"Download failed" after upgrade to onlyoffice - unable to verify the first certificate #96

Open
thomass4t opened this Issue Apr 10, 2018 · 7 comments

thomass4t commented Apr 10, 2018

I upgraded to the current community- and document-server 9.6.1.627
Community-Server runs with self-signed SSL certificate
Document-Server runs with plain http

After restart of the two docker containers, I get an error message when opening any kind of document. The error message merely shows "Download failed".

I discovered the underlying error within the logfile
/app/onlyoffice/DocumentServer/logs/documentserver/converter/out.log

Whenever I open a document, an error shows up in this logfile:

[2018-04-10 14:17:05.216] [ERROR] nodeJS - error downloadFile:url=https://onlyoffice/products/files/httphandlers/filehandler.ashx?action=stream&fileid=4&version=6&stream_auth=xxx;attempt=3;code:UNABLE_TO_VERIFY_LEAF_SIGNATURE;connect:undefined;(id=PryKqIixHZSmYe_LEsQ_)
Error: unable to verify the first certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:609:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:439:38)

The document-Server seems to download something from the community-server and fails because it doesn't know the CA of the self-signed certificate.

How can I add my self-signed certificate or my CA to the document-server?
My CA must be injected to Node-JS service.
(Adding it to /etc/ssl/certs didn't work and also setting the docker-env NODE_TLS_REJECT_UNAUTHORIZED=0 didn't help either)

Thanks for any suggestions,
Thomas

dmkash commented Jul 13, 2018

I am running into the same problem while setting up local virtual machines in our development environment. For our development virtual machines we use the .test TLD, so we need to use self-signed certificates.

The ONLYOFFICE Document Server has been installed on a CentOS 7 virtual machine following the directions here: https://helpcenter.onlyoffice.com/server/linux/document/linux-installation-centos.aspx

I tried adding NODE_TLS_REJECT_UNAUTHORIZED=0 to the /etc/onlyoffice/documentserver/supervisor/onlyoffice-documentserver-docservice.ini but this didn't work, either. I'm seeing the exact same error in /var/log/onlyoffice/documentserver/docservice/out.log as the OP:

[2018-07-13 14:50:22.799] [ERROR] nodeJS - postData error: docId = 2_2_;url = https://testserver.ourdomain.test/path/to/document;data = {"key":"2_2_","status":1,"users":["1"],"actions":[{"type":1,"userid":1}]}
Error: self signed certificate
    at TLSSocket.<anonymous> (_tls_wrap.js:1105:38)
    at emitNone (events.js:106:13)
    at TLSSocket.emit (events.js:208:7)
    at TLSSocket._finishInit (_tls_wrap.js:639:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:469:38)

agolybev (Contributor) commented Jul 16, 2018

Hi Dana, try turning off certificate validation by Document Server. Set services.CoAuthoring.requestDefaults.rejectUnauthorized=false in the /etc/onlyoffice/documentserver/defaults.json file and restart the documentserver services with supervisorctl restart all.

inpos commented Aug 24, 2018

Unfortunately, node.js doesn't use system ca-certs and this issue can't be fixed by adding a local CA cert to the system bundle. The workaround by @agolybev works, but breaks SSL security because it allows connections to unauthorized SSL servers.
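
Added example (not part of the thread or of ONLYOFFICE's code): a small Node.js check that reports where the settings discussed above switch off certificate verification, so a leftover workaround can be found and reverted once the CA is trusted properly. The sample config and environment lines are constructed; only the key path and the variable name come from the thread.

```javascript
// Constructed sample mirroring the key path quoted in the thread
// (services.CoAuthoring.requestDefaults.rejectUnauthorized); not a real file.
const sampleConfig = JSON.stringify({
  services: {
    CoAuthoring: {
      requestDefaults: { headers: { Accept: '*/*' }, rejectUnauthorized: false },
      server: { port: 8000 },
    },
  },
});

// Constructed sample of service environment entries (for example from a
// supervisor .ini or `docker run -e`), one KEY=VALUE per entry.
const sampleEnv = ['NODE_ENV=production-linux', 'NODE_TLS_REJECT_UNAUTHORIZED=0'];

// Walk the parsed config and return the dotted path of every
// `rejectUnauthorized` key set to boolean false. Node.js only skips peer
// verification for the literal value false, so other values are not flagged.
function findDisabledVerification(node, path = []) {
  if (node === null || typeof node !== 'object') return [];
  const hits = [];
  for (const [key, value] of Object.entries(node)) {
    const here = path.concat(key);
    if (key === 'rejectUnauthorized' && value === false) {
      hits.push(here.join('.'));
    } else {
      hits.push(...findDisabledVerification(value, here));
    }
  }
  return hits;
}

// Return the environment entries that turn verification off for the whole
// process. Node.js does this only when the variable equals the string "0".
function findInsecureEnv(lines) {
  return lines
    .map((line) => line.trim())
    .filter((line) => /^NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*"?0"?$/.test(line));
}

// Combine both checks into a list of human-readable findings.
function audit(configText, envLines) {
  const findings = findDisabledVerification(JSON.parse(configText))
    .map((p) => `config: ${p} = false (peer certificate not verified)`);
  for (const line of findInsecureEnv(envLines)) {
    findings.push(`env: ${line} (verification off process-wide)`);
  }
  return findings;
}

console.log(audit(sampleConfig, sampleEnv).join('\n'));
```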

thomaswollburg commented Sep 26, 2018

The workaround does work, but pretty pretty please update your documentation as I have tried all -e SSL_VERIFY_CLIENT="off" -e NODE_TLS_REJECT_UNAUTHORIZED=0 and what not to make this work. Can I invoice these useless hours of frustration somewhere? Even set up a chain file and gave it the recommended name and everything. Nothing helped here.

ibnpetr (Member) commented Sep 26, 2018

@thomaswollburg
The next version of the DocumentServer container will include node.js v8, which does use the system CA bundle; you will be able to import your certificates without having to disable verification.

changchichung commented Oct 30, 2018

@ibnpetr is there any schedule for the next release?

skuep commented Jan 15, 2019

@ibnpetr
I am curious, are you already using node v8? When I execute the following in the onlyoffice docker container, I get:

docker exec <id> node -v
v8.14.0

However I am having the exact same issues as above. Also tried every workaround given above.
