OCIS with Collabora on K3S : Unauthorized WOPI host 'unable to get local issuer certificate'

Hello,

I’ve been using OCIS for a year now and I’m now trying to set up Collabora with it.
Unfortunately, loading a file on the web interface ends up with the following popup :

Notes :
In my use case SSL is managed at the ingress and my containers have no knowledge of my personal root CA certificate, hence everything needs to be ‘insecure’ in the env.
ocis.yaml has been patched for the collaboration service.
csp.yaml has been created and updated for Collabora.

ingress :
owncloud.lan → 9200 → assigned to the OCIS container
wopi.lan → 9300 → assigned to the collaboration container
office.lan → 9980 → assigned to the Collabora container

service :
registry → 9233 → assigned to the OCIS

OCIS env :

  containers:
    - name: owncloud
      image: docker.io/owncloud/ocis-rolling:latest
      ports:
        - containerPort: 9200
      env:
        - name: OCIS_INSECURE
          value: "true"
        - name: PROXY_TLS
          value: "false"
        - name: OCIS_URL
          value: "https://owncloud.lan"
        - name: PROXY_CSP_CONFIG_FILE_LOCATION
          value: "/etc/ocis/csp.yaml"
        - name: COLLABORA_DOMAIN
          value: "office.lan"
        - name: NATS_NATS_HOST
          value: "0.0.0.0"
        - name: GATEWAY_GRPC_ADDR
          value: "0.0.0.0:9142"
        - name: FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR
          value: eu.opencloud.api.collaboration.CollaboraOnline
        - name: GRAPH_AVAILABLE_ROLES
          value: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"

Collaboration config :

  containers:
    - name: collaboration
      image: docker.io/owncloud/ocis-rolling:latest
      ports:
        - containerPort: 9300
      env:
        - name: COLLABORATION_GRPC_ADDR
          value: "0.0.0.0:9301"
        - name: COLLABORATION_HTTP_ADDR
          value: "0.0.0.0:9300"
        - name: COLLABORATION_WOPI_SRC
          value: "https://wopi.lan"
        - name: COLLABORATION_APP_ADDR
          value: "https://office.lan"
        - name: COLLABORATION_APP_ICON
          value: "https://office.lan/favicon.ico"
        - name: COLLABORATION_APP_NAME
          value: "CollaboraOnline"
        - name: COLLABORATION_APP_PRODUCT
          value: "Collabora"
        - name: COLLABORATION_APP_INSECURE
          value: "true"
        - name: COLLABORATION_CS3API_DATAGATEWAY_INSECURE
          value: "true"
        - name: MICRO_REGISTRY
          value: "nats-js-kv"
        - name: MICRO_REGISTRY_ADDRESS
          value: "registry:9233"

Collabora config :

  containers:
    - name: office
      image: docker.io/collabora/code:latest
      ports:
        - containerPort: 9980
      command: ["/bin/sh","-c"]
      args: ["coolconfig generate-proof-key && /start-collabora-online.sh"]
      env:
        - name: aliasgroup1
          value: "https://wopi.lan:443"
        - name: username
          value: "admin"
        - name: password
          value: "admin"
        - name: server_name
          value: "office.lan"
        - name: domain
          value: "owncloud.lan"
        - name: DONT_GEN_SSL_CERT
          value: "YES"
        - name: extra_params
          value:  "--o:ssl.enable=false --o:ssl.ssl_verification=false --o:ssl.termination=true --o:welcome.enable=false --o:net.frame_ancestors=https://owncloud.lan"
      securityContext:
        capabilities:
          add: ["MKNOD"]

Thanks

Update :

I’ve corrected a bunch of mistakes :
frame_ancestors without the https
added OCIS_URL to collaboration
corrected the FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR

Now I have random errors when trying to access Collabora :

  1. web-app-external error Error: Error fetching app information
  2. popup ‘failed to read document from storage’
  3. popup ‘unable to get local issuer certificate’
  4. Collabora loading splash screen but the load doesn’t progress
  5. rarely Collabora loads; I can read a document but I can’t edit it (the keyboard doesn’t register)

thanks

Last update :

I finally managed to have it working.
The whole ‘failed to read document from storage’ comes from bad network traffic. Since my pods have no knowledge of external domain names, I’ve set up hostnames with hostAliases, but some were unnecessary and were the problem.

For the ‘unable to get local issuer certificate’, this simply comes from the fact that my collaboration container was up before Collabora.

Bye

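The last update ties the certificate popup to the collaboration container starting before Collabora, and the notes explain that verification is switched off because the pods do not know the private root CA. The following pod spec fragment is an added example, not part of the original post: it enforces that start order with an init container and trusts the CA instead of skipping verification. Assumed and not from the post: the ConfigMap name `private-root-ca`, its key `root-ca.crt`, the mount path `/etc/private-ca`, the curl image, that `office.lan` resolves inside the pod, and that the oCIS binary uses Go's default system certificate pool.

```yaml
# Added example: pod spec of the collaboration workload (names marked "assumed"
# are not from the post).
spec:
  volumes:
    - name: private-root-ca
      configMap:
        name: private-root-ca        # assumed: holds only the public root CA certificate
  initContainers:
    # Hold the collaboration container back until Collabora answers WOPI discovery
    # through the ingress. --cacert makes curl validate the chain, so a missing
    # issuer is reported here (curl exit code 60) and not later as a browser popup.
    - name: wait-for-collabora
      image: docker.io/curlimages/curl:latest   # assumed helper image
      command: ["/bin/sh", "-c"]
      args:
        - |
          until curl -fsS --max-time 5 --cacert /etc/private-ca/root-ca.crt \
              -o /dev/null https://office.lan/hosting/discovery; do
            echo "Collabora discovery not ready (curl exit $?)"
            sleep 5
          done
      volumeMounts:
        - name: private-root-ca
          mountPath: /etc/private-ca
          readOnly: true
  containers:
    - name: collaboration
      image: docker.io/owncloud/ocis-rolling:latest
      env:
        - name: COLLABORATION_APP_ADDR
          value: "https://office.lan"
        - name: COLLABORATION_APP_INSECURE
          value: "false"             # verify Collabora's certificate again
        # Go's crypto/x509 reads SSL_CERT_FILE on Linux; it replaces the default
        # bundle, so this pod then trusts only the private root CA.
        - name: SSL_CERT_FILE
          value: "/etc/private-ca/root-ca.crt"
        # Remaining COLLABORATION_* and MICRO_REGISTRY* entries stay as in the post.
      volumeMounts:
        - name: private-root-ca
          mountPath: /etc/private-ca
          readOnly: true
```

The init container only orders the first start; if Collabora is redeployed later, the collaboration pod may need a restart as well.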