ONLYOFFICE not working with Nextcloud when using a secret key

  • Do you want to: Ask a how-to question
  • Document Server version: 7.3.3.49
  • OS: Docker (dietpi os)
  • Browser: Safari
  • Nextcloud version: 26.0.1
  • Nextcloud is running on TrueNAS Scale 22.12.2

Setup:

  • Nextcloud is running on my TrueNAS Scale server.
  • ONLYOFFICE Documentserver is installed on my Raspberry Pi 4 Model B using Docker.
  • Port 443 is opened in Docker and on my Router
  • Certificate verification is disabled in Nextcloud
  • I can access Nextcloud using my Domain through a Cloudflare Tunnel.
  • I can access ONLYOFFICE using my public IP address
  • I can access Nextcloud from my ONLYOFFICE instance using wget.

Config files:
I have not modified any ONLYOFFICE config files. I also haven‘t added anything related to ONLYOFFICE to my Nextcloud config.php file.

The Problem:
I get the following error when trying to save the ONLYOFFICE server settings in Nextcloud:

Error when trying to connect (Error occurred in the document service: Error while downloading the document file to be converted.) (version 7.3.3.49)

ONLYOFFICE Documentserver logs (from Docker; I started the container and clicked the save button in Nextcloud three times):

chmod: cannot access '/usr/share/ca-certificates/ds/*.pem': No such file or directory
 * Starting PostgreSQL 14 database server        
[ OK ]
 * Starting RabbitMQ Messaging Server rabbitmq-server        
[ OK ]
 * Reloading nginx configuration nginx        
[ OK ]
Starting supervisor: supervisord.
cron: unrecognized service
 * Starting nginx nginx        
[ OK ]
Generating AllFonts.js, please wait...Done
Generating presentation themes, please wait...Done
Generating js caches, please wait...Done
ds:docservice: stopped
ds:docservice: started
ds:converter: stopped
ds:converter: started
 * Reloading nginx configuration nginx        
[ OK ]

==> /var/log/onlyoffice/documentserver/converter/err.log <==

==> /var/log/onlyoffice/documentserver/converter/out.log <==
    at Request.onRequestResponse (/snapshot/server/build/server/Common/node_modules/request/request.js:1059:10)
    at ClientRequest.emit (events.js:400:28)
    at HTTPParser.parserOnIncomingClient (_http_client.js:647:27)
    at HTTPParser.parserOnHeadersComplete (_http_common.js:127:17)
    at TLSSocket.socketOnData (_http_client.js:515:22)
    at TLSSocket.emit (events.js:400:28)
    at addChunk (internal/streams/readable.js:293:12)
    at readableAddChunk (internal/streams/readable.js:267:9)
    at TLSSocket.Readable.push (internal/streams/readable.js:206:10)
    at TLSWrap.onStreamRead (internal/stream_base_commons.js:188:23)

==> /var/log/onlyoffice/documentserver/docservice/err.log <==

==> /var/log/onlyoffice/documentserver/docservice/out.log <==
[2023-05-11T12:22:19.966] [WARN] [localhost] [docId] [userId] nodeJS - Express server listening on port 8000 in production-linux mode. Version: 7.3.3. Build: 49
[2023-05-11T12:24:40.639] [WARN] [localhost] [docId] [userId] nodeJS - start shutdown:%b true
[2023-05-11T12:24:40.642] [WARN] [localhost] [docId] [userId] nodeJS - active connections: 0
[2023-05-11T12:24:40.645] [WARN] [localhost] [docId] [userId] nodeJS - end shutdown
[2023-05-11T12:43:54.268] [WARN] [localhost] [docId] [userId] nodeJS - Express server starting...
[2023-05-11T12:43:54.281] [WARN] [localhost] [docId] [userId] nodeJS - Failed to subscribe to plugin folder updates. When changing the list of plugins, you must restart the server. https://nodejs.org/docs/latest/api/fs.html#fs_availability
[2023-05-11T12:43:54.566] [WARN] [localhost] [docId] [userId] nodeJS - Express server listening on port 8000 in production-linux mode. Version: 7.3.3. Build: 49
[2023-05-11T12:45:48.689] [WARN] [localhost] [docId] [userId] nodeJS - Express server starting...
[2023-05-11T12:45:48.699] [WARN] [localhost] [docId] [userId] nodeJS - Failed to subscribe to plugin folder updates. When changing the list of plugins, you must restart the server. https://nodejs.org/docs/latest/api/fs.html#fs_availability
[2023-05-11T12:45:48.975] [WARN] [localhost] [docId] [userId] nodeJS - Express server listening on port 8000 in production-linux mode. Version: 7.3.3. Build: 49

==> /var/log/onlyoffice/documentserver-example/out.log <==

==> /var/log/onlyoffice/documentserver/metrics/err.log <==

==> /var/log/onlyoffice/documentserver/metrics/out.log <==
    'statsd.packets_received': 0,
    'statsd.metrics_received': 0
  },
  sets: {},
  pctThreshold: [ 90 ]
}
11 May 12:20:18 - [647] reading config file: ./config/config.js
11 May 12:20:18 - server is up INFO
11 May 12:43:50 - [647] reading config file: ./config/config.js
11 May 12:43:50 - server is up INFO

==> /var/log/onlyoffice/documentserver/nginx.error.log <==

What I‘ve tried:

  • I have checked if the token matches multiple times. I have tried a long token (about 64 characters) and a short one (seven characters), one with only numbers and one with numbers and letters. ONLYOFFICE and Nextcloud work if I remove the token.

