true
      - OWNCLOUD_REDIS_ENABLED=true
    healthcheck:
      test: ["CMD", "/usr/bin/healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 5
    volumes:
      - type: volume
        source: cloud_mysite_files_data
        target: /mnt/data
    networks:
      customnetwork:
        ipv4_address: "${CLOUD_MYSITE_HOST_CONT_IP}"
    ports:
      - "${CLOUD_MYSITE_HOST_LOCAL_BIND_IP}:${CLOUD_MYSITE_HOST_PORT}:${CLOUD_MYSITE_CONT_PORT}"
    depends_on:
      - cloud_mysite_db
      - cloud_mysite_redis
  cloud_mysite_db:
    image: library/mariadb:10
    container_name: cloud_mysite_db
    restart: always
    volumes:
      - type: volume
        source: cloud_mysite_db_data
        target: /var/lib/mysql
      - type: volume
        source: cloud_mysite_backup_data
        target: /var/lib/backup
    secrets:
      - dbname
      - dbpass
      - dbuser
      - dbrootpass
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/dbrootpass
      - MYSQL_USER_FILE=/run/secrets/dbuser
      - MYSQL_PASSWORD_FILE=/run/secrets/dbpass
      - MYSQL_DATABASE_FILE=/run/secrets/dbname
    healthcheck:
      test: ["CMD", "/usr/bin/healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 5
    networks:
      customnetwork:
        ipv4_address: "${CLOUD_MYSITE_DB_HOST_CONT_IP}"
    ports:
      - "${CLOUD_MYSITE_DB_HOST_LOCAL_BIND_IP}:${CLOUD_MYSITE_DB_HOST_PORT}:${CLOUD_MYSITE_DB_CONT_PORT}"
  cloud_mysite_redis:
    image: library/redis:latest
    container_name: cloud_mysite_redis
    restart: always
    environment:
      - REDIS_DATABASES=1
    healthcheck:
      test: ["CMD", "/usr/bin/healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 5
    volumes:
      - type: volume
        source: cloud_mysite_redis_data
        target: /var/lib/redis
    networks:
      customnetwork:
        ipv4_address: "${CLOUD_MYSITE_REDIS_HOST_CONT_IP}"
    ports:
      - "${CLOUD_MYSITE_REDIS_HOST_LOCAL_BIND_IP}:${CLOUD_MYSITE_REDIS_HOST_PORT}:${CLOUD_MYSITE_REDIS_CONT_PORT}"
  cloud_mysite_onlyoffice:
    image: onlyoffice/documentserver:latest
    container_name: cloud_mysite_onlyoffice
    restart: always
    stdin_open: true
    tty: true
    volumes:
      - type: volume
        source: cloud_mysite_redis_data
        target: /var/lib/redis
      - type: volume
        source: cloud_mysite_onlyoffice_data
        target: /var/www/onlyoffice/Data
      - type: volume
        source: cloud_mysite_onlyoffice_logs
        target: /var/log/onlyoffice
    networks:
      customnetwork:
        ipv4_address: "${CLOUD_MYSITE_ONLYOFFICE_HOST_CONT_IP}"
    ports:
      - "${CLOUD_MYSITE_ONLYOFFICE_HOST_LOCAL_BIND_IP}:${CLOUD_MYSITE_ONLYOFFICE_HOST_PORT}:${CLOUD_MYSITE_ONLYOFFICE_CONT_PORT}"

Well, I was able to get it working. Somewhat.

  • First, I configured an external url for the OnlyOffice container.
  • Second, I copied /etc/onlyoffice/documentserver/default.json out of the OnlyOffice container, modified it to set "rejectUnauthorized": false, and used a custom Dockerfile to apply the change.
  • Third, I checked the Disable certificate verification (insecure) box in OwnCloud’s settings.

Now it works.

From all my googling on the subject, this was partially caused by my custom CA cert. And since, I think, NodeJS doesn’t use the certs you configure in /usr/local/share/ca-certificates, I wasn’t able to just tell the OnlyOffice container to trust my cert.

That said, I am not a fan of having to have an external url for the OnlyOffice container. Which I have to have if I plan to configure https via Let’s Encrypt on my production server.

Is there a way to bypass that need? With my current setup, switching to http://containername in OwnCloud settings and saving results in this:

Error when trying to connect (Mixed Active Content is not allowed. HTTPS address for Document Server is required.)

I’m guessing I’m running into mixed mode content being disallowed because the OnlyOffice interface is loaded via an iframe?

I’m also wondering if I can get past the "rejectUnauthorized": false setting. Would configuring a key for the OwnCloud Secret key (leave blank to disable) setting work? Can you point me to the docs on how? My search skills have failed me this evening…

Hey,

it seems the documentation from OnlyOffice is available at https://api.onlyoffice.com/editors/owncloud for the app itself and for the docker container at https://github.com/ONLYOFFICE/Docker-DocumentServer#overview.

If neither of them answers your question (it seems the docker container is also provided by OnlyOffice and not ownCloud) then I think you could ask for additional documentation or a configuration option at https://github.com/ONLYOFFICE/Docker-DocumentServer/issues


Thanks. I was able to set the secret in local.json, thanks to this doc https://api.onlyoffice.com/editors/signature. But that didn’t make it so I could stop using the "rejectUnauthorized": false setting.

I’ll go post on their forums.

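An added example, not part of the thread and not OnlyOffice or ownCloud code: the `doc=` value in the converter log is an HS256 JWT, and this Node.js sketch shows what such a signature covers, which is the token's contents and nothing about the TLS connection that carries it, so setting a secret leaves certificate verification unchanged. `EXAMPLE_SECRET` and the helper function names are constructed for illustration; only `LOG_TOKEN` comes from the page.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Token copied from the doc= parameter in the converter log line above.
const LOG_TOKEN = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.' +
  'eyJhY3Rpb24iOiJlbXB0eSJ9.8mnIWnQj8xOcCUQBISpXUN5iL2eOEsZr4y6VsZjWsJw';
// Constructed secret for this example; the real one is not on the page.
const EXAMPLE_SECRET = 'constructed-example-secret';

const b64url = (data) => Buffer.from(data).toString('base64url');
const mac = (signingInput, secret) =>
  createHmac('sha256', secret).update(signingInput).digest();

// Build an HS256 JWT: HMAC-SHA256 over "<header>.<payload>".
function signHS256(payload, secret) {
  const input = b64url(JSON.stringify({ typ: 'JWT', alg: 'HS256' })) +
    '.' + b64url(JSON.stringify(payload));
  return input + '.' + b64url(mac(input, secret));
}

// Decode without verifying. The claims are only encoded, not encrypted, so
// anything that logs the URL (as the converter did) exposes them.
function decodeUnverified(token) {
  const [head, body] = token.split('.');
  const parse = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  return { header: parse(head), payload: parse(body) };
}

// Verify: pin the algorithm, recompute the MAC, compare in constant time.
function verifyHS256(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  try {
    if (decodeUnverified(token).header.alg !== 'HS256') return false;
  } catch {
    return false; // header or payload is not valid JSON
  }
  const expected = mac(parts[0] + '.' + parts[1], secret);
  const given = Buffer.from(parts[2], 'base64url');
  return given.length === expected.length && timingSafeEqual(given, expected);
}

const signed = signHS256({ action: 'empty' }, EXAMPLE_SECRET);
console.log(decodeUnverified(LOG_TOKEN));              // readable without any secret
console.log(verifyHS256(signed, EXAMPLE_SECRET));      // checked with the signing secret
console.log(verifyHS256(signed, 'some-other-secret')); // checked with a different secret
```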