I have Nextcloud (21.0.3) and Onlyoffice Document Server (6.3.2.2) installed on the same server without Docker. I'm using only nginx as the web server. The SSL certificate is from European SSL.
Nextcloud and Document Server have different domain names: cloud.xxx.com and office.xxx.com. However, if I try to connect to the Document Server via the Nextcloud Onlyoffice app, I get the following error message: Error when trying to connect (Error occurred in the document service: Error while downloading the document file to be converted.) (version 6.3.2.2)
If I open cloud.xxx.com in my web browser there are no SSL issues.
The log file from the Onlyoffice Document Server says:
[2021-08-18T07:56:40.881] [ERROR] nodeJS - error downloadFile:url=https://cloud.xxx.com/apps/onlyoffice/empty?doc=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhY3Rpb24iOiJlbXB0eSJ9.OYLklS-dJKtf0drJmWQgzxPrEWCQwir10jCIM5r_SMc;attempt=3;code:UNABLE_TO_VERIFY_LEAF_SIGNATURE;connect:null;(id=conv_check_363560041_docx)
Error: unable to verify the first certificate
at TLSSocket.onConnectSecure (_tls_wrap.js:1088:34)
at TLSSocket.emit (events.js:198:13)
at TLSSocket._finishInit (_tls_wrap.js:666:8)
If I run openssl s_client -connect cloud.xxx.com:443:
CONNECTED(00000003)
depth=0 CN = *.xxx.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.xxx.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = *.xxx.com
   i:C = DE, ST = Baden-W\C3\BCrttemberg, L = Durmersheim, O = EUNETIC GmbH, CN = EuropeanSSL Server CA 2
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxx
xxxxx
xxxxx
-----END CERTIFICATE-----
subject=CN = *.xxx.com
issuer=C = DE, ST = Baden-W\C3\BCrttemberg, L = Durmersheim, O = EUNETIC GmbH, CN = EuropeanSSL Server CA 2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2177 bytes and written 404 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: xxxxxxxxxxxxx
Session-ID-ctx:
Master-Key: xxxxxxxxxxxxx
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
xxxxxxxxxxxxx
Start Time: 1629275069
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes
Running wget https://cloud.xxx.com:
--2021-08-18 08:28:05-- https://cloud.xxx.com/
Resolving cloud.xxx.com (cloud.xxx.com)... xx.xx.xx.xx
Connecting to cloud.xxx.com (cloud.xxx.com)|xx.xx.xx.xx|:443... connected.
ERROR: cannot verify cloud.xxx.com's certificate, issued by ‘CN=EuropeanSSL Server CA 2,O=EUNETIC GmbH,L=Durmersheim,ST=Baden-W\\C3\\BCrttemberg,C=DE’:
Unable to locally verify the issuer's authority.
To connect to cloud.xxx.com insecurely, use `--no-check-certificate'.
NGINX config for Nextcloud:
upstream php-handler {
    server 127.0.0.1:9000;
    # Depending on your used PHP version
    server unix:/var/run/php7.4-fpm.sock;
}

server {
    listen 80;
    server_name cloud.xxx.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name cloud.xxx.com;
    ssl_certificate /etc/nginx/ssl/xxx.com.crt;
    ssl_certificate_key /etc/nginx/ssl/xxx.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AE>
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Add headers to serve security related headers
    # The always parameter ensures that the header is set for all responses, including internally generated error responses.
    # Before enabling Strict-Transport-Security headers please read into this topic first.
    # https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
    #add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none always;
    add_header X-Download-Options noopen always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    add_header Referrer-Policy 'no-referrer';

    # Path to the root of your installation
    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 8 4K; # Please see note 1
    fastcgi_ignore_headers X-Accel-Buffering; # Please see note 2

    # Disable gzip to avoid the removal of the ETag header
    # Enabling gzip would also make your server vulnerable to BREACH
    # if no additional measures are done. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773332
    gzip off;
I saved the xxx.com.crt file to /usr/local/share/ca-certificates/ and ran sudo dpkg-reconfigure ca-certificates; after that, wget didn't show me any errors.
But the log file from the Onlyoffice Document Server still says "Error: unable to verify the first certificate".
Can someone help me solve this problem?
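The s_client output in the question lists a single entry under "Certificate chain" and ends with verify return code 21: the server hands out only its leaf certificate, so every client has to locate the "EuropeanSSL Server CA 2" intermediate on its own. wget stopped complaining once the leaf itself was dropped into the system trust store, but Node.js (which the Document Server's converter runs on) ships its own CA bundle and does not read the system store unless told to, so that workaround never reaches it. nginx expects the ssl_certificate file to contain the leaf followed by the issuing intermediate(s). The script below is an added example and not part of the original question or of either project: diagnose_chain reads openssl s_client output and reports whether only the leaf was sent (the constructed sample reuses the lines from the question), and demo_chain_fix generates a throwaway root/intermediate/leaf chain with openssl to show that a client trusting only the root rejects the bare leaf but accepts leaf plus intermediate. "Example Test Root", cloud.example.test and fullchain.crt are made-up names.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers:
#   diagnose_chain  - reads `openssl s_client` output on stdin and reports
#                     whether the server sent only its leaf certificate
#   demo_chain_fix  - builds a throwaway root -> intermediate -> leaf chain
#                     with openssl and shows that a client trusting only the
#                     root rejects the bare leaf but accepts leaf+intermediate
# Names such as "Example Test Root" and cloud.example.test are made up.

# Constructed sample: the relevant lines of the s_client output from the
# question (one chain entry, verify return code 21).
SAMPLE_S_CLIENT=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = *.xxx.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = *.xxx.com
   i:C = DE, O = EUNETIC GmbH, CN = EuropeanSSL Server CA 2
---
Verify return code: 21 (unable to verify the first certificate)
EOF
)

# Exit status: 0 chain verified, 1 only the leaf was sent (the question's
# case), 2 no chain found in the input, 3 some other verification failure.
diagnose_chain() {
    out=$(cat)
    # every certificate the server sent is listed as " N s:<subject>"
    sent=$(printf '%s\n' "$out" | grep -cE '^ *[0-9]+ s:' || true)
    code=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p')
    if [ "$sent" -eq 0 ]; then
        echo "no certificate chain found in input"
        return 2
    fi
    if [ "$code" = "0" ]; then
        echo "chain of $sent certificate(s) verified"
        return 0
    fi
    if [ "$sent" -eq 1 ] && [ "$code" = "21" ]; then
        issuer=$(printf '%s\n' "$out" | sed -n 's/^ *i://p' | head -n 1)
        echo "server sent only the leaf; the ssl_certificate file must also contain the intermediate issued by: $issuer"
        return 1
    fi
    echo "chain of $sent certificate(s) failed with verify return code ${code:-unknown}"
    return 3
}

# build_fullchain OUT LEAF INTERMEDIATE...: leaf first, then the issuing
# intermediates, which is the order nginx expects in ssl_certificate.
build_fullchain() {
    out=$1
    shift
    cat "$@" > "$out"
}

demo_chain_fix() {
    dir=$(mktemp -d) || return 2
    # minimal openssl config so the demo does not depend on the system openssl.cnf
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca\n[dn]\n[ca]\nbasicConstraints = critical, CA:TRUE\n' > "$dir/ca.cnf"
    # root CA: stands in for what the client's trust store already contains
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root" -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1 || return 2
    # intermediate CA, signed by the root
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Test Intermediate" -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1 || return 2
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca.cnf" -extensions ca -out "$dir/int.crt" >/dev/null 2>&1 || return 2
    # server (leaf) certificate, signed by the intermediate
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=cloud.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 2
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
        -out "$dir/leaf.crt" >/dev/null 2>&1 || return 2

    # 1) leaf alone (what a server whose ssl_certificate holds only the leaf hands out):
    #    a client that trusts just the root cannot build the path, so this must fail
    if openssl verify -CAfile "$dir/root.crt" "$dir/leaf.crt" >/dev/null 2>&1; then
        rm -rf "$dir"
        return 1
    fi
    # 2) leaf + intermediate handed over as the untrusted chain: this must verify
    build_fullchain "$dir/fullchain.crt" "$dir/leaf.crt" "$dir/int.crt"
    if openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/fullchain.crt" "$dir/leaf.crt" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Stand-alone run: diagnose the sample from the question. Against a live host use
#   openssl s_client -connect cloud.xxx.com:443 -servername cloud.xxx.com </dev/null 2>&1 | diagnose_chain
printf '%s\n' "$SAMPLE_S_CLIENT" | diagnose_chain || true
```

Once the fullchain file is in place, point ssl_certificate at it, reload nginx, and rerun the s_client command: the "Certificate chain" section should then list two entries and "Verify return code" should be 0 without any change to the client's trust store.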