  • Adding the following to config.php (Nextcloud):

'onlyoffice' =>
array (
'verify_peer_off' => true,
'jwt_secret' => '<your_key>',
'jwt_header' => 'AuthorizationJwt',
)
  • Turning SSL on and off

  • Changing Authorization to AuthorizationJwt in inbox and outbox in local.json

  • Reinstalling ONLYOFFICE Documentserver

  • Reinstalling the ONLYOFFICE App for Nextcloud

  • Setting internal addresses in the Nextcloud settings for my Nextcloud and ONLYOFFICE servers

I‘ve also tried combining different things from the list above.

Sometimes I got the following error message in the Docker logs of the ONLYOFFICE container (I‘m not sure what combination of settings caused this):

[2023-05-11T08:36:22.136] [ERROR] [localhost] [conv_check_537086732_docx] [userId] nodeJS - error downloadFile:url=https://<mydomain>/apps/onlyoffice/empty?doc=<charactersandnumbers>.<charactersandnumbers>.<charactersandnumbers>;attempt=3;code:undefined;connect:undefined Error: Error response: statusCode:403; headers:{"date":"Thu, 11 May 2023 08:36:21 GMT","content-type":"application/json; charset=utf-8","content-length":"27","connection":"keep-alive","cache-control":"no-cache, no-store, must-revalidate","content-security-policy":"default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'","expires":"Thu, 19 Nov 1981 08:52:00 GMT","feature-policy":"autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'","pragma":"no-cache","referrer-policy":"no-referrer","set-cookie":["<charactersandnumbers>=<charactersandnumbers>; path=/; secure; HttpOnly; SameSite=Lax","oc_sessionPassphrase=<charactersandnumbers>; path=/; secure; HttpOnly; SameSite=Lax","<charactersandnumbers>=<charactersandnumbers>; path=/; secure; HttpOnly; SameSite=Lax","<charactersandnumbers>=<charactersandnumbers>; path=/; secure; HttpOnly; SameSite=Lax","__Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax","__Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict","<charactersandnumbers>=<charactersandnumbers>; path=/; secure; HttpOnly; SameSite=Lax"],"x-content-type-options":"nosniff","x-frame-options":"SAMEORIGIN","x-permitted-cross-domain-policies":"none","x-powered-by":"PHP/8.1.18","x-request-id":"<charactersandnumbers>","x-robots-tag":"noindex, nofollow","x-xss-protection":"1; mode=block","cf-cache-status":"DYNAMIC","report-to":"{\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=<charactersandnumbers>%<charactersandnumbers>%<charactersandnumbers>%<charactersandnumbers>%<charactersandnumbers>%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}","nel":"{\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}","strict-transport-security":"max-age=15552000; includeSubDomains; preload","server":"cloudflare","cf-ray":"7c59180229e19b31-FRA","alt-svc":"h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400"};
    at Request.fResponse (/snapshot/server/build/server/Common/sources/utils.js)
    at Request.emit (events.js:400:28)
    at Request.onRequestResponse (/snapshot/server/build/server/Common/node_modules/request/request.js:1059:10)
    at ClientRequest.emit (events.js:400:28)
    at HTTPParser.parserOnIncomingClient (_http_client.js:647:27)
    at HTTPParser.parserOnHeadersComplete (_http_common.js:127:17)
    at TLSSocket.socketOnData (_http_client.js:515:22)
    at TLSSocket.emit (events.js:400:28)
    at addChunk (internal/streams/readable.js:293:12)
    at readableAddChunk (internal/streams/readable.js:267:9)
    at TLSSocket.Readable.push (internal/streams/readable.js:206:10)
    at TLSWrap.onStreamRead (internal/stream_base_commons.js:188:23)

I know that many people come across (and post) about this error. I have read lots of forum posts but I couldn‘t find a solution that works. This is also my first time setting up TrueNAS, Nextcloud and ONLYOFFICE so I don’t really have that much experience in this topic.

Hello @Tobi

I think we have to start from the beginning.
Have you checked if editing works in the integrated test example? To do it please navigate to the Document Server Welcome page via Document Server address and follow the instruction to enable the test example in the first place. If you see any errors, please make screenshots of them and also check browser console for any additional error entries.

After installation of the SSL certificate did you perform bash /usr/bin/documentserver-update-securelink.sh? If not and currently Document Server is running over HTTPS please perform this step from Docker container with Document Server and check the situation again.

If none of these helps, please provide information about the current settings of Document Server, e.g. whether JWT is enabled or not, HTTPS is enabled or not, etc.
Also, attempt to connect Document Server with Nextcloud via connector app interface one more time and please make screenshot of the error and share logs of Document Server to understand what’s the current issue.

Hi @Constantine,
thanks for your response.

I just figured it out.

It turned out to be unrelated to those tokens, Cloudflare, or SSL.
I had to change my UEFI time to UTC (it had previously been set to my local time).

I got a random thought that it may be related to another issue I was having with TrueNAS Scale and Nextcloud. 2FA did not function for me on these platforms. And since JWT has something to do with authentication too, I believed the two issues were connected.

According to several posts, this is caused by wrong system / UEFI time settings. I had previously changed my UEFI time, but it did not work since I had set it to my local time rather than UTC. Today, though, I came across a forum post in which a user stated that UNIX-based operating systems utilize UTC instead of local time.

Changing the UEFI time again finally solved my issue (and it made 2FA work too ^^)

Hello @Tobi

I’m glad to hear that you’ve managed to solve the issue.