SSL handshake failure onlyoffice integration - cannot open documents

hi all,

I had onlyoffice integration already running fine but for other reasons set up the onlyoffice docker container again. Now onlyoffice document server is unable to access the files apparently and is throwing ssl handshake errors when I attach to the container.

  • Seafile works flawlessly with Nginx reverse proxy
  • the document server is available via url/ds-vpath/
  • document server is up and running and shows welcome page
  • when I look into the source code of the webpage when opening a doc, I can click the referenced document link and download the file
  • before (when it worked) I was running an older version of oods - now I am running the latest version

Any help is greatly appreciated!

Thanks
Alex

My oods specific nginx config is as follows:

Before server block:

#Required for only office document server
map $http_x_forwarded_proto $the_scheme {
    default $http_x_forwarded_proto;
    "" $scheme;
}
map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $host;
}
map $http_upgrade $proxy_connection {
    default upgrade;
    "" close;
}

Inside server block:

location /ds-vpath/ {
    # THIS ONE IS IMPORTANT ! - Trailing slash !
    proxy_pass http://192.168.178.14:80/;

    proxy_http_version 1.1;
    client_max_body_size 100M; # Limit Document size to 100MB
    proxy_read_timeout 3600s;
    proxy_connect_timeout 3600s;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $proxy_connection;

    # THIS ONE IS IMPORTANT ! - Subfolder and NO trailing slash !
    proxy_set_header X-Forwarded-Host $the_host/ds-vpath;

    proxy_set_header X-Forwarded-Proto $the_scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Errors I see when attached to container:

==> /var/log/onlyoffice/documentserver/docservice/out.log <==
[2019-01-30T10:24:18.684] [ERROR] nodeJS - postData error: docId = 7d2989210adf7f488c91;url = https://seafile.mydomain.de/onlyoffice/editor-callback/;data = {"key":"7d2989210adf7f488c91","status":1,"users":["uid-1548843857200"],"actions":[{"type":1,"userid":"uid-1548843857200"}]}
Error: write EPROTO 140117065283392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:…/deps/openssl/openssl/ssl/s23_clnt.c:802:

at WriteWrap.afterWrite [as oncomplete] (net.js:868:14)

==> /var/log/onlyoffice/documentserver/converter/out.log <==
[2019-01-30T10:24:18.879] [ERROR] nodeJS - error downloadFile:url=https://seafile.mydomain.de/seafhttp/files/bfc18793-8a58-498b-8ddd-ac58e09e9431/test.xlsx;attempt=1;code:EPROTO;connect:null;(id=7d2989210adf7f488c91)
Error: write EPROTO 140208622262080:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:…/deps/openssl/openssl/ssl/s23_clnt.c:802:

at WriteWrap.afterWrite [as oncomplete] (net.js:868:14)

[2019-01-30T10:24:19.902] [ERROR] nodeJS - error downloadFile:url=https://seafile.mydomain.de/seafhttp/files/bfc18793-8a58-498b-8ddd-ac58e09e9431/test.xlsx;attempt=2;code:EPROTO;connect:null;(id=7d2989210adf7f488c91)
Error: write EPROTO 140208622262080:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:…/deps/openssl/openssl/ssl/s23_clnt.c:802:

at WriteWrap.afterWrite [as oncomplete] (net.js:868:14)

[2019-01-30T10:24:20.922] [ERROR] nodeJS - error downloadFile:url=https://seafile.mydomain.de/seafhttp/files/bfc18793-8a58-498b-8ddd-ac58e09e9431/test.xlsx;attempt=3;code:EPROTO;connect:null;(id=7d2989210adf7f488c91)
Error: write EPROTO 140208622262080:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:…/deps/openssl/openssl/ssl/s23_clnt.c:802:

at WriteWrap.afterWrite [as oncomplete] (net.js:868:14)

Are you using a self-signed or publicly trusted SSL certificate? When testing OO I encountered the same problem when I used self-signed certificates, since NODEJS on the OO side didn’t trust my ROOT CA. The workaround was to tell NODEJS inside the OO config files what ROOT CA to trust.

https://docs.axway.com/bundle/API_Builder_4x_allOS_en/page/enable_additional_ca_certificates.html

I didn’t run OO as a docker but rather as a .deb package, but the procedure should be the same.
As I recall those config files are at /etc/onlyoffice/documentserver/supervisor/*.conf, and in all .conf files under environment I have added NODE_EXTRA_CA_CERTS=./path_to_your_root_ca_cert.pem

using a letsencrypt certificate…so that should not be the issue

Proxy_pass doesn’t look right to me. What command did you run to install OO DS? The Manual says (Ubuntu):

docker run -dit -p 88:80 --restart always --name oods onlyoffice/documentserver

in which case proxy_pass should be (as per Manual)

proxy_pass http://{your Seafile server’s domain or IP}:88/;

or

proxy_pass http://127.0.0.1:88/;

Any changes to seahub_settings.py ?

# Enable Only Office
ENABLE_ONLYOFFICE = True
VERIFY_ONLYOFFICE_CERTIFICATE = True

What do you have for:

ONLYOFFICE_APIJS_URL = 'http{s}://{your Seafile server's domain or IP}/{your subfolder}/web-apps/apps/api/documents/api.js'

Is it set for https?

I finally fixed it. Quick answer: if your nginx.conf contains the line ssl_ecdh_curve secp384r1; change it to #ssl_ecdh_curve secp384r1;

It had nothing to do with seafile but with a bug in node.js (that was introduced in a recently updated onlyoffice docker container as well).

you can read up on it here https://github.com/nodejs/node/issues/21513

The quick fix is to change your nginx.conf to remove the specific ecdh curve which will set it to “auto”. Hope this gets fixed soon…
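
The fix above comes down to a single nginx directive. As an added example (not code from this thread, nginx or ONLYOFFICE), the shell function below reports active ssl_ecdh_curve lines that pin exactly one curve; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Finds active nginx ssl_ecdh_curve
# directives that pin exactly one curve (the setting the fix comments out).

# check_ecdh_curves FILE...
# Prints "FILE:LINE: only <curve> is offered" per finding; returns 1 if any.
check_ecdh_curves() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)        # "#ssl_ecdh_curve ...;" counts as disabled
        if (match(line, /ssl_ecdh_curve[ \t]+[^;]+;/)) {
            val = substr(line, RSTART, RLENGTH)
            sub(/^ssl_ecdh_curve[ \t]+/, "", val)
            sub(/[ \t]*;$/, "", val)
            # A colon-separated list or "auto" leaves more than one curve.
            if (val != "auto" && index(val, ":") == 0) {
                printf "%s:%d: only %s is offered\n", FILENAME, FNR, val
                found = 1
            }
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample config (hypothetical, not the poster's real nginx.conf).
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    #ssl_ecdh_curve prime256v1;
    ssl_ecdh_curve secp384r1;
    ssl_protocols TLSv1.2;
}
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
check_ecdh_curves "$conf" || echo "single-curve pin found; see findings above"
rm -f "$conf"
```

Run it against nginx.conf and any included files; an empty result with exit status 0 means no active directive restricts the server to one curve.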

It seems that after setting up the OnlyOffice Docker container again, you’re encountering SSL handshake errors when attempting to access files. This issue could stem from various factors, such as misconfigured Nginx settings, SSL certificate problems, or network restrictions. To troubleshoot, ensure your Nginx configuration correctly proxies requests to the OnlyOffice document server, with appropriate SSL settings. Verify SSL certificates and update protocols and ciphers for modern standards. Check network configurations for any restrictions or firewalls blocking SSL connections. Analyze logs from the OnlyOffice Docker container for insights into the SSL handshake failures. Additionally, seeking assistance from community forums or support channels could provide valuable insights. By systematically investigating these aspects, you can pinpoint and resolve the SSL handshake errors affecting your OnlyOffice setup.