Cloud Computing Insider Awards 2022: Vote for ONLYOFFICE
Vote for ONLYOFFICE

502 Error domain.com/controlpanel/sso/generatecert

Problem:
We installed OnlyOffice via Debian package and ran the official instructions for terminating SSL. We almost have everything running, but if we try configuring SSO in control panel we get gateway error.
Checking the logs we see that port 9083 is having communication issues.
So we checked netstat and it looks like the port is unavailable. Below is the nginx configuration

upstream fastcgi_backend_apisystem {
        server unix:/var/run/onlyoffice/onlyofficeApiSystem.socket;
        keepalive 32;
}

upstream fastcgi_backend {
        server unix:/var/run/onlyoffice/onlyoffice.socket;
        keepalive 16;
}

fastcgi_cache_path /var/cache/nginx/onlyoffice
        levels=1:2
        keys_zone=onlyoffice:256m
        max_size=1024m
        inactive=1d;

geo $ip_external {
     default 1;
     ## {{DOCKER_APP_SUBNET}} 0;
     127.0.0.1 0;
}

map $http_host $this_host {
  "" $host;
  default $http_host;
}

map $http_x_forwarded_proto $the_scheme {
  default $http_x_forwarded_proto;
  "" $scheme;
}

map $http_x_forwarded_host $the_host {
  default $http_x_forwarded_host;
  "" $this_host;
}

map $request_uri $header_access_control_allow_origin {
  ~*^/(api\/2.0|products\/crm\/httphandlers\/webtoleadfromhandler.ashx|products\/files\/httphandlers\/filehandler.ashx|products\/files\/chunkeduploader.ashx|thirdparty\/plugin) "*";
  default "";
}

map $request_uri $header_x_frame_options {
  ~*^/(favicon\.ico|products\/files\/share\.aspx|products\/files\/saveas\.aspx|products\/files\/filechoice\.aspx|products\/files\/doceditor\.aspx|thirdparty\/plugin) "";
  ~*^/ds-vpath "SAMEORIGIN";
  default "SAMEORIGIN";
}

server {
        listen 0.0.0.0:80 default_server;
        listen [::]:80;
        server_name _;
        server_tokens off;

        root /nowhere; ## root doesn't have to be a valid path since we are redirecting

        location / {
                if ($ip_external) {
                                ## Redirects all traffic to the HTTPS host
                                 rewrite ^ https://$host$request_uri? permanent;
                        }

                        client_max_body_size 100m;

                        proxy_pass https://127.0.0.1;
                        proxy_http_version 1.1;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "upgrade";
                        proxy_set_header Host $host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Host $server_name;
                        proxy_set_header X-Forwarded-Proto $scheme;
                        proxy_ssl_verify off;
        }
}

server {
        listen 0.0.0.0:443 ssl http2;
        listen [::]:443 ssl http2 default_server;

        charset utf-8;

        server_tokens off;

        ## Increase this if you want to upload large attachments
        client_max_body_size 100m;

        ssl_certificate /etc/nginx/certs/onlyoffice.xxx.pem;
        ssl_certificate_key /etc/nginx/certs/onlyoffice.xxx.key;
        ## ssl_verify_client {{SSL_VERIFY_CLIENT}};
        ## ssl_client_certificate {{CA_CERTIFICATES_PATH}};
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

        ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options $header_x_frame_options;
        add_header X-Content-Type-Options nosniff;
        add_header Access-Control-Allow-Origin $header_access_control_allow_origin;

        ## ssl_stapling on;
        ## ssl_stapling_verify on;
        ## ssl_trusted_certificate {{SSL_OCSP_CERTIFICATE_PATH}};
        resolver 8.8.8.8 8.8.4.4 127.0.0.11 valid=300s; # Can change to your DNS resolver if desired
        resolver_timeout 10s;

        ## ssl_dhparam {{SSL_DHPARAM_PATH}};

        large_client_header_buffers 4 16k;

        set $X_REWRITER_URL $the_scheme://$the_host;

        if ($http_x_rewriter_url != '') {
                set $X_REWRITER_URL $http_x_rewriter_url ;
        }

    include /etc/nginx/includes/onlyoffice-communityserver-*.conf;
}

In the nginx configuration we notice that it calls on /etc/nginx/includes/onlyoffice-communityserver-services.conf where the configuration for talking with SSO (port 9834) is located.
We did the following command to see if there are any other missing ports.

for P in `grep local /etc/nginx/includes/onlyoffice-communityserver-services.conf |awk -F: '{print $3}'|cut -c 1-4`; do echo "Port: $P"; netstat -tulpn |grep $P; done
Port: 5280
tcp        0      0 0.0.0.0:5280            0.0.0.0:*               LISTEN      1842/mono
Port: 9899
tcp6       0      0 :::9899                 :::*                    LISTEN      2314/node
Port: 9999
Port: 5232
tcp        0      0 127.0.0.1:5232          0.0.0.0:*               LISTEN      1903/python3
tcp6       0      0 ::1:5232                :::*                    LISTEN      1903/python3
Port: 5232
tcp        0      0 127.0.0.1:5232          0.0.0.0:*               LISTEN      1903/python3
tcp6       0      0 ::1:5232                :::*                    LISTEN      1903/python3
Port: 9889
Port: 9834

Any help here would be greatly appreciated.

Hello @DownRight770
We just released new versions of Community server and Control Panel. Please prepare whole server backup just in case > update your installation > re-check the situation.

My current version is Version 12.0.0.1726. We are running all testing and configurations before putting into production. Now on Version 12.0.1.1748

Please run the update process and re-check the situation. If the issue persists with latest portal components, please provide us with Community server and Control panel logs folders.