NextCloud / OnlyOffice / Let's Encrypt (Nginx) CA issue

KdB · February 23, 2018, 11:15am

NethServer Version: 7.4.1708 (Final)

In short, I have an issue where I can’t verify a https connection on port 8082. It appears to be a CA related issue.

I setup OnlyOffice as per @mrmarkuz howto ; and
I setup Let’s Encrypt using acme.sh as per @danb35 howto

The Document Server (nginx) is responding correctly with SSL on port 8082, yet when I attempted to add the Document Editing Service address (https://<domain.tld>:8082) I would get a bad read error.

I tested via the command line:
openssl s_client -CApath /etc/ssl/certs/ -connect :8082

and it fails with:
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN =
verify error:num=21:unable to verify the first certificate
verify return:1

Same command on Port 443 completes without error:

verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN =
verify return:1

At this point, please note that I have successfully installed OnlyOffice and nginx etc on a similar server setup without issue.

The only difference in the setup between the two machines is on the first one I used CERTBOT to get the certificate and on the second (problem one) I used ACME.SH.

I have checked and compared the two machine configs; I can get to and see the certs/keys in their respective locations; the db config is correct; the apache, nginx and nextcloud configs are correct; and, as mentioned, the SSL cert on the document server is working correctly when accessed from inside or outside of the network.

In troubleshooting I pulled it all down and started from scratch with the same result. I didn’t try going down the certbot path (the only real difference) as I would rather find what is causing this issue if it is related to the suggested acme.sh install - which places and PATHs the certs in different locations other than the nethserver pre-defined letsencrypt folder (eg):

pki=configuration
CertificateDuration=3650
ChainFile=/etc/pki/tls/certs/chain.pem
CrtFile=/etc/pki/tls/certs/cert.pem
KeyFile=/etc/pki/tls/private/privkey.pem
LetsEncrypt=disabled
LetsEncryptDomains=
LetsEncryptMail=
LetsEncryptRenewDays=30

Obviously, any suggestions are welcomed.

Thanks,
Klaus

mrmarkuz · February 23, 2018, 12:46pm

Hi @KdB,

do you have cloudflare? The ACME howto is intended to use it with cloudflare. If you don’t have cloudflare, a solution to get back to defaults is in the howto thread:

The certificates are defined in /etc/httpd/conf.d/ssl.conf for apache and in /etc/nginx/conf.d/onlyoffice-documentserver.conf for nginx.

These are the commands to set the certificate in nginx from the onlyoffice howto:

# add ssl cert config - change if using letsencrypt or own certs
sed -i 's!{{SSL_CERTIFICATE_PATH}}!/etc/pki/tls/certs/localhost.crt!' /etc/nginx/conf.d/onlyoffice-documentserver.conf
# add ssl key config - change if using letsencrypt or own certs
sed -i 's!{{SSL_KEY_PATH}}!/etc/pki/tls/private/localhost.key!' /etc/nginx/conf.d/onlyoffice-documentserver.conf

KdB · February 23, 2018, 2:44pm

Update: After I read my response below, I realised the error. Although I had issued a “–fullchain” cert I wasn’t using it (cert + CA). Adjusting the /etc/nginx/conf.d/onlyoffice-documentserver.conf from:

ssl on;
ssl_certificate /etc/pki/tls/certs/cert.pem;

to

ssl on;
ssl_certificate /etc/pki/tls/certs/fullchain.pem;

systemctl reload nginx

resolved it for me and all is now working perfectly. Thanks @mrmarkuz for the brilliant howto by the way - it is much appreciated.

— earlier response —

Thanks Markus.

I understand that the Lets Encrypt howto was for internal servers and cloudflare - no, I’m not using cloudflare. I really only used the howto for the specific nethserver commands for placement of keys, db config and event signals etc. I wanted to use acme over certbot as I am familiar with it from other servers I look after. I have external DNS control so just used this to create:

./acme.sh --issue -f -w /var/www/html/ -d <domain.tld>  --cert-file /etc/pki/tls/certs/cert.pem --ca-file /etc/pki/tls/certs/chain.pem --fullchain-file /etc/pki/tls/certs/fullchain.pem --key-file /etc/pki/tls/private/privkey.pem --renew-hook "/sbin/e-smith/signal-event certificate-update"

I believe the issued certs are correct and the nginx / onlyoffice conf is pointing at them. The confusion for me is the document server/nginx is secured and operating yet is not finding the CA internally via port 8082 (nginx) yet it does on 443 (apache).

m.traeumner · February 26, 2018, 8:29am

@KdB Nice to hear that it works for you.
Could you please mark the topic as solved, so it’s easier for others to find the solution.