nodeJS - wopi error checkFileInfo:Error: self signed certificate

Document Server version: Document server 7.
Type of installation of the Document Server (docker, deb/rpm, exe): Docker
OS: CentOS7
Browser version: Firefox 115.4.0esr (64 bits)

I have integrated OnlyOffice with my ECM (Electronic Content Management) application (using the WOPI protocol).
When my application sent a WOPIsrc, I received the error “… Please contact your administrator.”

for more information :

  • all exchanges are in https
  • I copied the CA with the following command
    docker cp frd115r07fel.bke.integra.fr.pem onlyoffice-onlyoffice-documentserver-1:/usr/local/share/ca-certificates/ to add external application certificate to OnlyOffice
  • then docker-compose down and docker-compose up -d --force-recreate
    BUT the problem remains

and in the out.log I received this message as well:

[2023-12-05T10:13:07.265] [DEBUG] [localhost] [0393fbf6-6c84-4942-83ec-d8f07231d29c_1701771186292] [userId] nodeJS - wopiEditor req.query:{“rs”:“fr”,“dchat”:“false”,“hid”:“”,“sc”:“”,“ui”:“fr”,“wopisrc”:“https://nam-gedt.ansm-intra.fr/any/rest/wopihost/files/0393fbf6-6c84-4942-83ec-d8f07231d29c_1701771186292”}
[2023-12-05T10:13:07.265] [DEBUG] [localhost] [0393fbf6-6c84-4942-83ec-d8f07231d29c_1701771186292] [userId] nodeJS - wopiEditor req.body:{“access_token”:“3fa8771c-b824-4844-8a4f-3ca21c5121bc”,“access_token_ttl”:“1701951186913”}
[2023-12-05T10:13:07.266] [INFO] [localhost] [0393fbf6-6c84-4942-83ec-d8f07231d29c_1701771186292] [userId] nodeJS - wopi checkFileInfo start
[2023-12-05T10:13:07.271] [DEBUG] [localhost] [0393fbf6-6c84-4942-83ec-d8f07231d29c_1701771186292] [userId] nodeJS - wopi checkFileInfo request uri=https://nam-gedt.ansm-intra.fr/any/rest/wopihost/files/0393fbf6-6c84-4942-83ec-d8f07231d29c_1701771186292?access_token=3fa8771c-b824-4844-8a4f-3ca21c5121bc headers={“X-WOPI-Proof”:“b2yG6tBV0oWt6qQKO0Fs/5Qj1Xx1DE4Iv07ESfDFJx5ETrDkc6TZuaEmXNQ11NdFjEvTkvjkAyiRrHJwMN6Tb+ARvO0LqeduLX0UsyEjLrCSpTo6kltQa+Wc7X0id0Y6HjNbjeyFUSBFoTnhi0lfmRLYD7JwbqvQbjLwHv+YFR9wqUQbCf4ZY20AuUYsbJ4po3bmBX8wLlHvQg5uUex2H0k40NmY6Y6ph00Ckpm2iOKTarKGW3lSJ98zTu/FrI1Z2gJoXF05uGNHvijkGQsoy3ihaKJ6etbokapeEL2qFEzrypSHbELMwdko62E0rVBlD88AkJ02NE7imw8gaFtgyA==”,“X-WOPI-ProofOld”:“b2yG6tBV0oWt6qQKO0Fs/5Qj1Xx1DE4Iv07ESfDFJx5ETrDkc6TZuaEmXNQ11NdFjEvTkvjkAyiRrHJwMN6Tb+ARvO0LqeduLX0UsyEjLrCSpTo6kltQa+Wc7X0id0Y6HjNbjeyFUSBFoTnhi0lfmRLYD7JwbqvQbjLwHv+YFR9wqUQbCf4ZY20AuUYsbJ4po3bmBX8wLlHvQg5uUex2H0k40NmY6Y6ph00Ckpm2iOKTarKGW3lSJ98zTu/FrI1Z2gJoXF05uGNHvijkGQsoy3ihaKJ6etbokapeEL2qFEzrypSHbELMwdko62E0rVBlD88AkJ02NE7imw8gaFtgyA==”,“X-WOPI-TimeStamp”:“638373679872670000”,“X-WOPI-ClientVersion”:“7.3.2.8”,“Authorization”:“Bearer 3fa8771c-b824-4844-8a4f-3ca21c5121bc”}
[2023-12-05T10:13:07.325] [ERROR] [localhost] [0393fbf6-6c84-4942-83ec-d8f07231d29c_1701771186292] [userId] nodeJS - wopi error checkFileInfo:Error: self signed certificate
at TLSSocket.onConnectSecure (_tls_wrap.js:1515:34)
at TLSSocket.emit (events.js:400:28)
at TLSSocket._finishInit (_tls_wrap.js:937:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:709:12)
[2023-12-05T10:13:07.325] [INFO] [localhost] [0393fbf6-6c84-4942-83ec-d8f07231d29c_1701771186292] [userId] nodeJS - wopi checkFileInfo end

Hello @ahassain

Does the integrated example not work either? Please check it by accessing it from the Document Server address. In case it is not enabled, on the Welcome Page you will find an instruction on how to enable it.


In general, if you’ve generated a self-signed certificate by yourself, you can try disabling certificate verification on Document Server side by changing rejectUnauthorized parameter to false in default.json config. Config is located in /etc/onlyoffice/documentserver/, once you changed the config you need to restart all services of Document Server inside the container with command supervisorctl restart all to apply changes.

Hello Constantine
thanks for your reply
https://nam-onlyofficet.ansm-intra.fr/welcome/ (Environment URL) works fine
As described above, DocumentServer has been deployed / installed with docker
I don’t know how to modify default.json in this situation.
=> I’ve tried to do it via a JSON file (enable_wopi.json) referenced in compose.yaml
compose.yaml :
volumes:
  - onlyoffice-data:/var/www/onlyoffice/Data
  - /var/log/onlyoffice-logs:/var/log/onlyoffice
  - onlyoffice-cache:/var/lib/onlyoffice/documentserver/App_Data/cache/files
  - onlyoffice-fonts:/usr/share/fonts
  - ./enable_wopi.json:/etc/onlyoffice/documentserver/local-production-linux.json
  - ./production.json:/etc/onlyoffice/documentserver/log4js/production.json

enable_wopi.json :
{
  "services": {
    "CoAuthoring": {
      "autoAssembly": {
        "enable": true,
        "interval": "5m",
        "step": "5m"
      },
      "requestDefaults": {
        "rejectUnauthorized": false
      }
    }
  },
  "wopi": {
    "enable": true,
    "host": "https://nam-onlyofficet.ansm-intra.fr",
    "wopiZone": "external-https"
  }
}

BUT in this case, I have a blocking error in the third-party application: 502 Bad Gateway (nginx)

if you have more information, please keep me informed

Furthermore, rejectUnauthorized set to false seems to disable TLS exchanges. My initial request is to be able to understand the root cause of the error:
[userId] nodeJS - wopi error checkFileInfo:Error: self signed certificate
at TLSSocket.onConnectSecure (_tls_wrap.js:1515:34)
at TLSSocket.emit (events.js:400:28)
at TLSSocket._finishInit (_tls_wrap.js:937:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:709:12)
and at the same time everything seems correctly installed, even the certificates on both sides (third-party application and onlyoffice)

Thanks in advance

is the problem related to self signed certificate usage ?

Yes, by default Document Server does not allow connections from resources with self-signed certificates.

Thanks Constantine, is there any configuration parameter to allow self-signed certificates ?
best regards

I’ve mentioned it already:

Thanks Constantine,

docker ps

CONTAINER ID   IMAGE                             COMMAND                  CREATED        STATUS        PORTS                                                                      NAMES
8da66ccb7e0a   onlyoffice/documentserver:7.3.2   "/app/ds/run-documen…"   45 hours ago   Up 45 hours   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   onlyoffice-onlyoffice-documentserver-1
11f35a5dc98d   postgres:14.7-alpine              "docker-entrypoint.s…"   45 hours ago   Up 45 hours   5432/tcp                                                                   onlyoffice-onlyoffice-postgresql-1
fe8e69682d5f   rabbitmq                          "docker-entrypoint.s…"   45 hours ago   Up 45 hours   4369/tcp, 5671-5672/tcp, 15691-15692/tcp, 25672/tcp                        onlyoffice-onlyoffice-rabbitmq-1

find / -type f -name 'default.json'

/production/docker/overlay2/05d5bc4a3fda73e255a5223933a9241782c90a0a43b88e0b3e626e89c1a9b6c1/diff/etc/onlyoffice/documentserver/default.json
/production/docker/overlay2/05d5bc4a3fda73e255a5223933a9241782c90a0a43b88e0b3e626e89c1a9b6c1/diff/etc/onlyoffice/documentserver-example/default.json
/production/docker/overlay2/274be9fd36c4da25269b0930a41c6d00edddf743a056d960df13ce04b8b20713/diff/etc/onlyoffice/documentserver/default.json
/production/docker/overlay2/274be9fd36c4da25269b0930a41c6d00edddf743a056d960df13ce04b8b20713/diff/etc/onlyoffice/documentserver-example/default.json
/production/docker/overlay2/52c56a8234529c4ad13082e4e07e965067efb70a6fe5789664d765ec39eb1978/diff/etc/onlyoffice/documentserver/default.json
/production/docker/overlay2/52c56a8234529c4ad13082e4e07e965067efb70a6fe5789664d765ec39eb1978/diff/etc/onlyoffice/documentserver-example/default.json
/production/docker/overlay2/7d007881589272c87e7f3675a0e96adb6cf0b7d2eab7fccb8dd71f43648b8727/diff/etc/onlyoffice/documentserver/default.json
/production/docker/overlay2/7d007881589272c87e7f3675a0e96adb6cf0b7d2eab7fccb8dd71f43648b8727/diff/etc/onlyoffice/documentserver-example/default.json
/production/docker/overlay2/7d007881589272c87e7f3675a0e96adb6cf0b7d2eab7fccb8dd71f43648b8727/merged/etc/onlyoffice/documentserver/default.json
/production/docker/overlay2/7d007881589272c87e7f3675a0e96adb6cf0b7d2eab7fccb8dd71f43648b8727/merged/etc/onlyoffice/documentserver-example/default.json

Could you help me which file to change and how to do it ? to change the file in bold into docker ?

docker exec -it onlyoffice-onlyoffice-documentserver-1 /bin/bash

root@8da66ccb7e0a:/# find / -type f -name 'default.json'
/etc/onlyoffice/documentserver/default.json
/etc/onlyoffice/documentserver-example/default.json

?

Thanks in advance

Yes, this is correct. The default.json config is located inside the Docker container with Document Server in /etc/onlyoffice/documentserver/ directory (not ../documentserver-example/).

Also note, that you are using an outdated version of Document Server. I’d recommend updating your instance to the actual version /

Very strange ! The change does not seem persistent. Actually, after restart documentserver the parameter returns to initial value
docker exec -it onlyoffice-onlyoffice-documentserver-1 /bin/bash
root@1ea2ba9881e3:/# nano /etc/onlyoffice/documentserver/default.json
root@1ea2ba9881e3:/# grep rejectUnauthorized /etc/onlyoffice/documentserver/default.json
"rejectUnauthorized": false
[root@frd115r12fel:/production/onlyoffice]

docker compose up -d

[+] Running 3/3
⠿ Container onlyoffice-onlyoffice-postgresql-1 Started 69.5s
⠿ Container onlyoffice-onlyoffice-rabbitmq-1 Started 69.4s
⠿ Container onlyoffice-onlyoffice-documentserver-1 Started 63.4s

docker exec -it onlyoffice-onlyoffice-documentserver-1 /bin/bash

root@f14bd8015f79:/# grep rejectUnauthorized /etc/onlyoffice/documentserver/default.json
"rejectUnauthorized": true

otherwise, how to download the documentserver last version ? is there any compatibility issues ? here are the packages installed for the moment on my environment :
927M Mar 16 2023 onlyoffice-documentserver_7.3.2.tar.gz
87M Mar 16 2023 postgres_14.7-alpine.tar.gz
99M Mar 16 2023 rabbitmq_latest.tar.gz

This is expected behavior when restarting not Document Server but the container with it. We usually recommend restarting services only to avoid such problems with command supervisorctl restart all.

As for the update: I think the easiest way here would be downloading new image with latest tag. However, once you want to update again, you will need to delete previous image with latest tag in order to download newer one and start container off of it.

Thanks Constantine. It works !!!

I am glad to hear that.

As for the way to preserve the value when restarting the container with docker-compose: as I mentioned, the easiest way is to keep the container running and avoid stopping it. However, if you are planning on restarting the container frequently, you can mount custom config into the container with Document Server and pass required parameters in it. I’ve shared the description of this procedure previously in this thread, please take a look at:

Please note that this is an example, your configuration may differ from the one provided there.
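
Added example, not part of the thread and not ONLYOFFICE code: with rejectUnauthorized set to false the Node.js client no longer rejects a server certificate that fails verification, so it is worth auditing where that value ends up once a mounted override file is layered over default.json. The sketch below merges JSON config layers in order, reports any layer that fails to parse, and lists every path where the effective value is false; the merge order, function names and sample layers are assumptions constructed for the illustration.

```javascript
'use strict';

function isPlain(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Deep-merge plain objects the way layered JSON config files are combined:
// a later layer overrides an earlier one key by key.
function mergeLayers(base, override) {
  const out = { ...base };
  for (const [key, value] of Object.entries(override)) {
    const both = isPlain(value) && isPlain(out[key]);
    out[key] = both ? mergeLayers(out[key], value) : value;
  }
  return out;
}

// Dotted path of every "rejectUnauthorized": false in a config tree.
function findDisabledVerification(node, path = []) {
  if (!isPlain(node)) return [];
  return Object.entries(node).flatMap(([key, value]) =>
    key === 'rejectUnauthorized' && value === false
      ? [[...path, key].join('.')]
      : findDisabledVerification(value, [...path, key]));
}

// Parse each layer, merge in order, and report findings. A layer that is not
// valid JSON is reported by name instead of being silently skipped.
function auditLayers(layers) {
  let effective = {};
  const errors = [];
  for (const { name, text } of layers) {
    try {
      effective = mergeLayers(effective, JSON.parse(text));
    } catch (err) {
      errors.push(`${name}: ${err.message}`);
    }
  }
  return { errors, findings: findDisabledVerification(effective) };
}

// Constructed sample layers (hypothetical content, not a real installation).
const SAMPLE_DEFAULT = '{"services":{"CoAuthoring":{"requestDefaults":{"rejectUnauthorized":true}}}}';
const SAMPLE_OVERRIDE = '{"services":{"CoAuthoring":{"requestDefaults":{"rejectUnauthorized":false}}}}';
const SAMPLE_BROKEN = '{"services":{"CoAuthoring":{"autoAssembly":{"enable":true} "requestDefaults":{}}}}';

console.log(auditLayers([
  { name: 'default.json', text: SAMPLE_DEFAULT },
  { name: 'local-production-linux.json', text: SAMPLE_OVERRIDE },
]));
```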