"Document security token is not correctly formed" error

Document Server version: 7.68
Type of installation of the Document Server: docker
OS: Debian 11
Browser version: Firefox 110

I have installed Nextcloud + OnlyOffice as Docker containers (all images have :latest tag) and yesterday users suddenly complained they cannot open any document. Trying to open any doc (xls, xlsx, doc, docx, ppt, pptx) brings up an error message saying that the “document security token is not correctly formed. Please contact your Document Server administrator.” (see below, sorry for the French).


I didn’t apply any core update recently, only Nextcloud secondary applications (i.e. Dashboard or External storage support).

Found some posts talking about JWT tokens, but didn’t understand what to do nor where to look for the local.json file, which seems to be part of the problem.

Could anyone help on this issue? The repository is just useless today…

Thanks in advance for any help!

Hello @jlgarnier
First of all please compare JWT secret values between connector app page and local.json file on the Document server side. In case of docker installation, it’s located inside the container here: /etc/onlyoffice/documentserver/local.json
If it doesn’t help, please provide us with the whole logs folder (/app/onlyoffice/DocumentServer/logs/documentserver/), a connector app settings screenshot and versions of all components (Document server, Nextcloud, connector app). Also please point me to the guide which you used for the installation process.

Dear Alexandre,

Thanks for your answer! I’m keen to compare the values you mentioned but don’t know what you call the “connector app page”: can you please explain?

As for your other questions:

  • Document Server version: v 7.68
  • Nextcloud: v 25.0.4
  • Connector app: waiting for further explanations

I don’t remember which guide I really followed, as I picked things in different threads. Here’s the docker-compose file I’ve used to deploy the stack (using Portainer):

version: '2'

networks:
  frontend:
  backend:

services:
  mariadb:
    image: mariadb:10.5
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    restart: always
    container_name: "nc-hub-mariadb"
    volumes:
      - /home/nextcloud/database:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=mysql-root-password
      - MYSQL_DATABASE=mysql-database
      - MYSQL_USER=mysql-user
      - MYSQL_PASSWORD=mysql-password
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "5"
    networks:
      - backend

  onlyoffice:
    image: onlyoffice/documentserver
    restart: always
    container_name: "nc-hub-onlyoffice"
    ports:
      - 8089:80
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "5"
    networks:
      - frontend

  av:
    image: "clamav/clamav:stable_base"
    restart: always
    container_name: "nc-hub-clamav"
    volumes:
      # Virus database
      - /home/clamav/virusdb:/var/lib/clamav/
      # Socket
      - /var/run/clamav/:/var/run/clamav/
    networks:
      - backend

  nextcloud:
    image: nextcloud
    ports:
      - 8088:80
    depends_on:
      - mariadb
      - onlyoffice
      - av
    volumes:
      - /home/nextcloud/html:/var/www/html
      - /home/nextcloud/data:/var/www/html/data
      - /home/clamav/virusdb:/var/lib/clamav/
      - /var/run/clamav/:/var/run/clamav/
    environment:
      - MYSQL_HOST=mariadb
      - MYSQL_DATABASE=mysql-database
      - MYSQL_USER=mysql-user
      - MYSQL_PASSWORD=mysql-password
    restart: always
    container_name: "nc-hub-app"
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "5"
    networks:
      - frontend
      - backend

Thanks again for your help!

what you call the “connector app page”: can you please explain?

Connector app is the separate module. It is needed for communication between Document server and Nextcloud. Please go to Nextcloud > Settings > ONLYOFFICE. There you have to set up Document server address and JWT secret:

Thanks Alexandre!

The field is empty in Nextcloud>OnlyOffice settings page: should I copy here the value found in /etc/onlyoffice/documentserver/local.json? If yes, which value (I have inbox, outbox and session secrets)?

Thanks again for your help!

There should be the same value. And yes, you have to copy/paste this value to the connector app page. If it’s possible, please point me to the guide which you used. I guess you used an unofficial guide if you see different values in the mentioned section.
The official installation guides: Installation Guides - Docs Community Edition - ONLYOFFICE
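The comparison discussed above, as an added example that is not part of the original thread: it reads the inbox, outbox and session secrets from a local.json and checks whether a token signed with the connector's secret would verify against each. The JSON key layout, the HS256 algorithm and all secret values are assumptions or constructed samples.

```python
import base64, hashlib, hmac, json

# Constructed sample; the key layout is an assumption about local.json.
SAMPLE_LOCAL_JSON = """
{"services": {"CoAuthoring": {
  "token": {"enable": {"request": {"inbox": true, "outbox": true}, "browser": true}},
  "secret": {"inbox": {"string": "constructed-secret-A"},
             "outbox": {"string": "constructed-secret-A"},
             "session": {"string": "constructed-secret-A"}}}}}
"""

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_hs256(payload: dict, secret: str) -> str:
    """Build a compact HS256 JWT, as the integrating side would."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_hs256(token: str, secret: str) -> bool:
    """Recompute the signature with the server-side secret, constant-time compare."""
    parts = token.split(".")
    if len(parts) != 3:
        return False  # an empty or malformed token never verifies
    expected = hmac.new(secret.encode(), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected).encode(), parts[2].encode())

def audit(local_json: str, connector_secret: str) -> dict:
    """Report whether the connector's secret matches each server-side secret."""
    co = json.loads(local_json)["services"]["CoAuthoring"]
    secrets = {k: v.get("string", "") for k, v in co.get("secret", {}).items()}
    # An empty connector field means no token is produced at all.
    token = sign_hs256({"document": {"key": "constructed-key"}}, connector_secret) if connector_secret else ""
    return {
        "jwt_enabled": co.get("token", {}).get("enable", {}).get("browser", False),
        "secrets_consistent": len(set(secrets.values())) == 1,
        "accepted": {name: verify_hs256(token, s) for name, s in secrets.items()},
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LOCAL_JSON, "constructed-secret-A"))  # matching secret
    print(audit(SAMPLE_LOCAL_JSON, ""))                      # empty connector field
```
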

I’ve tried to copy the value (you’re right, these are the same value) and clicked Save, but receive an error from Nextcloud: “Erreur durant la tentative de connexion (cURL error 3: (see libcurl - Error Codes) for /ooserver/healthcheck)”.

Regarding the guide, I clearly didn’t follow the official one, being helped/coached by experts on a Discord forum. The server is now in production, I’m afraid I can’t reinstall from scratch…

Let’s run a few tests. This way you can check out that Document server works.

  1. Open Document server Welcome page (http://domain_name/welcome) > enable integrated example > check out if you can create and edit files in the integrated example. If the example runs without issue, please check out exact version of Document server in the ‘About’ tab of editor interface.

  2. Double-check mutual availability between both sides. Go to Document server container and run wget http://Nextcloud_domain_name. And vice versa (go to Nextcloud container and run wget http://DS_domain_name)

Regarding the guide, I clearly didn’t follow the official one, being helped/coached by experts on a Discord forum.

Sorry, but we can’t troubleshoot unofficial installation, because I don’t know what changes were performed on Document server side. Anyway, please run mentioned tests and check out the result. Also you can reproduce the issue and share logs folder, we will check them out.

Hi Alexandre,

Test 1: I can’t connect to https://domain_name/welcome: this page does not exist and I’m routed to NC dashboard. DocumentServer doesn’t live on its own but only as a Nextcloud extension.

Test 2: there’s no DS_domain_name.

Regarding the installation, the docker-compose file should give you all information, as all containers belong to the same stack.

Which container can I draw this logfile from? In DocumentServer container, all I can find is an /app/ds folder, which looks almost empty…

By the way, here’s the NC connector settings:

The https://<documentserver>/ looks strange as it seems to refer to some keyword. Even the container’s name doesn’t match… :thinking:

Hi Alexandre,

I understand your position, but, as you can figure out with my docker-compose file, no modification has been made on the server side. The installation only configures the DocumentServer as a Nextcloud extension, and it has no dedicated domain name.

I could try to use the official docker-compose file, but, as all tools have been installed through Portainer, I would have to adapt it to integrate with the existing stack (especially with the existing MariaDB container). Moreover, this seems to build the DocumentServer from a docker file, which could be a bit tricky to run with Portainer…

Would you have any link to an “official” (DS + NC) stack, so I can use it as an example to tweak mine?

Thanks in advance for any help!

Hi all,

I finally managed to solve my issue, by adding the variables to the existing OO container

    environment:
      - JWT_ENABLED=true
      - JWT_SECRET=my_secret

and configuring the NextCloud settings appropriately. A restart did the trick and OnlyOffice is once again up and running!

Thanks again for your help!

We are glad that the issue is solved, but I still believe you have to follow official guides. You added JWT to your container, but official installations contain this step already: https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#all-editors-4
We have enabled JWT by default in v.7.2
That means there’s the difference between our guides and your one.

Anyway, please feel free to contact us if you face any difficulties.

Yes, I know I don’t run the official configuration, but I had to cope with an existing production set. Moreover, I neither need nor want to have a standalone DS, but just “bury” it within the file server, for security reasons (reduce the attack surface).

One last question: what’s the role of the RabbitMQ container here?

Thanks again for your help!

RabbitMQ is used to handle the conversion task queue, result task queue, and event bus. But I have no idea why your installation contains separate container for this service. Official docker installation provides all-in-one docker container of Document server (it includes all necessary services).

Thanks Alexandre for this feedback! My distribution doesn’t have any RabbitMQ instance by the way, this is why I was asking for its role…
Have a great day!


I am getting the same issue: “The document security token is not correctly formed. Please contact your Document Server administrator”.
I even went through several pieces of documentation and I also set JWT_ENABLE=false; after doing this I get the “Download Error”.

Hello @Captain_roger

Please do not post the same questions in multiple posts.