SSL handshake failure onlyoffice integration - cannot open documents


#1

hi all,

I had onlyoffice integration already running fine but for other reasons set up the onlyoffice docker container again. Now onlyoffice document server is unable to access the files apparently and is throwing ssl handshake errors when I attach to the container.

  • Seafile works flawlessly with Nginx reverse proxy
  • the document server is available via url/ds-vpath/
  • document server is up and running and shows welcome page
  • when I look into the source code of the webpage when opening a doc, I can click the referenced document link and download the file
  • before (when it worked) I was running an older version of oods - now I am running the latest version

Any help is greatly appreciated!

Thanks
Alex

My oods specific nginx config is as follows:

Before server block:

#Required for only office document server
map $http_x_forwarded_proto $the_scheme {
    default $http_x_forwarded_proto;
    "" $scheme;
}
map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $host;
}
map $http_upgrade $proxy_connection {
    default upgrade;
    "" close;
}

Inside server block:

location /ds-vpath/ {
    # THIS ONE IS IMPORTANT ! - Trailing slash !
    proxy_pass http://192.168.178.14:80/;

    proxy_http_version 1.1;
    client_max_body_size 100M; # Limit Document size to 100MB
    proxy_read_timeout 3600s;
    proxy_connect_timeout 3600s;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $proxy_connection;

    # THIS ONE IS IMPORTANT ! - Subfolder and NO trailing slash !
    proxy_set_header X-Forwarded-Host $the_host/ds-vpath;

    proxy_set_header X-Forwarded-Proto $the_scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Errors I see when attached to container:


==> /var/log/onlyoffice/documentserver/docservice/out.log <==
[2019-01-30T10:24:18.684] [ERROR] nodeJS - postData error: docId = 7d2989210adf7f488c91;url = https://seafile.mydomain.de/onlyoffice/editor-callback/;data = {"key":"7d2989210adf7f488c91","status":1,"users":["uid-1548843857200"],"actions":[{"type":1,"userid":"uid-1548843857200"}]}
Error: write EPROTO 140117065283392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:…/deps/openssl/openssl/ssl/s23_clnt.c:802:

at WriteWrap.afterWrite [as oncomplete] (net.js:868:14)

==> /var/log/onlyoffice/documentserver/converter/out.log <==
[2019-01-30T10:24:18.879] [ERROR] nodeJS - error downloadFile:url=https://seafile.mydomain.de/seafhttp/files/bfc18793-8a58-498b-8ddd-ac58e09e9431/test.xlsx;attempt=1;code:EPROTO;connect:null;(id=7d2989210adf7f488c91)
Error: write EPROTO 140208622262080:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:…/deps/openssl/openssl/ssl/s23_clnt.c:802:

at WriteWrap.afterWrite [as oncomplete] (net.js:868:14)

[2019-01-30T10:24:19.902] [ERROR] nodeJS - error downloadFile:url=https://seafile.mydomain.de/seafhttp/files/bfc18793-8a58-498b-8ddd-ac58e09e9431/test.xlsx;attempt=2;code:EPROTO;connect:null;(id=7d2989210adf7f488c91)
Error: write EPROTO 140208622262080:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:…/deps/openssl/openssl/ssl/s23_clnt.c:802:

at WriteWrap.afterWrite [as oncomplete] (net.js:868:14)

[2019-01-30T10:24:20.922] [ERROR] nodeJS - error downloadFile:url=https://seafile.mydomain.de/seafhttp/files/bfc18793-8a58-498b-8ddd-ac58e09e9431/test.xlsx;attempt=3;code:EPROTO;connect:null;(id=7d2989210adf7f488c91)
Error: write EPROTO 140208622262080:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:…/deps/openssl/openssl/ssl/s23_clnt.c:802:

at WriteWrap.afterWrite [as oncomplete] (net.js:868:14)

#2

Are you using a self-signed or publicly trusted SSL certificate? When testing OO I encountered the same problem when I used self-signed certificates, since NODEJS on the OO side didn’t trust my ROOT CA. The workaround was to tell NODEJS inside the OO config files what ROOT CA to trust.

https://docs.axway.com/bundle/API_Builder_4x_allOS_en/page/enable_additional_ca_certificates.html

I didn’t run OO as a docker but rather as a .deb package but procedure should be the same.
As I recall those config files are at /etc/onlyoffice/documentserver/supervisor/*.conf , and in all .conf files under environment I have added NODE_EXTRA_CA_CERTS=./path_to_your_root_ca_cert.pem
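
Added example, not part of the original posts and not OnlyOffice or Seafile code: a small Node.js triage of log lines in the format shown in post #1, separating a handshake alert sent by the server from the client-side certificate-trust errors that NODE_EXTRA_CA_CERTS addresses. The function names, verdict labels and sample hosts are assumptions made for illustration.

```javascript
// Added example: triage TLS errors in OnlyOffice docservice/converter logs.
// Node.js error codes raised when the client cannot validate the server chain,
// which is the case NODE_EXTRA_CA_CERTS addresses.
const TRUST_CODES = [
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE', 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'SELF_SIGNED_CERT_IN_CHAIN', 'DEPTH_ZERO_SELF_SIGNED_CERT', 'CERT_HAS_EXPIRED',
];

function classify(text) {
  // OpenSSL reports TLS alert 40 as "sslv3 alert handshake failure" whatever
  // version was offered: the server refused the ClientHello (typically no common
  // protocol version or cipher suite) before any certificate was checked.
  if (/alert handshake failure/.test(text)) return 'server-rejected-handshake';
  if (/alert protocol version/.test(text)) return 'protocol-mismatch';
  if (TRUST_CODES.some((code) => text.includes(code))) return 'client-trust-failure';
  return 'unknown';
}

function triage(logText) {
  const findings = new Map(); // keyed by host + verdict, insertion-ordered
  let pending = null;         // most recent [ERROR] line that names a URL
  for (const raw of logText.split('\n')) {
    const line = raw.trim();
    const m = line.match(/\[ERROR\].*?url\s*=\s*(https?:\/\/[^;\s]+)/);
    if (m) { pending = { url: new URL(m[1]), line }; continue; }
    if (!pending || !line.startsWith('Error:')) continue;
    const verdict = classify(`${pending.line} ${line}`);
    const key = `${pending.url.host} ${verdict}`;
    const f = findings.get(key) || { host: pending.url.host, verdict, count: 0 };
    f.count += 1;
    findings.set(key, f);
    pending = null;
  }
  return [...findings.values()];
}

// Constructed sample in the log format shown above (placeholder hosts and ids).
const SAMPLE = [
  '[2019-01-30T10:24:18.684] [ERROR] nodeJS - postData error: docId = abc;url = https://seafile.example.test/onlyoffice/editor-callback/;data = {}',
  'Error: write EPROTO 1401:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:802:',
  '[2019-01-30T10:24:18.879] [ERROR] nodeJS - error downloadFile:url=https://seafile.example.test/seafhttp/files/x/test.xlsx;attempt=1;code:EPROTO',
  'Error: write EPROTO 1402:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:802:',
  '[2019-01-30T10:25:00.000] [ERROR] nodeJS - error downloadFile:url=https://other.example.test/f.docx;attempt=1;code:UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'Error: unable to verify the first certificate',
].join('\n');

console.log(triage(SAMPLE));
```

A `server-rejected-handshake` verdict points at the protocol and cipher settings of the HTTPS endpoint named in the log line, while `client-trust-failure` points at the CA bundle available to Node.js inside the document server.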


#3

using a letsencrypt certificate…so that should not be the issue


#4

Proxy_pass doesn’t look right to me. What command did you run to install OO DS? The Manual says (Ubuntu):

docker run -dit -p 88:80 --restart always --name oods onlyoffice/documentserver

in which case proxy_pass should be (as per Manual)

proxy_pass http://{your Seafile server’s domain or IP}:88/;

or

proxy_pass http://127.0.0.1:88/;


#5

Any changes to seahub_settings.py ?

# Enable Only Office
ENABLE_ONLYOFFICE = True
VERIFY_ONLYOFFICE_CERTIFICATE = True

What do you have for:

ONLYOFFICE_APIJS_URL = "http{s}://{your Seafile server's domain or IP}/{your subfolder}/web-apps/apps/api/documents/api.js"

Is it set for https?